OK, we got in.  It turns out that the user that was being used in the RDP 
connection in Guac had 2 issues:

1) It was locked out;

2) It had NLA turned on for it

Once we corrected those, we were able to connect using “Any” as the security 
mode in Guac.

Thanks,
Harry

From: Hankins, Jonathan <jhank...@homewood.k12.al.us>
Sent: Friday, February 18, 2022 12:50 PM
To: user@guacamole.apache.org
Subject: Re: Issues with RDP connections

I was incorrect -- I *did* have a domain user named "guacadmin". I checked the 
Windows event logs on the 2012 machine I failed to connect to and saw error 
4825 in the Windows/Security event log, as an Audit Failure message:

"A user was denied the access to Remote Desktop. By default, users are allowed 
to connect only if they are members of the Remote Desktop Users group or 
Administrators group."

If I delete the user and try to connect again, I get this expected error from 
guacd:

"RDP server closed/refused connection: Authentication failure (invalid 
credentials?)"

I hear you saying you can connect to the same server presumably with the same 
domain and username credentials via another RDP client, but I'd suggest 
double-checking that this is indeed the case as well as checking your Windows 
Event logs to see if anything is logged when the connection from guacamole 
fails.


On Fri, Feb 18, 2022 at 11:23 AM Hankins, Jonathan 
<jhank...@homewood.k12.al.us> wrote:
FWIW, I get the same error "RDP server closed/refused connection: Server 
refused connection (wrong security type?)" if I try to connect with a username 
passed through that does not exist on the Windows side.

For reference, in my connection, I have the domain set, the login set to 
"${GUAC_USERNAME}", security mode set to NLA in guac (also required on the 
Windows side). If I log in as "guacadmin" to guac and launch that connection, it 
fails with the message you are receiving, as there is no "guacadmin" user in my 
Windows domain.




On Fri, Feb 18, 2022 at 6:47 AM Devine, Harry (FAA) 
<harry.dev...@faa.gov.invalid> wrote:
It doesn’t look like guacd.conf is being used in our installation.  I tried 
“/etc/init.d/guacd restart -L”, but /var/log/messages doesn’t look any 
different in what it's logging.  Where else should I be adding/looking for the 
debug messages?  Perhaps guacamole.properties?

Thanks,
Harry

From: Nick Couchman <nick.e.couch...@gmail.com>
Sent: Thursday, February 17, 2022 9:26 PM
To: user@guacamole.apache.org
Subject: Re: Issues with RDP connections

On Thu, Feb 17, 2022 at 8:34 PM Devine, Harry (FAA) 
<harry.dev...@faa.gov.invalid> wrote:
On the Windows side or the guacamole side?  If the user couldn’t write there, 
why did the Windows 10 RDP work?  One of our admins said they can RDP to the 
Windows 2013 server using MobaXterm and they see the TLS is 1.2. Does guacamole 
expect v2?  If so, does the 2012 need to update to TLS2?


This would be on the Guacamole side. No, I do not expect that Guacamole would 
require a TLS version that Windows doesn't support- I use 1.4.0 to connect to 
Server 2003, 2008/r2, 2012/r2, 2016, and 2019, along with Windows 10.

Also, might want to start guacd with debug logging (-L debug on the command 
line, or log_level = debug in guacd.conf) to see if you get any more useful 
messages.

-Nick


--
Jonathan Hankins

Homewood City Schools

W: 205-877-4548
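
The Windows-side checks this thread converged on (NLA on the listener, Security-log audit events, account lockout, Remote Desktop Users membership), gathered into one PowerShell script. This is an added example, not part of the original thread or of the Guacamole project; event IDs 4625 and 4740, the `UserAuthentication` registry value, the `$User`/`$Minutes` parameter names and their defaults are not mentioned in the thread and are assumptions of this example.

```powershell
# Added example: Windows-side triage for a failed Guacamole RDP login.
# Run in an elevated session on the RDP target (reading the Security log
# requires administrator rights). Parameter names and defaults are placeholders.
param(
    [string]$User    = 'guacadmin',  # account name Guacamole passes to the server
    [int]   $Minutes = 30            # how far back to search the Security log
)

# 1. Does the RDP listener require NLA? (1 = required, 0 = not required)
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
"NLA required by listener: $([bool]$nla)"

# 2. Recent audit events that mention the account.
#    4825 = denied access to Remote Desktop (the event quoted in the thread)
#    4625 = failed logon; 4740 = account locked out (for domain accounts,
#    4740 is recorded on a domain controller, not on the RDP target)
$filter = @{
    LogName   = 'Security'
    Id        = 4825, 4625, 4740
    StartTime = (Get-Date).AddMinutes(-$Minutes)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($User) } |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# 3. Is the account a direct member of a group allowed to log on over RDP?
#    (Nested group membership is not resolved by this check.)
$pattern = '(^|\\)' + [regex]::Escape($User) + '$'
foreach ($group in 'Remote Desktop Users', 'Administrators') {
    $hit = @(net localgroup $group 2>$null) -match $pattern
    "{0,-22} direct member: {1}" -f $group, [bool]$hit
}

# 4. Domain account state, if the ActiveDirectory (RSAT) module is installed.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Get-ADUser -Identity $User -Properties LockedOut |
        Select-Object SamAccountName, Enabled, LockedOut
} else {
    'ActiveDirectory module not found; check lockout state on a domain controller.'
}
```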

