Hello everyone, I would like to known if someone has ever successfully set up an RDP connection to a server with NLA authentication and an user member of « Protected users ».
I have set up a connection to a domain controler with guacamole using RDP and automatic negociation as security mode. I also tired with NLA without result. The connection works fine directly from my computer, but not from Guacamole. Logs indicate that authentication process failed due to the combination of NLA protection with Protected Users. NLA has failed and an NTLM connection is attempted but is prohibited by the fact that the account is a member of the special Protected Users group. Logs are as follows: guacd[96470]: DEBUG: freerdp_connect:freerdp_set_last_error_ex resetting error state guacd[96470]: DEBUG: Support for CLIPRDR (clipboard redirection) registered. Awaiting channel connection. guacd[96470]: DEBUG: Support for static channel "rdpdr" loaded. guacd[96470]: DEBUG: Support for static channel "rdpsnd" loaded. guacd[96470]: DEBUG: Local framebuffer format PIXEL_FORMAT_BGRX32 guacd[96470]: DEBUG: Remote framebuffer format PIXEL_FORMAT_RGB16 guacd[96470]: DEBUG: primitives autodetect, using optimized guacd[96470]: DEBUG: freerdp_tcp_is_hostname_resolvable:freerdp_set_last_error_ex resetting error state guacd[96470]: DEBUG: freerdp_tcp_connect:freerdp_set_last_error_ex resetting error state guacd[96470]: DEBUG: creating directory /root/.config/freerdp guacd[96470]: DEBUG: creating directory [/root/.config/freerdp/certs] guacd[96470]: DEBUG: created directory [/root/.config/freerdp/server] guacd[96470]: DEBUG: SPNEGO received NTSTATUS: STATUS_ACCOUNT_RESTRICTION [0xC000006E] from server guacd[96470]: DEBUG: nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_ACCOUNT_RESTRICTION [0x00020017] guacd[96470]: DEBUG: rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail guacd[96470]: DEBUG: transport_check_fds: transport->ReceiveCallback() - -1 guacd[96470]: DEBUG: SVC "rdpdr" disconnected. guacd[96470]: DEBUG: SVC "rdpsnd" disconnected. guacd[96470]: INFO: RDP server closed/refused connection: Access denied by server (account locked/disabled?) guacd[96470]: INFO: User "@6576c64b-07ee-497c-b5d1-e8fd71e2df49" disconnected (0 users remain) I check the Freerdp project page and found this issue : https://github.com/FreeRDP/FreeRDP/issues/5258 It seems that the most recent release of freerdp, which is used in guacamole according to the previous logs, is not compatible with NLA + Protected Users security. So my question is : Has anyone already configured this kind of connections in Guacamole ? Thank you for your help. Clément Itié ________________________________ Ce mail a été analysé par Bitdefender
