According to your guacd log, it looks like FIPS mode is enabled somewhere,
which isn't compatible with NLA. I've been using Guacamole with Windows 10
with no issues, since Windows 10 was released. Here's my guacd log
connecting to Windows 10:

guacd[1]: INFO: Creating new client for protocol "rdp"

guacd[1]: INFO: Connection ID is "$f3477e92-b703-49d6-919e-a63cb928255f"

guacd[2378]: INFO: Security mode: Negotiate (ANY)

guacd[2378]: INFO: Resize method: none

guacd[2378]: INFO: No clipboard line-ending normalization specified.
Defaulting to preserving the format of all line endings.

guacd[2378]: INFO: User "@7695c2df-202b-4f77-925a-59c38f01281e" joined
connection "$f3477e92-b703-49d6-919e-a63cb928255f" (1 users now present)

guacd[2378]: INFO: Recording of session will be saved to
"/var/lib/guacamole/recordings/24c89d21-d71d-31a5-b3a0-e349dba3a2dc/57_redux.swiftlab.local_20240404_194834".

guacd[2378]: INFO: Loading keymap "base"

guacd[2378]: INFO: Loading keymap "en-us-qwerty"

guacd[2378]: INFO: Connected to RDPDR 1.13 as client 0x0004

guacd[2378]: INFO: Connected to RDPDR 1.13 as client 0x0001

guacd[2378]: INFO: RDPDR user logged on

guacd[2378]: INFO: Accepted format: 16-bit PCM with 2 channels at 44100 Hz

guacd[2378]: INFO: Accepted format: 16-bit PCM with 2 channels at 44100 H

On Thu, Apr 4, 2024 at 2:47 PM Devine, Harry (FAA)
<harry.dev...@faa.gov.invalid> wrote:

> If I change it to NLA, the browser just says “You have been disconnected”,
> and /var/log/messages shows:
>
>
>
> Apr  4 15:42:40 access guacd[2286]: Creating new client for protocol "rdp"
>
> Apr  4 15:42:40 access guacd[2286]: Connection ID is
> "$f67e0010-36ff-4dcf-abb6-0d4d25a2fd12"
>
> Apr  4 15:42:40 access guacd[1476113]: Security mode: NLA
>
> Apr  4 15:42:40 access guacd[1476113]: NLA security mode was selected, but
> is known to be currently incompatible with FIPS mode (see
> FreeRDP/FreeRDP#3412). Security negotiation with the RDP server may fail
> unless TLS security mode is selected instead.
>
> Apr  4 15:42:40 access guacd[1476113]: Resize method: none
>
> Apr  4 15:42:40 access guacd[1476113]: No clipboard line-ending
> normalization specified. Defaulting to preserving the format of all line
> endings.
>
> Apr  4 15:42:40 access guacd[1476113]: User
> "@fa0b5239-e6bf-4751-995c-b3e71c1ee057" joined connection
> "$f67e0010-36ff-4dcf-abb6-0d4d25a2fd12" (1 users now present)
>
> Apr  4 15:42:40 access server[1652]: 15:42:40.905 [http-nio-8080-exec-10]
> INFO  o.a.g.tunnel.TunnelRequestService - User "harry.devine" connected to
> connection "816".
>
> Apr  4 15:42:40 access server[1652]: 15:42:40.905 [http-nio-8080-exec-10]
> INFO  o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet - Using HTTP tunnel
> (not WebSocket). Performance may be sub-optimal.
>
> Apr  4 15:42:40 access guacd[1476113]: Loading keymap "base"
>
> Apr  4 15:42:40 access guacd[1476113]: Loading keymap "en-us-qwerty"
>
> Apr  4 15:42:41 access guacd[1476113]: RDP server closed/refused
> connection: Security negotiation failed (wrong security type?)
>
> Apr  4 15:42:41 access guacd[1476113]: User
> "@fa0b5239-e6bf-4751-995c-b3e71c1ee057" disconnected (0 users remain)
>
> Apr  4 15:42:41 access guacd[1476113]: Last user of connection
> "$f67e0010-36ff-4dcf-abb6-0d4d25a2fd12" disconnected
>
> Apr  4 15:42:41 access guacd[2286]: Connection
> "$f67e0010-36ff-4dcf-abb6-0d4d25a2fd12" removed.
>
> Apr  4 15:42:41 access server[1652]: 15:42:41.279 [http-nio-8080-exec-9]
> INFO  o.a.g.tunnel.TunnelRequestService - User "harry.devine" disconnected
> from connection "816". Duration: 374 milliseconds
>
>
>
> If I change it to “TLS Encryption”, it fails the same way that Any does.
>
>
>
> Thanks,
>
> Harry
>
>
>
> *From:* Devine, Harry (FAA) <harry.dev...@faa.gov.INVALID>
> *Sent:* Thursday, April 4, 2024 3:40 PM
> *To:* user@guacamole.apache.org
> *Subject:* RE: Issue with Windows 10 RDP
>
>
>
> *CAUTION:* This email originated from outside of the Federal Aviation
> Administration (FAA). Do not click on links or open attachments unless you
> recognize the sender and know the content is safe.
>
>
>
> I have “Any” now, but NLA didn’t work either.  No matter what I choose, I
> get that “RDP server closed/refused connection: Server refused connection
> (wrong security type?)” error.
>
>
>
> Thanks,
>
> Harry
>
>
>
> *From:* Horváth Csaba <horvathcsabalas...@gmail.com>
> *Sent:* Thursday, April 4, 2024 3:31 PM
> *To:* user@guacamole.apache.org
> *Subject:* Re: Issue with Windows 10 RDP
>
>
>
>
> Hi,
>
>
>
> Which security mode have you chosen?  NLA is required for newer Windows
> versions.
>
>
>
> Cs.
>
>
>
> Devine, Harry (FAA) <harry.dev...@faa.gov.invalid> wrote (on Thu, Apr 4,
> 2024, 21:18):
>
> I am having an issue connecting to a new Windows 10 machine we stood up.
> I’ve had this issue before, but everything that was suggested for that
> issue doesn’t work here.  I have enabled Remote Desktop on the server,
> added the local accounts needed, and added them to the Remote Desktop Users
> group.  The Windows Firewall also is allowing RDP over 3389.  On the Guac
> server, I set the connection security to Any, and I’m logged into Guac with
> my account that has a matching account on the Windows machine.
>
>
>
> When I log in, the window says “The remote server is unavailable”, and
> /var/log/messages on the server (running Guac 1.5.4), shows:
>
>
>
> Apr  4 15:12:50 access guacd[2286]: Creating new client for protocol "rdp"
>
> Apr  4 15:12:50 access guacd[2286]: Connection ID is
> "$58d124a2-4e95-492d-8276-8ea335d08dc4"
>
> Apr  4 15:12:50 access guacd[1475582]: Security mode: Negotiate (ANY)
>
> Apr  4 15:12:50 access guacd[1475582]: Resize method: none
>
> Apr  4 15:12:50 access server[1652]: 15:12:50.415 [http-nio-8080-exec-1]
> INFO  o.a.g.tunnel.TunnelRequestService - User "harry.devine" connected to
> connection "816".
>
> Apr  4 15:12:50 access guacd[1475582]: No clipboard line-ending
> normalization specified. Defaulting to preserving the format of all line
> endings.
>
> Apr  4 15:12:50 access server[1652]: 15:12:50.416 [http-nio-8080-exec-1]
> INFO  o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet - Using HTTP tunnel
> (not WebSocket). Performance may be sub-optimal.
>
> Apr  4 15:12:50 access guacd[1475582]: User
> "@b5fa063a-d482-4150-9d76-398043991dfd" joined connection
> "$58d124a2-4e95-492d-8276-8ea335d08dc4" (1 users now present)
>
> Apr  4 15:12:50 access guacd[1475582]: Loading keymap "base"
>
> Apr  4 15:12:50 access guacd[1475582]: Loading keymap "en-us-qwerty"
>
> Apr  4 15:12:50 access guacd[1475582]: FIPS mode is enabled. Excluding NLA
> security mode from security negotiation (see:
> https://github.com/FreeRDP/FreeRDP/issues/3412).
>
> Apr  4 15:12:50 access guacd[1475582]: RDP server closed/refused
> connection: Server refused connection (wrong security type?)
>
> Apr  4 15:12:50 access guacd[1475582]: User
> "@b5fa063a-d482-4150-9d76-398043991dfd" disconnected (0 users remain)
>
> Apr  4 15:12:50 access guacd[1475582]: Last user of connection
> "$58d124a2-4e95-492d-8276-8ea335d08dc4" disconnected
>
> Apr  4 15:12:50 access guacd[2286]: Connection
> "$58d124a2-4e95-492d-8276-8ea335d08dc4" removed.
>
>
>
> Any ideas?  I can’t seem to find any usable solutions when I research this
> online.
>
>
>
> Thanks,
>
> Harry
>
>
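
The correlation made by eye in this thread (a FIPS warning and a refused security negotiation logged by the same guacd child process) can be automated. The following is an added example, not part of the original messages and not Guacamole code; the finding labels are hypothetical and the sample lines are constructed from the message shapes quoted above, unwrapped to one line each.

```python
import re
from collections import defaultdict

# Constructed sample: log lines in the shapes quoted in this thread, unwrapped.
SAMPLE = """\
Apr  4 15:12:50 access guacd[2286]: Creating new client for protocol "rdp"
Apr  4 15:12:50 access guacd[1475582]: Security mode: Negotiate (ANY)
Apr  4 15:12:50 access guacd[1475582]: FIPS mode is enabled. Excluding NLA security mode from security negotiation (see: https://github.com/FreeRDP/FreeRDP/issues/3412).
Apr  4 15:12:50 access guacd[1475582]: RDP server closed/refused connection: Server refused connection (wrong security type?)
Apr  4 15:42:40 access guacd[1476113]: Security mode: NLA
Apr  4 15:42:40 access guacd[1476113]: NLA security mode was selected, but is known to be currently incompatible with FIPS mode (see FreeRDP/FreeRDP#3412). Security negotiation with the RDP server may fail unless TLS security mode is selected instead.
Apr  4 15:42:41 access guacd[1476113]: RDP server closed/refused connection: Security negotiation failed (wrong security type?)
guacd[2378]: INFO: Security mode: Negotiate (ANY)
guacd[2378]: INFO: RDPDR user logged on
"""

# PID in brackets, optional level prefix such as "INFO: ", then the message.
LINE = re.compile(r'guacd\[(\d+)\]:\s+(?:[A-Z]+:\s+)?(.*)')

def triage(text):
    """Group guacd messages by child PID and flag FIPS-related RDP failures."""
    sessions = defaultdict(lambda: {"mode": None, "fips": False, "error": None})
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # Tomcat/server lines and anything that is not guacd
        pid, msg = int(m.group(1)), m.group(2)
        s = sessions[pid]
        if msg.startswith("Security mode:"):
            s["mode"] = msg.split(":", 1)[1].strip()
        elif "FIPS mode" in msg:
            s["fips"] = True
        elif msg.startswith("RDP server closed/refused connection:"):
            s["error"] = msg.split(":", 1)[1].strip()
    findings = {}
    for pid, s in sessions.items():
        if s["mode"] is None:
            continue  # parent guacd process: it never logs a security mode
        if s["error"] and s["fips"]:
            findings[pid] = "fips-nla-conflict"  # hypothetical label
        elif s["error"]:
            findings[pid] = "rdp-refused"        # hypothetical label
        else:
            findings[pid] = "ok"
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```
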
