Score:1

Apache Guacamole Login with User from DomainA, rdp to Server from DomainB


Overview

We log into Guacamole with a user from DomainA and select an RDP connection to a server from DomainB.

Trusts

DomainA to DomainB and vice versa:

  • Type: External
  • Kerberos AES Encryption support: no
  • Direction: two-way
  • Transitivity: no
  • Authentication: Domain-wide

Permissions

The user from DomainA has been added to the local Remote Desktop Users group on the server from DomainB. I have also temporarily tried with the local Administrators group.

Guacamole

The whole setup was not done by me and I don't have a lot of insight, since it is managed by another team. What I know is that it works fine with a user from DomainA to a server from DomainA. Users log into it with the UPN and use 2FA via OpenOTP. If you guys think it would help to share some configurations of Guacamole, let me know what you want to see and I'll check with the team.

Connections on Guacamole

  • protocol: rdp
  • hostname: ip of server from DomainB
  • port: 3389
  • username: ${GUAC_USERNAME}
  • password: ${GUAC_PASSWORD}
  • domain: blank
  • security mode: NLA
  • disable authentication: no
  • ignore server certificate: yes
  • everything else is set to default / not configured

Of course we have tried multiple different settings.

Symptoms

Now here is what happens.

  • I log into Guacamole with the User from DomainA
  • receive OpenOTP push and confirm
  • am logged into Guacamole and select the connection to the server of DomainB
  • receive error message:

The remote desktop server is currently unreachable. If the problem persists, please notify your system administrator, or check your system logs.

  • after a few retries I sometimes get this message:

This connection has been closed because the server is taking too long to respond. This is usually caused by network problems, such as a spotty wireless signal, or slow network speeds. Please check your network connection and try again or contact your system administrator.

  • and now comes the funny part that drives me crazy: I am able to log into the server of DomainB with the user from DomainA via direct RDP, and if I do so, keep the connection open and start the connection on Guacamole, I am able to take over the session!!

Logs

Guacamole Logs show absolutely nothing useful.

Windows Security Log shows this event on the login error:

EventID 4625, Logon
An account failed to log on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       User (correct)
    Account Domain:     DomainA (correct)

Failure Information:
    Failure Reason:     An Error occured during Logon.
    Status:         0xC000005E
    Sub Status:     0x0

Process Information:
    Caller Process ID:  0x0
    Caller Process Name:    -

Network Information:
    Workstation Name:   f7054e3b9dd7
    Source Network Address: Guacamole-Server-IP
    Source Port:        0

Detailed Authentication Information:
    Logon Process:      NtLmSsp 
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Troubleshooting

Now at this point I don't know where to set my next focus. We have tried multiple settings on the Guacamole RDP connection. I did a lot of research online but was not able to find examples where someone tries the same thing as we do. Since regular RDP works fine, we think our trusts and permissions should be fine.

Can you guys give me any hints in which direction I should investigate?

Does someone use Guacamole in a similar setup?

Edit: Additional Event Viewer info suggested by user Swisstone:

RemoteDesktopServices-RdpCoreTS
08:38:23 Info: The server accepted a new TCP connection from client *Guacamole-IP*:53494.
08:38:23 Info: Connection RDP-Tcp#78 created 
08:38:23 Info: Interface method called: PrepareForAccept
08:38:23 Info: Interface method called: SendPolicyData
08:38:23 Info: PerfCounter session started with instance ID 78
08:38:23 Warning: TCP socket was gracefully terminated
08:38:23 Info: Interface method called: OnDisconnected
08:38:23 Info: The server has terminated main RDP connection with the client.
08:38:23 Info: During this connection, server has not sent data or graphics update for 0 seconds (Idle1: 0, Idle2: 0).
08:38:23 Info: Channel rdpinpt has been closed between the server and the client on transport tunnel: 0.
08:38:23 Info: Channel rdpcmd has been closed between the server and the client on transport tunnel: 0.
08:38:23 Info: Channel rdplic has been closed between the server and the client on transport tunnel: 0.
08:38:23 Info: The disconnect reason is 14

TerminalServices-LocalSessionManager
nothing during this time

TerminalServices-RemoteConnectionManager
nothing during this time

Forgot to mention: the server is Server 2019, version 1809.

Edit2

OK, I got it working now by changing the security mode on the connection to tls. I remember having tried tls before, when it was not working. Maybe some of the changes I made during the whole troubleshooting process made the difference. By now I can't tell what it was.

I came to this "solution" by randomly trying different options to connect using FreeRDP, after I discovered that it is used by Guacamole for RDP connections.

Does someone see any concerns in using tls instead of nla in this case?

Swisstone: You can take a look at the following logs on the target server and see if you can find something useful: Event viewer -> Applications and Services Logs -> Microsoft -> Windows -> `RemoteDesktopServices-RdpCoreTS`, and `TerminalServices-LocalSessionManager` and `TerminalServices-RemoteSessionManager`
Manu: @Swisstone, added the events during the logon try. All of them belong to the task category "RemoteFX module"; I will dig deeper into this. Thanks!
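The 4625 event quoted in the question is the only hard evidence in the thread, and its Status / Sub Status pair is what separates "the credentials were rejected" from "the server never reached a domain controller for that account's domain". The following is an added example (not code from the original post or from Guacamole): it parses the indented `Field: value` layout that Event Viewer produces into its sections, decodes the NTSTATUS codes by name, and prints a defender's summary. The sample event is constructed to mirror the one in the question; the source IP is a placeholder, and the NTSTATUS names come from the public Windows status code list (0xC000005E is STATUS_NO_LOGON_SERVERS).

```python
"""Classify a Windows Security event 4625 (failed logon) from its text body.

Added example, not from the original post. Parses the Event Viewer text into
sections, decodes Status / Sub Status as NTSTATUS names and summarises the
fields a defender looks at first: who, from where, which logon type and
authentication package, and whether the failure is a credential problem or
a "no logon server" problem.
"""
import re

# NTSTATUS values commonly seen in 4625 Status / Sub Status fields.
NTSTATUS = {
    0x0: "none",
    0xC000005E: "STATUS_NO_LOGON_SERVERS",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC0000224: "STATUS_PASSWORD_MUST_CHANGE",
    0xC000015B: "STATUS_LOGON_TYPE_NOT_GRANTED",
}

LOGON_TYPES = {2: "Interactive", 3: "Network", 7: "Unlock", 10: "RemoteInteractive"}

# "Field name (with optional parens):   value" -- the name is lazy so the
# first colon ends it; the value may be empty or a lone "-".
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ()]*?):\s*(.*?)\s*$")


def parse_4625(text):
    """Return {section: {field: value}}; top-level fields land in section ''."""
    sections = {}
    section = None
    for line in text.splitlines():
        if not line.strip():
            continue
        indented = line[:1].isspace()
        m = FIELD_RE.match(line)
        if not indented and line.rstrip().endswith(":"):
            section = line.strip()[:-1]          # e.g. "Failure Information"
            sections.setdefault(section, {})
        elif indented and m and section is not None:
            sections[section][m.group(1).strip()] = m.group(2)
        elif not indented and m:
            sections.setdefault("", {})[m.group(1).strip()] = m.group(2)
    return sections


def explain(status, sub_status):
    """One-line triage hint derived from the NTSTATUS pair."""
    if sub_status:
        return "credential/account problem: " + NTSTATUS.get(sub_status, "unknown")
    if status == 0xC000005E:
        return ("server could not reach a domain controller for the account's "
                "domain: check the trust path, DNS and DC-to-DC firewall rules")
    return NTSTATUS.get(status, "unknown status, look it up by hex value")


def classify_4625(text):
    ev = parse_4625(text)
    fail = ev.get("Failure Information", {})
    status = int(fail.get("Status", "0x0"), 16)
    sub = int(fail.get("Sub Status", "0x0"), 16)
    logon_type = int(ev.get("", {}).get("Logon Type", "0"))
    target = ev.get("Account For Which Logon Failed", {})
    net = ev.get("Network Information", {})
    auth = ev.get("Detailed Authentication Information", {})
    return {
        "account": f"{target.get('Account Domain', '?')}\\{target.get('Account Name', '?')}",
        "logon_type": LOGON_TYPES.get(logon_type, str(logon_type)),
        "package": auth.get("Authentication Package", "?"),
        "source": net.get("Source Network Address", "?"),
        "workstation": net.get("Workstation Name", "?"),
        "status": f"0x{status:08X} {NTSTATUS.get(status, 'unknown')}",
        "sub_status": f"0x{sub:08X} {NTSTATUS.get(sub, 'unknown')}",
        "hint": explain(status, sub),
    }


# Constructed sample mirroring the event in the question (IP is a placeholder).
SAMPLE_4625 = """An account failed to log on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       User
    Account Domain:     DomainA

Failure Information:
    Failure Reason:     An Error occured during Logon.
    Status:         0xC000005E
    Sub Status:     0x0

Network Information:
    Workstation Name:   f7054e3b9dd7
    Source Network Address: 192.0.2.10
    Source Port:        0

Detailed Authentication Information:
    Logon Process:      NtLmSsp
    Authentication Package: NTLM
    Package Name (NTLM only):   -
    Key Length:     0
"""

if __name__ == "__main__":
    for key, value in classify_4625(SAMPLE_4625).items():
        print(f"{key:<12} {value}")
```

Run it as-is to see the constructed sample decoded, or paste the body of a real 4625 into `classify_4625`. The Subject block is parsed too but ignored here, since for a network logon it is always NULL SID; the interesting keys are the failing account, the Source Network Address (here the Guacamole host, which is why the workstation name looks like a container ID) and the status pair.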
Score:2

I got the whole thing working and am summarizing here the information I've gathered along the way:

Trust

The Trust as posted in my question works just fine for this purpose. I'm sure some other options would work too.

Permissions

The user in DomainA is a member of a universal group in DomainA. This universal group is a member of a local group in DomainB, which is a member of the local Administrators group of the destination server.

Guacamole

We use the UPN for login and have set up the connection as follows:

  • protocol: rdp
  • hostname: ip of server from DomainB
  • port: 3389
  • username: ${GUAC_USERNAME}
  • password: ${GUAC_PASSWORD}
  • domain: blank
  • security mode: tls
  • disable authentication: no
  • ignore server certificate: yes
  • everything else is set to default / not configured

Network

Make sure connections between the Domain Controllers are allowed: How to configure a firewall for Active Directory domains and trusts

If you want to browse the GC of DomainA from the server of DomainB, allow the LDAP ports for this connection.

Remains unknown to me

If NLA would be an advantage and how I would get it to work.

For now I'll keep it the way it is.

Edit

By now I'm pretty sure I'd need a forest trust to use NLA the way I try to log into the server (UPN).

Edit2

I am now 100% sure I'd need a forest trust for RDP with NLA using a UPN. Found one, tested, worked.
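The Network section of this answer tells you to verify that the domain controllers on both sides of the trust can talk to each other, and the 4625 in the question (STATUS_NO_LOGON_SERVERS) is exactly what a blocked DC-to-DC path produces. The following is an added example, not part of the answer or of Guacamole: a small port reachability check that probes the TCP ports a trust needs from wherever you run it. The port list is the commonly cited one for trusts between Windows Server 2008 and later domains and should be checked against the Microsoft firewall article the answer links; UDP ports and the RPC dynamic range (49152 to 65535) are not probed, and the host name in the `__main__` block is a placeholder.

```python
"""Probe the TCP ports an Active Directory trust relies on.

Added example, not from the original answer. Run it on a DC (or on the
DomainB server, for the GC/LDAP case) against the other side's DC to find
which ports a firewall is dropping before you touch trust or RDP settings.
UDP (53, 88, 389, 464) and the RPC dynamic range are out of scope here.
"""
import socket

# Commonly listed TCP ports for trusts between Windows Server 2008+ domains
# (verify against Microsoft's "How to configure a firewall for Active
# Directory domains and trusts" article; this table is an assumption).
TRUST_TCP_PORTS = [
    (53, "DNS"),
    (88, "Kerberos"),
    (135, "RPC endpoint mapper"),
    (389, "LDAP"),
    (445, "SMB"),
    (464, "Kerberos password change"),
    (636, "LDAP over SSL"),
    (3268, "Global Catalog"),
    (3269, "Global Catalog over SSL"),
]


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:            # refused, timed out, unreachable, DNS failure
        return False


def check_trust_ports(host, ports=TRUST_TCP_PORTS, timeout=2.0, probe=tcp_reachable):
    """Return {port: (service, reachable)}. `probe` is injectable for tests."""
    return {port: (service, probe(host, port, timeout)) for port, service in ports}


def blocked_ports(results):
    """Sorted [(port, service)] pairs that failed, ready for the firewall ticket."""
    return sorted((port, service) for port, (service, ok) in results.items() if not ok)


if __name__ == "__main__":
    import sys
    # Placeholder target: the other domain's DC (or the GC you want to browse).
    target = sys.argv[1] if len(sys.argv) > 1 else "dc01.domainb.example"
    results = check_trust_ports(target)
    for port, (service, ok) in sorted(results.items()):
        print(f"{target}:{port:<5} {service:<26} {'open' if ok else 'BLOCKED'}")
    sys.exit(1 if blocked_ports(results) else 0)
```

A non-zero exit code makes the script usable from a monitoring job, so a trust that silently stops working after a firewall change shows up as a port check failure rather than as users reporting "remote desktop server is currently unreachable".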
