Password token not working for RDP connection
-
I have just discovered that from Guacamole application package 2.0.0, the password token no longer works for RDP connections if using OIDC to log into Guacamole. I'm using an external LDAP directory (AD server) which is synced to Cloudron.
When configuring an RDP connection in Guacamole, you can use tokens to pass the current user's credentials to RDP. ${GUAC_USERNAME} still seems to pass the correct username to RDP, but ${GUAC_PASSWORD} results in an authentication failure (as confirmed by the Guacamole and Windows Event Logs). I proved that it is only the password token (and that everything else was still working) by leaving ${GUAC_USERNAME} in place and saving my actual password in the RDP connection, which connected successfully.
Application package Version 2.0.0 was when OIDC was introduced. From what I can tell, the Guacamole version is 1.5.5 in package 1.8.6 and 2.0.0. The tokens work fine in package 1.8.6. The next Guacamole update to 1.6.0 isn't until package 2.5.0.
I found a reddit thread saying that passing the credentials can't be done with OpenID.
Is anyone else having this issue? Both my deployments have the same problem. Having my remote users log in once with their AD credentials to access their own RDP session is the whole reason I have Cloudron. Any help would be much appreciated.
Hello @phsc
@phsc said in Password token not working for RDP connection:
I found a reddit thread saying that passing the credentials can't be done with OpenID.
Yes, exactly that is the case.
That is also why other apps like Nextcloud now need to use app-passwords for e.g. CalDAV.
@phsc said in Password token not working for RDP connection:
Having my remote users log in once with their AD credentials to access their own RDP session is the whole reason I have Cloudron.
I understand.
In this case the forced switch to OIDC is more of an inconvenience than anything else.
Especially since you are using an AD in Cloudron as an external LDAP directory.
Possible solutions:
Option A - No immediate solution
Raise this issue upstream with Guacamole Issues.
This might take a long time but would be the correct way.
Not solving your issue now.
Option B - A security risk
Stick with the version v1.8.6 since it uses LDAP instead of OIDC.
Not a good option in my opinion, since you will receive no updates, which might be a security risk.
Option C - Manual Work
Create a fork of the Guacamole package.
Some extra work, this needs to be maintained manually by someone.
The diff from v2.5.0 to v1.8.6 is here https://git.cloudron.io/packages/guacamole-app/-/compare/v1.8.6...v2.5.0?from_project_id=611 so reversing the OIDC changes is somewhat less difficult.
If you can't do this yourself, maybe a @partner or @appdev is willing to help.
In my opinion this is the best option, even if it maybe costs some money, time and nerves.
-
Sure, feel free to contact me.
-
So, this is not a direct fix for passing the ${GUAC_PASSWORD} for LDAP only authentication, but I got two solutions that work.
-
Just drop the contents of the password field in the Guacamole configuration for the server. The user will be prompted for the password, but it is a simple solution that doesn't require additional configuration. In my experience, RDS connections with an RDS Gateway do **not** pick up the user's password input, and therefore this did not work for those connections.
-
This solution still uses OIDC from Cloudron with LDAP from Cloudron to Active Directory. You can automatically pull the password for connecting to the RDP from a Keeper vault if configured. You can pull it from the user's individual vault, or from a central store of passwords (less than ideal, but workable for small operations / single user). You will need the Keeper extension and to configure it with the directions here https://guacamole.apache.org/doc/gug/vault.html. Once done, if you have a central store, you can use the parameter `${KEEPER_USER_PASSWORD}` in a Guacamole connection configuration to pull a secret from the Keeper vault, where the `USER` is the username provided to Cloudron, and is passed to Guacamole by the OIDC connection. If the credential is in the user's Keeper Vault, they can establish a token to pull from their own vault.
-
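The token expansion discussed in this thread (the original post's `${GUAC_USERNAME}` / `${GUAC_PASSWORD}` failure under OIDC, and the blank-password and Keeper-token workarounds in the post above), as an added Python model. This is example code written for this thread; it is not Guacamole's own token filter nor the Cloudron package's code. It assumes three things that the thread does not state: that a token with no value is passed through literally to the RDP parameter, that `$${NAME}` escapes a token, and that the vault extension looks up the entry by the logged-in username. All hostnames, usernames, passwords and vault entries below are constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# ${NAME}, with an optional extra leading '$' treated as an escape ($${NAME}).
# Assumption for this model: escaping works this way in Guacamole.
TOKEN_RE = re.compile(r"(\$?)\$\{([A-Za-z0-9_]+)\}")


def filter_tokens(value: str, tokens: Dict[str, str]) -> Tuple[str, List[str]]:
    """Expand ${NAME} references inside one connection parameter.

    Returns the expanded string plus the names of tokens that had no value.
    Assumption: an unknown token is left in place verbatim, so a password
    parameter of '${GUAC_PASSWORD}' stays literal when no password is known.
    """
    unresolved: List[str] = []

    def substitute(match: "re.Match[str]") -> str:
        escape, name = match.group(1), match.group(2)
        if escape:                       # '$${NAME}' -> literal '${NAME}'
            return "${" + name + "}"
        if name in tokens:
            return tokens[name]
        unresolved.append(name)
        return match.group(0)            # pass the token through unchanged

    return TOKEN_RE.sub(substitute, value), unresolved


def session_tokens(method: str, username: str, password: Optional[str] = None,
                   vault: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Tokens available for a session, modelled on the cases in the thread.

    'ldap': Guacamole validated the password itself, so GUAC_PASSWORD exists.
    'oidc': the identity provider validated the password; Guacamole only gets
            an identity assertion, so GUAC_PASSWORD is never populated.
    vault:  a constructed stand-in for the Keeper extension; KEEPER_USER_PASSWORD
            is filled from the entry keyed by username (assumption).
    """
    if method not in ("ldap", "oidc"):
        raise ValueError("unknown login method: " + method)
    tokens = {"GUAC_USERNAME": username}
    if method == "ldap" and password is not None:
        tokens["GUAC_PASSWORD"] = password
    if vault and username in vault:
        tokens["KEEPER_USER_PASSWORD"] = vault[username]
    return tokens


def resolve_rdp_connection(params: Dict[str, str], tokens: Dict[str, str]
                           ) -> Tuple[Dict[str, str], Dict[str, List[str]], str]:
    """Expand every parameter and classify what happens to the password field."""
    resolved: Dict[str, str] = {}
    unresolved: Dict[str, List[str]] = {}
    for key, value in params.items():
        resolved[key], missing = filter_tokens(value, tokens)
        if missing:
            unresolved[key] = missing
    if "password" in unresolved:
        outcome = "auth-failure: literal token would be sent as the password"
    elif resolved.get("password", "") == "":
        outcome = "prompt: Guacamole asks the user for the password at connect time"
    else:
        outcome = "ok: password supplied from session tokens"
    return resolved, unresolved, outcome


# Constructed connection definitions (not from the thread).
RDP_PARAMS = {
    "hostname": "rds.example.internal",
    "username": "${GUAC_USERNAME}",
    "password": "${GUAC_PASSWORD}",
}
RDP_PARAMS_PROMPT = dict(RDP_PARAMS, password="")
RDP_PARAMS_VAULT = dict(RDP_PARAMS, password="${KEEPER_USER_PASSWORD}")


def demo() -> Dict[str, str]:
    """Run the four scenarios from the thread and return their outcomes."""
    vault = {"alice": "vault-secret"}          # constructed Keeper stand-in
    cases = {
        "ldap":        (RDP_PARAMS,        session_tokens("ldap", "alice", "pw1")),
        "oidc":        (RDP_PARAMS,        session_tokens("oidc", "alice")),
        "oidc-prompt": (RDP_PARAMS_PROMPT, session_tokens("oidc", "alice")),
        "oidc-vault":  (RDP_PARAMS_VAULT,  session_tokens("oidc", "alice", vault=vault)),
    }
    return {name: resolve_rdp_connection(p, t)[2] for name, (p, t) in cases.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12s} {outcome}")
```

The point the model makes explicit is that the failure is not a broken token but a missing value: an OIDC login never gives Guacamole the password, so there is nothing to substitute, and whatever the filter does with an unresolvable token cannot be a valid credential. The two workarounds either avoid the password parameter entirely (blank, prompting the user) or source it from a token that an extension can populate.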
Thanks @blanghoff, @BrutalBirdie and @james for your responses. I'm going to work through this information and see what I can come up with. I will report back on my progress. Thanks again.