Overview
We log into Gucamole with a User from DomainA where we select a rdp-connection to a server from DomainB.
Trusts
DomainA to DomainB and vice versa:
- Type: External
- Kerberos AES Encryption support: no
- Direction: two-way
- Transitivity: no
- Authentication: Domain-wide
Permissions
User from DomainA has been joined to the local Remote Desktop Users group on the Server from DomainB. Have temporarily also tried with the local Administrators group.
Guacamole
The whole setup was not done by me and i don't have a lot of insight since it is managed by another team. What I know is that it works fine with a User from DomainA to a Server from DomainA. Users log into it with the upn and use 2FA by OpenOTP. If you guys think it would help to share some configurations of Guacamole let me know what you want to see and I check with the team.
Connections on Guacamole
- protocol: rdp
- hostname: ip of server from DomainB
- port: 3389
- username: ${GUAC_USERNAME}
- password: ${GUAC_PASSWORD}
- domain: blank
- security mode: NLA
- disable authentication: no
- ignore server certificate: yes
- everything else is set to default / not configured
Of course have we tried multiple different settings.
Symptoms
Now here is what happens.
- I log into Guacamole with the User from DomainA
- receive OpenOTP push and confirm
- am logged into Guacamole and select the connection to the server of DomainB
- receive error message:
The remote desktop server is currently unreachable. If the problem presists, please notify your system administrator, or check your system logs.
- after a few retrys I sometimes get this message:
This connection has been closed because the server is taking too long to respond. This is usually cuased by network problems, such as a spotty wireless signal, or slow network speeds. Please check your network connection and try again or contact your system administrator.
- and now comes the funny part that drives me crazy: I am able to log into the server of DomainB with the User from DomainA via direct rdp and if I do so, keep the connection open and start the connection on Guacamole, I am able to take over the session!!
Logs
Guacamole Logs show absolutely nothing useful.
Windows Security Log shows this event on the login error:
EventID 4625, Logon
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: User (correct)
Account Domain: DomainA (correct)
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xC000005E
Sub Status: 0x0
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: f7054e3b9dd7
Source Network Address: Guacamole-Server-IP
Source Port: 0
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Troubleshooting
Now at this point I don't know where to set my next focus. We have tried multiple settings on the Guacamole rdp connection. Did a lot of research online but were not able to find examples with information where someone tries the same thing as we do. Since regular rdp works fine we think our trusts and permissions should be fine.
Can you guys give me any hints in which direction I should investigate?
Does someone use Guacamole in a similar setup?
Edit Additional Event Viewer info suggested from User Swisstone:
RemoteDesktopServices-RdpCoreTS
08:38:23 Info: The server accepted a new TCP connection from client *Guacamole-IP*:53494.
08:38:23 Info: Connection RDP-Tcp#78 created
08:38:23 Info: Interface method called: PrepareForAccept
08:38:23 Info: Interface method called: SendPolicyData
08:38:23 Info: PerfCounter session started with instance ID 78
08:38:23 Warning: TCP socket was gracefully terminated
08:38:23 Info: Interface method called: OnDisconnected
08:38:23 Info: The server has terminated main RDP connection with the client.
08:38:23 Info: During this connection, server has not sent data or graphics update for 0 seconds (Idle1: 0, Idle2: 0).
08:38:23 Info: Channel rdpinpt has been closed between the server and the client on transport tunnel: 0.
08:38:23 Info: Channel rdpcmd has been closed between the server and the client on transport tunnel: 0.
08:38:23 Info: Channel rdplic has been closed between the server and the client on transport tunnel: 0.
08:38:23 Info: The disconnect reason is 14
TerminalServices-LocalSessionManager
nothing during this time
TerminalServices-RemoteConnectionManager
nothing during this time
Forgot to mention, the Server is 2019 Version 1809
Edit2
Ok, I got it working now by changing the security mode on the connection to tls. I remember having tried tls before when it was not working. Maybe some of the changes I did during the whole troubleshooting process made the difference. By now I can't tell what it was.
I came to this "solution" by randomly trying different options to connect using freerdp after I discovered that it is used by guacamole for rdp connections.
Does someone see any concerns in using tls instead of nla in this case?
I got the whole thing working for me and am here concluding the information I've gathered on this way:
Trust
The Trust as posted in my question works just fine for this purpose. I'm sure some other options would work too.
Permissions
User in DomainA is member of a UniversalGroup of DomainA. This UniversalGroup is member of a LocalGroup in DomainB which is member of the local Administrator Group of the destination Server.
Guacamole
We use the upn for login, have set up the connection as following:
Network
Make sure connections between the Domain Controllers are allowed: How to configure a firewall for Active Directory domains and trusts
If you want to brows GC of DomainA from Server of DomainB allow LDAP ports for this connection.
Remains unknown to me
If NLA would be an advantage and how I would get it to work.
For now I'll keep it the way it is.
Edit
By now I'm pretty sure I'd need a Forest trust to use NLA the way I try to log into the server (UPN)
Edit2
Am now 100% sure I'd need a Forest trust for RDP with NLA using UPN. Found one, tested, worked.