guacamole-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mike Jumper <>
Subject Re: Apache front end with HTTP Basic authentication Windows AD LDAP - username and password tokens
Date Sat, 05 Nov 2016 06:34:18 GMT
On Mon, Oct 31, 2016 at 6:51 AM, Patrick L Archibald (PLA) ☮ <> wrote:

> Hi,
> Our Intranet is an Apache front end configured with HTTP Basic
> authentication via LDAP to a Windows AD. Apache uses ProxyPass
> websocket-tunnel to the Guac Tomcat application server.
> I would like to pass the HTTP Basic authentication user name and
> password to Windows 2008 R2 RDS VMs and Windows 7 VMs.

Guacamole will do this automatically, at least in part. If the
"Authorization" header is present from HTTP Basic authentication,
Guacamole's authentication system will automatically pull the username and
password and pass them to installed authentication extensions.

> I had noauth-config.xml configured like so:

If you want usernames or passwords to have any meaning, using NoAuth (the
extension which effectively neuters the authentication system) is
definitely not the way to go. More on this below.

> Before I roll my own authentication, is there a BASIC_USERNAME and
There are no such tokens, but if there is no true separation of identity
between the user authenticating via HTTP Basic and the user authenticating
with the RDP server, I think it would be a mistake to try to force such a
separation within Guacamole. It would be better to embrace Guacamole's
concept of a user and credentials, and allow the layers to communicate

For an arbitrary user X, you currently have the following layers, connected
in order:

1) Proxy (configured to verify and recognize user X)
2) Guacamole (configured to not recognize anyone thanks to NoAuth)
3) RDP (configured to verify and recognize user X)

The system here breaks down because the middle layer (Guacamole) has been
explicitly configured to not care about identity. What you should be doing
instead is:

1) Proxy (configured to verify and recognize user X)
2) Guacamole (configured to verify and recognize user X)
3) RDP (configured to verify and recognize user X)

If each layer is configured to verify and recognize the user in the same
way, then each layer will function as expected, including the behavior of
things like the ${GUAC_USERNAME} and ${GUAC_PASSWORD} tokens.

Any other suggestions?
I'd recommend using the LDAP authentication included with Guacamole, either
on its own or together with a database. As long as you configure the LDAP
authentication to use the same Windows AD server as your proxy, the
username/password within the HTTP Basic authentication will just magically
work, and users will not need to manually log in.

You would end up with a system which re-verifies the credentials provided,
and then pulls connection data from elsewhere. If eventually someone
manages to access your Guacamole server without going through your
authenticating proxy, Guacamole would itself enforce authentication, and
things remain secure.


- Mike

View raw message