Just a quick How To: Getting Guacamole to Authenticate users in Microsoft Active Directory

Keywords: Apache Guacamole - Virtual Machines - How to - Credentials
Description:
Getting Guacamole to Authenticate users in Microsoft Active Directory

A year ago we used your Apache Guacamole stack to get our users up and running remotely during the Covid-19 shutdowns. You guys were life savers, and it worked GREAT! Even though we had users working from home, my implementation of your stack still was not the best. I had concerns, but they were not related to your stack; they were more related to how my remote users accessed Guacamole…

We are currently working on a better way to deploy the Apache Guacamole stack for remote users. We are concurrently working on a VDI solution and are looking to use Guacamole as the user front end for the VDI so that it is the same no matter if they are on site or working remotely. To accomplish this, the first hurdle was to get Guac to use Microsoft’s Active Directory for authentication. Microsoft has deployed updates that have (possibly) set up your AD servers to require LDAPS instead of LDAP for queries. So I proceeded down that rabbit hole and tried setting up an internal CA, creating certificates, etc. I was never able to get Guac to authenticate successfully, even though I believe the certificates were all created and deployed properly. This had brought our project to a standstill, and it needed to get going again. In order to get the project moving, this is what I had to do:

Download guacamole-auth-ldap-1.3.0.jar
Copy guacamole-auth-ldap-1.3.0.jar to /opt/bitnami/guacamole/extensions
Modify /opt/bitnami/guacamole/guacamole.properties to include
ldap-hostname: <ip address of an AD server>
ldap-port: 389
ldap-username-attribute: sAMAccountName
ldap-user-base-dn: dc=<YourDomain>,dc=<yourDomain>
ldap-search-bind-dn: cn=<user>,ou=<orgUnit>,dc=<YourDomain>,dc=<yourDomain>
ldap-search-bind-password: <password>
ldap-encryption-method: none

From an administrative machine/account, open Group Policy Editor
Modify the following in the Default Domain Controllers Policy
Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options/Domain controller: LDAP server signing requirements = None
Run gpupdate from a CMD shell on the AD controller that is configured in the guacamole.properties file

This will disable the required use of LDAPS for queries, on ALL AD SERVERS!!! PLEASE GO BACK AND READ THAT AGAIN! If you require LDAPS for your environment, then you should not change the policy!!! If you are like me and it is not a requirement, then it will work, and then you can re-visit enabling the added security.

Just thought I would try and give back a little, especially since you guys helped me and my organization out immensely last year. Hope this little bit of information is helpful to someone. Once again, thanks for the great product/service and a huge thank you for putting it out there for the community to use for free! You guys are GREAT!
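An added lint script (not part of the post, Guacamole or Bitnami) that reads the LDAP settings from a guacamole.properties file as shown above, reports the cleartext bind and any mis-cased keys Guacamole would silently ignore, and produces the equivalent LDAPS configuration. The host, DN and password in the sample are constructed placeholders.

```python
import re

# Properties guacamole-auth-ldap reads; lookups are case-sensitive, so "Ldap-hostname" is ignored.
KNOWN_LDAP_KEYS = {
    "ldap-hostname", "ldap-port", "ldap-encryption-method", "ldap-user-base-dn",
    "ldap-username-attribute", "ldap-search-bind-dn", "ldap-search-bind-password",
    "ldap-config-base-dn", "ldap-group-base-dn", "ldap-member-attribute",
}
# Constructed sample mirroring the post's settings (host, DN and password are placeholders).
SAMPLE = """\
ldap-hostname: 10.0.0.5
ldap-port: 389
Ldap-username-attribute: sAMAccountName
ldap-user-base-dn: dc=example,dc=test
ldap-search-bind-dn: cn=guacsvc,ou=Service Accounts,dc=example,dc=test
ldap-search-bind-password: PLACEHOLDER
ldap-encryption-method: none
"""

def parse_properties(text):
    """Minimal Java .properties reader: 'key: value' or 'key=value', '#' and '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^:=\s]+)\s*[:=]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def lint_ldap(props):
    """Return findings: cleartext bind, ssl on a non-LDAPS port, keys Guacamole will ignore."""
    findings = []
    for key in props:
        if key.lower().startswith("ldap-") and key not in KNOWN_LDAP_KEYS:
            findings.append(f"'{key}' is not a recognised property; Guacamole ignores it")
    method, port = props.get("ldap-encryption-method", "none").lower(), props.get("ldap-port", "")
    if method == "none":
        findings.append("ldap-encryption-method none: bind password and user logins cross the network in cleartext")
    if method == "ssl" and port not in ("", "636"):
        findings.append(f"ldap-encryption-method ssl with ldap-port {port}; LDAPS normally uses 636")
    return findings

def hardened(props):
    """Same settings over LDAPS with mis-cased keys repaired (the DC's issuing CA must be in the Java truststore)."""
    fixed = {k.lower(): v for k, v in props.items() if k.lower() in KNOWN_LDAP_KEYS}
    fixed["ldap-encryption-method"] = "ssl"
    fixed["ldap-port"] = "636"
    return fixed
```

Run it against your own file with `lint_ldap(parse_properties(open(path).read()))`; an empty list means no finding.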

Hi @speace,

Thank you so much for taking the time to write this small tutorial and share it here, I’m sure it’ll help other users :slight_smile:

I’ll notify our documentation team to take it into account for future guides in our documentation. In order to help them, can you share the documentation guides you followed to configure Guacamole that way, so that they can include those references in the documentation as well?

Thanks

Jota,

In my many travels of trying to get LDAPS to work I found this page:

https://astrix.co.uk/news/2020/1/31/how-to-set-up-secure-ldap-for-active-directory

At the very bottom it tells you what GPO settings to change to disable Secure LDAP (LDAPS)

The rest is from the APACHE GUACAMOLE documentation and your documentation

I did forget to add ldap-user-base-dn: dc=,dc= in guacamole.properties

Thanks for the info again! :slight_smile: I’ll notify our documentation team.