GUACAMOLE-2057: Add configuration parameters for supporting Kerberos authentication for RDP. by necouchman · Pull Request #581 · apache/guacamole-server

necouchman · 2025-04-27T01:41:19Z

Adds the required parameters to configure the FreeRDP library to force Kerberos and configure a couple of the parameters related to that, if required. I have tested the changes against both servers with NTLM still enabled and against one where NTLM is disabled, and it seems to work, but others should feel free to test.

I do need one bit of help with this - I have not added the detection of the Kerberos support to the configure.ac file, yet, as I'm struggling to figure out how to do that. In my mind, it needs 2-3 checks:

Check if FreeRDP contains support for the FreeRDP_AuthenticationPackageList setting. This is probably the biggest thing I'm struggling with, as this setting is part of an enum in one of the FreeRDP header files, but I'm having trouble finding any guidance on how to generate an autoconf check for an enum member? Any hints on the best way to do that would be appreciated.
Check if FreeRDP is built with Kerberos support. There's a flag in the FreeRDP buildconfig.h file, within the constant FREERDP_BUILD_CONFIG that shows WITH_KRB5=ON, but, again, I'm struggling with how to get autoconf to check for this, or identify a sane method or member to use with one of the other autoconf checks.

…authentication for RDP.

jbostoen · 2025-05-09T21:44:34Z


+    /**
+     * The authentication package to use based on the underlying FreeRDP support
+     * for alternatives to NTML. Currently FreeRDP2 only supports NTLM, while


Just a typo (NTML > NTLM)

corentin-soriano · 2026-03-24T07:56:48Z

+    switch(guac_settings->auth_pkg) {
+
+        case GUAC_AUTH_PKG_NTLM:
+            freerdp_settings_set_string(rdp_settings, FreeRDP_AuthenticationPackageList, "ntlm,!kerberos");
+            break;
+
+        case GUAC_AUTH_PKG_KERBEROS:
+            freerdp_settings_set_string(rdp_settings, FreeRDP_AuthenticationPackageList, "!ntlm,kerberos");
+            break;
+
+        case GUAC_AUTH_PKG_ANY:
+            freerdp_settings_set_string(rdp_settings, FreeRDP_AuthenticationPackageList, "ntlm,kerberos");
+            break;
+
+    }
+
+    if (guac_settings->kdc_url != NULL)
+        freerdp_settings_set_string(rdp_settings, FreeRDP_KerberosKdcUrl, guac_strdup(guac_settings->kdc_url));
+
+    if (guac_settings->kerberos_cache != NULL)
+        freerdp_settings_set_string(rdp_settings, FreeRDP_KerberosCache, guac_strdup(guac_settings->kerberos_cache));


The specific Kerberos code should only be enabled with FreeRDP >= 3.x to avoid compilation errors in 2.x.

mike-jumper · 2026-03-29T02:36:30Z

+     * When kerberos authentication is in use, the path to the kerberos ticket
+     * cache, relative to GUACAMOLE_HOME. If not specified, the default system
+     * cache of the underlying system on which guacd is running will be used.


It doesn't look to me like the path is evaluated relative to GUACAMOLE_HOME, but passed to FreeRDP unaltered (and then interpreted by FreeRDP relative to somewhere?).

mike-jumper · 2026-03-29T02:39:44Z

+    /**
+     * The authentication package to use based on the underlying FreeRDP support
+     * for alternatives to NTML. Currently FreeRDP2 only supports NTLM, while
+     * FreeRDP3 introduces support for Kerberos and continues to support NTLM.
+     * The default is to negotiate between guacd and the remote server.
+     */
+    IDX_AUTH_PKG,


Should this be part of the security parameter, rather than separate?

These are two different parameters. We may need to choose an explicit value for each

corentin-soriano · 2026-06-12T10:19:16Z

Check if FreeRDP contains support for the FreeRDP_AuthenticationPackageList setting. This is probably the biggest thing I'm struggling with, as this setting is part of an enum in one of the FreeRDP header files, but I'm having trouble finding any guidance on how to generate an autoconf check for an enum member? Any hints on the best way to do that would be appreciated.

This test seems to work:

if test "x${have_freerdp}" = "xyes"
then
    AC_CHECK_DECL([FreeRDP_AuthenticationPackageList],
                  [AC_DEFINE([HAVE_FREERDP_AUTHENTICATION_PACKAGE_LIST],,
                             [Defined if FreeRDP_AuthenticationPackageList is available])],,
                  [#include <freerdp/settings.h>])
fi

However, FreeRDP_AuthenticationPackageList seems to have been added for version 3.0.0 so I'm not sure if it's necessary to check it.

What needs to be removed are these assignments when not HAVE_SETTERS_GETTERS (freerdp 2.x):

rdp_settings->AuthenticationPackageList
rdp_settings->KerberosKdcUrl
rdp_settings->KerberosCache

settings.c: In function ‘guac_rdp_push_settings’:
settings.c:2019:25: error: ‘rdpSettings’ {aka ‘struct rdp_settings’} has no member named ‘AuthenticationPackageList’
 2019 |             rdp_settings->AuthenticationPackageList = "ntlm,!kerberos";
      |                         ^~
settings.c:2023:25: error: ‘rdpSettings’ {aka ‘struct rdp_settings’} has no member named ‘AuthenticationPackageList’
 2023 |             rdp_settings->AuthenticationPackageList = "!ntlm,kerberos";
      |                         ^~
settings.c:2027:25: error: ‘rdpSettings’ {aka ‘struct rdp_settings’} has no member named ‘AuthenticationPackageList’
 2027 |             rdp_settings->AuthenticationPackageList = "ntlm,kerberos";
      |                         ^~
settings.c:2033:19: error: ‘rdpSettings’ {aka ‘struct rdp_settings’} has no member named ‘KerberosKdcUrl’; did you mean ‘KerberosKdc’?
 2033 |     rdp_settings->KerberosKdcUrl = guac_strdup(guac_settings->kdc_url);
      |                   ^~~~~~~~~~~~~~
      |                   KerberosKdc
settings.c:2036:19: error: ‘rdpSettings’ {aka ‘struct rdp_settings’} has no member named ‘KerberosCache’; did you mean ‘KerberosKdc’?
 2036 |     rdp_settings->KerberosCache = guac_strdup(guac_settings->kerberos_cache);
      |                   ^~~~~~~~~~~~~
      |                   KerberosKdc
make[4]: *** [Makefile:1370: libguac_client_rdp_la-settings.lo] Error 1

GUACAMOLE-2057: Add configuration parameters for supporting Kerberos …

5c1032c

…authentication for RDP.

necouchman force-pushed the working/rdp-kerberos branch from 08026b5 to 5c1032c Compare May 3, 2025 12:28

jbostoen reviewed May 9, 2025

View reviewed changes

corentin-soriano reviewed Mar 24, 2026

View reviewed changes

mike-jumper reviewed Mar 29, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GUACAMOLE-2057: Add configuration parameters for supporting Kerberos authentication for RDP.#581

GUACAMOLE-2057: Add configuration parameters for supporting Kerberos authentication for RDP.#581
necouchman wants to merge 1 commit into
apache:mainfrom
necouchman:working/rdp-kerberos

necouchman commented Apr 27, 2025

Uh oh!

jbostoen May 9, 2025

Uh oh!

corentin-soriano Mar 24, 2026

Uh oh!

mike-jumper Mar 29, 2026 •

edited

Loading

Uh oh!

mike-jumper Mar 29, 2026

Uh oh!

corentin-soriano Jun 12, 2026

Uh oh!

corentin-soriano commented Jun 12, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

necouchman commented Apr 27, 2025

Uh oh!

jbostoen May 9, 2025

Choose a reason for hiding this comment

Uh oh!

corentin-soriano Mar 24, 2026

Choose a reason for hiding this comment

Uh oh!

mike-jumper Mar 29, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

mike-jumper Mar 29, 2026

Choose a reason for hiding this comment

Uh oh!

corentin-soriano Jun 12, 2026

Choose a reason for hiding this comment

Uh oh!

corentin-soriano commented Jun 12, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

mike-jumper Mar 29, 2026 •

edited

Loading