Tags: certificate, rdp, guacamole, freerdp

How to get Guacamole working with RDP Certificate?


I've spent a lot of time trying to configure a RDP connection without using Ignore server certificate = true. The connection always fails.

[screenshot: RDP Failed]

I have a Windows Server 2022 with a certificate issued by my PKI and I installed the CA root certificate in $HOME/.freerdp/certs directory but nothing works. Do I miss a step ?

systemctl status guacd:

guacd[9091]: Resize method: none
guacd[9091]: No clipboard line-ending normalization specified. Defaulting to preserving the format of all line endings.
guacd[9091]: User "@c28ba2ca-53a8-420f-8259-2950f6344169" joined connection "$b552c27f-b754-440b-8a96-f7e16aa5d994" (1 users now present)
guacd[9091]: Loading keymap "base"
guacd[9091]: Loading keymap "en-us-qwerty"
guacd[9091]: Certificate validation failed
guacd[9091]: RDP server closed/refused connection: SSL/TLS connection failed (untrusted/self-signed certificate?)
guacd[9091]: User "@c28ba2ca-53a8-420f-8259-2950f6344169" disconnected (0 users remain)
guacd[9091]: Last user of connection "$b552c27f-b754-440b-8a96-f7e16aa5d994" disconnected
guacd[902]: Connection "$b552c27f-b754-440b-8a96-f7e16aa5d994" removed.

I tried writing to $HOME/.freerdp/certs/known_hosts2 manually and it works; however, that's not really an option since I would have to do it for all the machines...

Has anyone ever been able to get it working? I searched for hours on the Internet, but no one mentioned a solution other than ignoring the server certificate.

Versions: FreeRDP2-dev, Guacamole 1.5.5


Solution

    After a while, I found a solution and also why it didn't work.

    The reason:

    By default, even if you issue a certificate from your PKI/Root CA, Windows won't use it for RDP connections and will instead use its own self-signed certificate. I found that out by using Remmina and checking the known_hosts2 file.

    The solution:

    Let's start with Guacamole. Export your Root CA from your PKI or from a server, it doesn't matter, and copy it to /usr/local/share/ca-certificates on your Guacamole server. Once this is done, run sudo update-ca-certificates. And that's all for Guacamole.

    Now, Windows. Here you will have to change the default certificate. For that you have two options:

    For the next part, I used this post, which I found really good: https://aventistech.com/2019/08/08/replace-rdp-default-self-sign-certificate/

    How to do it:

    Personally, I did it with a GPO and it works really well. The only difference is that I created a new GPO and used a template that was already in place.

    Here is a short version of what I did. If you want the full version, use the link above.

    "Go to Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Server Authentication Certificate Template and enter the Template Name that you created"

    "Go to Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require use of specific security layer for remote (RDP) connections and change the Security Layer to SSL"

    After that, execute gpupdate /force and Restart-Service TermService -force. Finally, restart the server or computer.

    Once this is done, Guacamole will be able to connect with ignore server certificate = false.
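A way to confirm the result of the procedure above, added here as an example and not part of the answer or of the Guacamole/FreeRDP projects: the script below performs the X.224 connection request that every RDP client sends first (asking the server for the TLS security layer), then runs a TLS handshake with Python's standard `ssl` module and validates the certificate the RDP listener presents. It uses only the standard library; the host name, port and the optional CA file path are assumptions passed in by the caller. With `ca_file=None` it validates against the OS trust store, which is where `update-ca-certificates` installs the exported root CA, so a `chain_ok` result from the guacd box means guacd's own OpenSSL will accept the certificate too. The two OpenSSL verify messages that matter here are mapped to the two steps of the answer: "self-signed certificate" means Windows is still serving its default certificate (the GPO has not taken effect), while "unable to get local issuer certificate" means the root CA is not in the trust store being used.

```python
"""Check which certificate a Windows RDP listener presents and whether it
chains to a trusted CA.  Added example; assumes a reachable RDP host and,
optionally, a PEM file holding the exported root CA."""
import socket
import ssl
import struct

# requestedProtocols flags from MS-RDPBCGR RDP_NEG_REQ
PROTOCOL_SSL = 0x00000001     # TLS security layer
PROTOCOL_HYBRID = 0x00000002  # CredSSP / NLA, which also runs inside TLS


def build_x224_connection_request(requested_protocols=PROTOCOL_SSL | PROTOCOL_HYBRID):
    """TPKT header + X.224 Connection Request carrying an RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)  # type, flags, length, protocols
    # CR TPDU code 0xE0, DST-REF 0, SRC-REF 0, class 0, then the negotiation request
    x224 = bytes([0xE0, 0x00, 0x00, 0x00, 0x00, 0x00]) + neg_req
    x224 = bytes([len(x224)]) + x224          # length indicator excludes itself
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(x224))
    return tpkt + x224


def parse_x224_connection_confirm(data):
    """Return ('selected', protocol) for RDP_NEG_RSP, ('failure', code) for
    RDP_NEG_FAILURE, or ('legacy', None) when the server sends no negotiation
    data at all (old servers that only speak standard RDP security)."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length mismatch")
    li = data[4]
    if data[5] & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    body = data[11:5 + li]
    if not body:
        return ("legacy", None)
    if len(body) < 8:
        raise ValueError("truncated RDP_NEG structure")
    neg_type, _flags, length, value = struct.unpack("<BBHI", body[:8])
    if length != 8:
        raise ValueError("bad RDP_NEG length")
    if neg_type == 0x02:
        return ("selected", value)
    if neg_type == 0x03:
        return ("failure", value)
    raise ValueError(f"unexpected negotiation type {neg_type:#x}")


def diagnose(verify_message):
    """Map the OpenSSL verify message to the step of the fix it points at."""
    msg = (verify_message or "").lower()
    if "self" in msg and "signed" in msg:
        return "server still presents its default self-signed RDP certificate: GPO template not applied yet"
    if "local issuer" in msg:
        return "root CA not found in the trust store used here: copy it to /usr/local/share/ca-certificates and run update-ca-certificates"
    if "hostname" in msg or "ip address mismatch" in msg:
        return "certificate name does not match: connect using the FQDN on the certificate"
    return "see verify message"


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during X.224 exchange")
        buf += chunk
    return buf


def describe_rdp_certificate(host, port=3389, ca_file=None, timeout=5.0):
    """Negotiate TLS with the RDP listener and validate its certificate.
    ca_file=None uses the OS trust store (what guacd/FreeRDP use via OpenSSL)."""
    result = {"host": host, "chain_ok": False, "error": None, "hint": None,
              "subject": None, "issuer": None, "not_after": None}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_x224_connection_request())
        header = _recv_exact(sock, 4)
        reply = header + _recv_exact(sock, struct.unpack(">H", header[2:4])[0] - 4)
        kind, value = parse_x224_connection_confirm(reply)
        if kind != "selected" or not value & (PROTOCOL_SSL | PROTOCOL_HYBRID):
            result["error"] = f"server did not select TLS ({kind}, {value!r})"
            return result
        ctx = ssl.create_default_context(cafile=ca_file)   # CERT_REQUIRED, hostname check on
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
        except ssl.SSLCertVerificationError as exc:
            result["error"] = exc.verify_message
            result["hint"] = diagnose(exc.verify_message)
            return result
    result["chain_ok"] = True
    result["subject"] = dict(x[0] for x in cert.get("subject", ()))
    result["issuer"] = dict(x[0] for x in cert.get("issuer", ()))
    result["not_after"] = cert.get("notAfter")
    return result


if __name__ == "__main__":
    import sys
    target = sys.argv[1]                                  # e.g. the RDP host's FQDN (assumed)
    ca_path = sys.argv[2] if len(sys.argv) > 2 else None  # e.g. /usr/local/share/ca-certificates/root-ca.crt (assumed)
    print(describe_rdp_certificate(target, ca_file=ca_path))
```

Run it from the guacd host with the same FQDN you put in the Guacamole connection, before and after `gpupdate /force` and the TermService restart: the `error`/`hint` pair should move from the self-signed message to a `chain_ok` result whose `issuer` is your PKI's CA. Only the X.224 negotiation and the TLS handshake take place; no RDP session or credentials are involved.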