RDP a different way, HTML5 and using Linux!
So for a while I have been trying to create a new lab which I may want to share with others to help their learning paths, whether that is my mentees or people in the community. The biggest hurdle we always hit is, well, licensing… oh, and of course security 🙂
My one goal is to have a lab on demand if I or others want to try something, building upon the AutoLabs and Terraform work I have done.
I decided to dedicate a little bit of time to this after seeing some recent great hands-on labs and started to debate whether I could do something similar. My other key criterion was to do as much of it with open source as possible. Well, after much tweaking and huffing I found a few solid scripts and tweaks to make this work. So a massive shout out to c-nergy.be (I wish I could find the author's name) and Chase Wright (MysticRyuujin) over on GitHub. Their work made this much easier and gave a simpler blog/installation process.
If you were doing this on a larger scale I would probably put the Guacamole server and NGINX proxy on a separate box, so just follow those bits once you have another server in place if needed. Either way, this is a lab so it's not 'production' ready 😀
The first step is deciding what OS to use for the desktop. I decided to settle on Ubuntu 20.10 (the desktop version) at the time of writing. There are many other dated guides that show you how to build this from the ground up with the server distribution, but I felt that the desktop version just saves me some time. A good example is here.
During the setup process I also found that the GUI version is just nice and easy to add to your domain, like so:
You may well get an error like the one below, and it's nearly always DNS. The best thing, if possible, is to have the DHCP pool in your lab pointing to your Active Directory server for DNS. That said, it's best to set a static IP if you can and ensure DNS is pointing to AD.
That said, you can do this after the install by following this guide here.
Once the OS has installed and started up it's best to get SSH installed so we can get to the box and use copy and paste with some of the commands rather than a console window.
```shell
sudo apt install openssh-server
```
Once this is done, SSH to your box with your tool of choice. I just use the built-in SSH tool on the Mac, but you may want to use PuTTY on Windows.
If you do not know the IP of the box you can use `ifconfig` or `ip a` to find it.
Once in, issue your first set of commands below:
```shell
wget https://www.c-nergy.be/downloads/xrdp-installer-1.2.2.zip
unzip xrdp-installer-1.2.2.zip
chmod +x xrdp-installer-1.2.2.sh
./xrdp-installer-1.2.2.sh
```
You may want to get a drink as this can take some time to install depending on the speed of your system. Once done, reboot the system.
From here you should now be able to log in with a local account via RDP to check this all works.
If you get a black screen this could be down to you not rebooting, or you have logged into the console session, which is a known bug from what I have seen. Also be patient the first time 🙂
If you try to log in over RDP with a domain user now you are going to get this error:
You need to fix the following file and amend the access_provider to simple:
```shell
sudo nano /etc/sssd/sssd.conf
```
Once this is done, restart the SSSD service:
```shell
sudo systemctl restart sssd.service
```
If you test this with an AD account now you should be able to get in. Remember you will need to use the full UPN or you will get an error.
So now we have RDP working, let's get on with the HTML interface.
Let's go grab the Guacamole script installer and get this working:
```shell
wget https://git.io/fxZq5 -O guac-install.sh
chmod +x guac-install.sh
sudo ./guac-install.sh
```
Follow the on-screen instructions with the options you want, and remember: nice secure passwords!
The install can also take some time, so again go grab a break.
Once this is done you need to edit the following file:
```shell
sudo nano /etc/guacamole/guacamole.properties
```
In this file you will need the following, but with your own details. The AD account password does not need to be the same as the MySQL password; keep them different so you can tell which account you are actually logged in with.
```properties
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: SuperSecureP@assw0rd!
# Auth provider class
auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
# LDAP properties (for security reasons, change ldap-encryption-method to ssl or tls; "none" is only for testing)
ldap-hostname: dc01.yourdomain.tld.com
ldap-port: 389
ldap-user-base-dn: CN=Users,DC=domain,DC=co,DC=uk
ldap-username-attribute: samAccountName
ldap-encryption-method: none
ldap-search-bind-dn: CN=guacadmin,CN=Users,DC=domain,DC=co,DC=uk
ldap-search-bind-password: SuperSecureP@assw0rd!
```
If you need to work out your LDAP strings, run this command in the Active Directory PowerShell module on a DC:
```powershell
Get-ADUser -Identity guacadmin
```
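Before you leave the lab-only values in that file, it is worth a quick check. The following is an added example (my own, not from the post's author or the Guacamole project): a small POSIX shell audit of guacamole.properties that flags the things the comments above warn about, namely clear-text LDAP, the MySQL and AD bind passwords being the same secret, and empty or placeholder passwords. It assumes the `key: value` layout shown above and treats the sample password from this post as a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a guacamole.properties
# file for lab-only settings before exposing Guacamole through the proxy.
# Assumes "key: value" lines as written above. Prints one line per finding
# and returns the number of findings, so an exit status of 0 means clean.

# Print the trimmed value of property KEY from FILE (first match only).
guac_prop() {
    awk -v k="$2" '$0 ~ ("^" k ":") {
        v = substr($0, length(k) + 2)
        sub(/^[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
        print v; exit
    }' "$1"
}

guac_props_audit() {
    f="$1"; findings=0
    enc=$(guac_prop "$f" ldap-encryption-method)
    port=$(guac_prop "$f" ldap-port)
    mysql_pw=$(guac_prop "$f" mysql-password)
    bind_pw=$(guac_prop "$f" ldap-search-bind-password)

    # "none" sends the bind DN and password to the DC in clear text.
    case "$enc" in
        ssl|tls) ;;
        *) echo "FINDING: ldap-encryption-method='$enc' (expected ssl or tls)"
           findings=$((findings + 1)) ;;
    esac
    # ssl means LDAPS, which normally listens on 636, not 389.
    if [ "$enc" = "ssl" ] && [ "$port" = "389" ]; then
        echo "FINDING: ldap-encryption-method=ssl but ldap-port=389 (LDAPS is usually 636)"
        findings=$((findings + 1))
    fi
    # The post recommends different secrets for MySQL and the AD bind account.
    if [ -n "$mysql_pw" ] && [ "$mysql_pw" = "$bind_pw" ]; then
        echo "FINDING: mysql-password and ldap-search-bind-password are identical"
        findings=$((findings + 1))
    fi
    # Empty values or the sample password from the post must not survive.
    for key in mysql-password ldap-search-bind-password; do
        case "$(guac_prop "$f" "$key")" in
            ""|"SuperSecureP@assw0rd!"|password|guacadmin)
                echo "FINDING: $key is empty or a placeholder"
                findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}
```

Run it as `guac_props_audit /etc/guacamole/guacamole.properties` after editing the file; a non-zero exit status lists what still needs changing.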
You now need to go and get the latest version of the LDAP auth plugin, extract the file and copy it to the Guacamole extensions folder:
```shell
wget https://mirrors.ukfast.co.uk/sites/ftp.apache.org/guacamole/1.3.0/binary/guacamole-auth-ldap-1.3.0.tar.gz
tar xvf guacamole-auth-ldap-1.3.0.tar.gz
cd guacamole-auth-ldap-1.3.0/
sudo cp guacamole-auth-ldap-1.3.0.jar /etc/guacamole/extensions/
ls /etc/guacamole/extensions/
```
If the file is there, restart the services to make sure this is picked up:
```shell
sudo systemctl restart tomcat9 guacd
```
So now what we need to do is check that this is all working. For me, I am using guacadmin as the AD account as well. To verify it's all working you need to go to Settings and then Users, and you should now see all your AD accounts. If you do not see this you have probably logged in with your local account, not the AD account, hence why I use different passwords.
To get to the Guacamole interface head to http://YOURIP:8080/guacamole/#/settings/users
Once you can see all your users we need to set up the first connection so that we can test that all this now works. You can set the connections up by selecting Connections. I first set up a group and then the connection; this way it's easier to assign this to the users. For now, I still need to find a way of mapping this to AD groups.
You will also need the variables like below and, if on a separate box, the DNS name or IP of the RDP host. If you do not add the full AD user (UPN), Ubuntu will not single sign this on, forcing your users to re-authenticate. I have to thank Travis Whitney's blog here for pointing me in the right direction, but he is using Windows 🙂
```
${GUAC_USERNAME}@yourUPN.domain
${GUAC_PASSWORD}
```
Now we want to assign this to a group for easy additions and updates to users.
Once this is done we need to assign this to a user.
So close now… so let's test it out 🙂 Log out of guacadmin and try your AD user. Also, the slowness is my lab; I am still trying to work out what is causing it 🙂
And there you go! Here is Linux RDP running over Chrome.
The only major final piece would be if you want to hide this behind a proxy; for this I use NGINX. To install it run the command below:
```shell
sudo apt install nginx
```
Once installed you will need to create the following file with the command below:
```shell
sudo nano /etc/nginx/conf.d/guacamole.conf
```
In this file put the following, substituting the domain name (or public domain) that clients will use to access this:
```nginx
server {
    listen 80;
    listen [::]:80;
    server_name guacamole.lab.virtualisedfruit.co.uk;
    access_log /var/log/nginx/guac_access.log;
    error_log /var/log/nginx/guac_error.log;

    location / {
        proxy_pass http://127.0.0.1:8080/guacamole/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_cookie_path /guacamole/ /;
    }
}
```
Finally, issue the following command to reload the server so it's listening on this configuration:
```shell
sudo systemctl reload nginx
```
Of course, if you are opening this up to the web you should secure it with SSL, and there is a great guide here to do that with Let's Encrypt under the Enable HTTPS section; Xiao Guoan does this part justice over at https://www.linuxbabe.com/
So what else do I want to try and get sorted?
- Maybe automate all of this via a script for use with things like Terraform or templates
- Work out how to use AD groups to validate user membership for easy adding of users
- Document the black screen issue a little more
- Maybe add some nice themes to the login page
- Try this out with SSH and Windows machines
I hope you enjoyed this as much as I did writing it after sifting through many blogs and forum posts. I hope it helps someone out there, and please also pass your kudos on to the people I referenced throughout the post.