From 9578820bbdbc81e624f2282f04a0ed8dcf051be3 Mon Sep 17 00:00:00 2001
From: Claude
Date: Mon, 22 Jun 2026 13:26:06 +0000
Subject: [PATCH] Add RDP security mode override for hosts that reject auto-negotiated security
---
 backend/src/routes/guacamole.ts | 10 ++++++++--
 src/pages/Settings.tsx | 1 +
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/backend/src/routes/guacamole.ts b/backend/src/routes/guacamole.ts
index 067b7c4..5a03d0d 100644
--- a/backend/src/routes/guacamole.ts
+++ b/backend/src/routes/guacamole.ts
@@ -72,7 +72,7 @@ export async function guacamoleRoutes(app: FastifyInstance) {
 return
 }
- const { protocol, hostname, port, username, domain } = target.config
+ const { protocol, hostname, port, username, domain, security } = target.config
 const settings: Record = { hostname, username, password: target.secrets.password ?? '' }
 if (port) settings.port = port
 if (domain) settings.domain = domain
@@ -80,7 +80,13 @@ export async function guacamoleRoutes(app: FastifyInstance) {
 // (via guacd) rejects those by default, so trust them rather than failing the
 // connection. There's no MITM concern here since ArchNest connects directly to
 // a hostname/IP the user configured themselves.
- if (protocol === 'rdp') settings['ignore-cert'] = 'true'
+ if (protocol === 'rdp') {
+ settings['ignore-cert'] = 'true'
+ // Defaults to "any" (auto-negotiate) unless overridden in Settings; some RDP
+ // hosts enforce NLA and reject "any" with "Server refused connection (wrong
+ // security type?)", so let the user pin it explicitly.
+ settings.security = security || 'any'
+ }
 const token = new Crypt(CRYPT_CYPHER, CRYPT_KEY).encrypt({
 connection: { type: protocol, settings },
diff --git a/src/pages/Settings.tsx b/src/pages/Settings.tsx
index 5681009..7cfe731 100644
--- a/src/pages/Settings.tsx
+++ b/src/pages/Settings.tsx
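Review bot: In the second guacamole.ts hunk (`@@ -80,7 +80,13`), `settings.security = security || 'any'` copies whatever is stored in `target.config.security` into the connection token without checking that it is a string or one of the modes the Settings label lists. Normalise it first, e.g. `const mode = typeof security === 'string' ? security.trim().toLowerCase() : ''`, and fail the request when a non-empty value is not one of `any`, `nla`, `tls`, `rdp`; silently falling back to `any` would undo a pin the user believes is in effect. Because `ignore-cert` remains unconditionally `'true'`, the server certificate is not validated in any mode, and `any` or `rdp` may additionally end up on legacy RDP encryption while `target.secrets.password` is sent, so the new comment should state that `nla` (or `tls`) is the preferred pin. The enclosing route handler starts and ends outside the hunk.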
@@ -88,6 +88,7 @@ const integrationTypeDefs: { type: string; name: string; multiInstance?: boolean
 { key: 'username', label: 'Username' },
 { key: 'domain', label: 'Domain (RDP only)' },
 { key: 'password', label: 'Password', secret: true },
+ { key: 'security', label: 'Security Mode (RDP only — any / nla / tls / rdp)', placeholder: 'any', hint: '"Server refused connection (wrong security type?)" usually means the target enforces NLA — try setting this to "nla".' },
 ] }, ]
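Review bot: The new `security` field is free text, so a mistyped value such as `NLA` or `nla ` is stored as entered and handed to the backend, and the label presents `rdp` on equal footing with `nla` and `tls` although it selects legacy RDP encryption, the weakest of the listed modes. If the field definition type supports an enumerated choice (its declaration is truncated in the hunk header and not visible here), use that instead of a text input. Otherwise extend the hint so the trade-off is visible where the value is chosen, for example by appending `Avoid "rdp" unless the host supports nothing else.` to the existing hint string. The `integrationTypeDefs` array begins outside the hunk.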