Add RDP security mode override for hosts that reject auto-negotiated security

Claude 2026-06-22 13:26:06 +00:00
parent 903645e789
commit 9578820bbd
No known key found for this signature in database
2 changed files with 9 additions and 2 deletions


@ -72,7 +72,7 @@ export async function guacamoleRoutes(app: FastifyInstance) {
return
}
const { protocol, hostname, port, username, domain } = target.config
const { protocol, hostname, port, username, domain, security } = target.config
const settings: Record<string, unknown> = { hostname, username, password: target.secrets.password ?? '' }
if (port) settings.port = port
if (domain) settings.domain = domain
@ -80,7 +80,13 @@ export async function guacamoleRoutes(app: FastifyInstance) {
// (via guacd) rejects those by default, so trust them rather than failing the
// connection. There's no MITM concern here since ArchNest connects directly to
// a hostname/IP the user configured themselves.
if (protocol === 'rdp') settings['ignore-cert'] = 'true'
if (protocol === 'rdp') {
settings['ignore-cert'] = 'true'
// Defaults to "any" (auto-negotiate) unless overridden in Settings; some RDP
// hosts enforce NLA and reject "any" with "Server refused connection (wrong
// security type?)", so let the user pin it explicitly.
settings.security = security || 'any'
}
const token = new Crypt(CRYPT_CYPHER, CRYPT_KEY).encrypt({
connection: { type: protocol, settings },
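Review bot: `settings.security = security || 'any'` forwards whatever string is stored in `target.config.security` straight to guacd, and the matching field added in the second file is free text, so a typo or unexpected value only shows up as a failed connection. Check the value against the modes guacd accepts before use, e.g. `const RDP_SECURITY = new Set(['any', 'nla', 'nla-ext', 'tls', 'vmconnect', 'rdp'])` and `settings.security = typeof security === 'string' && RDP_SECURITY.has(security) ? security : 'any'`. Separately, keeping `any` as the default next to `ignore-cert` means the mode is whatever gets negotiated and the peer's certificate is not checked, so the existing comment's "no MITM concern" holds only when the network path to the host is trusted; the comment should say that, or the default should be `nla` where hosts support it. `guacamoleRoutes` starts and ends outside these hunks, so any upstream validation of `target.config` is not visible here.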


@ -88,6 +88,7 @@ const integrationTypeDefs: { type: string; name: string; multiInstance?: boolean
{ key: 'username', label: 'Username' },
{ key: 'domain', label: 'Domain (RDP only)' },
{ key: 'password', label: 'Password', secret: true },
{ key: 'security', label: 'Security Mode (RDP only — any / nla / tls / rdp)', placeholder: 'any', hint: '"Server refused connection (wrong security type?)" usually means the target enforces NLA — try setting this to "nla".' },
] },
]