Advanced configuration properties within guacamole.properties
The guacamole.properties file, located within /etc/guacamole, is Guacamole’s main configuration file. Keeper Connection Manager provides a thoroughly-commented version of this configuration file, including example properties organized into logical sections with accompanying documentation.
The hostname and port of the machine hosting the guacd service, as well as whether that guacd service has been configured for SSL/TLS. By default, Guacamole will connect to guacd at port 4822 on localhost, and will not use SSL/TLS to do so.
guacd-hostname
localhost
The hostname of the machine hosting the guacd service.
guacd-port
4822
The port used by the guacd service.
guacd-ssl
false
Whether the guacd service has been configured for SSL/TLS.
The amount of time, in minutes, a Guacamole session may remain valid despite being inactive. By default, Guacamole sessions remain valid for 60 minutes.
api-session-timeout
60
The amount of time, in minutes, a Guacamole session may remain valid despite being inactive.
This setting affects Guacamole sessions only, not remote desktop sessions. To enforce limits on the duration of remote desktop sessions, you must change the relevant setting within your remote desktop server, such as the session time limit GPOs provided by the Windows RDP server. Guacamole considers a connected remote desktop session to be user activity, and does not attempt to define what constitutes an idle but connected remote desktop session.
It is unusual to need to change the request size limit (api-max-request-size):
File transfers within a remote desktop session are not affected by this limit.
Requests unrelated to file transfer should normally be well beneath the default limit (2 MB).
If you find yourself considering changing this property value, first investigate whether there may be any external factors causing the problem you're seeing, such as a reverse proxy, firewall, or browser extension. It is more common that the settings of the reverse proxy providing SSL termination need to be adjusted, and that no change needs to be made to Guacamole's request size limits whatsoever.
The maximum number of bytes to accept within the entity body of any particular HTTP request to Guacamole's internal REST API, including authentication requests. By default, HTTP requests made against the Guacamole web application are limited to 2 MB, excluding requests related to file transfer for a remote desktop session.
api-max-request-size
2097152
The maximum number of bytes to accept within the entity body of any particular HTTP request to the REST API, including authentication requests. This limit does not apply to files transferred within a remote desktop session. Specifying 0 disables request size limitations.
If setting this property intending to remove or lessen limitations on request sizes, be sure to check the settings of any reverse proxy providing SSL termination. Your reverse proxy may impose its own default limitations that will need to be overridden. For example, Nginx imposes a default limit of 1 MB per request.
If you have developed your own branding extension that overrides Guacamole's translation strings only for a subset of Guacamole's supported languages, you can force Guacamole to reduce the set of supported languages to only those languages you have modified. This is only necessary if you have developed your own branding. Branding extensions provided by Keeper Connection Manager as part of a Keeper Connection Manager subscription will update all supported languages.
allowed-languages
A comma-separated list of language keys for Guacamole's display language. If specified, only the listed languages will be made available to the user, and only the listed languages will be selected from automatically based on the user's browser's preferred language. By default, all defined languages will be available.
For example, to restrict Guacamole to only English and German, specify:
As English is the fallback language, used whenever a translation key is missing from the chosen language, English should only be omitted from this list if you are absolutely positive that no strings are missing from your custom translations.
In addition to the standard properties accepted by the web application, extensions may read additional properties which are specific to their own configuration needs. The guacamole.properties file included with Keeper Connection Manager contains comments which cleanly group configuration into distinct sections for each supported extension, along with example properties and documentation.
OpenID Connect Configuration Properties
TOTP Configuration Properties
UDS Enterprise Configuration Properties
Advanced configuration properties for SAML 2.0 SSO
The properties listed here are only applicable if SAML 2.0 authentication is being used. Support for SAML 2.0 authentication is installed using the kcm-guacamole-auth-saml package or enabled with the Docker installation. If using the keeper/guacamole Docker image, support for SAML 2.0 authentication is configured using environment variables.
saml-idp-metadata-url
The URI of the XML metadata file from the SAML Identity Provider that contains all of the information the SAML extension needs in order to know how to authenticate with the IdP. This URI can either be a remote server (e.g. https://) or a local file on the filesystem (e.g. file://). Often the metadata file contains most of the required properties for SAML authentication and the other parameters are not required.
saml-idp-url
The base URL of the SAML IdP. This is the URL that the SAML authentication extension will use to redirect when requesting SAML authentication. If the saml-idp-metadata-url property is provided, this parameter will be ignored. If the metadata file is not provided, this property is required.
saml-entity-id
The entity ID of the Keeper Connection Manager SAML client, which is generally the URL of the Keeper Connection Manager server, but is not required to be so. This property is required if either the saml-idp-metadata-url property is not specified, or if the provided metadata file does not contain the SAML SP Entity ID for the Keeper Connection Manager Client.
saml-callback-url
The URL that the IdP will use once authentication has succeeded to return to the Keeper Connection Manager web application and provide the authentication details to the SAML extension. The SAML extension currently only supports callback as a POST operation to this callback URL. This property is required.
saml-strict
Require strict security checks during SAML logins. This will ensure that valid certificates are present for all interactions with SAML servers and fail SAML authentication if security restrictions are violated. This property is optional, and will default to true, requiring strict security checks. This property should only be set to false in non-production environments during testing of SAML authentication.
saml-debug
Enable additional logging within the supporting SAML library that can assist in tracking down issues during SAML logins. This property is optional, and will default to false (no debugging).
saml-compress-request
Enable compression of the HTTP requests sent to the SAML IdP. This property is optional and will default to true (compression enabled).
saml-compress-response
Request that the SAML response returned by the IdP be compressed. This property is optional and will default to "true" (compression will be requested).
saml-group-attribute
The name of the attribute provided by the SAML IdP that contains group membership of the user. These groups will be parsed and used to map group membership of the user logging in, which can be used for permissions management within the Keeper Connection Manager Client, particularly when layered with other authentication modules. This property is optional, and defaults to “groups”.
saml-private-key-path
Path to a private key for use with connecting to an ID Provider which is configured to expect signed requests.
saml-x509-cert-path
Path to a certificate used to authenticate to an ID Provider which is configured to expect signed requests.
Keeper Connection Manager loads authentication extensions in order of priority, and evaluates authentication attempts in this same order. This has implications for how the login process behaves when an SSO extension is present:
If the SSO extension has priority:
Users that are not yet authenticated will be immediately redirected to the configured identity provider. They will not see a Keeper Connection Manager login screen.
If a non-SSO extension has priority:
Users that are not yet authenticated will be presented with a Keeper Connection Manager login screen. Additionally, links to the configured identity provider(s) will be available for users that wish to log in using SSO.
The default priority of extensions is dictated by their filenames, with extensions that sort earlier alphabetically having higher priority than others. This can be overridden by setting the extension-priority property within guacamole.properties.
Automatically redirecting all unauthenticated users
To ensure users are redirected to the SAML identity provider immediately (without a Keeper Connection Manager login screen), ensure the SAML extension has priority over all others:
Presenting unauthenticated users with a login screen
To ensure users are given a normal Keeper Connection Manager login screen and have the option to log in with traditional credentials or with SAML, ensure the SAML extension does not have priority:
Advanced configuration properties for Duo 2FA
The properties listed here are only applicable if Duo two-factor authentication is being used. Support for Duo two-factor authentication is installed using the kcm-guacamole-auth-duo package or enabled with the Docker installation. If using the keeper/guacamole Docker image, support for Duo two-factor authentication is configured using environment variables.
The API hostname, integration key, and secret key are provided for you by Duo when you registered Guacamole within Duo's "Admin" panel. Each of these values is required and is generated by Duo.
duo-api-hostname
The hostname of the Duo API endpoint to be used to verify user identities, generated by Duo when you registered Guacamole within Duo's "Admin" panel. This value can be found within the application details in the "API hostname" field.
duo-integration-key
The integration key provided for Guacamole by Duo when you registered Guacamole within Duo's "Admin" panel. This value can be found within the application details in the "Integration key" field.
duo-secret-key
The secret key provided for Guacamole by Duo when you registered Guacamole within Duo's "Admin" panel. This value can be found within the application details in the "Secret key" field.
An arbitrary and random key must be provided for communicating with the Duo service. This key MUST be manually generated and MUST BE AT LEAST 40 CHARACTERS.
duo-application-key
The arbitrary, random key to use when communicating with the Duo service.
Any random value containing at least 40 characters will suffice. To quickly grab 40 random characters from /dev/random:
Advanced configuration properties for Encrypted JSON Auth
The properties listed here are only applicable if encrypted JSON authentication is being used. Support for encrypted JSON authentication is installed using the kcm-guacamole-auth-json package. If using the keeper/guacamole Docker image, support for encrypted JSON authentication is instead configured using environment variables.
A shared secret key is used by systems generating JSON data to encrypt and sign the JSON, and by the Guacamole server to verify and decrypt received data. This key must be 128 bits, specified with 32 hexadecimal digits.
json-secret-key
The 128-bit secret key that will be used to encrypt and sign JSON sent to Guacamole for authentication, formatted as 32 hexadecimal digits. Received JSON will not be accepted unless it has been encrypted and signed using this key.
This key can be essentially anything as long as it is unpredictable. An easy way of generating such a key is to echo a passphrase through the "md5sum" utility. This is the technique OpenSSL itself uses to generate 128-bit keys from passphrases. For example:
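The following is an added example, not taken from the Keeper Connection Manager or Guacamole documentation. It covers both locally generated secrets described on this page, duo-application-key (at least 40 characters) and json-secret-key (32 hexadecimal digits), and checks the values stored in a properties file. The function names are hypothetical, and /dev/urandom is assumed as the random source.

```shell
#!/bin/sh
# Added example: generate and check the two locally generated secrets
# described on this page. Helper names are hypothetical; /dev/urandom is
# an assumed random source.

# duo-application-key: 40 random alphanumeric characters.
gen_duo_application_key() {
    # 1024 random bytes leave far more than 40 alphanumerics after filtering.
    head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 40
}

# json-secret-key: 128 bits of random data as 32 hexadecimal digits.
gen_json_secret_key() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# The passphrase technique the page describes: the MD5 digest of a passphrase
# is 32 hex digits. printf avoids hashing a trailing newline. The key is only
# as unpredictable as the passphrase it is derived from.
json_key_from_passphrase() {
    printf '%s' "$1" | md5sum | cut -d ' ' -f 1
}

# Print the value of property $1 from properties file $2.
# Accepts "name: value" and "name=value"; the last definition wins.
prop_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*[:=][[:space:]]*//p" "$2" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Return non-zero if either key is present in file $1 but malformed.
check_keys() {
    rc=0
    duo=$(prop_value duo-application-key "$1")
    json=$(prop_value json-secret-key "$1")
    if [ -n "$duo" ] && [ "${#duo}" -lt 40 ]; then
        echo "duo-application-key: ${#duo} characters, need at least 40" >&2
        rc=1
    fi
    if [ -n "$json" ] &&
        ! printf '%s' "$json" | grep -Eq '^[0-9A-Fa-f]{32}$'; then
        echo "json-secret-key: must be exactly 32 hexadecimal digits" >&2
        rc=1
    fi
    return $rc
}
```

After sourcing the file, gen_duo_application_key and gen_json_secret_key print candidate values, and check_keys /etc/guacamole/guacamole.properties verifies what was written.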
By default, received encrypted JSON will be accepted as long as it is valid and properly signed with the secret key. This can be further restricted to accept encrypted JSON only from machines which match a comma-separated list of trusted IP addresses and/or CIDR subnets.
json-trusted-networks
A comma-separated list of IP addresses and/or CIDR subnets which should be allowed to authenticate using encrypted JSON. By default, encrypted JSON is accepted without restriction from any address or subnet.
Advanced configuration properties for LDAP Authentication
The properties listed here are only applicable if LDAP authentication is being used. Support for LDAP authentication is installed using the kcm-guacamole-auth-ldap package. If using the keeper/guacamole Docker image, support for LDAP authentication is instead configured using environment variables.
The TCP connection details of the LDAP server, as well as whether encryption should be used.
ldap-hostname
hostname
localhost
The hostname/address of the LDAP server.
ldap-port
port
389, or 636 for LDAPS
The TCP port that the LDAP server is listening on.
ldap-encryption-method
encryption-method
none
The encryption method to use when communicating with the LDAP server. Valid encryption methods are:
none
(for unencrypted LDAP)
ssl
(for LDAP over SSL/TLS, also known as LDAPS)
starttls
(for STARTTLS)
The base DN of all Guacamole users within the LDAP directory, and the attribute which contains each user's username. If the username attribute is not part of the DN, a search DN will need to be provided, as well.
ldap-user-base-dn
user-base-dn
N/A
The base DN beneath which all relevant LDAP users may be found. If not using a search DN, this DN must be the common portion of the DN shared by all users to which the username attribute can be added.
ldap-username-attribute
username-attribute
uid
The attribute which contains the user's username. For OpenLDAP, the default value of "uid" is usually correct. For Active Directory, the correct value is typically "sAMAccountName", and a search DN will be needed due to indirect mapping of the username.
The DN and password of the user to bind as when searching for the DN of each user attempting to log in. If omitted, the DN of each user will be derived directly using the user base DN and username attribute.
ldap-search-bind-dn
search-bind-dn
The DN of the user that Guacamole should bind as when attempting to resolve the DN of an authenticating user (indirect username mapping). If omitted, the DN of each user will be derived directly from the base DN and username attribute. Note that the permissions associated with this account do not affect whether a user can see objects within the LDAP directory. Users, connections, etc. will only be visible to LDAP users if those users are granted permission to see those objects within LDAP.
ldap-search-bind-password
search-bind-password
The password that should be provided when Guacamole binds with the given search DN in order to resolve the DN of an authenticating user.
The base DN of all Guacamole user groups within the LDAP directory, and the attribute which contains each group's name. If storing connection information within LDAP, the provided base DN must also contain any groups that may be referenced within "guacConfigGroup" objects using the "seeAlso" attribute.
ldap-group-base-dn
group-base-dn
N/A
The base DN beneath which all relevant LDAP groups may be found. This tree will be searched using the user's own credentials to determine their group memberships upon login.
If storing connection information within LDAP, this must also be the base DN of the LDAP directory subtree that should be searched for "guacConfigGroup" memberships specified using the "seeAlso" attribute.
ldap-group-name-attribute
group-name-attribute
cn
The attribute which contains the group's name. For most LDAP servers, including Active Directory, the default value of "cn" is usually correct.
The base DN for all Guacamole connections defined directly within the LDAP directory using "guacConfigGroup" objects. The LDAP schema files for "guacConfigGroup" objects can be found within /usr/share/guacamole-auth-ldap/schema in both LDIF and .schema format. Note that storing connections directly within the LDAP directory is optional. If connections will not be stored within the directory, this base DN should not be provided.
ldap-config-base-dn
config-base-dn
The base DN of the LDAP subtree that should be searched for connections stored directly within the directory ("guacConfigGroup" objects). If connections are not being stored within the LDAP directory (no schema changes have been applied), this property should not be specified.
The maximum number of LDAP search results which can be returned by a single query. LDAP searches which exceed this limit will fail.
ldap-max-search-results
max-search-results
1000
The maximum number of LDAP search results to retrieve via a single query. By default, LDAP searches are limited to returning a maximum of 1000 entries.
Arbitrary LDAP user attributes may be used to dynamically affect the behavior of connections based on the user accessing them. When a user authenticates with LDAP and subsequently accesses a particular Guacamole connection, the values of these attributes will be made available as parameter tokens and applied to the parameters of the connection. If the attribute has no value for the current user, then the corresponding token is not applied. If the attribute has multiple values, then the first value of the attribute is used.
These attributes must be configured for use as parameter tokens ahead of time by being explicitly listed within /etc/guacamole/guacamole.properties. By default, no LDAP user attributes are made available as parameter tokens.
ldap-user-attributes
user-attributes
The attribute or attributes to retrieve from the LDAP directory for users that authenticate using LDAP, separated by commas. If specified, the attributes listed here are retrieved from each authenticated user and dynamically applied to the parameters of that user's connections as parameter tokens with the prefix "LDAP_".
When converting an LDAP attribute name into a parameter token name, the name of the attribute is transformed into uppercase with each word separated by underscores, a naming convention referred to as "uppercase with underscores" or "screaming snake case". For example:
lowercase-with-dashes
${LDAP_LOWERCASE_WITH_DASHES}
CamelCase
${LDAP_CAMEL_CASE}
headlessCamelCase
${LDAP_HEADLESS_CAMEL_CASE}
lettersAndNumbers1234
${LDAP_LETTERS_AND_NUMBERS_1234}
aRANDOM_mixOf-3NAMINGConventions
${LDAP_A_RANDOM_MIX_OF_3_NAMING_CONVENTIONS}
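The naming convention above can be approximated with a few sed substitutions. This is an added example, not Guacamole's own code: it reproduces the five conversions listed on this page, and the function names ldap_token_name and ldap_tokens_for are hypothetical.

```shell
#!/bin/sh
# Added example: approximate the attribute-name to token-name conversion
# described above. Not Guacamole's implementation; function names are
# hypothetical. Word boundaries are inserted, then the result is uppercased.

# Print the parameter token for a single LDAP attribute name.
ldap_token_name() {
    name=$(printf '%s\n' "$1" | sed -E \
        -e 's/([a-z0-9])([A-Z])/\1_\2/g' \
        -e 's/([A-Z]+)([A-Z][a-z])/\1_\2/g' \
        -e 's/([A-Za-z])([0-9])/\1_\2/g' \
        -e 's/([0-9])([A-Za-z])/\1_\2/g' \
        -e 's/[^A-Za-z0-9]+/_/g' | LC_ALL=C tr 'a-z' 'A-Z')
    # Rules, in order: lower/digit followed by upper ("camelCase"),
    # an uppercase run followed by a capitalized word ("NAMINGConventions"),
    # letter/digit boundaries in both directions, and finally any run of
    # other characters (dashes, underscores) collapsed to one underscore.
    printf '${LDAP_%s}\n' "$name"
}

# Print "attribute = token" for each entry of a comma-separated
# ldap-user-attributes value, ignoring surrounding whitespace.
ldap_tokens_for() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r attr; do
        attr=$(printf '%s' "$attr" |
            sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        if [ -n "$attr" ]; then
            printf '%s = %s\n' "$attr" "$(ldap_token_name "$attr")"
        fi
    done
}
```

Running ldap_tokens_for against the value planned for ldap-user-attributes shows which token names to reference in connection parameters before the property is deployed.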
The search filter which should be used to retrieve lists of users or groups from the LDAP directory. By default, a filter which matches all objects is used, and the only restriction is given through the relevant base DN. If you need to narrow the lists of users or groups further, the default filter can be overridden.
If overriding a search filter, be sure that the filter is a valid LDAP filter. In particular, an LDAP filter must be enclosed in a matching pair of parentheses. If unsure whether your filter is valid, or if seeing unexpected results, it can be helpful to verify your filter against your LDAP server using a command-line utility like "ldapsearch".
ldap-user-search-filter
user-search-filter
(objectClass=*)
The search filter which should be used to retrieve the list of users from the LDAP directory. If a search DN is used (indirect user mapping), this filter will also restrict the users that can log into Guacamole.
ldap-group-search-filter
group-search-filter
(objectClass=*)
The search filter which should be used to retrieve the list of groups that may be used by other extensions to define permissions.
Whether (and how) Guacamole should follow LDAP aliases or referrals when encountered during an LDAP query. By default, Guacamole will not dereference aliases and will not follow referrals.
ldap-dereference-aliases
dereference-aliases
never
The method that Guacamole should use to dereference LDAP aliases, if at all. Legal alias dereferencing modes are:
never
(do not dereference aliases at all)
searching
(dereference aliases only after the search base has been found)
finding
(dereference aliases only when finding the search base)
always
(dereference aliases in all cases)
ldap-follow-referrals
follow-referrals
false
If set to "true", referrals received from the LDAP directory will be automatically followed. By default, referrals are not followed.
ldap-max-referral-hops
max-referral-hops
5
The maximum number of referrals to follow before aborting an LDAP query. This property only has an effect if LDAP referral following is enabled. If referral following is enabled, it is limited to 5 hops by default.
Advanced configuration properties for MySQL
The properties listed here are only applicable if MySQL authentication is being used. Support for MySQL authentication is installed using the kcm-guacamole-auth-jdbc-mysql package. If using the keeper/guacamole Docker image, support for MySQL authentication is instead configured using environment variables.
Minimum password length and complexity
Minimum/maximum password age
Password reuse prevention
Database concurrent connection limits
General connection concurrency limits
Per-user concurrency limits
Absolute concurrency limits
The TCP connection details for the MySQL / MariaDB database.
mysql-hostname
localhost
The hostname of the database server.
mysql-port
3306
The port of the MySQL or MariaDB service running on the database server.
The name of the database to use, as well as the credentials to use when connecting to the database. These properties are required if one of the database authentication extensions will be used.
mysql-database
The name of the database that Guacamole should issue queries against.
mysql-username
The username of the user that Guacamole should use to connect to the database.
mysql-password
The password Guacamole should provide when authenticating with the database.
Restrictions that should be applied to all database users with respect to password complexity, length, change frequency, and reuse.
These properties do not affect users defined outside the database.
mysql-user-password-min-length
0
The minimum length of each password, in characters. If specified, users will not be able to change their passwords to values that are not at least this length. By default, no minimum length is enforced. Empty passwords are never allowed.
mysql-user-password-require-multiple-case
false
If set to "true", require that all passwords contain at least one uppercase character and one lowercase character. By default, passwords are not required to contain mixed case.
mysql-user-password-require-symbol
false
If set to "true", require that all passwords contain at least one symbol, where a "symbol" is any non-alphanumeric character. By default, passwords are not required to contain symbols.
mysql-user-password-require-digit
false
If set to "true", require that all passwords contain at least one digit, where a "digit" is any numeric character. By default, passwords are not required to contain digits.
mysql-user-password-prohibit-username
false
If set to "true", prohibit passwords from containing the user's own username, regardless of case. By default, use of the user's own username within their password is not prevented.
mysql-user-password-min-age
The minimum number of days that must elapse between password changes (preventing users from changing passwords too frequently and defeating password reuse protections). By default, frequency of password changes is not restricted.
mysql-user-password-max-age
The maximum number of days that may elapse before users are required to change their passwords. By default, users' passwords do not automatically expire.
mysql-user-password-history-size
The number of past passwords that should be remembered for each user. If specified, users will be prevented from reusing any of these passwords. By default, reuse of past passwords is not prevented.
Concurrent usage restrictions that should be enforced by default across all connections. With the exception of the absolute concurrency limit, each of these restrictions may be overridden by the administrator on a per-connection basis by editing the connection.
mysql-default-max-connections
0
The maximum number of concurrent connections to allow to any particular connection, where "0" represents unlimited. By default, no overall concurrency limits are enforced on connections.
mysql-default-max-group-connections
0
The maximum number of concurrent connections to allow to any particular balancing connection group, where "0" represents unlimited. By default, no overall concurrency limits are enforced on connection groups.
mysql-default-max-connections-per-user
0
The maximum number of concurrent connections that any individual user may establish to a connection, where "0" represents unlimited. By default, no per-user concurrency limits are enforced on connections.
mysql-default-max-group-connections-per-user
1
The maximum number of concurrent connections that any individual user may establish to a balancing connection group, where "0" represents unlimited. By default, each user is limited to a single connection for each balancing connection group, to avoid allowing any one user to exhaust the available connections within that group.
mysql-absolute-max-connections
0
The absolute maximum number of concurrent connections to allow to the Guacamole server as a whole, regardless of which users are establishing those connections and which connections or groups are being accessed, where "0" represents unlimited. By default, no absolute concurrent restrictions are enforced.
Whether authentication via other extensions is allowed for users that do not exist within the MySQL / MariaDB database. If set to "true", authentication attempts will be denied unless the authenticated user has been defined within the database.
mysql-user-required
false
If set to "true", require that all successful authentication attempts be associated with a user defined within MySQL. If a user authenticates successfully via another mechanism (such as LDAP), that attempt will still be denied if no corresponding MySQL user exists. By default, successful authentication attempts will be considered successful regardless of whether an account for that user exists within MySQL.
Advanced configuration properties for PostgreSQL
The properties listed here are only applicable if PostgreSQL authentication is being used. Support for PostgreSQL authentication is installed using the kcm-guacamole-auth-jdbc-postgresql package. If using the keeper/guacamole Docker image, support for PostgreSQL authentication is instead configured using environment variables.
Minimum password length and complexity
Minimum/maximum password age
Password reuse prevention
Database concurrent connection limits
General connection concurrency limits
Per-user concurrency limits
Absolute concurrency limits
The TCP connection details for the PostgreSQL database.
postgresql-hostname
localhost
The hostname of the database server.
postgresql-port
5432
The port of the PostgreSQL service running on the database server.
The name of the database to use, as well as the credentials to use when connecting to the database. These properties are required if one of the database authentication extensions will be used.
postgresql-database
The name of the database that Guacamole should issue queries against.
postgresql-username
The username of the user that Guacamole should use to connect to the database.
postgresql-password
The password Guacamole should provide when authenticating with the database.
Restrictions that should be applied to all database users with respect to password complexity, length, change frequency, and reuse.
These properties do not affect users defined outside the database.
postgresql-user-password-min-length
0
The minimum length of each password, in characters. If specified, users will not be able to change their passwords to values that are not at least this length. By default, no minimum length is enforced. Empty passwords are never allowed.
postgresql-user-password-require-multiple-case
false
If set to "true", require that all passwords contain at least one uppercase character and one lowercase character. By default, passwords are not required to contain mixed case.
postgresql-user-password-require-symbol
false
If set to "true", require that all passwords contain at least one symbol, where a "symbol" is any non-alphanumeric character. By default, passwords are not required to contain symbols.
postgresql-user-password-require-digit
false
If set to "true", require that all passwords contain at least one digit, where a "digit" is any numeric character. By default, passwords are not required to contain digits.
postgresql-user-password-prohibit-username
false
If set to "true", prohibit passwords from containing the user's own username, regardless of case. By default, use of the user's own username within their password is not prevented.
postgresql-user-password-min-age
The minimum number of days that must elapse between password changes (preventing users from changing passwords too frequently and defeating password reuse protections). By default, frequency of password changes is not restricted.
postgresql-user-password-max-age
The maximum number of days that may elapse before users are required to change their passwords. By default, users' passwords do not automatically expire.
postgresql-user-password-history-size
The number of past passwords that should be remembered for each user. If specified, users will be prevented from reusing any of these passwords. By default, reuse of past passwords is not prevented.
Concurrent usage restrictions that should be enforced by default across all connections. With the exception of the absolute concurrency limit, each of these restrictions may be overridden by the administrator on a per-connection basis by editing the connection.
postgresql-default-max-connections
0
The maximum number of concurrent connections to allow to any particular connection, where "0" represents unlimited. By default, no overall concurrency limits are enforced on connections.
postgresql-default-max-group-connections
0
The maximum number of concurrent connections to allow to any particular balancing connection group, where "0" represents unlimited. By default, no overall concurrency limits are enforced on connection groups.
postgresql-default-max-connections-per-user
0
The maximum number of concurrent connections that any individual user may establish to a connection, where "0" represents unlimited. By default, no per-user concurrency limits are enforced on connections.
postgresql-default-max-group-connections-per-user
1
The maximum number of concurrent connections that any individual user may establish to a balancing connection group, where "0" represents unlimited. By default, each user is limited to a single connection for each balancing connection group, to avoid allowing any one user to exhaust the available connections within that group.
postgresql-absolute-max-connections
0
The absolute maximum number of concurrent connections to allow to the Guacamole server as a whole, regardless of which users are establishing those connections and which connections or groups are being accessed, where "0" represents unlimited. By default, no absolute concurrent restrictions are enforced.
Whether authentication via other extensions is allowed for users that do not exist within the PostgreSQL database. If set to "true", authentication attempts will be denied unless the authenticated user has been defined within the database.
postgresql-user-required
false
If set to "true", require that all successful authentication attempts be associated with a user defined within PostgreSQL. If a user authenticates successfully via another mechanism (such as LDAP), that attempt will still be denied if no corresponding PostgreSQL user exists. By default, successful authentication attempts will be considered successful regardless of whether an account for that user exists within PostgreSQL.
Advanced configuration properties for SQL Server
The properties listed here are only applicable if SQL Server authentication is being used. Support for SQL Server authentication is installed using the kcm-guacamole-auth-jdbc-sqlserver package. If using the keeper/guacamole Docker image, support for SQL Server authentication is instead configured using environment variables.
Minimum password length and complexity
Minimum/maximum password age
Password reuse prevention
Database concurrent connection limits
General connection concurrency limits
Per-user concurrency limits
Absolute concurrency limits
The TCP connection details for the SQL Server database.
sqlserver-hostname
localhost
The hostname of the database server.
sqlserver-port
1433
The port of the SQL Server service running on the database server.
The name of the database to use, as well as the credentials to use when connecting to the database. These properties are required if one of the database authentication extensions will be used.
sqlserver-database
The name of the database that Guacamole should issue queries against.
sqlserver-username
The username of the user that Guacamole should use to connect to the database.
sqlserver-password
The password Guacamole should provide when authenticating with the database.
Restrictions that should be applied to all database users with respect to password complexity, length, change frequency, and reuse.
These properties do not affect users defined outside the database.
sqlserver-user-password-min-length
0
The minimum length of each password, in characters. If specified, users will not be able to change their passwords to values that are not at least this length. By default, no minimum length is enforced. Empty passwords are never allowed.
sqlserver-user-password-require-multiple-case
false
If set to "true", require that all passwords contain at least one uppercase character and one lowercase character. By default, passwords are not required to contain mixed case.
sqlserver-user-password-require-symbol
false
If set to "true", require that all passwords contain at least one symbol, where a "symbol" is any non-alphanumeric character. By default, passwords are not required to contain symbols.
sqlserver-user-password-require-digit
false
If set to "true", require that all passwords contain at least one digit, where a "digit" is any numeric character. By default, passwords are not required to contain digits.
sqlserver-user-password-prohibit-username
false
If set to "true", prohibit passwords from containing the user's own username, regardless of case. By default, use of the user's own username within their password is not prevented.
sqlserver-user-password-min-age
The minimum number of days that must elapse between password changes (preventing users from changing passwords too frequently and defeating password reuse protections). By default, frequency of password changes is not restricted.
sqlserver-user-password-max-age
The maximum number of days that may elapse before users are required to change their passwords. By default, users' passwords do not automatically expire.
sqlserver-user-password-history-size
The number of past passwords that should be remembered for each user. If specified, users will be prevented from reusing any of these passwords. By default, reuse of past passwords is not prevented.
Concurrent usage restrictions that should be enforced by default across all connections. With the exception of the absolute concurrency limit, each of these restrictions may be overridden by the administrator on a per-connection basis by editing the connection.
sqlserver-default-max-connections
0
The maximum number of concurrent connections to allow to any particular connection, where "0" represents unlimited. By default, no overall concurrency limits are enforced on connections.
sqlserver-default-max-group-connections
0
The maximum number of concurrent connections to allow to any particular balancing connection group, where "0" represents unlimited. By default, no overall concurrency limits are enforced on connection groups.
sqlserver-default-max-connections-per-user
0
The maximum number of concurrent connections that any individual user may establish to a connection, where "0" represents unlimited. By default, no per-user concurrency limits are enforced on connections.
sqlserver-default-max-group-connections-per-user
1
The maximum number of concurrent connections that any individual user may establish to a balancing connection group, where "0" represents unlimited. By default, each user is limited to a single connection for each balancing connection group, to avoid allowing any one user to exhaust the available connections within that group.
sqlserver-absolute-max-connections
0
The absolute maximum number of concurrent connections to allow to the Guacamole server as a whole, regardless of which users are establishing those connections and which connections or groups are being accessed, where "0" represents unlimited. By default, no absolute concurrency restrictions are enforced.
Whether authentication via other extensions is allowed for users that do not exist within the SQL Server database. If set to "true", authentication attempts will be denied unless the authenticated user has been defined within the database.
sqlserver-user-required
false
If set to "true", require that all successful authentication attempts be associated with a user defined within SQL Server. If a user authenticates successfully via another mechanism (such as LDAP), that attempt will still be denied if no corresponding SQL Server user exists. By default, successful authentication attempts will be considered successful regardless of whether an account for that user exists within SQL Server.
As of KCM version 2.9.6, KCM can be configured to limit a user's ability to log in after multiple consecutive failed login attempts. This blocks brute-force login attacks on KCM instances.
By default, KCM will lock a user out of logging in for 5 minutes after 5 failed attempts.
Use the following properties to change the login attempt settings:
ban-max-invalid-attempts
The number of invalid attempts before a user is locked out.
ban-address-duration
The amount of time, in seconds, that a user is locked out after hitting the invalid attempts limit.
ban-max-addresses
The number of addresses that KCM will track to check for invalid attempts. Defaults to 10485760.
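The following Python script is an added example, not part of Keeper's documentation: it parses a guacamole.properties file and lists the database password, concurrency, and lockout properties from this page whose effective value is looser than a chosen baseline. The 12-character minimum length and the sample file contents are assumptions; the lockout baseline is the documented default of 5 attempts and 5 minutes, and passing db="postgresql" checks the equivalent PostgreSQL properties.

```python
# Added example: audit the properties documented on this page.
# Constructed sample input, not from a real deployment.
SAMPLE = """\
sqlserver-hostname: db.example.internal
sqlserver-user-password-min-length: 8
sqlserver-user-password-require-digit: true
sqlserver-user-password-history-size: 5
sqlserver-default-max-connections-per-user = 2
ban-max-invalid-attempts: 50
"""

def parse_properties(text):
    """Parse 'name: value' or 'name = value' lines; skip comments and blanks."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#!":
            continue
        cut = min((i for i in (line.find(":"), line.find("=")) if i >= 0), default=-1)
        if cut > 0:
            props[line[:cut].strip()] = line[cut + 1:].strip()
    return props

def audit(props, db="sqlserver", min_len=12):
    """Return the property names whose effective value should be reviewed."""
    def num(name, default=0):
        return int(props.get(name) or default)
    pw = f"{db}-user-password-"
    weak = []
    if num(pw + "min-length") < min_len:  # min_len is an assumed baseline
        weak.append(pw + "min-length")
    for rule in ("require-multiple-case", "require-symbol",
                 "require-digit", "prohibit-username"):
        if props.get(pw + rule, "false").lower() != "true":
            weak.append(pw + rule)
    # History only helps if users cannot cycle through it in one sitting.
    if num(pw + "history-size") > 0 and num(pw + "min-age") < 1:
        weak.append(pw + "min-age")
    for limit in ("default-max-connections-per-user", "absolute-max-connections"):
        if num(f"{db}-{limit}") == 0:  # "0" represents unlimited
            weak.append(f"{db}-{limit}")
    # Documented lockout defaults: 5 failed attempts, 5 minutes (300 seconds).
    if num("ban-max-invalid-attempts", 5) > 5:
        weak.append("ban-max-invalid-attempts")
    if num("ban-address-duration", 300) < 300:
        weak.append("ban-address-duration")
    return weak

if __name__ == "__main__":
    for name in audit(parse_properties(SAMPLE)):
        print("review:", name)
```

Unset properties are evaluated at the defaults this page documents, so a file that omits the password policy entirely is reported the same way as one that disables it explicitly.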