01-18-2010 11:24 AM
If you have set up SSO to the SSL as your LDAP username/password, then you can link that in your terminal session username and password. When you create the session, add <USER> for the username and it will use the username they log in with, and then you can use <PASSWORD> for the variable password field.
01-19-2010 04:06 AM
Thanks, but I want to know if it's possible with Kerberos constrained delegation, like: a user logs in with his RSA token and has SSO access to an RDP session on a machine on a domain. I don't think it's possible.
01-29-2010 06:53 AM
Hi. Complete newbie here, but if I understand the question correctly, I have set this up on our domain. For just Windows authentication, we use the default sign-in page. For things requiring RSA access, we use an alternate sign-in page that prompts for both Windows password and RSA info. Our RSA usernames match Windows usernames. Users access this page via an alternate subdomain URL.
This way the user is presented with a prompt for a username, and 2 separate boxes for passwords. The first password is the Passcode for RSA, and the 2nd password box is for the Windows password. You can label them appropriately.
Then on the Bookmark to access the RDP session we pass the credentials as follows:
That prepends the domain name to the username, and selects the 2nd password entered (which is their Windows password) rather than the RSA Passcode.
I hope that helps.
02-03-2010 08:49 PM
If your authentication server is LDAP (to an RSA server), can the RSA server send back the appropriate fields (UPN, password) for your users? If so, then you'd need to use these variables for username/password for your SSO.
I don't have any experience doing this (my setup is just like the one described above: one userid, two passwords, 1 for Windows and 1 for RSA PIN+token).
If you search the forum archives, I think you should be able to find an example of returning LDAP parameters to the IVE.
Hope this helps.
02-05-2010 03:44 PM
No, it is not possible. At least not in 6.4 / 6.5. I would hope that this capability is on the roadmap. I really like what they did with adding the SSO templates for Web resources. It would be great to see it extended to terminal services.