SSL VPN
Visitor
maxime_simard
Posts: 6
Registered: ‎01-18-2010
0

SSO and RDP

Is it possible with 6.4 to do SSO with constrained delegation on a Windows RDP terminal session?

Thanks

Contributor
BryGuy
Posts: 49
Registered: ‎06-17-2008
0

Re: SSO and RDP

If you have set up SSO to the SSL as your LDAP username/password, then you can link that in your terminal session username and password. When you create the session, add <USER> for the username and it will use the username they log in with, and then you can use <PASSWORD> for the variable password field.

Visitor
maxime_simard
Posts: 6
Registered: ‎01-18-2010
0

Re: SSO and RDP

Thanks, but I want to know if it's possible with Kerberos constrained delegation, like: a user logs in with his RSA token and has SSO access to an RDP session on a machine on a domain. I don't think it's possible.

Visitor
SharkUSMC
Posts: 1
Registered: ‎01-29-2010
0

Re: SSO and RDP

Hi. Complete newbie here, but if I understand the question correctly, I have set this up on our domain. For just Windows authentication, we use the default sign-in page. For things requiring RSA access, we use an alternate sign-in page that prompts for both Windows password and RSA info. Our RSA usernames match Windows usernames. Users access this page via an alternate subdomain URL.

This way the user is presented with a prompt for a username, and 2 separate boxes for passwords. The first password is the Passcode for RSA, and the 2nd password box is for the Windows password. You can label them appropriately.

Then on the Bookmark to access the RDP session we pass the credentials as follows:

domain\<USER>

<PASSWORD[2]>

That prepends the domain name to the username, and selects the 2nd password entered (which is their Windows password) rather than the RSA Passcode.

I hope that helps.

Visitor
maxime_simard
Posts: 6
Registered: ‎01-18-2010
0

Re: SSO and RDP

Thanks, it would help, but unfortunately, the users don't know their Windows password; that's why I would like to use constrained delegation. Anyway, I don't think this is possible...

Trusted Contributor
stine
Posts: 437
Registered: ‎05-05-2008
0

Re: SSO and RDP

If your authentication server is LDAP (to an RSA server), can the RSA server send back the appropriate fields (UPN, password) for your users? If so, then you'd need to use these variables for username/password for your SSO.

I don't have any experience doing this (my setup is just like the one described above: one userid, two passwords, 1 for Windows and 1 for RSA pin+token).

If you search the forum archives, I think you should be able to find an example of returning LDAP parameters to the IVE.

Hope this helps.

Theodore E Van Iderstine
Stream Networks
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL (ditto)
Distinguished Expert
muttbarker
Posts: 2,379
Registered: ‎01-29-2008
0

Re: SSO and RDP

No, it is not possible. At least not in 6.4 / 6.5. I would hope that this capability is on the roadmap. I really like what they did with adding the SSO templates for Web resources. It would be great to see it extended to terminal services.

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Moderator
zanyterp
Posts: 2,300
Registered: ‎11-19-2007
0

Re: SSO and RDP

As mentioned by @muttbarker, constrained delegation is web-only and cannot be used with terminal service bookmarks.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.