Is it possible with 6.4 to do SSO with constrained delegation on a Windows RDP terminal session?
If you have set up SSO to the SSL as your LDAP username/password then you can link that in your terminal session username and password. When you create the session, add <USER> for the username and it will use the username they log in with and then you can use <PASSWORD> for the variable password field.
Thanks, but I want to know if it's possible with Kerberos constrained delegation, like: a user logs in with his RSA token and has SSO access to an RDP session on a machine on a domain. I don't think it's possible.
Hi. Complete newbie here, but if I understand the question correctly, I have set this up on our domain. For just Windows authentication, we use the default sign-in page. For things requiring RSA access, we use an alternate sign-in page that prompts for both Windows password and RSA info. Our RSA usernames match Windows usernames. Users access this page via an alternate subdomain URL.
This way the user is presented with a prompt for a username, and 2 separate boxes for passwords. The first password is the Passcode for RSA, and the 2nd password box is for the Windows password. You can label them appropriately.
Then on the Bookmark to access the RDP session we pass the credentials as follows:
That prepends the domain name to the username, and selects the 2nd password entered (which is their Windows password) rather than the RSA Passcode.
I hope that helps.
Thanks, it would help, but unfortunately, the users don't know their Windows password, that's why I would like to use constrained delegation. Anyway, I don't think this is possible...
If your authentication server is LDAP (to an RSA server), can the RSA server send back the appropriate fields (UPN, password) for your users? If so, then you'd need to use these variables for username/password for your SSO.
I don't have any experience doing this (my setup is just like the one described above, one userid, two passwords, 1 for Windows and 1 for RSA PIN+token).
If you search the forum archives, I think you should be able to find an example of returning LDAP parameters to the IVE.
Hope this helps.
No, it is not possible. At least not in 6.4 / 6.5. I would hope that this capability is on the roadmap. I really like what they did with adding the SSO templates for Web resources. It would be great to see it extended to terminal services.
As mentioned by @muttbarker***, constrained delegation is web-only and cannot be used with terminal service bookmarks.