Set Up Transparent Login for RDP Servers

Describes how to implement transparent login for a Windows RDP server.
You can implement transparent login for a Windows RDP server. Transparent login provides secondary access through an application on that device. As with Privileged Access Manager HTML WebSSO, the administrator uses "Learn Mode" to teach the product to recognize the relevant access interface of a target application. In this case, it is a Privileged Access Manager-configured RDP Application.
The benefit of the feature is that credentials and software are not stored on the target RDP server. No installation of agents is needed on the access client or the RDP server. Optionally, these applications can be cached for improved load times.
No special configuration is required on Privileged Access Manager or the target Device. The provisioning process described in this topic is the only setup required.
Target Devices Support
  • OS versions:
    Windows Server 2012, Windows Server 2016, Windows Server 2019; x86 and x64 versions for each
  • Applications:
    VMware vSphere Client and vSphere Client console; Microsoft SQL Server Management Studio; WinSCP; Dell Toad; PuTTY; Oracle SQL*Plus
Windows Configuration
Windows (RDP server) devices that are the targets of Privileged Access Manager transparent login require the following configuration to work properly.
Certificates
If you are using a signed certificate on Privileged Access Manager, you must install the CA certificate on each Windows target Device. Import this certificate as a Trusted Root.
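The following PowerShell is an added example, not part of the Privileged Access Manager documentation. It imports the exported PAM CA certificate into the machine-wide Trusted Root store on a Windows target and then checks that the certificate is actually present there, which is the check to run when a transparent-login session fails with a certificate trust error. The certificate file path is an assumed placeholder.

```powershell
# Added example (not from the Privileged Access Manager documentation): import the
# PAM CA certificate into the Windows target's machine-wide Trusted Root store and
# verify that it landed there. The file path is an assumed placeholder.
$caCertPath = 'C:\Temp\pam-ca.cer'   # assumed: CA certificate exported from PAM

# Import into Trusted Root Certification Authorities for the local machine, not the
# current user, so that every RDP session user on this server trusts PAM.
$imported = Import-Certificate -FilePath $caCertPath -CertStoreLocation 'Cert:\LocalMachine\Root'

# Confirm the certificate is present by thumbprint and looks like a CA (self-issued)
$installed = Get-ChildItem 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Thumbprint -eq $imported.Thumbprint }
if (-not $installed) {
    throw "CA certificate $($imported.Thumbprint) not found in LocalMachine\Root"
}
if ($installed.Subject -ne $installed.Issuer) {
    Write-Warning 'Imported certificate is not self-issued; check that you exported the CA, not the server certificate'
}
"Installed: $($installed.Subject) (expires $($installed.NotAfter))"
```

Run it in an elevated PowerShell session; writing to Cert:\LocalMachine\Root requires local administrator rights.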
Session Recording
For transparent login activity to be successfully recorded when using Internet Explorer, configure all equivalent Privileged Access Manager addresses (for example, a cluster VIP name and VIP address) in the browser security settings:
  1. In Internet Explorer, select Tools, Internet Options.
  2. Select the Security tab, then Trusted Sites, and then the Sites button.
  3. In the Trusted sites dialog window, key in and Add each equivalent Privileged Access Manager address in use. Select Close to exit Trusted sites.
  4. Select OK to save and exit Internet Options.
This setting might not work fully. If that is the case, try this additional configuration in Internet Options:
  1. Select the Connections tab, then LAN settings. If the Proxy server checkbox is selected, select the Advanced button.
  2. In the Exceptions section, remove any "127.*" or equivalent construct.
  3. Select OK to save and exit Proxy Settings. Then, select OK again to save and exit Local Area Network (LAN) Settings, and then OK again to save and exit Internet Options.
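The following PowerShell is an added example and is not part of the Privileged Access Manager documentation. It applies both Internet Explorer settings from the two procedures above for the current user through the registry keys that Internet Explorer reads: it places every equivalent PAM address (host name or IP address) in the Trusted Sites zone, and it strips any "127.*" entry from the proxy exception list. The PAM addresses are assumed sample values; the registry layout used (ZoneMap\Domains for host names, ZoneMap\Ranges for IP addresses, ProxyOverride for exceptions) is the layout Internet Explorer uses for per-user zone and proxy settings.

```powershell
# Added example, not part of the PAM documentation: configure IE Trusted Sites entries for
# every equivalent PAM address and remove "127.*"-style proxy exceptions for the current user.
$pamAddresses = @('pam.example.com', '10.0.0.50')   # assumed: cluster VIP name and VIP address

$inetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneMap      = "$inetSettings\ZoneMap"
$TrustedZone  = 2    # IE zone ids: 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted

function Add-TrustedSite {
    param([string]$Address)
    if ($Address -as [ipaddress]) {
        # IP addresses live under ZoneMap\Ranges\RangeN with a ':Range' value naming the address
        $existing = Get-ChildItem "$zoneMap\Ranges" -ErrorAction SilentlyContinue |
            Where-Object { (Get-ItemProperty $_.PSPath).':Range' -eq $Address }
        if ($existing) { return }
        $n = 1
        while (Test-Path "$zoneMap\Ranges\Range$n") { $n++ }
        $key = "$zoneMap\Ranges\Range$n"
        New-Item $key -Force | Out-Null
        New-ItemProperty $key -Name ':Range' -Value $Address -PropertyType String | Out-Null
        New-ItemProperty $key -Name '*' -Value $TrustedZone -PropertyType DWord | Out-Null
    } else {
        # Host names live under ZoneMap\Domains\<domain>\<host part>, e.g. Domains\example.com\pam;
        # the value name is the URL scheme and its data is the zone id
        $labels = $Address.Split('.')
        $key = if ($labels.Count -gt 2) {
            "$zoneMap\Domains\$($labels[-2..-1] -join '.')\$($labels[0..($labels.Count - 3)] -join '.')"
        } else {
            "$zoneMap\Domains\$Address"
        }
        New-Item $key -Force | Out-Null
        New-ItemProperty $key -Name 'https' -Value $TrustedZone -PropertyType DWord -Force | Out-Null
    }
}

foreach ($a in $pamAddresses) { Add-TrustedSite -Address $a }

# Proxy exceptions: ProxyOverride is a semicolon-separated list; drop any entry like 127.*
$props = Get-ItemProperty $inetSettings
if ($props.ProxyEnable -eq 1 -and $props.ProxyOverride) {
    $kept = $props.ProxyOverride -split ';' | Where-Object { $_ -and $_ -notlike '127.*' }
    Set-ItemProperty $inetSettings -Name ProxyOverride -Value ($kept -join ';')
}

# Report what Internet Explorer will now treat as Trusted Sites for this user
Get-ChildItem "$zoneMap\Domains" -Recurse | Select-Object -ExpandProperty Name
Get-ChildItem "$zoneMap\Ranges" -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-ItemProperty $_.PSPath).':Range' }
```

Because these are HKCU keys, run the script as the account that will be used in the recorded session. If a Group Policy site-to-zone assignment list is in force on the server, the policy keys take precedence over these per-user entries and the same addresses must be added there instead.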
Prerequisites
On Windows Server 2012
  1. Add your Windows Server 2012 to your Domain.
    For testing purposes, you can instead install a Domain Controller on the same server. See:
    http://social.technet.microsoft.com/wiki/contents/articles/12370.step-by-step-guide-for-setting-up-a-windows-server-2012-domain-controller.aspx
  2. Configure cmd.exe as a RemoteApp using the instructions in the following article:
    http://social.technet.microsoft.com/wiki/contents/articles/10817.publishing-remoteapps-in-windows-server-2012.aspx
    For security reasons: In the RemoteApp Properties dialog, under the Command-line arguments option button, select the Always use the following command-line arguments option. Set its arguments to the following string.
    Whether you copy-and-paste this string or enter it manually, ensure that you do not introduce any additional hidden characters or white space. Otherwise, the command might not work.
    /C title Initializing RDP session&echo Please wait...&timeout 4 /nobreak>nul&"\\tsclient\virt\xcd_run.bat"
On Windows Server 2016 and Windows Server 2019
  1. Add your Windows Server 2016 or Windows Server 2019 to your Domain.
    For testing purposes, you can install a Domain Controller on the same server. Refer to the following article for guidance:
    http://pc-addicts.com/setup-dhcp-role-server-2016/
  2. Deploy your Remote Desktop environment, referring to the Microsoft documentation for guidance:
    https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-deploy-infrastructure
  3. Create a Remote Desktop Services collection for desktops and apps to run. See the following Microsoft documentation for guidance, stopping when you reach the "Publish RemoteApp Programs" section, then proceed to Step 4 in this procedure.
    https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-create-collection
  4. Follow these steps to publish cmd.exe as a RemoteApp:
    1. In Server Manager, select the new collection.
    2. Under RemoteApp Programs, select Tasks, Publish RemoteApp programs.
    3. Select Add.
    4. In the file chooser, use the search box to locate and select the appropriate instance of cmd.exe.
    5. Select Open.
    6. Select Next.
    7. Select Publish.
    8. Under RemoteApp Programs, right-click cmd and select Edit Properties.
    9. Select Parameters.
    10. For security reasons, set the Always use the following command-line parameters option and set its arguments to the following string:
      /C title Initializing RDP session&echo Please wait...&timeout 4 /nobreak>nul&"\\tsclient\virt\xcd_run.bat"
      Whether you copy-and-paste this string or enter it manually, ensure that you do not introduce any additional hidden characters or white space. Otherwise, the command might not work.
    11. Select OK.
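The following PowerShell is an added example and is not part of the Privileged Access Manager documentation. It performs the RemoteApp publishing described in both the Windows Server 2012 procedure and the Windows Server 2016/2019 procedure above using the RemoteDesktop module cmdlets that correspond to the Server Manager clicks, and then verifies the one setting the documentation flags for security reasons: that the published cmd.exe is locked to the required command line rather than accepting arguments from the client. The collection name and connection broker name are assumed values.

```powershell
# Added example, not from the PAM documentation: publish cmd.exe as a RemoteApp with its
# command line locked to the string from the procedure above, then verify the lock.
Import-Module RemoteDesktop

$collection = 'PAM-TransparentLogin'   # assumed: RDS collection created earlier in the procedure
$broker     = 'rdcb.example.com'       # assumed: connection broker FQDN
$cmdLine    = '/C title Initializing RDP session&echo Please wait...&timeout 4 /nobreak>nul&"\\tsclient\virt\xcd_run.bat"'

$existing = Get-RDRemoteApp -CollectionName $collection -ConnectionBroker $broker `
    -Alias 'cmd' -ErrorAction SilentlyContinue
if (-not $existing) {
    # Equivalent of Publish RemoteApp programs > cmd.exe, with the Parameters tab set to
    # "Always use the following command-line parameters"
    New-RDRemoteApp -CollectionName $collection -ConnectionBroker $broker `
        -DisplayName 'cmd' -Alias 'cmd' -FilePath 'C:\Windows\System32\cmd.exe' `
        -CommandLineSetting Require -RequiredCommandLine $cmdLine | Out-Null
} else {
    # Already published: enforce the required command line instead of leaving it at Allow
    Set-RDRemoteApp -CollectionName $collection -ConnectionBroker $broker -Alias 'cmd' `
        -CommandLineSetting Require -RequiredCommandLine $cmdLine
}

# Verify: with any setting other than Require, an RDP client could pass its own arguments
# to cmd.exe on the server, which is what the documented setting prevents.
$app = Get-RDRemoteApp -CollectionName $collection -ConnectionBroker $broker -Alias 'cmd'
if ($app.CommandLineSetting -ne 'Require' -or $app.RequiredCommandLine -ne $cmdLine) {
    throw 'cmd RemoteApp is not locked to the expected command line'
}
$app | Format-List DisplayName, FilePath, CommandLineSetting, RequiredCommandLine
```

Run this on the connection broker (or a server with the RemoteDesktop module and rights on the deployment). Pasting the command line through a script avoids the hidden-character problem the procedure warns about, since the string is taken from a single-quoted literal rather than typed into the dialog.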