Set Up Transparent Login for RDP Servers
Describes how to implement transparent login for a Windows RDP server.
You can implement transparent login for a Windows RDP server. Transparent login provides secondary access through an application on that device. As with Privileged Access Manager HTML WebSSO, the administrator uses "Learn Mode" to teach the product to recognize the relevant access interface of a target application. In this case, it is a Privileged Access Manager-configured RDP Application.
The benefit of the feature is that credentials and software are not stored on the target RDP server. No installation of agents is needed on the access client or the RDP server. Optionally, these applications can be cached for improved load times.
Transparent Login with RDP Proxy Fails with Protocol Error
To use transparent login with an RDP proxy, you must enable drive mapping in the RDP client and disable other device mappings, such as printers, ports, and so on.
Otherwise, no special configuration is required on Privileged Access Manager or the target Device. The provisioning process described here is the required setup.
Target Devices Support
- OS versions: Windows Server 2012, Windows Server 2016, Windows Server 2019; x86 and x64 versions for each
- Applications: VMware vSphere Client and vSphere Client console; Microsoft SQL Server Management Studio; WinSCP; Dell Toad; PuTTY; Oracle SQL*Plus
Windows (RDP server) devices that are the targets of Privileged Access Manager transparent login require the following configuration to work properly.
If you are using a signed certificate on Privileged Access Manager, you must install the CA certificate on each Windows target Device. Import this certificate as a Trusted Root.
For transparent login activity to be successfully recorded when using Internet Explorer, configure all equivalent Privileged Access Manager addresses (for example, a cluster VIP name and its VIP address) in the browser security settings:
- In Internet Explorer, select Tools, Internet Options.
- Select the Security tab, then Trusted Sites, and then the Sites button.
- In the Trusted sites dialog window, key in and Add each equivalent Privileged Access Manager address in use. Select Close to exit Trusted sites.
- Select OK to save and exit Internet Options.
This setting might not work fully. If that is the case, try this additional configuration in
- Select the Connections tab, then LAN settings. If the Proxy server checkbox is selected, select the Advanced button.
- In the Exceptions section, remove any "127.*" or equivalent construct.
- Select OK to save and exit Proxy Settings. Then, select OK again to save and exit Local Area Network (LAN) Settings, and then OK again to save and exit Internet Options.
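The two Internet Explorer changes above (Trusted Sites entries for every equivalent Privileged Access Manager address, and removal of "127.*"-style proxy exceptions) can be applied for the current user without the GUI. The following PowerShell script is an added example and is not part of the Privileged Access Manager documentation; the host name and IP address in `$pamAddresses` are constructed placeholders, and the script assumes the standard per-user Internet Settings registry locations under HKCU.

```powershell
# Added example (not from the product documentation): scripts the Internet Explorer
# settings described in the procedure above for the current user.
#   1. Adds each equivalent Privileged Access Manager address to the Trusted Sites zone.
#   2. Removes "127.*"-style entries from the proxy exception list (ProxyOverride).
# Run it in the interactive session of the account that will use Internet Explorer.

$pamAddresses = @('pam.example.local', '10.0.0.5')   # constructed: cluster VIP name and VIP address

$inetSettings   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneMapDomains = Join-Path $inetSettings 'ZoneMap\Domains'   # host names
$zoneMapRanges  = Join-Path $inetSettings 'ZoneMap\Ranges'    # IP addresses / ranges
$trustedZone    = 2   # zone id 2 = "Trusted sites"
# Assumption: IE Enhanced Security Configuration is off. With IE ESC enabled on
# Windows Server, the zone map used is ZoneMap\EscDomains instead of ZoneMap\Domains.

function Add-TrustedSite {
    param([string]$Address)

    if ($Address -match '^\d{1,3}(\.\d{1,3}){3}$') {
        # IP addresses are stored as ZoneMap\Ranges\RangeN with a ":Range" string value.
        $existing = Get-ChildItem -Path $zoneMapRanges -ErrorAction SilentlyContinue
        $dup = $existing | Where-Object {
            (Get-ItemProperty -Path $_.PSPath -Name ':Range' -ErrorAction SilentlyContinue).':Range' -eq $Address
        }
        if ($dup) { return }   # already present, nothing to do
        $n = 1
        while ($existing.PSChildName -contains "Range$n") { $n++ }
        $key = New-Item -Path (Join-Path $zoneMapRanges "Range$n") -Force
        New-ItemProperty -Path $key.PSPath -Name ':Range' -Value $Address -PropertyType String -Force | Out-Null
        New-ItemProperty -Path $key.PSPath -Name 'https'  -Value $trustedZone -PropertyType DWord -Force | Out-Null
    } else {
        # Host names are stored as ZoneMap\Domains\<host> with a per-scheme DWORD.
        $key = New-Item -Path (Join-Path $zoneMapDomains $Address) -Force
        New-ItemProperty -Path $key.PSPath -Name 'https' -Value $trustedZone -PropertyType DWord -Force | Out-Null
    }
    # Add an 'http' value as well if the Privileged Access Manager UI is reached over plain HTTP.
}

foreach ($a in $pamAddresses) { Add-TrustedSite -Address $a }

# ProxyOverride is a ';'-separated exception list, for example "*.corp.local;127.*;<local>".
# Drop every entry that starts with "127." and write the remainder back unchanged.
$current = (Get-ItemProperty -Path $inetSettings -Name ProxyOverride -ErrorAction SilentlyContinue).ProxyOverride
if ($current) {
    $kept = $current -split ';' | Where-Object { $_ -and ($_ -notmatch '^127\.') }
    Set-ItemProperty -Path $inetSettings -Name ProxyOverride -Value ($kept -join ';')
}
```

After running it, open Internet Options, Security, Trusted Sites, Sites to confirm the entries appear, and check the LAN settings Exceptions box; Internet Explorer reads the zone map on its next start.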
On Windows Server 2012
- Add your Windows Server 2012 to your Domain. For testing purposes, you can instead install a Domain Controller on the same server. See: http://social.technet.microsoft.com/wiki/contents/articles/12370.step-by-step-guide-for-setting-up-a-windows-server-2012-domain-controller.aspx
- Install the Remote Desktop Session Host role using the following instructions: https://support.microsoft.com/en-us/help/2833839/guidelines-for-installing-the-remote-desktop-session-host-role-service
- Configure cmd.exe as a RemoteApp using the instructions in the following article: http://social.technet.microsoft.com/wiki/contents/articles/10817.publishing-remoteapps-in-windows-server-2012.aspx
  For security reasons: in the RemoteApp Properties dialog, under the Command-line arguments option button, select the Always use the following command-line arguments option. Set its arguments to the following string. Whether you copy-and-paste this string or enter it manually, ensure that you do not introduce any additional hidden characters or white space. Otherwise, the command might not work.
  /C title Initializing RDP session&echo Please wait...&timeout 4 /nobreak>nul&"\\tsclient\virt\xcd_run.bat"
On Windows Server 2016 and Windows Server 2019
- Add your Windows Server 2016 or Windows Server 2019 to your Domain. For testing purposes, you can install a Domain Controller on the same server. Refer to the following article for guidance: http://pc-addicts.com/setup-dhcp-role-server-2016/
- Deploy your Remote Desktop environment, referring to the Microsoft documentation for guidance: https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-deploy-infrastructure
- Create a Remote Desktop Services collection for desktops and apps to run. See the following Microsoft documentation for guidance, stopping when you reach the "Publish RemoteApp Programs" section, then proceed to Step 4 in this procedure: https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-create-collection
- Follow these steps to publish cmd.exe as a RemoteApp:
  - In Server Manager, select the new collection.
  - Under RemoteApp Programs, select Tasks, Publish RemoteApp programs.
  - In the file chooser, use the search box to locate and select the appropriate instance of cmd.exe.
  - Under RemoteApp Programs, right-click cmd and select Edit Properties.
  - For security reasons, set the Always use the following command-line parameters option and set its arguments to the following string. Whether you copy-and-paste this string or enter it manually, ensure that you do not introduce any additional hidden characters or white space. Otherwise, the command might not work.
    /C title Initializing RDP session&echo Please wait...&timeout 4 /nobreak>nul&"\\tsclient\virt\xcd_run.bat"
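The publishing steps for both the Windows Server 2012 and the Windows Server 2016/2019 procedures come down to one thing: cmd.exe is published as a RemoteApp whose command line is locked to the fixed string, so a connecting client cannot supply its own arguments. The PowerShell below is an added example, not code from the Privileged Access Manager documentation; it uses the RemoteDesktop module cmdlets that ship with the Remote Desktop Services role (New-RDRemoteApp, Set-RDRemoteApp, Get-RDRemoteApp) and assumes placeholder values for the collection name and Connection Broker FQDN. It also checks the string for the hidden or non-printable characters the procedure warns about before publishing.

```powershell
# Added example (not from the product documentation): publishes cmd.exe as a RemoteApp
# with the command line locked ("Always use the following command-line parameters"),
# which is what the GUI steps above configure. Run on a server holding the RDS
# Connection Broker role, in an elevated session.
Import-Module RemoteDesktop

$collection = 'PAM-Collection'        # assumed: name of the session collection created earlier
$broker     = 'rdcb.example.local'    # assumed: Connection Broker FQDN
$alias      = 'cmd'

# The exact string from the procedure. Single quotes keep the & and \ characters literal.
$requiredArgs = '/C title Initializing RDP session&echo Please wait...&timeout 4 /nobreak>nul&"\\tsclient\virt\xcd_run.bat"'

# Guard against the failure mode the procedure warns about: a stray non-printable,
# non-ASCII, or trailing whitespace character silently breaks the command.
if ($requiredArgs -match '[^\x20-\x7E]') {
    throw 'Required command line contains a non-printable or non-ASCII character'
}
if ($requiredArgs -ne $requiredArgs.Trim()) {
    throw 'Required command line has leading or trailing white space'
}

$existing = Get-RDRemoteApp -CollectionName $collection -ConnectionBroker $broker -Alias $alias -ErrorAction SilentlyContinue

if ($existing) {
    # Already published: just enforce the locked command line.
    Set-RDRemoteApp -CollectionName $collection -ConnectionBroker $broker -Alias $alias `
        -CommandLineSetting Require -RequiredCommandLine $requiredArgs
} else {
    New-RDRemoteApp -CollectionName $collection -ConnectionBroker $broker `
        -Alias $alias -DisplayName 'cmd' -FilePath 'C:\Windows\System32\cmd.exe' `
        -CommandLineSetting Require -RequiredCommandLine $requiredArgs | Out-Null
}

# Verify: CommandLineSetting must be "Require" and RequiredCommandLine must match exactly.
$app = Get-RDRemoteApp -CollectionName $collection -ConnectionBroker $broker -Alias $alias
if ($app.CommandLineSetting -ne 'Require' -or $app.RequiredCommandLine -ne $requiredArgs) {
    throw "RemoteApp '$alias' is not locked to the expected command line"
}
$app | Select-Object Alias, FilePath, CommandLineSetting, RequiredCommandLine
```

The verification at the end is the check worth keeping in any change-control script: a RemoteApp with CommandLineSetting set to Allow (the default) lets the client pass arbitrary arguments to cmd.exe, which defeats the purpose of restricting the published program.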