How to Set Up Auto-Login for Windows RDP
You set up Windows RDP access to a target device so that the end user logs in automatically without entering a password. You configure the following procedures to provide the auto-login access:
Create a Device
Add the device to which you want to provide auto-login access. For more details about Device attributes that are not covered in this procedure, see Device Group Setup.
Follow these steps:
- Select Devices, Manage Devices.
- To specify a new device, select Add.
- Enter a Name. This name is displayed on the Access page. You can enter double-byte characters.
- Enter the device IP address or FQDN in the Address field.
  - For FQDN, DNS must be set up properly on the Configuration, Network, Network Settings page.
- For Device Type, select Access and Password Management.
- Select Scan to detect services that are configured on the device. The detected services appear on the Access Methods and Services tabs. RDP should appear on the Access Methods tab after selecting Scan.
- Select OK to save the Device.
Create an Application
Add the Application and Target Connector for connecting users to your device. For Windows RDP, you can use one of the following connectors. Select an Application Type according to your Windows infrastructure and the type of login account you plan to use.
- Windows Proxy Connector: To use the Windows Proxy connector, you must install the connector on a remote server in your target domain.
- Windows Remote Target Connector: The Windows Remote target connector uses local Windows accounts to connect.
- Active Directory Target Connector: The Active Directory connector uses Active Directory accounts to connect.
For ease of demonstration, we use the Windows Remote connector.
Follow these steps in the UI:
- Select Credentials, Manage Targets, Applications.
- Select Add.
- Use the Host Name magnifying glass to find the target device. Select the device and select OK.
- The Host Name and Device Name of the target server are populated.
- Enter a unique Application Name. This name does not have to be an existing application on the target device.
- In the Application Type field, select Windows Remote.
- Select the Windows Remote tab.
- For the Account Type, select Local Account. This type is only able to manage local accounts on target servers.
- Select OK to save the Application.
Create an Account
Add the login account for Privileged Access Manager to use to log in to the target device. For more information about setting up accounts for different application types, see the following pages:
- Windows Proxy Target Accounts: The Windows Proxy connector can use local accounts or domain accounts with the AD connector.
- Windows Remote Target Accounts: The Windows Remote target connector uses local Windows accounts to connect.
- Active Directory Target Account: The Active Directory connector uses Active Directory accounts to connect.
For ease of demonstration, we use the Windows Remote connector.
Follow these steps:
- Select Credentials, Manage Targets, Accounts. The Target Account page appears with a list of existing accounts.
- Select Add. The Add Target Account page appears.
- Select the Application Name magnifying glass to find the target application. Select the application and select OK. The Host Name, Device Name, and Application Name fields are populated.
- Enter the Account Name. The account name must be unique for a given target application and must be the account name that the target system uses.
- Select the Password View Policy for the account.
- Enter an initial account Password or select the Generate Credential key icon to generate a default password.
- On the Password tab, select Discovery Allowed to discover accounts on the Windows remote system.
- Select Update both the Credential Manager Server and the target system. Password updates are performed both in Credential Manager and on the target system to maintain consistency.
- On the Windows Remote tab, select the Administrator Account Type.
- Select OK to save the Account.
Create a User
Add a User that you want to use auto-login to access the target device. For information about authentication methods, roles, and other User attributes, see Identify Users that Can Log in to the Server. For ease of demonstration, we create a "local" Privileged Access Manager user.
Follow these steps:
- Select Users, Manage Users.
- Select Add to create a user.
- Complete the required fields in the Basic Info section (indicated by a red asterisk).
  - User Name accepts alphanumeric characters, a dash, an underscore, and spaces. For AWS users, a user name can be from 2 through 32 characters long because of restrictions on federated users within AWS.
- Select OK to save the User.
Create a Policy
Create a Policy linking the user, the device, and the account. For more detailed information about policies, see Set Up a Policy.
Follow these steps:
- Select Policies, Manage Policies.
- Create a policy by clicking Add.
- Use the fields in the Association tab to locate the user and device that you want to associate in the policy. Select the search icon in each field to display the list of choices. Select an entry and OK to add it to the Association screen.
- On the Access tab, select "RDP" and move it to the Selected Access list. Then select the target account that you created for auto-login. Use the magnifying glass button under the Target Account heading to find the account. Use the shuttle control to move the account from the Available column to the Selected column.
- Select OK.
- If session recording capability is configured, you can specify the types of recording to make using the options on the Recording tab.
- Select OK to save the Policy.
The User should now be able to log in to the Access page, and RDP into the Device without credentials.