Our department is responsible for providing courses that, among others, rely on a fully working Windows domain. Let us call these environments simply System1, System2 and so on. The intention is to provide a remote desktop connection for the students of the courses, so that they can connect to these systems. Technically, this is just an RDP connection to any server within the system as a starting point. Let us call these starting points System 1 Gateway, System 2 Gateway and so on.
Above all these systems, we have an Active Directory domain for our department and a complete Windows Remote Desktop setup; let us refer to this as the main domain. This main domain has one server that acts as a Remote Desktop Gateway (RDGW) and also hosts a custom MVC5 web page.
If a user participates in a course and wants to connect to one of the systems, we create an account for them, which they can then use to log in to the MVC5 web application, which shows information about all the courses and so on. They can also download a preconfigured `.rdp` file. This file has the web server (which has a public domain with a valid TLS certificate and is also the Remote Desktop Gateway) configured as the gateway, and the target is an IP address inside the main domain that does port-forwarding to one of the System X Gateways (this setup just has to be like this, take it as given).
The issue that we currently have with this setup is that the user must first log in to the web page with their main domain credentials (from their own, either private or corporate, computer). Then they download the `.rdp` file and establish the connection, where they have to enter the same credentials for the gateway again, because the credentials are not shared between the OS and the browser. Afterwards, they have to enter the credentials of the target system gateway as well. We can predefine the username of the final system gateway, but not the password, as an encrypted password within the `.rdp` file can only be decrypted successfully if the encryption was created with their local Windows user key, which is, of course, not accessible via the web service. The password we speak of here is the one of the target system, which is just a training system with a dummy password, so this is okay. The security comes from the Remote Desktop Gateway (RDGW) and the authentication against our main domain.
Long story short: this way of providing multiple credentials is quite confusing for the students, making many of them fail to connect at all. So we want to improve the process and make it as simple as possible for them. So my question is: how do we simplify the above-mentioned connection establishment? A first welcome step would be to prevent the RDGW from asking for the credentials again. We do not want the user to install anything (as RDP on Windows is pre-installed, this is some kind of exception). Users run on PCs where they may have no rights at all.
Things we have considered or tried so far:
- As mentioned, we tried to at least incorporate the encrypted password for the target system (which is always a simple dummy password as it is a training/test system), which fails as that would only work if their Windows system were also in our domain. Which it is not; the client could theoretically even be a Linux system.
- We tried a `.bat` download which includes the step not working above. As it is executed locally, we can create the encrypted hash/token (whatever it is called), create the `.rdp` on the fly and it works. The problem is though, who allows the execution of arbitrary executable files? Nobody.
- We tried to use Microsoft's RD Web Service. The old version sucks as it uses ActiveX, so the newer version based on HTML5 is preferred. The nice thing is, it basically provides an RDP client in the browser, but the problem is that it was created for services running WITHIN the main domain, not to forward further to `ip:port`. Maybe there exists a way to just extract and host the RDP client code, but how would it be configured then?
- External solutions like Myrtille or Guacamole might work, but there seems to be no way to programmatically tell these solutions: establish RDP with that gateway to target `ip:port`, please use the current web Windows login credentials for the gateway.
We have been stuck on this problem for quite some time now. Maybe we are completely overthinking it. Basically, we just want to establish an RDP connection via the web browser in such a way that at least the gateway credentials are taken from the already established login session, since the credentials for domain and gateway are, of course, the same. A browser add-on is not a solution here; we want zero configuration.
Thanks in advance for all hints, I hope this long text makes the problem and what we have tried so far somehow understandable.
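As an added example that is not part of the question or the poster's code, the following Python builds the preconfigured `.rdp` file described above (public web server as RD Gateway, internal `ip:port` target, predefined username, no embedded password) and reads back, from the file alone, which credential prompts its settings imply. The gateway hostname and target address are constructed placeholders, and the meaning given to the `gatewaycredentialssource` and `promptcredentialonce` values is that of mstsc's documented settings.

```python
"""Added example: generate and review the preconfigured .rdp file from the question."""
from typing import Dict, List, Tuple

RdpEntry = Tuple[str, str]  # (type letter, raw value): s=string, i=integer, b=binary hex

GATEWAY_SOURCE = {  # gatewaycredentialssource values as mstsc interprets them
    "0": "gateway: password (NTLM)",
    "1": "gateway: smart card",
    "5": "gateway: cookie-based (RD Web SSO)",
}

def build_rdp(gateway_fqdn: str, target: str, username: str) -> str:
    """Emit the .rdp handed out by the web app: the public web server doubles as the
    RD Gateway; the target is an internal ip:port forwarded to a System X Gateway."""
    lines = [
        f"full address:s:{target}",
        f"username:s:{username}",          # the target username can be predefined
        f"gatewayhostname:s:{gateway_fqdn}",
        "gatewayusagemethod:i:1",          # 1 = always connect through the RD Gateway
        "gatewayprofileusagemethod:i:1",   # 1 = use the explicit gateway settings above
        "gatewaycredentialssource:i:0",    # 0 = NTLM password prompt at the gateway
        "promptcredentialonce:i:0",        # 0 = gateway and target credentials differ
        "authentication level:i:2",        # 2 = warn when the server certificate fails
    ]
    return "\r\n".join(lines) + "\r\n"

def parse_rdp(text: str) -> Dict[str, RdpEntry]:
    """Parse 'key:type:value' lines; keys may contain spaces (e.g. 'password 51')."""
    entries: Dict[str, RdpEntry] = {}
    for raw in text.splitlines():
        if raw.strip():
            key, typ, value = raw.split(":", 2)
            entries[key] = (typ, value)
    return entries

def credential_prompts(text: str) -> List[str]:
    """List the credential prompts a student will face, derived from the file alone."""
    e = parse_rdp(text)
    prompts: List[str] = []
    if e.get("gatewayusagemethod", ("i", "0"))[1] in ("1", "2"):  # a gateway is in use
        source = e.get("gatewaycredentialssource", ("i", "0"))[1]
        prompts.append(GATEWAY_SOURCE.get(source, "gateway: user selects the method later"))
    if prompts and e.get("promptcredentialonce", ("i", "0"))[1] == "1":
        prompts.append("target: reuses gateway credentials")
    elif "password 51" in e:  # DPAPI blob: usable only by the Windows profile that created it
        prompts.append("target: embedded DPAPI password (works only where it was created)")
    else:
        prompts.append("target: password")
    return prompts
```

With the settings the question describes, the review yields two separate prompts (gateway password, then target password), which is exactly the double entry the students stumble over; an embedded `password 51:b` blob is flagged rather than counted as a prompt, since it only decrypts on the profile that produced it.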