
Authentication & Permissions

Hi,


This might seem like a basic question and I may be simply missing something simple but I cannot seem to get the correct outcome from my server/TS config.


From what I can understand there are only two options regarding the access rules for both the document store and Royal Server itself.


1) Turn them on and force the user to create a credential record in TS to authenticate.

2) Leave them off meaning anyone can access them.


My question is why can't I get the access rules to work based on the account username (windows credentials) that is logged into TS by default? Looking at the Royal Server logs, the server seems to know which user account is lodging requests regardless of the used credentials. Is specifying an additional credential record really necessary since we have already logged into TS with a domain account that has the required access?  


Any assistance appreciated. 


Cheers, 

Jake 


Hi Jake,


To authenticate a Windows user, we need to perform a login of the user on the server to find out if the user is valid and has permission. For that we need the username and the password. We can get the current username you run Royal TS with, but it's not possible to programmatically get the password of your user (which is a good thing, otherwise it would be a huge security issue in Windows!). That is one of the reasons you have to create a credential object in order to get access to your document on the Royal Server. Another reason is the support of other platforms (macOS, Android and iOS).


I hope this clears things up. If you have any further questions, let me know.


Regards,
Stefan
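The point Stefan makes above, that a server can only confirm a Windows account by actually performing a logon with the username and the password, can be shown with a short script. This is an added example and not Royal TS or Royal Server code; it uses the .NET `System.DirectoryServices.AccountManagement` API, and the domain name `CORP` and group name `RoyalServer-Users` are placeholders you would replace with your own.

```powershell
# Added example (not Royal TS / Royal Server code): confirm a domain account by
# performing a real logon, then check membership of an AD group for authorization.
# Placeholders: domain "CORP" and group "RoyalServer-Users".
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-DomainLogon {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][System.Security.SecureString]$Password,
        [Parameter(Mandatory)][string]$RequiredGroup
    )
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
        [System.DirectoryServices.AccountManagement.ContextType]::Domain, $Domain)
    try {
        # Expose the plaintext only for the duration of the validation call, then wipe it.
        $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
        try {
            $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
            # ValidateCredentials performs an actual logon against the domain;
            # knowing the username alone (e.g. $env:USERNAME) is not enough.
            $valid = $ctx.ValidateCredentials($UserName, $plain)
        } finally {
            [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        }
        if (-not $valid) {
            return [pscustomobject]@{ Authenticated = $false; Authorized = $false }
        }

        # Authorization: membership of the required group (nested groups included).
        $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $UserName)
        $inGroup = $false
        if ($user) {
            $match = $user.GetAuthorizationGroups() |
                Where-Object { $_.SamAccountName -eq $RequiredGroup } |
                Select-Object -First 1
            $inGroup = [bool]$match
        }
        return [pscustomobject]@{ Authenticated = $true; Authorized = $inGroup }
    } finally {
        $ctx.Dispose()
    }
}

# Usage: the interactive user's name is known, the password has to be supplied.
$cred = Get-Credential -Message "Domain account to validate"
Test-DomainLogon -Domain 'CORP' -UserName $cred.UserName -Password $cred.Password -RequiredGroup 'RoyalServer-Users'
```

The username a server sees in its request logs identifies who sent the request, but it is not proof of identity; the `ValidateCredentials` call is what establishes that, and it cannot run without the password. The group check afterwards is where AD group based access, as asked for later in this thread, would be enforced.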

Ok - I see what you're getting at with the passwords being required.


However, I'm not sure how comfortable we are with creating records that hold our domain account credentials. I wish to use AD groups to manage access to royal server and various documents. 


Is there either a supported single sign on option or a way we can just set up a one time authentication when opening TS and adding the server or opening a document in TS?

Hi Jake,


This depends on your infrastructure. You can configure GPOs for your Windows clients to enable SSO for RDP (passing through the interactive user to the server):
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/how-to-enable-single-sign-on-for-my-terminal-server-connections/ba-p/246523


For other connection types (like VNC or SSH) you need to provide credentials.


Regarding your concerns with storing passwords: we are using industry standard encryption technologies (AES-XTS) to encrypt all sensitive data (like passwords) in our documents. Using a secure master password will protect your passwords and secrets. You can read more about this here: https://docs.royalapps.com/r2021/royalts/getting-started/security.html#encryption


Regards,
Stefan
