Windows 2008 R2 server running Remote Desktop Services (what we used to call Terminal Services back in the olden days). This server is the entry point into a hosted application -- you could call it Software as a Service I suppose. We have 3rd party clients connecting to use it.
Using RemoteApp Manager to build RemoteApp .rdp shortcuts to distribute to client workstations. These workstations are not in the same domain as the RDS server. There is no trust relationship between domains (nor will there be). There is a tightly controlled site to site VPN between workstations and the RDS server, we're quite confident we have access to the server locked down.
The remoteApp being run is an ERP application with its own authentication scheme.
The issue? I'm trying to avoid the need to create AD logins for every end user when connecting to the RemoteApp server. In fact, since we're doing a remoteApp and they have to authenticate to that app, I'd rather just not prompt them at all for AD creds. I certainly don't want them caught up in managing AD passwords (and periodic expirations) for accounts they only use to get to their ERP login.
However, I can't figure out how to embed AD creds in a RemoteApp .rdp file. I don't really want to turn off all authentication on the RDS server at that level.
Any good options? My goal is to make this as seamless as possible for the end-users.
Clarifying questions are welcome.
It is possible to embed a password in a .rdp file, but the password is encrypted with the SID of your local user account in such a way that the .rdp file is not interchangeable between users or computers. This behavior is by design: Microsoft didn't want an intruder to be able to obtain the keys to a terminal server just by stealing an .rdp file from someone's desktop.
Fortunately, there is a reasonably well-documented workaround. Basically, you need to create the .rdp file "on the fly" via a batch file or script that the user runs instead of invoking
mstsc.exe
directly. Your script creates the appropriate .rdp file and, in doing so, it encrypts the password in such a way thatmstsc.exe
will accept it in the context of the current user.Resources:
Each of the above articles includes either a link to a tool that can be used to encrypt RDP passwords and/or source code. I would suggest working from the source code if feasible. (As always, use binaries compiled by internet strangers at your own risk.)
Hmm... interesting. The first thing that comes to mind is using key/certificate (like ssh):
Does this help?