Showing results for tags 'rdp'.

Found 2 results

  1. Hi all,

     My company is an MSP and uses PasswordState. We are moving many of our customer environments to Microsoft Azure. Customer VMs in Azure are accessed using RDP via an Azure Bastion host.

     I wanted to know if PasswordState supports the launching of RDP sessions to VMs hosted in Azure that must be accessed via an Azure Bastion service? I have searched the Internet and these forums and have not had a single hit on "PasswordState" with "Azure Bastion". I do see other vendors updating their products to support RDP connections via Bastion (e.g. RoyalTS just did this).

     The authentication scenarios would look like this:

     1. Our engineers log into PasswordState using their in-house Active Directory accounts that we manage.

     2. The engineer would launch an RDP session to a VM via Azure Bastion. The connection address would have to include the full path to resource in Azure. This could either be a Bastion shareable link which would look something like the following (both links are samples/obfuscated):

        https://bst-e5347507-0e14-42b3-971f-07058357fcbe.bastion.azure.com/api/shareable-url/70eac15e-b29b-4755-907b-b945213845a3

        This will hit a logon web page like the following:

        Or, using the Azure Resource ID like the following:

        /subscriptions/2e5152ee-237e-44c6-b00a-682bff10711c/resourceGroups/ABC-RG-UK-MYRESGROUP/providers/Microsoft.Compute/virtualMachines/AMD-BKO-UKS-1

        The latter is the method that RoyalTS now uses to specify the remote host. They use the Azure CLI Bastion extension to create the remote connection.

     3. [Edited] The challenge as I see it is in being able to pass two sets of authentication credentials to Bastion to be able to log on, which will be required for some scenarios (see below). This is similar to how Terminal Server Gateway works - you need to authenticate to both the Bastion service (gateway), and to the target VM that you wish to logon to.

     In some scenarios, these credentials would have to come from two accounts: one with the privileges required to access Azure Bastion and the other to logon to the VM. PasswordState would have to be able to store and pass both.

     For reference, Bastion requires that the connecting user has the following Azure RBAC roles:

     • Reader role on the virtual machine object.
     • Reader role on the NIC with private IP of the virtual machine.
     • Reader role on the Azure Bastion resource.
     • Reader role on the virtual network of the target virtual machine (if the Bastion deployment is in a peered virtual network).

     Ref: Are any roles required to access a virtual machine?

     Logging on the VM itself would require one or two sets of credentials depending on how the VM is configured. Here are the scenarios I can think of:

     1) The VM is Entra ID-joined. If this method is used, the account used to authenticate to Bastion could also be used to logon to the VM. In addition to the Entra ID RBAC roles given above, the account would also require the VM Admin Login or VM Login RBAC role. This would be the least common scenario for us.

     2) The VM is joined to an AD DS domain. In this scenario, separate account credentials would have to be presented to authenticate: an Entra ID account (for Bastion) and then the AD DS domain account (for the VM). This would be very common for us.

     3) The VM is in a local Windows Workgroup configuration. In this scenario, separate account credentials would have to be presented to authenticate: an Entra ID account (for Bastion) and then the local Windows account (for the VM).

     Has anyone done this already? Is there a config guide for this? If it's possible, I guess it's the connection string clarification that I need. As I say - I haven't found anything on the web around this config.

     Many thanks in advance,
     Garry
  2. Purpose: This post outlines the process you need to follow, to grant someone access to the Remote Session Launcher, without them having the need to know the password. An example could be you have a contractor coming on site, and you want them to connect to machines and perform work, but you do not want them knowing the password they are using to connect.

     If you are not familiar with how to set up the Remote Session Launcher, please see this in-depth Forum Post - https://www.clickstudios.com.au/community/index.php?/topic/2110-how-to-set-up-the-remote-session-launcher-passwordstate-8/

     1. Under the Passwords tab, add a new Password Record that has an account that has permissions to connect into machines on your network. The following example is an Active Directory account which can connect to any Windows Server or Desktop. **Note, you do not grant the contractor permissions to see or use this Password Record:

     2. Under Hosts tab -> Hosts Home, create a new Remote Session Credential, and link it to the existing Password Record you just created:

     3. Grant your Contractor access to the remote session Credential you have just created in step 2 above:

     4. Under the Hosts tab, grant the user access to the Folder of your choice, which has the machines added into it:

     5. The user will now be able to choose a Host of their choice, and click the Auto Launch button. This will use the Remote Session Credential to establish a connection to the remote host, and the contractor will not have access to the password that they have connected in with:

     Regards,
     Support
     Click Studios