Use DCV gateway, but it is not logging into instance - Brings up CTRL-ALT-DELETE screen

1

I have (finally) got the DCV Gateway working, however it does not log in directly into the Windows session.

I have it going to the DCV Gateway --> DCV Server with external Authentication --> presents CTRL-ALT-DELETE screen instead of logging in directly.

I have tried both HKEY_USERS\S-1-5-18\Software\GSettings\com\nicesoftware\dcv\security\authentication: system or none

It is reaching the External Authentication server and responding with (username below is the OS account):

<auth result='yes'><username>username</username></auth>

Getting this in the log (sanitized host, users, IP addresses):

2022-06-09 18:15:26,518420 [  3556:3192  ] DEBUG frontend-handler - Incoming connection request message [(msg: 472)(bin: 0)(pad: 0)] from 10.10.10.10:55470
2022-06-09 18:15:26,518420 [  3556:3192  ] INFO  http-user-auth - Requesting token authentication for session console using verifier https://host/rest/dcv/auth
2022-06-09 18:15:26,518420 [  3556:3192  ] DEBUG http-user-auth - Sending message
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG http-user-auth - Message sent to verifier https://host/rest/dcv/auth
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG http-user-auth - Content-length: 122, reading 122 bytes
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG http-user-auth - Auth result: yes
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG http-user-auth - Username: username
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG frontend-handler - Connection request from client 10.10.10.10:55470 has valid token (user: username)
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG usercredentials - No domain name to be converted
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG throttler - New connection for user username added, now 1 of 10
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  usercredentials - Cannot trigger credential provider without auth data
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  connection - Client Information for 10.10.10.10:55470: dcv web client/Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36 (1.1.329), System: Win32 web (transport: websocket)
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG channel - Channel main (1, 000002A3DA440060) created for client 10.10.10.10:55470
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG main-channel - Sent connection confirm for session console to 10.10.10.10:55470
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  channel - Channel main (1, 000002A3DA440060) of connection 1 successfully established with client 10.10.10.10:55470
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG session - Connection 1 established, adding to session
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  session-manager - Client 1 (user: username) connected to session with ID console
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG session - New client 1 connected to session console
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG connection - Client connection 1 established
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG connection - Checking authorized channels of connection 1 for user 'username'
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  connection - Channel 'audio' authorized for user 'username': notifying channel.
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  main-channel - Send channel notification for channel audio to 10.10.10.10:55470 in session console
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  connection - Channel 'input' authorized for user 'username': notifying channel.
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  main-channel - Send channel notification for channel input to 10.10.10.10:55470 in session console
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  connection - Channel 'display' authorized for user 'username': notifying channel.
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  main-channel - Send channel notification for channel display to 10.10.10.10:55470 in session console
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  connection - Channel 'clipboard' authorized for user 'username': notifying channel.
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  main-channel - Send channel notification for channel clipboard to 10.10.10.10:55470 in session console
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  connection - Channel 'filestorage' not available for user 'username', backend not available.
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  connection - Channel 'redirection' authorized for user 'username': notifying channel.
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  main-channel - Send channel notification for channel redirection to 10.10.10.10:55470 in session console
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  connection - Channel 'usb' not available for user 'username', backend not available.
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  connection - Channel 'smartcard' not available for user 'username', user not authorized.
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG main-channel - Starting main protocol for session console
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG main-channel - Sending to 10.10.10.10:55470 channel notification for channel input in session console
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG main-channel - Sending to 10.10.10.10:55470 channel notification for channel display in session console
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG main-channel - Sending to 10.10.10.10:55470 channel notification for channel audio in session console
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG main-channel - Sending to 10.10.10.10:55470 channel notification for channel clipboard in session console
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG main-channel - Sending to 10.10.10.10:55470 channel notification for channel redirection in session console
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG main-channel - Sending license updates notification for session console to main channel 000002A3DA440060
2022-06-09 18:15:27,066446 [  3556:3192  ] DEBUG throttler - Available tokens 99
2022-06-09 18:15:27,066446 [  3556:3192  ] DEBUG throttler - Adding tokens, new available tokens number is 100
2022-06-09 18:15:27,066446 [  3556:3192  ] DEBUG http-service - Incoming connection from 10.10.10.10:55474 (establish-timeout: 5 sec)
2022-06-09 18:15:27,082046 [  3556:3192  ] DEBUG http-service - Checking headers for GET request (path: /ws) from client 10.10.10.10
2022-06-09 18:15:27,082046 [  3556:3192  ] DEBUG http-service - Websocket handler called
2022-06-09 18:15:27,082046 [  3556:3192  ] DEBUG frontend-handler - Incoming connection request message [(msg: 328)(bin: 0)(pad: 0)] from 10.10.10.10:55474
2022-06-09 18:15:27,082046 [  3556:3192  ] DEBUG frontend-handler - Checking channel connection token with id 2
2022-06-09 18:15:27,082046 [  3556:3192  ] DEBUG auth-token - Checking claims: {"cid": "1", "sid": "console", "ch": "input"}
2022-06-09 18:15:27,082046 [  3556:3192  ] DEBUG frontend-handler - Insert token 2 in the set of already spent tokens
2022-06-09 18:15:27,082046 [  3556:3192  ] DEBUG frontend-handler - Channel connection request from client 10.10.10.10:55474 has valid token (channel: input)
2022-06-09 18:15:27,082046 [  3556:3192  ] DEBUG channel - Channel input (2, 000002A3DA442080) created for client 10.10.10.10:55474
2022-06-09 18:15:27,082046 [  3556:3192  ] DEBUG DCV - Sent connection confirm to 10.10.10.10:55474
2022-06-09 18:15:27,082046 [  3556:3192  ] INFO  channel - Channel input (2, 000002A3DA442080) of connection 1 successfully established with client 10.10.10.10:55474
2022-06-09 18:15:27,082046 [  3556:3192  ] DEBUG connection - Data channel input for connection 1 is ready (000002A3DA442080)
2022-06-09 18:15:27,082046 [  3556:3192  ] DEBUG connection - Data channel input connected for client connection 1
2022-06-09 18:15:27,082046 [  3556:3192  ] INFO  input - Client 10.10.10.10:55474 can handle input status updates. Session ID: console.

asked 2 years ago, 421 views
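The symptom in the log above, as an added triage example that is not part of the original post or of DCV itself: it parses lines in the format shown and flags a user whose external-authenticator token was accepted while the `usercredentials` component reported it could not trigger the credential provider, and it lists the per-channel authorization decisions. The sample lines are constructed from the sanitized log in the question; tying the `usercredentials` line to the most recent token user is an assumption, since that line carries no username.

```python
import re

# Constructed sample: shaped after the sanitized log lines in the question.
SAMPLE = """\
2022-06-09 18:15:26,518420 [  3556:3192  ] INFO  http-user-auth - Requesting token authentication for session console using verifier https://host/rest/dcv/auth
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG http-user-auth - Auth result: yes
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG frontend-handler - Connection request from client 10.10.10.10:55470 has valid token (user: username)
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  usercredentials - Cannot trigger credential provider without auth data
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  connection - Channel 'input' authorized for user 'username': notifying channel.
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  connection - Channel 'usb' not available for user 'username', backend not available.
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  connection - Channel 'smartcard' not available for user 'username', user not authorized.
"""

# timestamp [pid:tid] LEVEL component - message
LINE = re.compile(r"^(\S+ \S+) \[\s*(\d+):(\d+)\s*\] (\w+)\s+(\S+) - (.*)$")
TOKEN_OK = re.compile(r"has valid token \(user: (.+)\)$")
CHANNEL = re.compile(r"Channel '(\w+)' (authorized|not available) for user '([^']*)'(?:, (.+?)\.)?")

def summarize(log_text):
    """Return per-user facts: token accepted, OS logon skipped, channel decisions."""
    users, last_user = {}, None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # ignore lines that are not in the server log format
        component, msg = m.group(5), m.group(6)
        if component == "frontend-handler" and (t := TOKEN_OK.search(msg)):
            last_user = t.group(1)
            users.setdefault(last_user, {"token_ok": True, "os_logon_skipped": False,
                                         "allowed": [], "denied": {}})
        elif component == "usercredentials" and last_user and msg.startswith("Cannot trigger credential provider"):
            # Assumption: this line refers to the most recently accepted token user.
            users[last_user]["os_logon_skipped"] = True
        elif component == "connection" and (c := CHANNEL.search(msg)):
            name, verdict, user, reason = c.groups()
            if user in users:
                if verdict == "authorized":
                    users[user]["allowed"].append(name)
                else:
                    users[user]["denied"][name] = reason
    return users

if __name__ == "__main__":
    for user, facts in summarize(SAMPLE).items():
        print(user, facts)
```

A user with `token_ok` and `os_logon_skipped` both true matches the behaviour described in the question: the DCV connection is authorized, but the Windows logon is still required.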
2 Answers
0

Hello! Are you using the DcvSimpleExternalAuthenticator that we provide [1] or did you implement your own? Have you modified the default.perm file [2] in C:\Program Files\NICE\DCV\Server\conf to use the keyboard-sas? Due to the nature of this issue I would suggest that you reach out to us on a Support Case so that we can follow through and provide you with a solution.

[1] Use External Authentication - https://docs.aws.amazon.com/dcv/latest/adminguide/external-authentication.html

[2] Working with permissions files - https://docs.aws.amazon.com/dcv/latest/adminguide/security-authorization-file-create.html

AWS
SUPPORT ENGINEER
answered 2 years ago
0

Replies to your questions are below. I did submit a support case with NICE support directly (authors of DCV) and this is what they said surprisingly:

> Unfortunately, automatic login on Windows using the Credential Provided is currently not supported when using the DCV external authenticator, and the DCV gateway currently requires an external authenticator to work. I filed a feature request for this, here is the internal ticket number for you for reference/escalation: DCV-5617

This kinda defeats the whole purpose with external authenticator. The documentation implies it should bypass the built-in winLogin process https://docs.aws.amazon.com/dcv/latest/adminguide/external-authentication.html . To me it seems like a bug not a feature request, but whatever. Without gateway/external authenticator, DCV web browser and DCV client can bypass the O/S login. I hope this gets resolved quickly.

Answers to your questions:

  • [1] - I used my own authentication server
  • [2] - Yes we have modified the permission file:
%any% deny file-download file-upload smartcard printer
username allow builtin

Another feature request (related) to the permissions file: I would rather control the permissions through the response from the External Authentication instead of a file the user could change. Something like: <auth result="yes"><username>username</username><permissions><deny>file-download file-upload smartcard printer</deny><allow>builtin</allow></permissions></auth>

answered 2 years ago
