Is it possible to use SSO with NiceDCV to log in to a Windows Domain desktop?

4

The NiceDCV manual mentions the DCV server can enable Kerberos/GSSAPI for authentication. Does this mean that we can make a user connect to a remote desktop with NiceDCV using SSO (skipping the Ctrl/Alt/Del login screen)? The user would be running a Windows laptop joined to the domain and the DCV server would be running on a (virtual) Windows desktop joined to the same domain.

joustie
asked 7 months ago · 420 views
1 Answer
0

Hey there, thank you for the question. SSO for DCV on Windows is only available when you are directly connecting to the DCV server with SYSTEM auth. When a DCV Connection Gateway is used, it will rely on an External Authenticator. For Linux, the session will also land on the lock screen. With Active Directory joined machines, ensure you are logging in as DOMAIN\USER in the DCV client.

AWS
answered 7 months ago
  • We did an experiment with AD joined Windows machines with a direct connection:

    [version]
    format=1.0
    [connect]
    host=<private ip>
    port=8443
    sessionid=pnlkGSkYBGyJLjSqkVCtxLhDDLjtBH2yB3
    user=domain\user
    proxytype=Direct
    proxyhost=
    proxyport=
    proxyuser=
    proxypassword=
    certificatevalidationpolicy=accept-untrusted
    [options]
    promptreconnect=false
    fullscreen=false
    

    It did not work and we received a username/password dialog in the NiceDCV client.

  • On the Windows client machine (logged in with domain\user), the (partial) DCV client log:

    2023/09/27 10:26:54.879 |   Info|  viewer.AuthenticationChannel| Authentication channel connected
    2023/09/27 10:26:55.143 |   Info|  viewer.AuthenticationChannel| Server SASL mechanisms: [GSSAPI, PLAIN]
    2023/09/27 10:26:55.144 |   Info|  viewer.AuthenticationChannel| Server authentication mode: System
    2023/09/27 10:26:55.155 |   Info|  viewer.AuthenticationChannel| Client SASL supported mechanisms: [SCRAM-SHA-1, GSSAPI, DIGEST-MD5, EXTERNAL, CRAM-MD5, LOGIN, PLAIN, ANONYMOUS]
    2023/09/27 10:26:55.155 |   Info|  viewer.AuthenticationChannel| Common SASL mechanisms subset: GSSAPI, PLAIN
    2023/09/27 10:26:55.159 |   Info|  viewer.AuthenticationChannel| Proceeding to SASL mechanism GSSAPI negotiation
    2023/09/27 10:27:01.230 |  Error|  viewer.AuthenticationChannel| GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Matching credential not found)
    2023/09/27 10:27:01.230 |  Error|  viewer.AuthenticationChannel| Client GSSAPI: ERROR (generic failure)
    2023/09/27 10:27:01.230 |  Error|  viewer.AuthenticationChannel| Client mech GSSAPI start returned failure code -1
    2023/09/27 10:27:01.230 |   Info|  viewer.AuthenticationChannel| Proceeding to SASL mechanism PLAIN negotiation
    2023/09/27 10:27:01.230 |   Info|  viewer.AuthenticationChannel| Requesting credentials (needed by chosen mech)
    
  • On the Windows DCV server, the only thing I can see about this session:

    2023-09-27 10:26:54,477730 [  3936:3984  ] DEBUG http-service - Incoming connection from 10.86.128.163:60423 (establish-timeout: 5 sec)
    2023-09-27 10:26:54,657961 [  3936:3984  ] DEBUG http-service - Checking headers for GET request (path: /auth) from client 10.86.128.163
    2023-09-27 10:26:54,658963 [  3936:3984  ] DEBUG http-service - Websocket auth handler called
    2023-09-27 10:26:54,979885 [  3936:3984  ] INFO  authenticator - Received authentication request from client '10.86.128.163:60423'
    2023-09-27 10:26:54,982880 [  3936:3984  ] DEBUG authenticator - Created SASL server for mode: system
    2023-09-27 10:26:54,982880 [  3936:3984  ] DEBUG sasl - List of mechanisms (mode: system): GSSAPI,PLAIN
    2023-09-27 10:26:54,982880 [  3936:3984  ] DEBUG authenticator - Sending SASL init to client 10.86.128.163:60423
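
The client log in the comment above shows GSSAPI failing with "Matching credential not found" and the client then moving on to PLAIN, which is the step that raises the username/password dialog. The following Python is an added example, not part of the original thread or of DCV itself: it scans a DCV client log and reports each connection where Kerberos SSO failed and PLAIN was tried afterwards. The function names and the line-layout regex are assumptions inferred from the quoted log lines.

```python
import re

# Constructed sample: a subset of the client log lines quoted in the comment above.
SAMPLE_LOG = """\
2023/09/27 10:26:54.879 |   Info|  viewer.AuthenticationChannel| Authentication channel connected
2023/09/27 10:26:55.143 |   Info|  viewer.AuthenticationChannel| Server SASL mechanisms: [GSSAPI, PLAIN]
2023/09/27 10:26:55.159 |   Info|  viewer.AuthenticationChannel| Proceeding to SASL mechanism GSSAPI negotiation
2023/09/27 10:27:01.230 |  Error|  viewer.AuthenticationChannel| GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Matching credential not found)
2023/09/27 10:27:01.230 |  Error|  viewer.AuthenticationChannel| Client mech GSSAPI start returned failure code -1
2023/09/27 10:27:01.230 |   Info|  viewer.AuthenticationChannel| Proceeding to SASL mechanism PLAIN negotiation
2023/09/27 10:27:01.230 |   Info|  viewer.AuthenticationChannel| Requesting credentials (needed by chosen mech)
"""

# Layout assumed from the lines above: "<date> <time> | <level>| <component>| <message>"
LINE_RE = re.compile(r"^(\S+ \S+) \|\s*(\w+)\|\s*([\w.]+)\| (.*)$")
PROCEED_RE = re.compile(r"Proceeding to SASL mechanism (\S+) negotiation")
MINOR_RE = re.compile(r"GSSAPI Error: .*\(([^()]*)\)\s*$")


def sasl_attempts(log_text):
    """Group the log into connections, each a list of mechanisms tried in order."""
    connections = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m[3] != "viewer.AuthenticationChannel":
            continue  # other components and unparseable lines are ignored
        ts, level, _, msg = m.groups()
        tried = PROCEED_RE.search(msg)
        if msg == "Authentication channel connected" or not connections:
            connections.append([])  # a new authentication channel starts a new group
        if tried:
            connections[-1].append({"mech": tried[1], "at": ts, "errors": []})
        elif level == "Error" and connections[-1]:
            connections[-1][-1]["errors"].append(msg)  # attach to the mechanism in progress
    return connections


def kerberos_fallbacks(log_text):
    """One finding per connection where GSSAPI errored and PLAIN was tried after it."""
    findings = []
    for attempts in sasl_attempts(log_text):
        gss = next((a for a in attempts if a["mech"] == "GSSAPI" and a["errors"]), None)
        later = attempts[attempts.index(gss) + 1:] if gss else []
        if not any(a["mech"] == "PLAIN" for a in later):
            continue
        minor = next((g[1] for e in gss["errors"] if (g := MINOR_RE.search(e))), "unknown")
        findings.append({"at": gss["at"], "failed": "GSSAPI", "fell_back_to": "PLAIN", "reason": minor})
    return findings
```

`kerberos_fallbacks(SAMPLE_LOG)` returns one finding with the reason "Matching credential not found". With `certificatevalidationpolicy=accept-untrusted`, as in the connection file above, a password entered after this fallback goes over a TLS session whose server certificate the client did not validate, so the fallback is worth surfacing rather than silently accepting.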
    
