Use DCV gateway, but it is not logging into instance - Brings up CTRL-ALT-DELETE screen


I have (finally) got the DCV Gateway working, however it does not log in directly into the Windows session.

I have it going to the DCV Gateway --> DCV Server with external Authentication --> presents CTRL-ALT-DELETE screen instead of logging in directly.

I have tried both HKEY_USERS\S-1-5-18\Software\GSettings\com\nicesoftware\dcv\security\authentication: system or none

It is reaching the External Authentication server and responding with (username below is the OS account):

<auth result='yes'><username>username</username></auth>

Getting this in the log (sanitized host, users, ipaddresses):

2022-06-09 18:15:26,518420 [  3556:3192  ] DEBUG frontend-handler - Incoming connection request message [(msg: 472)(bin: 0)(pad: 0)] from 10.10.10.10:55470
2022-06-09 18:15:26,518420 [  3556:3192  ] INFO  http-user-auth - Requesting token authentication for session console using verifier https://host/rest/dcv/auth
2022-06-09 18:15:26,518420 [  3556:3192  ] DEBUG http-user-auth - Sending message
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG http-user-auth - Message sent to verifier https://host/rest/dcv/auth
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG http-user-auth - Content-length: 122, reading 122 bytes
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG http-user-auth - Auth result: yes
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG http-user-auth - Username: username
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG frontend-handler - Connection request from client 10.10.10.10:55470 has valid token (user: username)
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG usercredentials - No domain name to be converted
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG throttler - New connection for user username added, now 1 of 10
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  usercredentials - Cannot trigger credential provider without auth data
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  connection - Client Information for 10.10.10.10:55470: dcv web client/Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36 (1.1.329), System: Win32 web (transport: websocket)
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG channel - Channel main (1, 000002A3DA440060) created for client 10.10.10.10:55470
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG main-channel - Sent connection confirm for session console to 10.10.10.10:55470
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  channel - Channel main (1, 000002A3DA440060) of connection 1 successfully established with client 10.10.10.10:55470
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG session - Connection 1 established, adding to session
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  session-manager - Client 1 (user: username) connected to session with ID console
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG session - New client 1 connected to session console
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG connection - Client connection 1 established
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG connection - Checking authorized channels of connection 1 for user 'username'
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  connection - Channel 'audio' authorized for user 'username': notifying channel.
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  main-channel - Send channel notification for channel audio to 10.10.10.10:55470 in session console
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  connection - Channel 'input' authorized for user 'username': notifying channel.
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  main-channel - Send channel notification for channel input to 10.10.10.10:55470 in session console
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  connection - Channel 'display' authorized for user 'username': notifying channel.
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  main-channel - Send channel notification for channel display to 10.10.10.10:55470 in session console
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  connection - Channel 'clipboard' authorized for user 'username': notifying channel.
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  main-channel - Send channel notification for channel clipboard to 10.10.10.10:55470 in session console
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  connection - Channel 'filestorage' not available for user 'username', backend not available.
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  connection - Channel 'redirection' authorized for user 'username': notifying channel.
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  main-channel - Send channel notification for channel redirection to 10.10.10.10:55470 in session console
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  connection - Channel 'usb' not available for user 'username', backend not available.
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  connection - Channel 'smartcard' not available for user 'username', user not authorized.
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG main-channel - Starting main protocol for session console
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG main-channel - Sending to 10.10.10.10:55470 channel notification for channel input in session console
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG main-channel - Sending to 10.10.10.10:55470 channel notification for channel display in session console
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG main-channel - Sending to 10.10.10.10:55470 channel notification for channel audio in session console
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG main-channel - Sending to 10.10.10.10:55470 channel notification for channel clipboard in session console
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG main-channel - Sending to 10.10.10.10:55470 channel notification for channel redirection in session console
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG main-channel - Sending license updates notification for session console to main channel 000002A3DA440060
2022-06-09 18:15:27,066446 [  3556:3192  ] DEBUG throttler - Available tokens 99
2022-06-09 18:15:27,066446 [  3556:3192  ] DEBUG throttler - Adding tokens, new available tokens number is 100
2022-06-09 18:15:27,066446 [  3556:3192  ] DEBUG http-service - Incoming connection from 10.10.10.10:55474 (establish-timeout: 5 sec)
2022-06-09 18:15:27,082046 [  3556:3192  ] DEBUG http-service - Checking headers for GET request (path: /ws) from client 10.10.10.10
2022-06-09 18:15:27,082046 [  3556:3192  ] DEBUG http-service - Websocket handler called
2022-06-09 18:15:27,082046 [  3556:3192  ] DEBUG frontend-handler - Incoming connection request message [(msg: 328)(bin: 0)(pad: 0)] from 10.10.10.10:55474
2022-06-09 18:15:27,082046 [  3556:3192  ] DEBUG frontend-handler - Checking channel connection token with id 2
2022-06-09 18:15:27,082046 [  3556:3192  ] DEBUG auth-token - Checking claims: {"cid": "1", "sid": "console", "ch": "input"}
2022-06-09 18:15:27,082046 [  3556:3192  ] DEBUG frontend-handler - Insert token 2 in the set of already spent tokens
2022-06-09 18:15:27,082046 [  3556:3192  ] DEBUG frontend-handler - Channel connection request from client 10.10.10.10:55474 has valid token (channel: input)
2022-06-09 18:15:27,082046 [  3556:3192  ] DEBUG channel - Channel input (2, 000002A3DA442080) created for client 10.10.10.10:55474
2022-06-09 18:15:27,082046 [  3556:3192  ] DEBUG DCV - Sent connection confirm to 10.10.10.10:55474
2022-06-09 18:15:27,082046 [  3556:3192  ] INFO  channel - Channel input (2, 000002A3DA442080) of connection 1 successfully established with client 10.10.10.10:55474
2022-06-09 18:15:27,082046 [  3556:3192  ] DEBUG connection - Data channel input for connection 1 is ready (000002A3DA442080)
2022-06-09 18:15:27,082046 [  3556:3192  ] DEBUG connection - Data channel input connected for client connection 1
2022-06-09 18:15:27,082046 [  3556:3192  ] INFO  input - Client 10.10.10.10:55474 can handle input status updates. Session ID: console.

asked 2 years ago, 399 views
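The log in the question shows the verifier accepting the token, `usercredentials` then reporting that it cannot trigger the credential provider, and a per-channel authorization decision for the user. The following is an added example, not part of the original post or of DCV itself, that pulls those three facts out of a DCV server log; the line layout in the regexes is inferred from the excerpt above, and the function and key names are hypothetical.

```python
import re
from collections import defaultdict

# Line layout inferred from the log excerpt in the question (assumption).
LINE = re.compile(r"^(\S+ \S+) \[\s*\d+:\d+\s*\] (\w+)\s+(\S+) - (.*)$")
TOKEN_OK = re.compile(r"Connection request from client (\S+) has valid token \(user: (.+)\)")
CHANNEL = re.compile(r"Channel '(\w+)' (authorized|not available) for user '([^']+)'(?:, (.+?))?[:.]")
NO_CREDS = "Cannot trigger credential provider without auth data"

# Constructed sample: a subset of the sanitized lines posted in the question.
SAMPLE = """\
2022-06-09 18:15:26,643420 [  3556:3192  ] DEBUG frontend-handler - Connection request from client 10.10.10.10:55470 has valid token (user: username)
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  usercredentials - Cannot trigger credential provider without auth data
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  connection - Channel 'audio' authorized for user 'username': notifying channel.
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  connection - Channel 'filestorage' not available for user 'username', backend not available.
2022-06-09 18:15:26,643420 [  3556:3192  ] INFO  connection - Channel 'smartcard' not available for user 'username', user not authorized.
2022-06-09 18:15:27,082046 [  3556:3192  ] DEBUG frontend-handler - Channel connection request from client 10.10.10.10:55474 has valid token (channel: input)
"""

def summarize(log_text):
    """Per user: token accepted, credential provider skipped, channel decisions."""
    users = defaultdict(lambda: {"token_valid": False, "credential_provider_skipped": False,
                                 "allowed": [], "blocked": {}})
    current = None  # user named by the most recent validated connection request
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore lines that do not follow the assumed layout
        component, msg = m.group(3), m.group(4)
        if (t := TOKEN_OK.search(msg)):
            current = t.group(2)
            users[current]["token_valid"] = True
        elif component == "usercredentials" and NO_CREDS in msg and current:
            users[current]["credential_provider_skipped"] = True
        elif (c := CHANNEL.search(msg)):
            name, verdict, user, reason = c.groups()
            if verdict == "authorized":
                users[user]["allowed"].append(name)
            else:
                users[user]["blocked"][name] = reason  # text after the comma in the log line
    return dict(users)

if __name__ == "__main__":
    for user, info in summarize(SAMPLE).items():
        print(user, info)
```

A user with `token_valid` set and `credential_provider_skipped` set matches the symptom described here: the external authenticator accepted the connection, but no OS logon was performed on the user's behalf.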
2 Answers

Hello! Are you using the DcvSimpleExternalAuthenticator that we provide [1] or did you implement your own? Have you modified the default.perm file [2] in C:\Program Files\NICE\DCV\Server\conf to use the keyboard-sas? Due to the nature of this issue I would suggest that you reach out to us on a Support Case so that we can follow through and provide you with a solution.

[1] Use External Authentication - https://docs.aws.amazon.com/dcv/latest/adminguide/external-authentication.html

[2] Working with permissions files - https://docs.aws.amazon.com/dcv/latest/adminguide/security-authorization-file-create.html

AWS
SUPPORT ENGINEER
answered 2 years ago

Replies to your questions are below. I did submit a support case with NICE support directly (authors of DCV) and this is what they said surprisingly:

> Unfortunately, automatic login on Windows using the Credential Provider is currently not supported when using the DCV external authenticator, and the DCV gateway currently requires an external authenticator to work. I filed a feature request for this, here is the internal ticket number for you for reference/escalation: DCV-5617

This kinda defeats the whole purpose with external authenticator. The documentation implies it should bypass the built-in winLogin process: https://docs.aws.amazon.com/dcv/latest/adminguide/external-authentication.html. To me it seems like a bug not a feature request, but whatever. Without gateway/external authenticator, DCV web browser and DCV client can bypass the O/S login. I hope this gets resolved quickly.

Answers to your questions:

  • [1] - I used my own authentication server
  • [2] - Yes we have modified the permission file:
%any% deny file-download file-upload smartcard printer
username allow builtin

Another feature request (related) to the permissions file: I would rather control the permissions through the response from the External Authentication instead of a file the user could change. Something like: <auth result="yes"><username>username</username><permissions><deny>file-download file-upload smartcard printer</deny><allow>builtin</allow></permissions></auth>

answered 2 years ago
