User Mapping Policy not being applied to LDAP user

I have set up user access to SPS using LDAP, which works. I can sign in as an LDAP user to the SPS web portal OK.

Then I created a user mapping policy which maps any local user name on a test server to an LDAP group, of which my LDAP user is a member.

My RDP connection to the test server is using the user mapping policy.

When I RDP onto the test server via the SPS web interface, my test account credentials are recognised, but if I sign into the SPS portal as that user, I can see the connection under gateway authentication, but no user or remote user name is shown. The RDP connection displays a blank screen.

If I remove my user mapping policy from the RDP connection I can connect onto the test server OK. What am I doing wrong? I want to use user mapping, so my test user can sign onto the server as the local administrator.

thanks!

  • Hi Robert,

    Please check the following settings:

    1. RDP Control > Settings > expand default > Make sure Require Domain membership is unchecked to allow local admin login to the test server

    2. RDP Control > Connections > Expand the connection > Under the checkbox Require Gateway Authentication on the SPS web Interface > Group +
    - Add the Oneidentity_RDP_All group

    3. Connect using the RDP Client :
    If this is a non-transparent connection then the RDP Client points to Computer field as the SPS IP
    Username: localadmin@targetserverIP

    After the connection is initialized, SPS will prompt for localadmin credentials and once submitted, SPS will pause the connection with a blank screen upon which the AD user allowed in user mapping should perform the out of band gateway authentication at the SPS web page > Gateway Authentication pane > Assign the connection request by clicking on Assign button

    Once the connection is assigned then the RDP Client connection will resume to allow the localadmin to access to the target server.

    Thanks!

  • Hi

    When I create my RDP connection, in the computer name field I have the destination server's SPS IP address

    eg. 192.168.90.233

    In the username field I have the local server administrator account name @ destination server's actual IP address

    eg. administrator@192.168.90.205

    Then I get the SPS Web portal authentication page, I enter in the local administrator account password, and then get a blank screen.

    I sign into the SPS portal as one of the AD users in the group associated with my user mapping policy, OneIdentity_RDP_All, then under gateway authentication, I see the connection waiting to be assigned, and once assigned under active connections, I can see my AD user connected to the server as the local administrator.

    Does this sound correct?

    Is there any way with this product that I can use my AD user's credentials to connect to RDP and into the SPS Portal to assign the connection?

    Ideally we do not want the end users to be using the local administrator account to sign into the destination server.

    thanks!

  • Hi Robert,

    Yes, that is the correct behavior for this use case.

    You can use an AD user to log in to the target server as well if required; the difference is that the username field in the RDP client will look like this:

    ADUser@my.domain.local%TargetServerIP

    This is applicable for your SPS version 6.7.2

    Thanks!

  • Thanks for your help, really appreciated

    RDP connection to destination server SPS IP address:

    192.168.90.236

    username (with target server IP)

    robert@networkedge.co.nz192.168.90.205

    I can sign into the web portal as robert@networkedge.co.nz, and assign the session, but the RDP connection is then rejected, as the user robert@networkedge.co.nz is not a local admin on the server. Which means the user Robert@networkedge.co.nz is not being mapped to the local administrator account on the target server.

    What solution is required to make this work? The target server is not on the networkedge.co.nz domain.

  • Hi Robert,

    Could you try the following:

    In the Usermapping policy, you can enable the checkbox "Allow other unmapped usernames" which will allow the scenario for Gateway and remote username to be the same user.

    Also don't forget to add the percentage symbol before the target server IP such as:  robert@networkedge.co.nz%192.168.90.205

    Thanks!

  • Hi

    I have set up local users on the SPS now instead of LDAP and am now trying to connect to the destination server, as:

    robert%192.168.90.205

    I can assign the connection, but it fails as the user robert does not have local admin access or remote desktop access on the destination server.

    The user robert is not being mapped as the local administrator.

    On the destination server, are there any changes required to any of the local groups or RDP settings to allow these connections from the SPS?

    Another question: is it possible for a local user to enable auto assign for their connections, regardless of whether they are logged into the SPS console or not?

    thanks again

  • Hi Robert,

    The local user must be able to access the target server via RDP and so if this local user is not a local admin then you can add to Remote Desktop Users group possibly?

    Out of band gateway authentication is an optional setting, but when this option is enabled, the user must log in to the SPS web UI, as having the option enabled requires the user to perform out of band gateway authentication.

    You can enable auto-assign but this also requires the user to login at least once and keep the web page open in order for auto assign to trigger.

    - As per the admin guide:

    If your users have sessions to several remote servers, or access a server several times a day, performing the gateway authentication for every session can be a nuisance. To permit your users to authenticate on the SPS web interface once, and open sessions without repeating the gateway authentication, select Enable auto-assign and click  . Note that the user must leave the browser window (or tab) of SPS open.

    - Here is the link on Performing out-of-band gateway authentication on One Identity Safeguard for Privileged Sessions (SPS):

    support.oneidentity.com/.../83

    Thanks!

  • Hi,

    One query, for example:

    when a local user Robert connects via RDP onto a server, and signs into the SPS GUI using their local SPS password, when the user mapping policy is applied so this user is then signed into the target server as the local administrator, where is the password for the local administrator account on the target server, stored on the SPS?

  • Hi Robert,

    To clarify, in a non-transparent use case:

    In the RDP client the user would point to SPS IP as the computer.
    - Then in the Username field you would type the remote username and destination server as for example: localadmin%192.168.90.205 then click connect

    - Since the connection policy requires an out of band gateway authentication, the user Robert (local SPS user in your example) will need to sign into the SPS web UI to assign the connection to themselves from the Gateway Authentications pane.

    - The Usermapping policy is required here since Robert as gateway user does not match local admin as remote user; therefore, the usermapping policy designates whether local SPS user "Robert" is allowed, based on the group membership added in this policy, to access the username on the destination server, being the local admin account.

    - During the RDP client connection, the user will be prompted to enter the password for the local administrator account on the target server, unless the connection policy is also configured with a Local Credentials store that contains the local admin credentials, or an AA Plugin that can fetch the password from an external vault that contains the local admin credentials, which will require additional configuration.

    Thanks!

  • Hi

    I have seen in the security logs on the target server that the user is failing to log in, but the domain account name NEL is being appended to the user name, which we don't need because the target server is not on this domain.

    How can we force the RDP connection use the local user Robert on the SPS?

    Log Name: Security
    Source: Microsoft-Windows-Security-Auditing
    Date: 5/02/2021 2:56:41 PM
    Event ID: 4625
    Task Category: Logon
    Level: Information
    Keywords: Audit Failure
    User: N/A
    Computer: johnny5
    Description:
    An account failed to log on.

    Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

    Logon Type: 3

    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: Robert
    Account Domain: NEL

    Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xC000006D
    Sub Status: 0xC0000064

    Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -

    Network Information:
    Workstation Name: DESKTOP-JPE2C8O
    Source Network Address: 192.168.90.236
    Source Port: 0

    Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

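The 4625 event quoted in this post is the kind of record a defender reads to work out which username actually reached the target server and why it was refused. The script below is an added example, not code from the thread or from One Identity's SPS: it parses the event text, takes the account name from the "Account For Which Logon Failed" section rather than the "Subject" section (both carry an "Account Name" line), decodes the NTSTATUS sub status, and notes when the failure arrived through the SPS address with an account domain that a server outside any domain cannot resolve against its local SAM. The gateway address passed to `triage` and the rule that a standalone server only authenticates accounts in its own local SAM are assumptions of the example; the sample event is a trimmed copy of the one in the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the 4625 event quoted in the post above, trimmed to the
# lines this script reads, embedded so the script runs offline.
SAMPLE_EVENT = """\
Event ID: 4625
Computer: johnny5
Description:
An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Robert
Account Domain: NEL

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064

Network Information:
Workstation Name: DESKTOP-JPE2C8O
Source Network Address: 192.168.90.236

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
"""

# Documented NTSTATUS values that 4625 reports in its "Sub Status" field.
SUB_STATUS: Dict[int, str] = {
    0xC0000064: "user name does not exist",
    0xC000006A: "user name is correct but the password is wrong",
    0xC0000072: "account is disabled",
    0xC0000234: "account is locked out",
}


@dataclass
class FailedLogon:
    computer: str      # server that logged the failure
    account: str       # Account Name under "Account For Which Logon Failed"
    domain: str        # Account Domain under "Account For Which Logon Failed"
    logon_type: int
    status: int
    sub_status: int
    source_ip: str
    auth_package: str


def _field(block: str, name: str) -> str:
    """Value of the first 'name: value' line in block."""
    m = re.search(rf"^{re.escape(name)}:[ \t]*(.*)$", block, re.MULTILINE)
    if not m:
        raise ValueError(f"field {name!r} not found")
    return m.group(1).strip()


def _section(text: str, header: str) -> str:
    """Lines between 'header:' and the next blank line (or end of text)."""
    m = re.search(rf"^{re.escape(header)}:[ \t]*\n(.*?)(?:\n[ \t]*\n|\Z)",
                  text, re.MULTILINE | re.DOTALL)
    if not m:
        raise ValueError(f"section {header!r} not found")
    return m.group(1)


def parse_4625(text: str) -> FailedLogon:
    """Parse the rendered text of a Security 4625 event into a FailedLogon."""
    if _field(text, "Event ID") != "4625":
        raise ValueError("not a 4625 event")
    target = _section(text, "Account For Which Logon Failed")
    net = _section(text, "Network Information")
    auth = _section(text, "Detailed Authentication Information")
    return FailedLogon(
        computer=_field(text, "Computer"),
        account=_field(target, "Account Name"),
        domain=_field(target, "Account Domain"),
        logon_type=int(_field(text, "Logon Type")),
        status=int(_field(text, "Status"), 16),       # "^Status:" skips "Sub Status:"
        sub_status=int(_field(text, "Sub Status"), 16),
        source_ip=_field(net, "Source Network Address"),
        auth_package=_field(auth, "Authentication Package"),
    )


def triage(ev: FailedLogon, gateway_ip: str, domain_joined: bool = False) -> List[str]:
    """Explain a failed logon seen behind an SPS gateway (assumptions noted in lead-in)."""
    findings: List[str] = []
    if ev.source_ip == gateway_ip:
        findings.append(f"failure arrived through the SPS gateway at {gateway_ip}")
    # Assumption: a server that is not domain-joined only knows accounts in its own
    # local SAM, whose domain name is the computer name.
    if not domain_joined and ev.domain.upper() != ev.computer.upper():
        findings.append(f"account domain {ev.domain!r} is not the local SAM of "
                        f"{ev.computer!r}; the account must exist locally on that server")
    meaning = SUB_STATUS.get(ev.sub_status, "unrecognised sub status")
    findings.append(f"sub status 0x{ev.sub_status:08X}: {meaning}")
    return findings


if __name__ == "__main__":
    event = parse_4625(SAMPLE_EVENT)
    for line in triage(event, gateway_ip="192.168.90.236"):
        print(line)
```

Run against the sample, the last finding ("user name does not exist") is the decisive one: it says the server has no local account called Robert, which matches the reply that follows, while the domain mismatch only explains why the name could never be looked up anywhere else.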

  • Hi,

    The local account in SPS named "Robert" is not the one to be used to login to the target server but this is only used to login to SPS web ui as the gateway user.

    On the other hand, you need a local user that exists in the target server which will be used to login as the remote user on that server.

    Therefore in RDP client, you would specify the localuserintarget%targetserverIp
