RDP application access policy using linked accounts

Hello,

We are facing a challenge in RDP application policy configuration, as the RDP Host Asset Account cannot be selected as a (linked account) type.

The account should be selected manually for each policy, which is not suitable for group assignment, because all group users would access the host asset with the same account; that is rejected security-wise.

  • The RDP Host Asset Account is only used to create the RDP session via RDS server.

    On the other hand, you would create an Application Asset in SPP that is added to the Scope of the RDP Application policy, which can use linked accounts for credential injection into the Remote application.

    The RDP Host Asset Account credentials are not passed to the Remote Application in this case; instead it would be the Asset Account (or Linked Account or Directory Account) if set in the policy > Security Tab > Asset-Based Session Access.

  • In addition:

    Remote Desktop/Terminal Services has two settings for multiple sessions. You can either allow multiple sessions per user (in which case, if you log in twice, you'll get two sessions), or force a single session per user (in which case you can only log in once, and subsequent sessions will be redirected to the original session).

    To change this setting, you may perform a registry change. The following steps describe the process:
    • Start Registry Editor (by default, this is located at c:\windows\regedit.exe).
    • Go to the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server
    • If the fSingleSessionPerUser value doesn't exist, create a new DWORD value named fSingleSessionPerUser.
    • Open the fSingleSessionPerUser value. The possible values for this setting are as follows:
      • 0x0 Allow multiple sessions per user
      • 0x1 Force each user to a single session
    • Enter the new setting, and then click OK.
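The same change done from PowerShell, as an added example that is not part of the original thread: it reads the current fSingleSessionPerUser value (reporting a missing value instead of treating it as 0), and sets it through a ShouldProcess-aware function so the change can be previewed with -WhatIf before it is applied. It assumes an elevated session on the RDS host and the key path as Windows spells it, "Terminal Server" with a space.

```powershell
# Added example, not from the original thread. Run elevated on the RDS host.
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$valueName = 'fSingleSessionPerUser'

function Get-RdsSessionMode {
    # Returns the raw DWORD and a human-readable mode. A missing value is
    # reported explicitly rather than silently assumed to be 0.
    $prop = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        return [pscustomobject]@{ Value = $null; Mode = 'Not set (value missing)' }
    }
    $v = [int]$prop.$valueName
    $mode = switch ($v) {
        0       { 'Allow multiple sessions per user' }
        1       { 'Force each user to a single session' }
        default { "Unexpected value $v" }
    }
    [pscustomobject]@{ Value = $v; Mode = $mode }
}

function Set-RdsSessionMode {
    # Only 0 and 1 are meaningful; -WhatIf / -Confirm come from SupportsShouldProcess.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value
    )
    $before = Get-RdsSessionMode
    if ($PSCmdlet.ShouldProcess("$regPath\$valueName",
            "Set DWORD to $Value (currently: $($before.Mode))")) {
        # -Force creates the DWORD if it is missing and overwrites it otherwise,
        # which covers the "create a new DWORD value" step above.
        New-ItemProperty -Path $regPath -Name $valueName -PropertyType DWord `
            -Value $Value -Force | Out-Null
    }
    Get-RdsSessionMode
}

# Show the current mode, then preview (without applying) forcing one session per user.
Get-RdsSessionMode
Set-RdsSessionMode -Value 1 -WhatIf
```

Drop -WhatIf to apply the change; existing sessions are unaffected, so the new behaviour shows up on subsequent logons.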