SPS initiated and Domain Membership for RDP Control

Hi,

If you want to use NLA authentication then you need to join SPS to the domain and Enable NTLM Authentication but you do not need to enable the setting "Require domain members"’ or ‘Enable Kerberos authentication’

https://docs.oneidentity.com/bundle/safeguard-for-privileged-sessions_administration-guide_8.0/page/guides/administration-guide/rdp-domain.htm

If there are multiple domains then two trust is needed for connections to be established as per this page:

https://docs.oneidentity.com/bundle/safeguard-for-privileged-sessions_administration-guide_8.0/page/guides/administration-guide/rdp-domain-trust.htm

If you want to use Kerberos authentication then you need to join SPS to the domain and  enable the setting "Require domain members"’ AND ‘Enable Kerberos authentication’

- However, in this case you cannot use SPP AA Plugin or Credential Store plugins to fetch the password when Kerberos is enabled at this time (future feature pending to allow Kerberos use with plugins)

Thanks!

ok Tawfiq thank you.

In the case if we don't use NLA and i uncheck all the options on SETTINGS policy ("Enable NTLM Authentication", " Enable Kerberos Authentication" "Require domain membership" all unchecked), which is the default authentication method used by SPS? is it NLA (with NTLM authentication on the target system)? if so, i need to join SPS on the domain (enable Domain Membership)

We need to understand if we have to put one sps node on each singol domain not trusted. We would not want to put a sps node in each domain. Is there a method to manage sps-initiated mode without putting an sps node in each domain when the customer has several different domains not in trust?

that's it

From the links you sent me it seems that sps and target systems must be on the same domain, so if the customer has 10 non-trusted domains they must put 10 sps nodes. Is this the case?

Sorry but i need to understand clearly and i need to be sure at 100%

thank you very much for your time

ok Tawfiq thank you.

In the case if we don't use NLA and i uncheck all the options on SETTINGS policy ("Enable NTLM Authentication", " Enable Kerberos Authentication" "Require domain membership" all unchecked), which is the default authentication method used by SPS? is it NLA (with NTLM authentication on the target system)? if so, i need to join SPS on the domain (enable Domain Membership)

We need to understand if we have to put one sps node on each singol domain not trusted. We would not want to put a sps node in each domain. Is there a method to manage sps-initiated mode without putting an sps node in each domain when the customer has several different domains not in trust?

that's it

From the links you sent me it seems that sps and target systems must be on the same domain, so if the customer has 10 non-trusted domains they must put 10 sps nodes. Is this the case?

Sorry but i need to understand clearly and i need to be sure at 100%

thank you very much for your time

If there is no trust between the domains then I think you will need separate SPS nodes in each domain.

I would suggest the customer to engage Professional Services for implementation to be 100% sure of the correct setup based on their use-case.

Thanks!