SPS initiated and Domain Membership for RDP Control

Hi Tawfiq, just a quick question.

In a session-initiated scenario for RDP, SPS nodes absolutely must be members of the domain. Confirmed?
If this is a prerequisite, we will have to create a new SETTINGS policy (Traffic Control --> RDP) in which the option ‘Require domain members’ will be selected. Is this also linked to one of the two options which are ‘Enable NTLM authentication’ or ‘Enable Kerberos authentication’ or can I deselect both options? If I can only select ‘Require domain membership’, what is the authentication type used by default? the NLA Authentication by default?

What happens if there are multiple domains? Is it necessary to insert an SPS node in each domain? Is it possible to use a different authentication method?

How can the case of a customer with many domains be handled?
Does it change whether these domains are in trust or not?

Please, can you clarify me all about this?

Parents

0 Tawfiq.Ahmad 3 months ago

Hi,

If you want to use NLA authentication then you need to join SPS to the domain and Enable NTLM Authentication but you do not need to enable the setting "Require domain members"’ or ‘Enable Kerberos authentication’

https://docs.oneidentity.com/bundle/safeguard-for-privileged-sessions_administration-guide_8.0/page/guides/administration-guide/rdp-domain.htm

If there are multiple domains then two trust is needed for connections to be established as per this page:

https://docs.oneidentity.com/bundle/safeguard-for-privileged-sessions_administration-guide_8.0/page/guides/administration-guide/rdp-domain-trust.htm

If you want to use Kerberos authentication then you need to join SPS to the domain and enable the setting "Require domain members"’ AND ‘Enable Kerberos authentication’

- However, in this case you cannot use SPP AA Plugin or Credential Store plugins to fetch the password when Kerberos is enabled at this time (future feature pending to allow Kerberos use with plugins)

Thanks!
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 dario guastella 3 months ago in reply to Tawfiq.Ahmad

ok Tawfiq thank you.

In the case if we don't use NLA and i uncheck all the options on SETTINGS policy ("Enable NTLM Authentication", " Enable Kerberos Authentication" "Require domain membership" all unchecked), which is the default authentication method used by SPS? is it NLA (with NTLM authentication on the target system)? if so, i need to join SPS on the domain (enable Domain Membership)

We need to understand if we have to put one sps node on each singol domain not trusted. We would not want to put a sps node in each domain. Is there a method to manage sps-initiated mode without putting an sps node in each domain when the customer has several different domains not in trust?

that's it

From the links you sent me it seems that sps and target systems must be on the same domain, so if the customer has 10 non-trusted domains they must put 10 sps nodes. Is this the case?

Sorry but i need to understand clearly and i need to be sure at 100%

thank you very much for your time
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 Tawfiq.Ahmad 3 months ago in reply to dario guastella

If there is no trust between the domains then I think you will need separate SPS nodes in each domain.

I would suggest the customer to engage Professional Services for implementation to be 100% sure of the correct setup based on their use-case.

Thanks!
Cancel
Up 0 Down

Reply

Verify Answer

Cancel

Reply

0 Tawfiq.Ahmad 3 months ago in reply to dario guastella

If there is no trust between the domains then I think you will need separate SPS nodes in each domain.

I would suggest the customer to engage Professional Services for implementation to be 100% sure of the correct setup based on their use-case.

Thanks!
Cancel
Up 0 Down

Reply

Verify Answer

Cancel

Children

No Data