Is it possible to use SSO with NiceDCV to log in to a Windows Domain desktop?


The NiceDCV manual mentions the DCV server can enable Kerberos/GSSAPI for authentication. Does this mean that we can make a user connect to a remote desktop with NiceDCV using SSO (skipping the Ctrl/Alt/Del login screen)? The user would be running a Windows laptop joined to the domain and the DCV server would be running on a (virtual) Windows desktop joined to the same domain.

Asked 9 months ago, 487 views
1 answer

Hey there, thank you for the question. SSO for DCV on Windows is only available when you are directly connecting to the DCV server with SYSTEM auth. When a DCV Connection Gateway is used, it will rely on an External Authenticator. For Linux, the session will also land on the lock screen. With Active Directory joined machines, ensure you are logging in as DOMAIN\USER in the DCV client.

AWS
Answered 9 months ago
  • We did an experiment with AD joined Windows machines with a direct connection:

    host=<private ip>

    It did not work and we received a username/password dialog in the NiceDCV client.

  • On the Windows client machine (logged in with domain\user), the (partial) DCV client log:

    2023/09/27 10:26:54.879 |   Info|  viewer.AuthenticationChannel| Authentication channel connected
    2023/09/27 10:26:55.143 |   Info|  viewer.AuthenticationChannel| Server SASL mechanisms: [GSSAPI, PLAIN]
    2023/09/27 10:26:55.144 |   Info|  viewer.AuthenticationChannel| Server authentication mode: System
    2023/09/27 10:26:55.155 |   Info|  viewer.AuthenticationChannel| Client SASL supported mechanisms: [SCRAM-SHA-1, GSSAPI, DIGEST-MD5, EXTERNAL, CRAM-MD5, LOGIN, PLAIN, ANONYMOUS]
    2023/09/27 10:26:55.155 |   Info|  viewer.AuthenticationChannel| Common SASL mechanisms subset: GSSAPI, PLAIN
    2023/09/27 10:26:55.159 |   Info|  viewer.AuthenticationChannel| Proceeding to SASL mechanism GSSAPI negotiation
    2023/09/27 10:27:01.230 |  Error|  viewer.AuthenticationChannel| GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Matching credential not found)
    2023/09/27 10:27:01.230 |  Error|  viewer.AuthenticationChannel| Client GSSAPI: ERROR (generic failure)
    2023/09/27 10:27:01.230 |  Error|  viewer.AuthenticationChannel| Client mech GSSAPI start returned failure code -1
    2023/09/27 10:27:01.230 |   Info|  viewer.AuthenticationChannel| Proceeding to SASL mechanism PLAIN negotiation
    2023/09/27 10:27:01.230 |   Info|  viewer.AuthenticationChannel| Requesting credentials (needed by chosen mech)
  • On the Windows DCV server, the only thing I can see about this session:

    2023-09-27 10:26:54,477730 [  3936:3984  ] DEBUG http-service - Incoming connection from (establish-timeout: 5 sec)
    2023-09-27 10:26:54,657961 [  3936:3984  ] DEBUG http-service - Checking headers for GET request (path: /auth) from client
    2023-09-27 10:26:54,658963 [  3936:3984  ] DEBUG http-service - Websocket auth handler called
    2023-09-27 10:26:54,979885 [  3936:3984  ] INFO  authenticator - Received authentication request from client ''
    2023-09-27 10:26:54,982880 [  3936:3984  ] DEBUG authenticator - Created SASL server for mode: system
    2023-09-27 10:26:54,982880 [  3936:3984  ] DEBUG sasl - List of mechanisms (mode: system): GSSAPI,PLAIN
    2023-09-27 10:26:54,982880 [  3936:3984  ] DEBUG authenticator - Sending SASL init to client
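
One way to spot this fallback in client logs, as an added example that is not part of the original thread or of DCV itself: the parser below reads `viewer.AuthenticationChannel` lines in the format quoted above and flags a session where GSSAPI failed and the client moved on to PLAIN. The name `trace_sasl` and the result keys are illustrative assumptions; the sample lines are copied from the client log in the comment above.

```python
import re

# Sample input: client log lines copied from the thread above (not newly captured data).
SAMPLE_LOG = """\
2023/09/27 10:26:55.143 |   Info|  viewer.AuthenticationChannel| Server SASL mechanisms: [GSSAPI, PLAIN]
2023/09/27 10:26:55.159 |   Info|  viewer.AuthenticationChannel| Proceeding to SASL mechanism GSSAPI negotiation
2023/09/27 10:27:01.230 |  Error|  viewer.AuthenticationChannel| GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Matching credential not found)
2023/09/27 10:27:01.230 |  Error|  viewer.AuthenticationChannel| Client mech GSSAPI start returned failure code -1
2023/09/27 10:27:01.230 |   Info|  viewer.AuthenticationChannel| Proceeding to SASL mechanism PLAIN negotiation
2023/09/27 10:27:01.230 |   Info|  viewer.AuthenticationChannel| Requesting credentials (needed by chosen mech)
"""

LINE = re.compile(r"^(\S+ \S+) \|\s*(\w+)\|\s*([\w.]+)\|\s*(.*)$")
OFFER = re.compile(r"Server SASL mechanisms: \[(.*)\]")
START = re.compile(r"Proceeding to SASL mechanism (\S+) negotiation")
FAIL = re.compile(r"Client mech (\S+) start returned failure code (-?\d+)")
GSS_ERR = re.compile(r"GSSAPI Error: .*\((.+)\)\s*$")


def trace_sasl(log_text):
    """Summarise one authentication exchange from viewer.AuthenticationChannel lines."""
    result = {"offered": [], "attempts": [], "password_prompt": False}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(3) != "viewer.AuthenticationChannel":
            continue  # skip other components and malformed lines
        ts, msg = m.group(1), m.group(4)
        if (o := OFFER.search(msg)):
            result["offered"] = [x.strip() for x in o.group(1).split(",")]
        elif (s := START.search(msg)):
            result["attempts"].append({"mech": s.group(1), "started": ts, "failed": False, "reason": None})
        elif (g := GSS_ERR.search(msg)) and result["attempts"]:
            result["attempts"][-1]["reason"] = g.group(1)  # text of the GSS minor status
        elif (f := FAIL.search(msg)) and result["attempts"]:
            if result["attempts"][-1]["mech"] == f.group(1):
                result["attempts"][-1]["failed"] = True
        elif msg.startswith("Requesting credentials"):
            result["password_prompt"] = True
    # Downgrade: GSSAPI (Kerberos) was tried and failed, then PLAIN was tried afterwards.
    failed_gss = [i for i, a in enumerate(result["attempts"]) if a["mech"] == "GSSAPI" and a["failed"]]
    later = result["attempts"][failed_gss[0] + 1:] if failed_gss else []
    result["sso_downgrade"] = any(a["mech"] == "PLAIN" for a in later)
    return result


if __name__ == "__main__":
    print(trace_sasl(SAMPLE_LOG))
```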
