Difference between revisions of "OpenTC Development"
| Line 53: | Line 53: | ||
This value is located in the registry key "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\LocalDevices", the name of the value is the name of the remote computer, and the value data seems like a random DWORD. | This value is located in the registry key "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\LocalDevices", the name of the value is the name of the remote computer, and the value data seems like a random DWORD. | ||
We do not know yet what this random value stands for or is refered to, testing this by playing around with values causes very inconsistent results. | We do not know yet what this random value stands for or is refered to, testing this by playing around with values causes very inconsistent results. | ||
| + | |||
| + | <br> | ||
| + | <br> | ||
| + | |||
| + | Checking the "Don't ask me again" box will create a value with the name of the remote computer, in the key "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\LocalDevices".<br> | ||
| + | When using a different RD Gateway server name, a different value will be created with both the computer name and server name separated by a semicolon (;).<br> | ||
| + | The data of this value is based on what features in "Local Resources" are selected, you can find a list of affected features here; | ||
| + | |||
| + | {| class="wikitable" | ||
| + | |- | ||
| + | ! Setting !! File Value | ||
| + | |- | ||
| + | | Record from this computer || "audiocapturemode:i:1" | ||
| + | |- | ||
| + | | Printers || "redirectprinters:i:1" | ||
| + | |- | ||
| + | | Clipboard || "redirectclipboard:i:1" | ||
| + | |- | ||
| + | | Ports || "redirectcomports:i:1" | ||
| + | |- | ||
| + | | Drives || "drivestoredirect:s:" (anything but empty) | ||
| + | |- | ||
| + | | Other supported PnP devices || "devicestoredirect:s:*" | ||
| + | |} | ||
| + | |||
| + | Having none of these features selected will result in the data of 0, having them all selected results in 239 (231 with RD Gateway settings). | ||
=Server mode= | =Server mode= | ||
Revision as of 03:35, 21 October 2021
Contents
Automatic login
The login screen where the credentials must be entered is a custom made form and is not related to any native Windows Remote Desktop functions.
Therefore, the credentials entered in the form must somehow be passed down to establish a Remote Desktop connection without having to fill in it's own credentials form.
There are two ways to do this, one of them is to make your own Remote Desktop client by using some Remote Desktop DLL's inside your project. This option has not been chosen for OpenTC, since in order to make all it's features available you would have to completely rewrite the client like the native one.
The other option is to fool Windows that the user has logged in before and used the "Remember me" option, causing it to automatically login without having to enter any credentials.
Before this can happen the credentials must be loaded into the current user, this can be done by using the built-in application cmdkey
Load credentials
Example on how Remote Desktop credentials would be saved:
cmdkey.exe /add:TERMSRV/<computername> /user:<username> /pass:<password>
It's important that "TERMSRV/" is placed before the computer or farm name, so Windows knows its destined for that connection.
When using a Remote Desktop Gateway (RD Gateway) the credentials must also be loaded separately for it, by using the gateway name;
cmdkey.exe /add:<gatewayname> /user:<username> /pass:<password>
The computernames and gatewaynames must be identical to the ones in the RDP-file, otherwise it will not work.
When the Remote Desktop connection has been established, it would be ideal to remove the saved credentials as soon as possible. OpenTC is being run under one local user account and therefore shares the same saved credentials database for anyone that uses the client computer.
While the following has not been reported as a bug in OpenTC, other Remote Desktop portal products who share this same method have incidentally experienced users being suddenly able to login to other users their account. We therefore take precaution and remove the credentials as soon as possible:
cmdkey.exe /delete:TERMSRV/<computername> cmdkey.exe /delete:<gatewayname>
Requirements
In order for this to work, the RDP-file would need to have a few settings set, this can by done with mstsc.exe or by opening the file with a text editor like Notepad.
"Allow me to save credentials" must be checked (when credentials are saved, this text will change to "Always ask for credentials", which in that case must be unchecked).
prompt for credentials:i:0
When a gateway is used, "Use my RD Gateway credentials for the remote computer" must be checked (located in Advanced > Settings).
This is so that Remote Desktop knows the credentials for the remote computer are the same as the credentials for the gateway, so it will not ask for them a second time.
promptcredentialonce:i:1
Some Group Policies must also be compliant. By default these are already set this way, however make sure this hasn't been changed.
On the client:
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client > "Prompt for credentials on the client computer": Not Configured / Disabled
And on the host server:
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security > "Always prompt for password upon connection": Not Configured / Disabled
Notes
It is reported that the following registry value would overwrite the "Allow me to save credentials" option for RDP files:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services] "fPromptForPassword"=dword:00000000
Certificate warning
When there is no (valid) certificate, the Remote Desktop client will show a popup before connecting telling the user the identity of the remote computer cannot be verified.
This popup can be clicked away to continue, whoever this would be an inconvenience to the end user and might give them an unprofessional impression.
Years ago there used to be the ability to set a registry value telling the client to skip this check, whoever Microsoft patched this since it was concidered a security risk.
We recommend that you issue your RDP file with a valid certificate, you can find instructions on how to do this.
When you do not have the ability to do this, the easiest way to get rid of this warning would be to edit your image (which you were probably going to do anyways to install OpenTC), and manually check "Don't ask me again for connections to this computer" at the popup screen, for each RDP file.
We are still working on an automated process for this, but it seems that in order for the Remote Desktop client to remember you checked this box, it will add a value to the registry.
This value is located in the registry key "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\LocalDevices", the name of the value is the name of the remote computer, and the value data seems like a random DWORD.
We do not know yet what this random value stands for or is refered to, testing this by playing around with values causes very inconsistent results.
Checking the "Don't ask me again" box will create a value with the name of the remote computer, in the key "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\LocalDevices".
When using a different RD Gateway server name, a different value will be created with both the computer name and server name separated by a semicolon (;).
The data of this value is based on what features in "Local Resources" are selected, you can find a list of affected features here;
| Setting | File Value |
|---|---|
| Record from this computer | "audiocapturemode:i:1" |
| Printers | "redirectprinters:i:1" |
| Clipboard | "redirectclipboard:i:1" |
| Ports | "redirectcomports:i:1" |
| Drives | "drivestoredirect:s:" (anything but empty) |
| Other supported PnP devices | "devicestoredirect:s:*" |
Having none of these features selected will result in the data of 0, having them all selected results in 239 (231 with RD Gateway settings).
Server mode
Without server mode, OpenTC is not able to check if a user has entered an incorrect password. Therefore when standalone mode is used and an incorrect password has been entered, the user will be prompted with Remote Desktop's own credential input form. This could have been avoided by creating a trigger when this form is being opened, whoever this requires Administrator right, something that we do not want to give the OpenTC local user account.
Letting the client directly check via Active Directory was also not considered as an option, mainly because it would require working credentials to check AD in the first place, plus it would require plugins and a lot of code.
When server mode is used, the client will first send the credentials to the OpenTC server, the server will check the credentials against Active Directory, and will do other check like whether the account has been disabled locked or expired, or when the password has expired. When the latter is the case the server will return this to the client and the client will show a popup screen to change the password, which in turn will be send back to the server for them to be changed.
