Tagged: NLA
This topic has 11 replies, 3 voices, and was last updated 3 years, 11 months ago by CDLane.
July 24, 2020 at 9:15 am #52672
So…this is going to be a long post so please bear with me.
We use Dell Wyse ThinOS devices (5212, 5213, DX0D and latterly 3040) which have a mixture of 8.2.xxx all the way to 8.6.xxx. These are used in conjunction with WMS on pure Hyper-V, no Citrix etc. My users have ongoing issue with passwords and lockouts etc (…and I have ongoing problems with users – but that’s another matter).
In an effort to solve this I have the standard IIS password change link on the Remote Web Access page together with the Adaxes Self-Service Client URL to solve lockouts and forgotten passwords. However this doesn’t help if they haven’t got a device to hand to reach the webpage so here is my idea.
I have created a VM (low spec) with the Adaxes Self-Service Client installed so the link is on the log on screen. The server has the Remote Desktop Session Host Role installed but no user has access to actually log in. However, they can use the link to reset password etc.
Now to the crux of the matter; On this one server (which is not accessible from the outside world) I have turned OFF NLA. The Thin Client should throw the user straight to the Server sign on screen without the Dell Wyse login box popping up and off they go to reset their password. My problem is in the “Remote Connection 8.5+ / Microsoft RDP Settings” section of the ThinOS profile I have to have “Enable NLA” ticked to protect all the “real” RDS servers which do face the outside world (via RWA, the gateway and the brokers, granted).
How do I have this one server NOT use NLA? I have tried the following in the advanced section (which is how I define my RDP’s):
CONNECT=RDP Host=REAL_RDS_SERVERBROKERFARM Description="1) New Desktop Infrastructure" Fullscreen=yes Resolution=1920x1080 Domainname=MYDOMAIN Logon_Mode=Prompt
CONNECT=RDP Host=NON_NLA_SERVER Description="2) Password Reset" Fullscreen=no Resolution=1024x768 EnableNLA=no SignOn=No
Can it be done via WNOS.ini (and ConfGen) meaning I scrap WMS? Any help would be appreciated.
July 27, 2020 at 2:27 pm #52681
Any advice from any of you gurus out there?
July 29, 2020 at 4:14 pm #52708
The Advanced parameters you are using are wnos.ini parameters.
So, the answer is yes. Everything can be accomplished with a wnos.ini.
Just remember that INI parameters are no longer supported with ThinOS 9.
CG
July 30, 2020 at 10:24 am #52710
Thanks for coming back to me, Thomas.
This throws up two more questions for me:
a) Where (or is) there the equivalent to EnableNLA=No on a per connection basis in WMS?
b) At some point new v9 devices will be supplied by distributors…what would I do then if INI isn’t available anymore?
August 1, 2020 at 4:41 pm #52723
a) There is currently no option to do this in the RDP connection in WMS.
However, you can use (again) the Advanced section and add the full RDP connection string there, including NLA.
b) Only manage the devices with WMS.
CG
August 2, 2020 at 11:40 pm #52724
Hi Thomas,
I’ve kinda done full circle now as this is where I came in with my original question:
Now to the crux of the matter; On this one server (which is not accessible from the outside world) I have turned OFF NLA. The Thin Client should throw the user straight to the Server sign on screen without the Dell Wyse login box popping up and off they go to reset their password. My problem is in the “Remote Connection 8.5+ / Microsoft RDP Settings” section of the ThinOS profile I have to have “Enable NLA” ticked to protect all the “real” RDS servers which do face the outside world (via RWA, the gateway and the brokers, granted).
How do I have this one server NOT use NLA? I have tried the following in the advanced section (which is how I define my RDP’s):
CONNECT=RDP Host=REAL_RDS_SERVERBROKERFARM Description="1) New Desktop Infrastructure" Fullscreen=yes Resolution=1920x1080 Domainname=MYDOMAIN Logon_Mode=Prompt
CONNECT=RDP Host=NON_NLA_SERVER Description="2) Password Reset" Fullscreen=no Resolution=1024x768 EnableNLA=no SignOn=No
…the last bit in bold doesn’t appear to work.
Equally if I untick “Enable NLA” in the “Remote Connection 8.5+ / Microsoft RDP Settings” section and add “EnableNLA=yes” to the NLA protected, public facing server, I see this in the “System Information” screen:
Invalid CONNECT Parameter: EnableNLA=yes
…but now the “disabled NLA” password server does work. It’s one or other but not both.
As ever, many thanks for any ideas and everything you do for the community in general.
Best regards,
Chris
August 4, 2020 at 12:34 pm #52738
EnableNLA is a global parameter. It is not working nor designed to be used in an RDP connection string.
CG
August 4, 2020 at 1:36 pm #52739
Hmmm…ok…so how do I set one connection to use NLA and one to not use NLA? This all comes down to there being no mechanism provided by Microsoft (or Dell) to allow users to change their passwords prior to connection.
August 4, 2020 at 1:44 pm #52742
Not after you are logged in.
You could use the SelectGroup function to present a drop-down in the login box.
This way the user could decide before login to use the one or other server. I would personally enable NLA on each server 😉
CG
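To make the SelectGroup idea concrete, here is an added wnos.ini layout. It is not from this thread and not a Dell sample: one global wnos.ini that turns on the group drop-down, plus one group INI file per choice, so that EnableNLA (which is global, not a per-connection option) is set differently in each group file. The parameter names are the ones the ThinOS 8.x INI reference uses as far as I recall them; the group file location (wnos/ini/<GroupName>.ini), the group names, the hosts, the `AutoConnect` option and the `#` comment syntax are assumptions to verify against the INI guide for your firmware on a test unit before rolling this out.

```ini
# ---- wnos/wnos.ini (global file; path under the file server root is assumed) ----
# Show a group drop-down in the ThinOS sign-on box. Each GroupName is assumed to
# load a matching wnos/ini/<GroupName>.ini once the user selects it.
SelectGroup=yes GroupName=Desktop Description="1) New Desktop Infrastructure" GroupName=PwReset Description="2) Password Reset"
# No Connect= lines and no EnableNLA here: both live in the group files below,
# so the global file never decides NLA for every connection at once.

# ---- wnos/ini/Desktop.ini (group file for the real, externally reachable RDS farm) ----
# NLA stays ON for anything that is published through RWA, the gateway and the brokers.
EnableNLA=yes
SignOn=yes
Connect=RDP Host=REAL_RDS_SERVERBROKERFARM Description="1) New Desktop Infrastructure" Fullscreen=yes Resolution=1920x1080 Domainname=MYDOMAIN Logon_Mode=Prompt

# ---- wnos/ini/PwReset.ini (group file for the isolated, internal-only reset host) ----
# NLA OFF only here, so the server's own logon screen (with the Adaxes
# "Forgot your password?" link) is what the user lands on.
EnableNLA=no
SignOn=no
# AutoConnect=yes is assumed to launch the connection without a further click.
Connect=RDP Host=NON_NLA_SERVER Description="2) Password Reset" Fullscreen=no Resolution=1024x768 AutoConnect=yes
```

Two checks worth doing alongside this: confirm on the Windows side that the real RDS hosts still require NLA (the Remote Desktop setting "Allow connections only from computers running Remote Desktop with Network Level Authentication" ticked, or the equivalent GPO) so the thin-client setting is not the only thing enforcing it, and keep the non-NLA reset host reachable only from the thin-client network, since with NLA off an unauthenticated client gets a full RDP session up to the Windows logon screen. Whether SignOn=no in a group file is enough to skip the ThinOS sign-on box after the group has been chosen is something to confirm on a test device rather than assume.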
August 4, 2020 at 1:58 pm #52745
I agree, but if I do that I am presented with the Dell Wyse logon box, not the logon screen on the server, and it's catch-22. I need the user to see the server logon screen so they can click the Adaxes Self Service "Forgot your password?" link etc.
Of course if users changed their password on day T-14 when the first warning is displayed, the problem goes away. IT would be so much easier without users :-/
August 11, 2020 at 5:29 pm #52790
Hi CDLane and CG,
I have exactly the same issue since upgrading ThinOS to 8.6 (needed for RDS 2019 full support): users are not able to reset their passwords, as they are not able to reach the login page of the RDS server.
I made a simple test: downgrade to 8.4, and if "reset password needed" is ticked for the user, the user is prompted for his credentials as usual, and the logon screen of the RDS appears, allowing him to change his password.
But since 8.6, I only have the thin client logon box, which prompts for a new password, but this never worked….
Any idea would be very welcome 🙂
August 24, 2020 at 9:42 am #52885
Well, you got farther than I ever did. I have never resolved this issue.