Our department is responsible for giving courses that, among other things, rely on a fully working Windows domain. Let us call these environments simply System1, System2 and so on. The aim is to provide a remote desktop connection for the students of the courses, so that they can connect to these systems. Technically, this is just an RDP connection to any server within the system as a starting point. Let us call these starting points System 1 Gateway, System 2 Gateway and so on.
Above all these systems, we have an Active Directory domain for our department and a complete Windows Remote Desktop setup; let us refer to this as the main domain. This main domain has one server that acts as a Remote Desktop Gateway (RDGW) and also hosts a custom MVC5 web page.
If a user participates in a course and wants to connect to one of the systems, we create an account for them, which they can then use to log in to the MVC5 web application, which shows information about the course and so on. They can also download a preconfigured .rdp file. This file has the web server (which has a public domain with a valid TLS certificate and is also the Remote Desktop Gateway) configured as the gateway, and the target is an IP address within the main domain that does port forwarding to one of the System X Gateways (this setup just has to be like this; assume it as given).
The issue we currently have with this setup is that the user must first log in to the web page with their main domain credentials (from their own, either private or corporate, computer). Then they download the .rdp file and establish the connection, where they have to enter the same credentials for the gateway again, as the credentials are not shared between the OS and the browser. Afterwards, they have to enter the credentials of the target system gateway as well. We can predefine the username of the final system gateway, but not the password, as an encrypted password within the .rdp file can only be decrypted successfully if the encryption was created with their local Windows user key, which is, of course, not accessible via the web service. The password we speak of here is the one from the target system, which is just a training system with a dummy password, so this is okay. The security comes from the Remote Desktop Gateway (RDGW) and the authentication against our main domain.
Long story short: providing multiple credentials this way is quite confusing for the students, and many of them fail to connect at all. So we want to improve the process and make it as simple as possible for them. So my question is: how do we simplify the above-mentioned connection establishment? A first welcome step would be to prevent the RDGW from asking for the credentials again. We don't want the user to install anything (as RDP on Windows is pre-installed, this is some kind of exception). Users work on PCs where they might not have any rights at all.
Things we have considered or tried so far:
- As mentioned, we tried to at least incorporate the encrypted password for the target system (which is always a simple dummy password, as it is a training/test system), which fails as that would only work if their Windows system were in our domain. It isn't; the client could theoretically also be a Linux system.
- We tried a .bat download which includes the step that does not work above. As it is executed locally, we can create the encrypted hash/token (whatever it's called), create the .rdp on the fly, and it works. The problem, though, is: who allows the execution of arbitrary executable files? No one.
- We tried to use Microsoft's RD Web Service. The old version sucks as it uses ActiveX, so the newer version based on HTML5 is preferred. The good thing is, it basically provides an RDP client in the browser, but the problem is that it was created for services running WITHIN the main domain, not to forward further to ip:port. Maybe there exists a way to just extract and host the RDP client code, but how would it be configured then?
- External solutions like Myrtille or Guacamole might work, but there seems to be no way to programmatically tell these solutions to: establish RDP with that gateway to target ip:port, and please use the current web Windows login credentials for the gateway.
We have been stuck on this problem for quite a while now. Maybe we are completely overthinking it. Basically, we just want to establish an RDP connection via the web browser in such a way that at least the gateway credentials are taken from the already established login session, as the credentials for the domain and the gateway are, of course, the same. A browser add-on is not a solution here; we want zero configuration.
Thanks in advance for all hints. I hope this long text makes the problem and what we've tried so far somehow understandable.
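The on-the-fly .rdp generation the post describes (the local .bat variant), written out as an added PowerShell example; this is not the poster's own script. The gateway hostname, target address, account name and dummy password are placeholder assumptions. The point it makes concrete is the constraint in the post: `ConvertFrom-SecureString` without a `-Key` wraps the password with DPAPI under the current Windows user and hex-encodes the blob, which is exactly what mstsc expects in the `password 51:b:` field, so the file only works for the user and machine that generated it, and a web server cannot produce it.

```powershell
# Added example: generate a per-user .rdp file with a DPAPI-protected password.
# All host names, addresses and credentials below are assumptions for illustration.
$Gateway  = "rdgw.example.edu"        # assumed public RDGW name (valid TLS cert)
$Target   = "10.0.0.10:3389"          # assumed main-domain IP:port forwarded to a System X Gateway
$User     = "TRAINING\student"        # assumed predefined account on the target system
$Password = "dummy-password"          # assumed training-system dummy password
$OutFile  = Join-Path $env:TEMP "course.rdp"

function New-RdpFile {
    param(
        [string]$Gateway, [string]$Target, [string]$User,
        [string]$Password, [string]$Path
    )

    # Without -Key, ConvertFrom-SecureString calls DPAPI (CryptProtectData) scoped to
    # the *current* Windows user and returns the blob as a hex string. mstsc decrypts
    # "password 51:b:<hex>" with the same user key, so the file is not portable.
    $secure = ConvertTo-SecureString -String $Password -AsPlainText -Force
    $blob   = ConvertFrom-SecureString -SecureString $secure

    $lines = @(
        "full address:s:$Target",          # final hop: port-forwarding IP inside the main domain
        "username:s:$User",
        "password 51:b:$blob",             # DPAPI blob, user-bound
        "gatewayhostname:s:$Gateway",
        "gatewayusagemethod:i:1",          # 1 = always use the RD Gateway
        "gatewaycredentialssource:i:0",    # 0 = ask for password (NTLM) at the gateway
        "gatewayprofileusagemethod:i:1",   # 1 = use the explicit gateway settings in this file
        "promptcredentialonce:i:1",        # reuse gateway credentials for the target when possible
        "authentication level:i:2"         # warn but connect on server authentication failure
    )

    # mstsc saves its own files as UTF-16LE, so match that encoding.
    Set-Content -Path $Path -Value $lines -Encoding Unicode
    return $Path
}

function Test-RdpPasswordDecrypts {
    param([string]$Path)
    # Sanity check: read the hex blob back and unprotect it as the current user.
    # On another machine or user account this step throws, which is the failure
    # mode the post describes for a server-generated file.
    $line = Get-Content -Path $Path | Where-Object { $_ -like "password 51:b:*" }
    $hex  = $line.Substring("password 51:b:".Length)
    $sec  = ConvertTo-SecureString -String $hex
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($sec)
    try   { return [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

$path = New-RdpFile -Gateway $Gateway -Target $Target -User $User -Password $Password -Path $OutFile
if ((Test-RdpPasswordDecrypts -Path $path) -eq $Password) {
    Write-Host "Generated $path; password decrypts for $env:USERNAME on $env:COMPUTERNAME"
}
# Launch with: mstsc.exe $path
```

Running this under the same Windows account that will start mstsc is the only case in which the `password 51:b:` line is usable; copying the file to another user or machine makes `Test-RdpPasswordDecrypts` throw, which is why the server-side generation in the post cannot pre-fill the target password. The gateway credential prompt is unaffected by this file: `gatewaycredentialssource:i:0` still asks for the main-domain password, which is the second prompt the post wants to get rid of.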