RapidIdentity MFA Windows Client Shared Workstation Instant Connect

RapidIdentity MFA Windows Client Shared Workstation InstantConnect offers a single-step authentication solution for Citrix XenApp, XenDesktop, VMware View, and Microsoft Remote Desktop through direct integration with Citrix Online Plug-in or VMware View Client and Remote Desktop Protocol.

Prerequisites

It is necessary to install the Citrix Online Plug-in, VMware View 4.5 or later, and Microsoft Remote Desktop for Server 2008 or later.

Citrix Online Plug-in Configuration

Ensure these three Citrix Online Plug-in settings are configured:

  1. Citrix Online Plug-in must be configured for Pass-through authentication.

  2. Automatically re-connect disconnected sessions (optional, but recommended).

  3. RapidIdentity MFA Windows Client must be configured for Shared Workstation mode, with SWCitrixInstantConnect set to “True”. This can also be configured in RapidIdentity MFA Windows Client Server Policies.

VMware View Configuration

Ensure these three VMware View settings are configured.

  1. The VMware View Connection Server must be manually added to the Windows Registry. By default, VMware View uses SSL to secure the connection to the VMware View Connection Server. If SSL is not used, then the following settings would be configured with “http://” rather than “https://”. Depending on the operating system, configure one of the following settings:

    1. 32-bit OS

      1. Open the Registry Editor.

      2. Navigate to HKEY_LOCAL_MACHINE | Software | VMware, Inc. | VMware VDM | Client

      3. Create a new String Value as shown.

        [Screenshot: server_url_string_value.png]

      4. The value data of the registry key specifies the default View Connection Server instance by URL, IP address, or FQDN.

    2. 64-bit OS

      1. Open the Registry Editor.

      2. Navigate to HKEY_LOCAL_MACHINE | Software | Wow6432Node | VMware, Inc. | VMware VDM | Client

      3. Create a new String Value as shown.

        [Screenshot: serverurl2.png]

      4. The value data of the registry key specifies the default View Connection Server instance by URL, IP address, or FQDN.

  2. The Server Certificate used for VMware View SSL connectivity must be added to the Trusted Root Certification Authorities store using Group Policy for all users.

  3. RapidIdentity MFA Windows Client must be configured for Shared Workstation mode, with SWVMwareInstantConnect set to “True.” This can also be configured in RapidIdentity MFA Windows Client Server Policies.
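The following PowerShell audit is an added example, not vendor code. It reads the two registry keys named above, flags any Connection Server value that uses “http://”, and for “https://” values checks that the workstation trusts the server certificate. It assumes PowerShell 3.0 or later and network reach to the server; because the value name appears only in the screenshot, the script inspects every string value under the key instead of assuming a name.

```powershell
# Added example, not vendor code. The two key paths are the ones given above;
# no value name is assumed, so every string value under the key is inspected.
$keyPaths = @(
    'HKLM:\Software\VMware, Inc.\VMware VDM\Client',             # 32-bit OS
    'HKLM:\Software\Wow6432Node\VMware, Inc.\VMware VDM\Client'  # 64-bit OS
)

function Test-ServerCertTrust {
    # $true when a TLS handshake passes default validation: the chain builds to
    # a root this workstation trusts and the certificate matches the host name.
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        try { $ssl.AuthenticateAsClient($HostName); return $true }
        catch [System.Security.Authentication.AuthenticationException] { return $false }
        finally { $ssl.Dispose() }
    }
    finally { $tcp.Close() }
}

foreach ($path in $keyPaths) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $key = Get-Item -LiteralPath $path
    foreach ($name in $key.GetValueNames()) {
        if ($key.GetValueKind($name) -ne 'String') { continue }
        $data = [string]$key.GetValue($name)
        $status = 'no scheme: review manually'
        if ($data -match '^http://') {
            $status = 'CLEARTEXT: Connection Server traffic is not protected by SSL'
        }
        elseif ($data -match '^https://') {
            $uri = [uri]$data
            try {
                $status = 'https: certificate NOT trusted, check the Trusted Root step'
                if (Test-ServerCertTrust -HostName $uri.Host -Port $uri.Port) {
                    $status = 'https: certificate trusted by this workstation'
                }
            }
            catch { $status = "https: connection or handshake failed ($($_.Exception.Message))" }
        }
        [pscustomobject]@{ Key = $path; Value = $name; Data = $data; Status = $status }
    }
}
```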

Microsoft Remote Desktop Configuration

Ensure these three Microsoft Remote Desktop settings are configured:

  1. Remote Desktop Connections or Remote Desktop Services must be enabled on the destination server.

  2. Automatically re-connect disconnected sessions (optional, but recommended).

  3. RapidIdentity MFA Windows Client must be configured for Shared Workstation mode, with SWRdpInstantConnect set to “True”, and with SWRdpServer set to the desired server name. This can also be configured in RapidIdentity MFA Windows Client Server Policies.

Integration

This integration allows a shared workstation computer to use strong authentication, with the full range of supported RapidIdentity MFA Windows Client authentication methods, to reach virtual resources. It works through these twelve steps.

  1. Shared Workstation may be logged in as a local or domain-member generic user account.

  2. RapidIdentity MFA Windows Client protects the desktop and presents the user with a dialog to present credentials.

  3. Once a credential is presented, RapidIdentity MFA Windows Client will optionally prompt for PIN, and upon successful authentication, RapidIdentity MFA Windows Client Shared Workstation will grant access to the Windows desktop for that user.

  4. Citrix Online Plug-in will be automatically logged on for the user that RapidIdentity MFA Windows Client authenticated, and any disconnected sessions will be reconnected and presented to the user.

  5. VMware View will be automatically authenticated for the user that RapidIdentity MFA Windows Client authenticated, and any assigned VM desktops will be automatically connected and presented to the user.

  6. Microsoft Remote Desktop will be automatically connected and logged on for the user that RapidIdentity MFA Windows Client authenticated, and any assigned remote desktops will be automatically connected and presented to the user.

  7. When the user is finished working at the shared workstation, the user presents the card to the reader or removes the smart card from the reader to secure the Windows desktop. RapidIdentity MFA Windows Client can also be configured to secure the Shared Workstation if a user logs off of the VM Desktop, Citrix Published Desktop, or Microsoft Remote Desktop.

  8. If a user returns to the same shared workstation, the user will be re-authenticated to Shared Workstation, and the VM Desktop, Citrix Published Desktop or Applications, or Microsoft Remote Desktop will still be active.

  9. If a new user presents their card to the shared workstation, then the first user will have all Citrix/VMware/RDP connections disconnected, and be logged out of the respective client. The new Citrix/VMware/RDP user will automatically be reconnected to all disconnected sessions (i.e. any Citrix Published Desktop/Application or VMware View Desktop or Microsoft Remote Desktop).

  10. All of this happens automatically without requiring any additional actions on behalf of the user.

  11. The time to transition desktops is often less than a few seconds, as opposed to user-required interaction or logging off and logging on the desktop, which can take upwards of several minutes to complete.

  12. RapidIdentity MFA Windows Client Shared Workstation InstantConnect is supported on Windows Embedded Standard, Windows 7, Windows 7 Embedded, Windows 8, Windows 8.1, and Windows 8 Embedded, on both 32-bit and 64-bit platforms.