Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

SSO with custom domain only (SMA 500v)

BWCBWC Cybersecurity Overlord ✭✭✭

Hi,

did anyone accomplished to log into a RDP Bookmark having the credentials forwarded but using a custom domain on the RDP server?

I'am using multiple domains on my SMA which are Radius based. The names of these domains are different from the AD domain names, so "Use Login Domain for SSO" isn't an option. The credentials are the same for Radius and AD (Radius is talking to AD in the background) I just need to inject the correct domain.

I tried to import RDP options, but this does not seem to make any difference. At the moment I disabled SSO, but would like to have it.

I have the feeling that I already did this in the past (Firmware 8 or earlier) and the Admin Guide page 248 clearly names what I need, but I cannot leave the password empty. Using %USERNAME% as the custom username and a domain worked in the past, but not in 10.x.

Creating Bookmarks with Custom SSO Credentials The administrator can configure custom Single Sign On (SSO) credentials for each user, group, or globally in HTTP(S), RDP (ActiveX, VNC), File Shares (CIFS), and FTP bookmarks. This feature is used to access resources such as HTTP, RDP and FTP servers that need a domain prefix for SSO authentication. Users can log in to the SMA appliance as username, and click a customized bookmark to access a server with domain\username. Either straight textual parameters or dynamic variables might be used for the Username and Domain. For the Password field, enter the custom password to be passed, or leave the field blank to pass the current user’s password to the bookmark.

Any idea highly appreciated.

--Michael@BWC

Category: Secure Mobile Access Appliances
Reply

Best Answer

  • CORRECT ANSWER
    BWCBWC Cybersecurity Overlord ✭✭✭
    edited January 2021 Answer ✓

    Hi all,

    this year comes to an end and I try to clean-up house by closing open issues to see if some potential show stoppers can be resolved.


    1) short story

    It's back working as documented starting with 10.0.6 and 10.2.0.2, I couldn't find any reference in the Release Notes.

    It's somewhat broken for Terminal Services in 10.0.6 / 10.2.0.2+, can't logout from a Windows Server (W2K12R2), it's automatically reconnecting infinitely, not happening before. Not related to any bookmark settings, tried with and without SSO, Automatic Reconnection etc. But we can't have it all, or can we?


    2) long story

    I spent some time to get to the bottom of this issue, regarding empty passwords in Custom Credentials SSO.

    It was working up to 8.6.0.5, I was able to create a bookmark with empty password field and when logging in, the password provided was forwarded to the Terminal-Server, as documented ! Working great with Radius and Local (SMA) domains.


    Starting with 8.6.0.7 I'am not able to create a bookmark with empty password field any longer. But the existing bookmark with empty password is still working. This is the case for all 9.0, 10.0 (up to 10.0.5) and 10.2 (up to 10.2.0.1) releases.

    According to my supporting Sales Engineer there should be a RFE opened for that matter. After my tests I think it got taken care of.

    If you need this functionality like I do, just use 10.0.6 or 10.2.0.3 and at least this is working again.

    --Michael@BWC

Answers

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi all,

    after a slow start the support was able to catch and reproduce the problem. Hopefully it will be fixed in an upcoming release, it seems that I'am the only fool on this planet who needs this :)

    --Michael@BWC

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi all,

    just to keep you updated, if anyone even care, after having a support case open for weeks, the conclusion for the not working documented feature "For the Password field, enter the custom password to be passed, or leave the field blank to pass the current user’s password to the bookmark." is that it's not working by design.

    I should open up a RFE for having a documented feature (which was implemented in the past) to be implemented <head scratcher>.

    If anyone else needs this, please let me know so I can forward this demand with my RFE.

    Stay safe.

    --Michael@BWC

  • SSO will forward the credentials when users log in. but as per description this looks like Radius..if we can check the session variables and see if that works..

    If not open a support ticket and one of the support engineer to file a JIRA ticket, I'll talk to engg for the same..

    Vijay Kumar KV

    Enterprise Tech Support Consultant | SME

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @Vijay_Kumar_KV

    this is not Radius related, but never mind, all hands are on deck, Sales is informed and @Chris jumped on it as well.

    --Michael@BWC

  • RedNetRedNet Enthusiast ✭✭

    Thanks for the notice on this @BWC , will be deploying a 500v with an RDS farm bookmark as part of the setup soon enough, so this is good to know.

    Out of interest, how is your 500v performing and what CPU/RAM/Disk are you giving it, I PoC'd one in Azure and although D2v2 is advised in the official SonicWALL datasheet, I used a B2s for the PoC and it seemed ok.

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @RedNet

    I only deployed the 500v in private cloud environments (VMware, Hyper-V) and was fine with 2 CPU Cores, 4GB RAM and the usual 20GB HDD. But I never crossed the 50 User line, usually in the range of 25-35 and no performance complains.

    --Michael@BWC

  • Great and thanks for the updates.

    If you're using more users then increase the vCPU and memory for better performance

    Vijay Kumar KV

    Enterprise Tech Support Consultant | SME

Sign In or Register to comment.