Add an RDP Server

Last modified on October 27, 2023

An Remote Desktop Protocol (RDP) Server in StrongDM is the combination of an IP/DNS address and authentication information used to control a Microsoft Windows resource, such as a server running Windows Server 2019 or Windows 10 Professional. This guide will show you how to add an RDP Server as a resource in the Admin UI.

Limitations

  • StrongDM supports the Microsoft Remote Desktop client on Windows and macOS. StrongDM does not support the Remote Desktop app.
  • StrongDM only supports NTLM authentication for RDP. If the user account used to set up the RDP resource in StrongDM is added to the “Protected Users” group in Windows, the user will be prevented from authenticating using NTLM, and connections through StrongDM will no longer work.

Add an RDP Server

To add your RDP server as a StrongDM resource, use the following steps.

  1. Log in to the Admin UI and go to Infrastructure > Servers.
  2. Click Add server.
  3. Select RDP as the Server Type and set other resource properties to configure how the StrongDM relay connects to the server.
Add RDP Server Configuration Properties
Add RDP Server Configuration Properties
  1. Click create to save the resource.
  2. Click the resource name to view status, diagnostic information, and setting details. After the server is created, the Admin UI displays that resource as unhealthy until the health checks run successfully. When the resource is ready, the Health icon indicates a positive, green status.

Resource properties

Configuration properties are visible when you add a Server Type or when you click to view the server’s settings.

The following table describes the settings available for your RDP server.

PropertyRequirementDescription
Display NameRequiredMeaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >)
Server TypeRequiredSelect RDP
HostnameRequiredIP/DNS address used to connect to the resource from your gateway or relay (for example, windows-server.strongdm.com)
PortRequiredPort on the target server that is listening for RDP connections; default port value 3389
Bind InterfaceRead-onlyAutomatically generated IP address value in the 127.0.0.1 to 127.255.255.254 IP address range; default is 127.0.0.1; preferred bind interface value can be modified later under Settings > Port Overrides
Port OverrideOptionalAutomatically generated with a value between 1024-59999 as long as that port is not used by another resource; preferred port can be modified later under Settings > Port Overrides
Secret StoreOptionalCredential store location; defaults to Strong Vault; to learn more, see Secret Store options
Key TypeRequiredSigning algorithm with default value set to RSA-2048; other options include RSA-4096, ECDSA-256, ECDSA-384, ECDSA-521, and ED25519; to learn more, see Key Type options
UsernameRequiredEnter the username the relay should utilize to connect to the server via SSH (for example, mydomain\administrator)
PasswordRequiredEnter the password for the provided username
Resource TagsOptionalResource tags consisting of key-value pairs <KEY>=<VALUE> (for example, env=dev)

After the RDP Server is created, the Admin UI updates and shows your new server in a green or yellow state. Green indicates a successful connection. If it is yellow, click the pencil icon to the right of the server to re-open the Connection Details screen. Then click Diagnostics to determine where the connection is failing.

Windows 11 Support

Adding a Windows 11 RDP resource requires two minor configuration changes to the resource and to your StrongDM organization.

  1. On the Windows 11 resource the setting Require devices to use NLA to connect needs to be disabled.
  2. The StrongDM Support team must then enable a setting for your organization manually.

Windows Network Level Authentication (NLA)

Windows NLA is a security protocol used by the Remote Desktop Service. When enabled, it completes additional client-side verifications. Moreover, StrongDM will automatically detect and use Windows NLA if it is enabled. However, some variations of NLA are not supported. For example, you may encounter error messages such as the following in your sdm.log file:

cannot extract server's sent public key: failed to handshake tls conn: 
read tcp4 172.22.64.180:35118->172.22.20.44:3389: read: connection reset by peer"  
cannot complete server NLA authentication: cannot parse ntlm echo packet: 
cannot read class byte: remote error: tls: internal error

Users may also see similar errors when trying to connect to RDP servers.