Remote Identity for RDP

You can use a Remote Identity, instead of a leased credential, with StrongDM to proxy authentication with your certificate-based RDP resources. Actions are executed via the user’s account (that is, the Remote Identity) with the resource, while user-level auditing and monitoring occur on the resource side via native logging.

Utilizing a Remote Identity results in your native server logs identifying the particular user performing an action, rather than identifying all actions conducted via StrongDM connections as being performed by the single leased user account. The username employed is the user’s Remote Identity set in their StrongDM user account.

Remote Identities for RDP is supported for Azure Active Directory (AD) and on-premises AD.

Prerequisites #

• The RDP root certificate must be installed on the target environment (Azure or on-premises AD).
• On-premises Azure AD must have AD Certificate Services enabled.
• Network Level Authentication (NLA) must be disabled on the RDP server.

Set Up Remote Identities #

Set up your server and user account #

1. Create your RDP server if you do not have one already.
2. Create or identify an account on the server that StrongDM can use to check its health. This user should have access to the machine.

Add the resource in StrongDM #

1. In the Admin UI, go to Infrastructure > Servers .
2. Click Add server to create the resource.
3. Select RDP (Certificate Based) as the server type and complete the fields on the resource form.
4. For Authentication, set Remote Identities.
5. For Healthcheck Username, set the RDP user account name to use for the healthcheck.
   The healthcheck only checks if the RDP resource is alive. It connects to the server but doesn’t log in. It might not work as intended if it is unable to authenticate, even if the Admin UI shows it as healthy because it can be reached.
6. Set all required RDP (Certificate Based) properties.
7. Click Create to save the resource.

Add the Remote Identity to the user’s settings #

1. In the Admin UI, go to Access > Users and select the user who is going to use a Remote Identity.

2. In that user’s settings, for Remote Identity, enter the RDP user account name (for example, alice.glick@example.com) that is used to authenticate to the RDP (Certificate Based) resource that is configured to use Remote Identities.

   

   If Remote Identities are configured on a resource, a Remote Identity also must be set for any user that is given access to that resource. If it is not, that user is unable to connect to the resource.

   Individual users must have their own accounts on the server. The account name must match the Remote Identity value specified in the user’s settings.

Configuration is now complete. You may now start using Remote Identities to authenticate with your RDP resource.