RAS Publishing Agent Connection Settings

RAS Publishing Agent connection settings can be accessed from the Connection category available in the system menu.

Follow the instructions below to configure RAS Publishing Agent connection settings.

Choosing Authentication Type

In the Authentication Type drop-down list, select one of the following options:

  • Username/Password. The user credentials are validated by the Windows system on which RAS is running. The credentials used for Windows authentication are also used to log into an RDP session.
  • Smart Card. Uses smart card authentication. Similar to Windows authentication, smart card credentials can be shared between both RAS and RDP. Hence, smart card credentials only need to be entered once. Unlike Windows authentication, the user only needs to know the smart card’s PIN. The username is obtained automatically from the smart card, so the user doesn't need to provide it.
  • Username/Password or Smart Card. Uses both Windows and smart card authentication.

Note that if smart card authentication is disabled, RAS Publishing Agent will not hook the Local Security Authority Subsystem Service (LSASS).

Smart card support is available on Windows Server 2008, 2008 R2, 2012, 2012 R2.

Smart card authentication can be used in Parallels Client for Windows and Parallels Client for Linux.

Enforcing Authentication

By default, all users are required to authenticate the connection against Parallels Remote Application Server before they can even view the list of available published applications or desktops. By disabling the option Always require user credentials for application list on the Authentication tab page, you can allow users to see the list of published resources without being authenticated. As a result, the user will be able to see the list, but as soon as the user tries to open an application or a desktop, the server will ask for credentials.

Configuring Authentication

Once authentication is enforced, you can configure the Parallels Remote Application Server to authenticate users against a specific domain by entering the domain name in the Domain input field.

Note: If the Use client domain if specified option is cleared, the domain name specified by the administrator will be automatically populated in the Parallels Client.

Recommendation: After changing domain names or making other authentication-related changes, click the Clear cached session IDs button.

  • Force clients to use NetBIOS credentials. If this option is enabled, the Parallels Client will replace the username with the NetBIOS username.
  • Declare session idle after. This option affects reporting statistics: a session is declared idle after the specified amount of time without any activity.
  • Cached Session Timeout. Specify the amount of time that a session is cached for (a longer time reduces AD transactions).
  • Authenticating Against Multiple Domains. If the users connecting to the Parallels Remote Application Server are stored in different domains within a forest, select the All Trusted Domains option.

Authenticating Against Non Domain Users

To authenticate user sessions against users specified on a standalone machine, you must enter [workgroup_name]/[machine_name] instead of the domain name. For example, if you would like to authenticate users against a list of local users on a machine called SERVER1 that is a member of the workgroup WORKGROUP, enter the following in the domain field: WORKGROUP/SERVER1.