RAS Publishing Agent Connection Settings

RAS Publishing Agent connection settings can be accessed from the Connection category.

Choosing Authentication Type

Select the Authentication tab. In the Authentication Type drop-down list, select one of the following options:

• Username/Password. The user credentials are validated by the Windows system on which RAS is running. The credentials used for Windows authentication are also used to log into an RDP session.
• Smart Card. Uses smart card authentication. Similar to Windows authentication, smart card credentials can be shared between both RAS and RDP. Hence, smart card credentials only need to be entered once. Unlike Windows authentication, the user only needs to know the smart card’s PIN. The username is obtained automatically from the smart card, so the user doesn't need to provide it.
• Username/Password or Smart Card. Uses both Windows and smart card authentication.

Note that if smart card authentication is disabled, RAS Publishing Agent will not hook the Local Security Authority Subsystem Service (LSASS).

Smart card support is available on Windows Server 2008 and newer. Smart card authentication can be used in Parallels Client for Windows, Mac, and Linux.

Note: Smart cards cannot be used for authentication if Parallels Client is running inside an RDP session.

Smart card certificate

A valid certificate must be installed on a user device in order to use smart cards. To do so, you need to import the certificate authority root certificate into the device’s keystore.

A certificate must meet the following criteria:

• The "Key Usage" field must contain digital signature.
• The "Subject Alternative Name" (SAN) field must contain a user principal name (UPN).
• The "Enhanced Key Usage" field must contain smart card logon and client authentication.

Configuring Authentication

Once authentication is enforced, you can configure Parallels RAS to authenticate users against a specific domain by entering the domain name in the Domain input field.

• All Trusted Domains. If the information about users connecting to Parallels RAS is stored in different domains within a forest, select the All Trusted Domains option to authenticate against multiple domains.
• Use client domain if specified. If this option is cleared, the domain name specified by the administrator will be automatically populated in Parallels Client.
• Force clients to use NetBIOS credentials. If this option is selected, the Parallels Client will replace the username with the NetBIOS username.

  Note: If a certificate on your smart card does not contain a user principal name (UPN) in the "Subject Alternative Name" (SAN) field (or if it doesn't have the "Subject Alternative Name" field at all) you have to disable the Force clients to use NETBIOS credentials option.

Recommendation: After changing the domain names or some other authentication related changes, click the Clear cached session IDs button on the Settings tab.

Authenticating Against Non Domain Users

In order to authenticate users sessions against users specified on a standalone machine you must enter the [workgroup_name] / [machine_name] instead of the domain name. For example if you would like to authenticate users against a list of local users on a machine called SERVER1 that is a member of the workgroup WORKGROUP, enter the following in the domain field: WORKGROUP/SERVER1.