
Cisco ASA, RDP plugin authentication

ofwegen
Level 1

Hello,

I've installed an ASA 5505 (8.0.3) with WEBVPN. I've managed to get everything working with SSO (Single Sign On) except for the terminal RDP session. OWA, SharePoint, file browsing: SSO is no problem, but I don't seem to get it working with RDP. Somehow it doesn't translate the variables to the RDP session. I'm using CSCO_WEBVPN_USERNAME and CSCO_WEBVPN_PASSWORD, but they appear just like that in the username/password field. Is there any way to make SSO work for RDP?


htarra
Level 4

First, try fixing ASDM: go to the firewall command line and see where your ASDM upgrade image landed ("dir"); most likely it landed in disk0. If that is the case, do "show run | inc asdm" to see the current firewall asdm statement and correct as follows.

ASA for SSH: follow this link (use aaa authentication local).

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml#configs

Hello Htarra,

Thank you for your reply. I don't think it's an AAA issue. The WEBVPN rdp plugin does not use the AAA model of Cisco. I just need to forward the Cisco Username/Password credentials to the RDP plugin.

My ASDM version is: asdm image disk0:/asdm-611.bin

ofwegen, sorry I don't have a fix for you, but if you happen to find the fix for SSO using RDP, please post what you find. I've been working on this same thing now for about two months.

I'll post back of course if I find the remedy.

If I find the fix, I will. I've noticed that the variables used by the RDP plugin differ from the variables used by Cisco. Maybe there is a way to transfer these values?

ofwegen, just so you know I'm not using a single signon server, just auto signon, and I got this to work with the rdp plugin by editing the bookmarks to have the "csco_sso=1" option in there:

rdp://myterminalserver/?csco_sso=1

This works for both ICA and the RDP plugins.
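Added example, not part of the original thread and not Cisco code: since `csco_sso=1` makes the ASA hand the portal username and password to the target host, this sketch inventories which plugin bookmarks carry the flag and rewrites one to enable it. The `ica` and `ssh` scheme names, the sample hosts and `example_param` are assumptions constructed for illustration; only `rdp://myterminalserver/?csco_sso=1` comes from the thread.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: schemes used by plugin bookmarks; only rdp:// appears in the thread.
PLUGIN_SCHEMES = {"rdp", "ica", "ssh"}


def _query_pairs(url):
    """Split a bookmark URL and return (parts, list of query pairs)."""
    parts = urlsplit(url)
    return parts, parse_qsl(parts.query, keep_blank_values=True)


def sso_enabled(url):
    """True only for a plugin bookmark whose query carries csco_sso=1."""
    parts, pairs = _query_pairs(url)
    if parts.scheme.lower() not in PLUGIN_SCHEMES:
        return False
    return dict(pairs).get("csco_sso") == "1"


def with_sso(url):
    """Return the bookmark with csco_sso=1 set, keeping other parameters."""
    parts, pairs = _query_pairs(url)
    if parts.scheme.lower() not in PLUGIN_SCHEMES:
        raise ValueError("not a plugin bookmark: " + url)
    # Drop any existing csco_sso value (for example csco_sso=0) before adding ours.
    pairs = [(k, v) for k, v in pairs if k != "csco_sso"]
    pairs.append(("csco_sso", "1"))
    # The thread's working bookmark has "/" before the query, so keep that shape.
    path = parts.path or "/"
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(pairs), ""))


def audit(bookmarks):
    """Map each plugin bookmark's host to whether portal credentials are forwarded."""
    report = {}
    for url in bookmarks:
        parts = urlsplit(url)
        if parts.scheme.lower() in PLUGIN_SCHEMES:
            report[parts.hostname] = sso_enabled(url)
    return report


# Constructed sample bookmark list (hosts other than myterminalserver are made up).
SAMPLE_BOOKMARKS = [
    "rdp://myterminalserver/?csco_sso=1",
    "rdp://ts2.example.test/?example_param=1",
    "https://owa.example.test/",
]

if __name__ == "__main__":
    for host, forwarded in audit(SAMPLE_BOOKMARKS).items():
        print(host, "forwards portal credentials" if forwarded else "prompts for login")
```

Hosts reported as forwarding credentials receive the user's VPN portal password, so that list is worth reviewing whenever bookmarks are added.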

Cool! That did the trick, great! Now, last question, do you also know how to avoid the printer/drive sharing popup? Normally there's a check box to not show that message anymore, but that's missing.

Hi,

Does anybody know what csco_sso=1 really does? How does it work?

Hello Patrick,

As far as I know, it's not documented anywhere near the RDP plugin. What it does is simple. It translates the Cisco username/password variable to the variables used in the RDP plugin (this is third-party software). The csco_sso feature is documented near the Citrix plugin; you could see if any useful information can be found there.

Regards,

Leon

It's documented over here (for Citrix):

Under the "Providing a Bookmark and Optional SSO Support for Citrix Sessions" section:

http://cisco.com/en/US/docs/security/asa/asa80/configuration/guide/webvpn.html#wp1232666

Also it seems the SSH plugin also supports SSO, as it also has a sso.conf file.

Regards

Farrukh