Scenario:
Users accessing a non-persistent virtual desktop use an application via an RDP connection to a server.
Problem:
When users launch the RDP shortcut, they are prompted for credentials. All users need to use the same service account local to the server but:
- Users should not have to remember the service account username.
- Users should not need to know the password.
- Users should be automatically logged in.
The username/password can no longer be entered into the .rdp file by one user and read by another.
Solution:
Use a combination of Ivanti Enviroment Manager and Powershell to add an entry to the users' Credential Manager.
For this example, I will assume the reader has knowledge of Ivanti EV. I have a Reusable Node for creating desktop shortcuts where these steps are stored. The reusable node is then added under User > Logon > Pre-Desktop so all shortcuts are available immediately after logon to the VDI desktop:
- Create a Powershell script to launch the RDP session:start-process -filepath "mstsc" -argumentlist "/v:servername"
exit - Save the script to whatever share used to copy files to desktops in Environment Manager
- In EV, Create a User Group condition for the AD group that will need the shortcut (Optional if not all users need this shortcut)
- Under that condition, create a Copy File action to copy the script created in step #1 to the desktop
- Under that action, create a Create Shortcut action to place a shortcut on the users' desktopThe target of the shortcut is the path to Powershell (eg. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
Parameters: <Path to Powershell Script copied in step 2> -windowstyle hidden - Under the condition in step 3, create a Session Variable action. Enter a session variable name and set it's value to the password of the RDP user.
Note - This does mean that the password is being stored on the Ivanti service in plain text. Make sure proper NTFS and/or SQL permissions are set to prevent unauthorized users from opening the configuration file. Actions in next steps prevent the plaintext password from being accessible on the client. - Under the session variable action, create a custom action of type Powershell and add the following code to the bottom of the script substituting in the user nane and server name for the RDP session, as well as the session variable created in step 6:$user = "Domain\RDP_Username"
$server = "RDP_Servername"
$password = (Get-SessionVariable "sessionVariable")
cmdkey /delete:"$server" # clears the credentials
cmdkey /generic:"$Server" /user:"$user" /pass:"$password"
Remove-Variable password # deletes plaintext password in memory - Under the custom action, create a Delete Session Variable action. Specify the same session variable created in step 6.
