Making a RDP connection based on AD attribute

  • I have sort of a special setup that I’d like to get to work if possible, and thought maybe any of you guys on here could provide some feedback on if its even possible.

    I would like to make a Terminal Service (or RDP if you will) bookmark for all my users. However, it shouldn’t be to the same server, but instead always be to their own local machine inside the company network.

    Normally this would require me to make a Terminal Service profile for each users machine, which would take forever.

    However, would it be possible to perhaps enter the users machine name under an attribute in Active Directory and then maybe use that attribute in a genereic Terminal Service profile?

    Any thoughts or feedback appreciated. I’m not sure it’s possible myself, trying to figure out how to maybe reference the attribute right now myself…

  • i have a exisiting link that works and added another one with the same userattr.xxxx and this link is not viewed when i log on. i’m nearly to think its a java-related-problem.


  • all should work

    just make sure the attribute is in the server catalog of your authentication server.

  • hi,

    first of all, we want to use the attribute from the ad eg.: “” in a field to dynamic connect via RDP.

    we currently use the attribute: <userattr.physicaldeliveryofficename>and it works at a glance. now we have to change the field cause they need it….grml…

    i tried <userattr.postofficebox>and .description and non of it worked.

    maybe you have a solution. i’m not sure where i find the working attributes.</userattr.postofficebox></userattr.physicaldeliveryofficename>

  • I have been doing what Haze has been saying for some number of months on 5.5R3.

    Just dip the attrib via LDAP and punch the attribute into the terminal server name instead of the server name.

  • Hi SOC,
    i have AD server and ldap server configured on SA but both are for same AD server. the user.attr will only work if ldap is configured. Do you need help in configuring LDAP?

  • Ahhh, I was not aware that you could have a different type of server for authorization, thanks for pointing that out.

    I have not tried this setup, and I do get some attributes now, as I can see in a Policy Trace. But I am only seeing a fraction of what is actually defined in our AD. And the url attribute for example, is not present, and when I try to use that on a RDP Resource Profile, the bookmark simply doesn’t appear.

    I can use it with one of the attibutes that the Policy Trace lists though, but none of these can be used to store the computername for my users. Anyone got any idea what could be wrong now? How do I get the rest of the attributes to be mapped?

    And thanks for all the help so far guys, it’s much appreciated…

  • It works in 5.5R2 and 6.0

  • hi,
    I forgot to add that is resource policies, the automatic policy that is created for terminal service will not work as it will be permit for source <userattr.url>You will need to click on options and enable “IP based matching for Hostname based policy resources”.
    Can anyone tell me how i can attach screenshots for the configuration. I have done this for 2 sites and it works.
    To recap

    1. LDAP should be configured properly in SA
    2. For each user in AD, u need to configure Web page address(others) and add the computer names u wish to control. no need to add as FQDN, just add as netbios names.
    3. configure terminal service resource profile with hostname as <userattr.url>4) Resource profile “IP based matching for Hostname based policy resources”

    It works!!!</userattr.url></userattr.url>

  • if you look at your AD realm confit, you will see that you can set authentication and authorization separately. Leave AD as the authentcation, but change authorization to LDAP. The LDAP server could be configred to point to one of your AD servers within the Auth Server config. This way your users can cange passwords, youre pulling group membership information and authenticating to the same domain using the same AD server, which provides winbind and ldap services. However, LDAP will fetch more attributes that you could use for different purposes (like the wwwhomepage attribute).

  • Thanks for the replies guys!

    Using the username is not an option Im afraid, as the machines have different names.

    However, reading what you wrote Farhan, I tried doing a policy trace and it didn’t really show any attributes being mapped. Is this because I use the “Active Directory / Windows NT” authentication server type, and not “LDAP Server”? We don’t use LDAP as I find it way too much hassle having to install certificates and what not to be able to change password…

  • If this is working for Haze and not working for SOC, I would suggest looking at a policy trace and checking whether the attribute is being passed from your ldap server to the IVE.

    If you have AD set as authorization for your realm, you may not be able to use all the attributes. You must have LDAP set as the authorization even if you’re authenticating to AD.

    If you’re using an LDAP attribute that is not added by default in the Server Catalog, you need to use the Attribute tab in the Server Catalog page and add the attribute using its LDAP name.

    You can identify the attributes and their values by running a policy trace against yourself. The attribute values are collected from the LDAP server during the sign-in process and are visible in the trace.

    <userattr.url>might have worked for Haze because I see the wWWHomePage LDAP attribute is added to the Server Catalog by default. So, to test the config you received from Haze, you can run a policy trace and check what value the IVE receives for wWWHomePage or userattr.url. I believe the value for wWWHomePage is copied into userattr.url (i may be wrong).

    Hope this helps. Let me know if I confused you :P.


  • How about this one…

    If User Miller has a Computer which is also called MIller (Username and Computername are the same) you could use the <user>Variable Value as Input for the name of the RDP Server where Miller should connect (just an idea flash, maybe its completely stupid… i dont know…).</user>

  • Hi haze and thanks for the reply.

    I tried testing it, just like you described it, but it doesn’t quite work. It does start an RDP session this time, but it only starts it to the last server my machine has connected to before with RDP, not the one I define in the attribute. You sure yours isn’t just doing this too?

    And just to be clear on it, what version of the software are you running? Im on 5.5R3 (build 12029).

  • Hi SOC,
    I have got AD attributes mapped to Terminal service links. This is what i did

    In Active Directory(you need to map the user to computer by putting computer name as attribute inside user)
    1. Open Active directory users and computers
    2. Double click user you wish to map to computer(user properties)
    3. General Tab > Select Other
    4. In New value field > enter the name of the computer the user should RDP to and click add

    In SA
    1.Create terminal service profile
    2.Hostname value will be : <userattr.url>Good luck with testing.</userattr.url>

  • You’ve got a better chance with Citrix since you can configure it in so many different ways.  TS is more limited.
    You may want to consider using a hosted java applet since substitution variables are supported in some places. I’m not sure if they can be used for the address parameter in the HTML, however. This would mean that some substitution variable (like username) would need to match the hostname - which may not be the case.  This is easy to do so it may be worth a try.
    I don’t think you can use substitution variables for a hostname in a TS resource profile.
    One more thing to consider -
    Both Terminal Services sessions and Hosted Java Applets are able to launch directly from a URL placed on an external web site. You may be able to work some magic with the HTML syntax on a portal page - at least it is more flexible than using substitution variables in a TS resource profile. It would be much easier than building a separate TS bookmark in the IVE.
    Check the IVE admin guide for details. Here is the syntax.
    https://<ive_hostname>/dana/term/winlaunchterm.cgi?<param1>=<value1>&<param2>= <value2>Good luck.</value2></param2></value1></param1></ive_hostname>

  • Yeah, I hear what you’re saying. But the thing is, we want to restrict our users use of Terminal Service so they dont start logging on to other machines than their own.

    I tried using <>as the hostname og a Resource Profile Terminal Service setup, and apply it to a role. The Terminal Service bookmark simply doesn’t show though, so that didn’t work…</>

  • I think working with attribute could work.

    On the other side - i think i would simply allow users to create their own RDP Terminalsession on the IVe, so you just have to write a little help website for them. Otherwise, when the User PCs change, you could have more administr. overhead?