Authentication
How does Ephemeral Cert/Smart Card authentication work for Windows RDP targets?
When accessing via the PrivX GUI:

- The Windows Active Directory is configured to trust the PrivX CA: the trust anchor has been imported into the Windows CA on the AD, and PrivX acts as a subordinate certificate authority.
- A user initiates a connection to a target host within the domain.
- The RDP proxy component asks our internal CA for an ephemeral certificate.
- The Authorizer checks the user's roles and decides whether the user should be allowed to connect to the target host.
- If yes, an ephemeral certificate (valid for 5 minutes) with a baked-in principal name is given to the RDP proxy.
- The certificate is used to authenticate the RDP session to the target host.
- The target host makes a CRL check against the CRL endpoint defined in the certificate.
- The user is logged in. There are no per-session keys or certificates to rotate, since the virtual smart card certificate used for login is short-lived.
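The certificate properties the flow above depends on (5-minute validity, baked-in principal name, CRL endpoint, issued under the trusted CA) can be demonstrated with a constructed stand-in. This is an added example, not PrivX code: it assumes the Python `cryptography` package, uses a throwaway self-signed CA in place of the PrivX subordinate CA, and the UPN and CRL URL values are made up.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")  # Microsoft UPN otherName used for smart card logon
MAX_LIFETIME = dt.timedelta(minutes=5)  # the short validity the flow above relies on


def _sign(subject, issuer, pub, signer, not_before, not_after, extensions):
    b = x509.CertificateBuilder().subject_name(subject).issuer_name(issuer).public_key(pub)
    b = b.serial_number(x509.random_serial_number()).not_valid_before(not_before).not_valid_after(not_after)
    for ext in extensions:
        b = b.add_extension(ext, critical=False)
    return b.sign(signer, hashes.SHA256())


def issue_ephemeral(upn, crl_url, now):
    """CA step: a constructed self-signed CA (stand-in for the AD-trusted anchor) signs a 5-minute logon cert with UPN and CRL endpoint."""
    ca_key, key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo CA")])
    ca = _sign(ca_name, ca_name, ca_key.public_key(), ca_key, now - dt.timedelta(hours=1),
               now + dt.timedelta(hours=1), [x509.BasicConstraints(ca=True, path_length=None)])
    upn_der = b"\x0c" + bytes([len(upn.encode())]) + upn.encode()  # DER UTF8String, short-form length (< 128 bytes)
    crl = x509.DistributionPoint([x509.UniformResourceIdentifier(crl_url)], None, None, None)
    leaf = _sign(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, upn)]), ca_name, key.public_key(),
                 ca_key, now, now + MAX_LIFETIME,
                 [x509.SubjectAlternativeName([x509.OtherName(UPN_OID, upn_der)]), x509.CRLDistributionPoints([crl])])
    return leaf, ca


def check_logon_cert(cert, ca, now):
    """Relying-party checks the flow rests on. Returns (upn, problems); an empty problems list means logon may proceed."""
    problems, upn = [], None
    try:
        ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        problems.append("not issued by the trusted CA")
    if not cert.not_valid_before <= now <= cert.not_valid_after:
        problems.append("outside validity window")
    if cert.not_valid_after - cert.not_valid_before > MAX_LIFETIME:
        problems.append("lifetime exceeds the 5-minute ephemeral limit")
    if not any(e.oid == ExtensionOID.CRL_DISTRIBUTION_POINTS for e in cert.extensions):
        problems.append("no CRL endpoint for the target host to query")
    san = next((e.value for e in cert.extensions if e.oid == ExtensionOID.SUBJECT_ALTERNATIVE_NAME), None)
    if san is not None:
        upn = next((n.value[2:].decode() for n in san.get_values_for_type(x509.OtherName)
                    if n.type_id == UPN_OID), None)  # OtherName value is a DER UTF8String: tag, length, text
    if upn is None:
        problems.append("no UPN otherName in subjectAltName")
    return upn, problems
```

The actual CRL fetch is left to the target host; the check here only confirms that the endpoint is present in the certificate.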
Updated about 3 years ago