These docs are for v16; the latest docs are for v33.

Authentication

How does Ephemeral Cert/Smart Card authentication work for Windows RDP targets?

When accessing via the PrivX GUI

  1. The Windows Active Directory is configured to trust the PrivX CA: the PrivX trust anchor has been imported into the Windows CA on the AD, so PrivX acts as a subordinate certificate authority.

  2. A user initiates a connection to a target host within the domain.

  3. The RDP proxy component requests an ephemeral certificate from the PrivX internal CA.

  4. The Authorizer checks the user's roles and decides whether the user is allowed to connect to the target host.

  5. If so, an ephemeral certificate (valid for 5 minutes) with the principal name baked in is issued to the RDP proxy.

  6. The RDP proxy uses that certificate to authenticate the RDP session to the target host.

  7. The target host performs a CRL check against the CRL endpoint defined in the certificate.

  8. The user is logged in. There are no per-session keys or certificates to rotate, because the virtual smart card certificate used for the login is short-lived.
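The flow above as an added example, not PrivX code: a constructed stand-in CA issues a 5-minute certificate with the principal baked into the SAN as a UPN and a CRL endpoint, and the target-host checks (chain to the trusted CA, validity window, CRL) are run against it, including the expired and revoked cases. It uses Ruby's standard-library OpenSSL bindings; the `privx.example` CRL URL and the `alice@corp.example` principal are made-up values.

```ruby
require 'openssl'
# Microsoft Smart Card Logon EKU and UPN otherName OIDs; the CRL URL is a placeholder, not a real PrivX endpoint.
SMART_CARD_LOGON_EKU = '1.3.6.1.4.1.311.20.2.2'
UPN_OID = '1.3.6.1.4.1.311.20.2.3'
CRL_URL = 'http://privx.example/ephemeral.crl'

# Builds and signs an X.509 v3 certificate; with no issuer the certificate is self-signed (the CA itself).
def sign_cert(subject:, key:, not_before:, not_after:, exts:, issuer: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{subject}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  exts.each { |oid, value, critical| cert.add_extension(ef.create_extension(oid, value, critical)) }
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Step 1: a stand-in for the PrivX CA whose trust anchor the AD has imported (constructed for this example).
def build_ca(now)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = sign_cert(subject: 'PrivX CA (example)', key: key, not_before: now - 3600, not_after: now + 86_400,
                   exts: [['basicConstraints', 'CA:TRUE', true], ['keyUsage', 'keyCertSign,cRLSign', true]])
  [cert, key]
end

# Step 5: a 5-minute virtual smart card certificate with the UPN baked into the SAN, the Smart Card Logon EKU and the CRL endpoint.
def issue_ephemeral(ca, ca_key, upn, now)
  sign_cert(subject: upn, key: OpenSSL::PKey::RSA.new(2048), not_before: now, not_after: now + 5 * 60,
            issuer: ca, issuer_key: ca_key,
            exts: [['keyUsage', 'digitalSignature', true],
                   ['extendedKeyUsage', "clientAuth,#{SMART_CARD_LOGON_EKU}", false],
                   ['subjectAltName', "otherName:#{UPN_OID};UTF8:#{upn}", false],
                   ['crlDistributionPoints', "URI:#{CRL_URL}", false]])
end

# Steps 6-7 on the target host: chain the certificate to the trusted CA as of time +at+, then consult the CRL
# named in the certificate (+revoked_serials+ stands in for the fetched CRL). Returns nil on success, else the reason.
def target_host_rejection(ca, leaf, at, revoked_serials = [])
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  store.time = at
  return store.error_string unless store.verify(leaf)
  return 'no CRL endpoint in certificate' unless leaf.extensions.any? { |e| e.oid == 'crlDistributionPoints' }
  return 'certificate revoked' if revoked_serials.include?(leaf.serial)
  nil
end
```

Evaluating the same certificate a minute after issuance, six minutes after, and with its serial on the CRL shows why no rotation is needed: the certificate simply stops validating once the 5-minute window passes.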