| title | description | videoBanner |
|---|---|---|
Desktop Access with Active Directory |
Integrate Teleport Desktop Access to your Active Directory Domain |
v36tlB8D5kk |
The features documented on this page are available in Teleport 10.2.6 and higher.
This guide will help you configure Teleport and Active Directory in order to provide secure, passwordless access to Windows desktops.
Teleport Desktop Access is designed to be a secure access solution for Windows environments. Teleport implements a minimal feature set of the RDP protocol with security as a priority, and may not be as performant as standard RDP clients. Consider Desktop Access to manage access to your most sensitive Windows environments, not as a drop-in replacement for other tools to provide general access to Windows desktops.
(!docs/pages/includes/edition-prereqs-tabs.mdx!)
- A server or virtual machine running a Windows Server operating system. In this guide, we'll install Active Directory on this server in order to support passwordless logins with Teleport to the Windows desktops in the Active Directory domain.
- A Linux host where you will run the Teleport Desktop Service. <ScopedBlock scope={["oss", "enterprise"]}> This guide assumes that you will run Teleport's Windows Desktop Service on a dedicated host. To install Desktop Access into an existing Teleport instance running other services, see the Manual Setup guide for Desktop Access.
- An Active Directory domain, configured for LDAPS (Teleport requires an encrypted LDAP connection). Typically this means installing AD CS.
In your web browser, access the teleport Web UI at <ScopedBlock scope={["oss", "enterprise"]}>
teleport.example.com<ScopedBlock scope={["cloud"]}>
mytennant.teleport.sh. Click on your user name at the top right
and select Manage Access, Select "Desktop" from the main menu, then NEXT.
If you already have Active Directory installed, skip to the next step. Otherwise, copy and paste the first command provided into a Windows PowerShell window. If you aren't already running AD Certificate services, copy and paste the second command after the first one completes and the server restarts:
Once the server is restarted from one or both command executions, click NEXT.
Copy and paste the provided command into a Windows PowerShell window to download and run the "configure Active Directory" script:
Click NEXT.
The PowerShell script will output a Teleport configuration block. Copy this block to a temporary location. Click Next.
On the Linux host you installed Teleport to run as the Desktop Access connector,
edit /etc/teleport.yaml and paste the configuration provided by the output of
the previous step. Review and edit the addition as necessarily for your environment:
version: v3
teleport:
auth_token: (=presets.tokens.first=)
proxy_server: teleport.example.com:443
auth_service:
enabled: no
ssh_service:
enabled: no
proxy_service:
enabled: no
windows_desktop_service:
enabled: yes
ldap:
addr: '10.10.1.50:636'
domain: 'windows.teleport.example.com'
username: 'WIN\svc-teleport'
server_name: 'windows-server-hostname'
# insecure_skip_verify prevents teleport from authenticating the LDAP CA
# against the systems trust store.
insecure_skip_verify: false
ldap_ca_cert: |
-----BEGIN CERTIFICATE-----
MIIDnzCCAoegAwIBAgIQT/UIn+MT4aZC9ix/QuiV9zANBgkqhkiG9w0BAQsFADBi
...
31qA4dO3if7RdikD9hVbiIF9jQ==
-----END CERTIFICATE-----
discovery:
base_dn: '*'
labels:
teleport.internal/resource-id: 42d8859c-60d0-4d7f-9767-bdd66b63fce6Click Next.
Once you've saved /etc/teleport.yaml, start Teleport:
This command assumes the root user. Prepend sudo otherwise.
$ systemctl start teleport.service
From the directory containing the Teleport binary:
$ ./teleport start --config=/etc/teleport.yaml
The access wizard will detect when the new Teleport instance has joined the cluster, and you can then click Next.
Teleport will discover available Windows desktops in the domain, and list them under Desktops. Click Finish then BROWSE EXISTING RESOURCES to see them:
If you hit any issues, check out the Troubleshooting documentation for common problems and solutions.