Exit Print View

Oracle Secure Global Desktop Administration Guide for Version 4.6

Document Information

Preface

1.  Networking and Security

2.  User Authentication

3.  Publishing Applications to Users

4.  Configuring Applications

Windows Applications

Configuring Windows Application Objects

Creating Windows Application Objects on the Command Line

Configuring Microsoft Windows Terminal Services for Use With SGD

Authentication Settings

Session Resumability and Session Directory

Windows Printer Mapping

Drive Redirection

Encryption Level

Multiple Terminal Services Sessions

Remote Desktop Users

Time Zone Redirection

Audio Redirection

Smart Card Device Redirection

COM Port Mapping

Color Depth

Transport Layer Security

Terminal Services Group Policies

Keep Alive Configuration for Windows Terminal Servers

Licensing Microsoft Windows Terminal Services

Managing CALs From the Command-Line

Microsoft Windows Remote Desktop

Seamless Windows

Notes and Tips on Using Seamless Windows

Key Handling for Windows Terminal Services

Supported Keyboard Shortcuts for Windows Terminal Services

The Windows Key and Window Management Keys

Configuring Windows Keyboard Maps

Returning Client Device Information for Windows Terminal Services Sessions

The SGD Remote Desktop Client

Using a Configuration File

Running Windows Applications on Client Devices

X Applications

Configuring X Application Objects

Creating X Application Objects on the Command Line

Supported X Extensions

X Authorization

X Fonts

Using Your Own X Fonts

Using a Font Directory

Using a Font Server

How to Configure SGD to Use Your Own X Fonts

Keyboard Maps

Character Applications

Configuring Character Application Objects

Creating Character Application Objects on the Command Line

Terminal Emulator Keyboard Maps

Default Mappings

Creating a Keyboard Map

Key Names

Client Device Keys

Application Server Keystrokes

Terminal Emulator Attribute Maps

How to Create Your Own Attribute Map

Editing Character Attributes

Terminal Emulator Color Maps

Examples of Using Color Maps

Dynamic Launch

Dynamic Application Servers

SGD Broker

User-Defined SGD Broker

VDI Broker

Dynamic Applications

How to Create a Dynamic Application

Client Overrides

Using My Desktop

Integrating SGD With Oracle VDI

How to Create a Dynamic Application Server for the VDI Broker

Using SSH

SSH Support

Configuring the SSH Client

How to Set Global SSH Client Options

How to Set Application SSH Client Options

Enabling X11 Forwarding for X Applications

How to Enable X11 Forwarding

Using SSH and the X Security Extension

How to Enable the X Security Extension

Using SSH and X Authorization

Using Advanced SSH Functions

Known Limitation With Client Keys

Application Authentication

Login Scripts

Configuring Application Authentication

The Application Server Password Cache

Managing the Application Server Password Cache

Security and the Password Cache

Windows Domains and the Password Cache

Input Methods and UNIX Platform Applications

Adding Support for System Prompts in Different Languages

Using RSA SecurID for Application Authentication

Tips on Configuring Applications

Starting an Application or Desktop Session Without Displaying a Webtop

Using SGD Web Services

Using Multihead Or Dual Head Monitors

Disabling Shared Resources

Configuring the Correct Desktop Size

Configuring Desktop Size for Client Window Management Applications

Configuring Desktop Size for Kiosk Mode Applications

Setting Up the Monitors

Improving the Performance of Windows Applications

Improving the Performance of Java Desktop System Desktop Sessions or Applications

Configuring the X Application Object for Java Desktop System

Disabling Default Java Desktop System Settings

Documents and Web Applications

Creating a Virtual Classroom

How to Create the Teacher's Application Object

How to Create the Classroom Application Object

Configuring Common Desktop Environment Applications

Configuring a CDE Desktop Session

Configuring a CDE Application

Using CDE and SSH

Configuring VMS Applications

Configuring the Login Script Used for the Application

Configuring the Transport Variable in the Login Script

Disabling X Security

3270 and 5250 Applications

Troubleshooting Applications

An Application Does Not Start

Checking the Configuration of the Application Object

Checking the Launch Details and Error Logs

Increasing the Log Output

Troubleshooting ErrApplicationServerTimeout Errors

Troubleshooting ErrApplicationServerLoginFailed Errors

An Application Exits Immediately After Starting

Applications Fail To Start When X Authorization Is Enabled

Applications Disappear After About Two Minutes

An Application Session Does Not End When the User Exits an Application

Checking the Session Termination Setting

Windows Applications Do Not Close Down

UNIX Desktop Sessions Do Not Close Down After Logging Out

Users Can Start Applications With Different User Names and Passwords

Using Windows Terminal Services, Users Are Prompted for User Names and Passwords Too Often

SGD Prompts the User

Terminal Server Prompts the User

Using Shadowing to Troubleshoot a User's Problem

A Kiosk Application Is Not Appearing Full-Screen

An Application's Animation Appears 'Jumpy'

Font Problems with X Applications

Display Problems With High Color X Applications

The X Application Fails With a Color Planes Error

The Colors Appear Strange

The X Application Uses Too Much Bandwidth

8-bit Applications Exit With a PseudoColor Visual Error

Clipped Windows With Client Window Management Applications

Emulating a Sun Keyboard

Display Update Issues When Shadowing Over a Low Bandwidth Connection

Troubleshooting Mouse Drag Delay Issues

Incorrect Time Zone Name Shown in Windows Applications

5.  Client Device Support

6.  SGD Client and Webtop

7.  SGD Servers, Arrays, and Load Balancing

A.  Global Settings and Caches

B.  Secure Global Desktop Server Settings

C.  User Profiles, Applications, and Application Servers

D.  Commands

E.  Login Scripts

F.  Third-Party Legal Notices

Glossary

Index

Application Authentication

When a user clicks a link to start an application, the login script configured for the application connects to the application server, handles the authentication process, and starts the application.

The Execution Protocol Engine is the SGD component that runs the login script. The login script authenticates the user to the application server by submitting a user name and password stored in the SGD application server password cache. If there is a problem with the user’s credentials, SGD displays an Application Authentication dialog as follows:

Figure 4-1 Screen Capture of the SGD Application Authentication Dialog

Screen capture showing the SGD Application Authentication dialog

The Application Authentication dialog enables users to enter their credentials and store them in the application server password cache so that they are not prompted when they next run an application on that application server.

Users can also force SGD to display the Application Authentication dialog by holding down the Shift key when they click an application’s link on the webtop.


Note - You cannot use the Shift key in this way when the SGD Client is in Integrated mode.


This section includes the following topics:

Login Scripts

SGD uses login scripts to handle the connection to the application server, to run the application, and to perform additional tasks.

Typically a login script performs the following tasks:

The login script takes into account the differences between application servers, and checks for any errors that might occur during the login process. If an error is encountered that cannot be handled, control is passed back to the user.

The SGD login scripts are designed to be as universal and robust as possible. However, you might need to cope with an unusual scenario. For example, if you have a system prompt that is not catered for, you can add it to the list of prompts recognized by the script.

The login scripts supplied with SGD also contain commands and procedures that you can use to customize the display of the Application Authentication dialog, for example by adding your own labels for the Username and Password fields.

If you need to customize a login script, make a copy of an SGD login script and work on the copy. Do not modify the standard SGD login scripts. Appendix E, Login Scripts contains detailed reference information about SGD login scripts.

Configuring Application Authentication

In the Administration Console, the attributes on the Global Settings -> Application Authentication tab control application authentication. These attributes allow you to configure the following:

The Application Server Password Cache

By default, SGD stores the user names and passwords used to run applications in its application server password cache. SGD also stores the user names and passwords used to log in to SGD.


Note - SGD cannot store the user name and password used to log in to SGD if the user is authenticated with third-party authentication.


For Windows applications, the Terminal Server handles the authentication process. No information is returned to SGD indicating whether authentication succeeds or fails, and the details remain in the SGD password cache whether correct or incorrect.

Managing the Application Server Password Cache

In the Administration Console, you can manage the application server password cache as follows:

On the command line, you manage the application server password cache with the tarantella passcache family of commands.

You can use the Administration Console and the command line to list and delete entries in the password cache. You can also create entries in the password cache. With the tarantella passcache command, you can populate the password cache with a batch script.

Each entry in the password cache involves the following elements:


Note - The user’s SGD password can also be stored in the password cache.


Security and the Password Cache

Entries in the application server password cache are encrypted with an encryption key. When starting applications, the passwords are decrypted as they are needed.

By default, the encryption key used for the password cache never changes. You can configure SGD to generate a new encryption key for the password cache whenever an SGD server restarts. In the Administration Console, go to the Global Settings -> Security tab and select the New Password Encryption Key check box. Alternatively, use the following command:

$ tarantella config edit --security-newkeyonrestart 1

Existing entries in the password cache are re-encrypted with the new key.

Windows Domains and the Password Cache

When SGD caches a user’s password for a Microsoft Windows application server, the password cache entry is created using the Windows domain name.

The domain name can be specified using the Domain Name attribute on application server objects, Windows application objects, or user profile objects. Users can also specify a domain name on the Application Authentication dialog.

When a user starts an application, SGD goes through the following process to establish the domain name and password cache entry to use:

  1. Check if a domain name is set on the application server object.

    If a domain name is set, SGD searches the password cache for an entry for the user identity.

    If there is no domain name, or there is no entry in the password cache, move to step 2.

  2. Check if a domain name is set on the application object.

    If a domain name is set, SGD searches the password cache for an entry for the user identity.

    If there is no domain name, or there is no entry in the password cache, move to step 3.

  3. Check if the user typed a domain name type when they logged in to SGD.

    If you are using Windows Domain authentication, users can specify a domain name when they log in to SGD. They do this by typing a user name in the format domain\name, for example example\rusty.

    If a domain name is set, SGD searches the password cache for an entry for the user identity.

    If there is no domain name, or there is no entry in the password cache, SGD displays the Application Authentication dialog.

The Application Authentication dialog has an NT Domain field that enables users to set the domain name. This field is automatically completed if the Domain Name attribute is set for the application server or application object, or if the domain is cached in the password cache. If the Domain Name attribute is set only on the user profile object, the NT Domain field is not completed.

To force users to specify a domain when they start a Windows application for the first time, you must ensure that the Domain Name attribute is blank for the user profile object, the application server object, and the application object.

If a user’s SGD password is also their Windows domain password, the domain name and password can be cached if the following are true:

Input Methods and UNIX Platform Applications

An input method is a program or operating system component that enables users to enter characters and symbols not found on their keyboard.

By default, SGD runs an IM for all locales, apart from C and POSIX.

To change the IM configuration, you can edit variables the vars.exp login script. The variables are as follows:

SGD uses the following environment variables to determine the locale TTA_PreferredLocale, TTA_HostLocale, and LANG. See Login Script Variables.

Adding Support for System Prompts in Different Languages

By default, the login scripts supplied with SGD support English system prompts on application servers. SGD Administrators can add support for system prompts in other languages.

To do this, you edit the vars.exp login script and add a translation for each of the English prompts defined. The vars.exp login script is located in the /opt/tarantella/var/serverresources/expect directory on the SGD server. You do not need to translate every prompt, only the prompts that are different to the English ones. The file contains examples to help you get started. You can also provide translations for the variables, strings, and error message section to match the client or user locale.

In the Administration Console, configure the General tab -> Prompt Locale attribute for your application server objects, to match a locale defined in vars.exp.

Using RSA SecurID for Application Authentication

SGD supports RSA SecurID authentication for X and character applications.

To use SecurID authentication, ensure that users can log in to the application server using SecurID before introducing SGD. When you are ready to use SecurID authentication, configure the application object to use the securid.exp login script.

When logging in to an application server that uses SecurID authentication, users enter a user name and password. When they click OK, they are prompted for a passcode.

In the Administration Console, go to the Global Settings -> Application Authentication tab and deselect the Password Cache Usage check box. This prevents SGD from using SGD login details when logging in to the application server.