9.4 Remote Hotdesk Authentication (RHA)

9.4.1 How to Disable Remote Hotdesk Authentication
9.4.2 How to Re-enable Remote Hotdesk Authentication

By default, when a user hotdesks, the desktop's screen lock is activated and the user is forced to authenticate again. However, screen locks are inherently insecure in a number of ways. Remote Hotdesk Authentication (RHA) is designed to provide a more secure hotdesk environment by replacing the authentication performed by a desktop screen lock in the user's existing session. The "Remote" in RHA refers to the fact that the hotdesk authentication step takes place outside the user's existing session, so applications cannot interfere with the authentication. From a user's perspective, there is minimal change when Remote Hotdesk Authentication is enabled.

When RHA is enabled and a reconnection is attempted, the Sun Ray Software creates a temporary new session for the client and uses that session to present an authentication dialog to the user. (This RHA dialog looks very similar to the NSCM authentication dialog.) After the user successfully authenticates through the dialog, the temporary session is dismissed and the user's existing session is connected to the client.

For environments where the in-session screen lock provides acceptable security or where no hotdesk authentication is desired, you can configure Sun Ray Software to disable the RHA security feature.

RHA is enabled for smart cards by default, and NSCM automatically provides protection similar to RHA. Authentication does not apply to anonymous Kiosk Mode.

Note

The RHA security feature does not affect token readers. It is assumed that token readers are deployed in physically secure environments.

9.4.1 How to Disable Remote Hotdesk Authentication

Note

Disabling the RHA feature may present a security risk under some circumstances.

  1. To disable RHA configuration for a group, run utpolicy with the -D option added to your policy options.

    For example, if your policy allows smart cards and non-smart card logins and failover groups, use the following command and options to disable RHA:

    # utpolicy -a -z both -g -D
    
  2. Perform a cold restart of the Sun Ray services:

    # utstart -c
    

9.4.2 How to Re-enable Remote Hotdesk Authentication

  1. Restate your policy using utpolicy without the -D option.

    For example, to reinstate a policy that allows smart cards and non-smart card logins and failover groups with RHA, use the following command and options:

    # utpolicy -a -z both -g
    
  2. Perform a cold restart of the Sun Ray services:

    # utstart -c
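
The following audit helper is an added example, not part of the Sun Ray documentation. It replays recorded administrator command lines, such as a change record, and reports whether RHA is disabled in the configured policy and in the running services. It assumes that a policy written by utpolicy becomes active only at the next cold restart and that utpolicy without options does not change the policy. The function name rha_state and the sample history are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Sun Ray documentation).
# Replays recorded admin command lines and reports the RHA state.
# Assumption: a policy written by utpolicy becomes active only at the next
# cold restart (utstart -c), as the two-step procedures above imply.

# rha_state: reads command lines on stdin; prints "<configured> <active>",
# each "enabled" or "disabled". Starts from the default for smart cards
# (RHA enabled).
rha_state() {
    configured=enabled
    active=enabled
    while IFS= read -r line; do
        set -f                      # no globbing while splitting the line
        set -- $line
        set +f
        if [ "${1:-}" = "#" ]; then shift; fi   # drop the root prompt
        [ $# -gt 0 ] || continue
        cmd=${1##*/}                # accept a full path to the command
        shift
        case $cmd in
        utpolicy)
            # No options: assumed to be a query, policy unchanged.
            [ $# -gt 0 ] || continue
            # The policy is restated as a whole on every call, so RHA is
            # disabled only when this invocation carries -D.
            configured=enabled
            for opt in "$@"; do
                if [ "$opt" = "-D" ]; then configured=disabled; fi
            done
            ;;
        utstart)
            for opt in "$@"; do
                if [ "$opt" = "-c" ]; then active=$configured; fi
            done
            ;;
        esac
    done
    echo "$configured $active"
}

# Constructed sample history: RHA disabled and services restarted, then the
# policy restated without -D but no cold restart yet.
rha_state <<'EOF'
# utpolicy -a -z both -g -D
# utstart -c
# utpolicy -a -z both -g
EOF
```

A result in which the two words differ means a policy change is still waiting for a cold restart; here the running services still have RHA disabled even though the configured policy has it enabled again.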