6.3. Remote Hotdesk Authentication (RHA)

The default behavior of the Authentication Manager requires users to be authenticated when hotdesking, i.e., upon reconnection to an existing session.

If the Remote Hotdesk Authentication (RHA) feature is enabled and a reconnection is attempted, the Sun Ray Software creates a temporary new session for the client and uses that session to present an authentication dialog to the user. (This RHA dialog looks very similar to the NSCM authentication dialog.) After the user has successfully authenticated to the dialog, the temporary session is dismissed and the user's existing session is connected to the client.

RHA is designed to provide a more secure hotdesk experience than the previous hotdesk authentication model, which relied on authentication performed by a desktop screen lock in the user's existing session. (The "Remote" in RHA refers to the fact that the hotdesk authentication step takes place outside the user's existing session.) However, for environments where the in-session screen lock provides acceptable security or where no hotdesk authentication is desired, Sun Ray Software can be configured to turn the RHA security feature off.

Authentication does not apply to anonymous Kiosk Mode.

Note

The RHA security feature does not affect token readers. It is assumed that token readers are deployed in physically secure environments.

6.3.1. How to Disable Remote Hotdesk Authentication

Note

Disabling the RHA feature may present a security risk under some circumstances.

  1. To disable RHA configuration for a group, type the following command:

    For example, if your policy allows smart cards and non-smart card logins and failover groups, use the following command and options to disable RHA:

    # utpolicy -a -z both -g -D

  2. Perform a cold restart of the Sun Ray services:

    # utstart -c

6.3.2. How to Re-enable Remote Hotdesk Authentication

  1. Restate your policy using utpolicy without the -D option.

    For example, to reinstate a policy that allows smart cards and non-smart card logins and failover groups with RHA, use the following command and options:

    # utpolicy -a -z both -g

  2. Perform a cold restart of the Sun Ray services:

    # utstart -c
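
To find servers that have been left with RHA turned off, the following added example (not part of the Sun Ray documentation) scans recorded utpolicy option strings for the -D option described above. The inventory format (a host name followed by the options last passed to utpolicy) and the host names are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit recorded utpolicy option strings for -D (RHA disabled).
# Assumption: each inventory line is "<host> <options last given to utpolicy>".

# rha_state OPTION...
# Prints "disabled" if -D appears as its own option token, else "enabled".
# Option arguments such as "both" never match because only the exact
# token -D is tested.
rha_state() {
    for opt in "$@"; do
        case "$opt" in
            -D) echo disabled; return 0 ;;
        esac
    done
    echo enabled
}

# audit_inventory: reads inventory lines on stdin, prints "<host> <state>".
# Blank lines and lines starting with "#" are skipped.
audit_inventory() {
    while read -r host opts; do
        case "$host" in
            ''|'#'*) continue ;;
        esac
        # Word splitting of $opts is intended: one argument per option token.
        echo "$host $(rha_state $opts)"
    done
}

# disabled_hosts: reads inventory lines on stdin, prints only the hosts
# whose recorded policy includes -D.
disabled_hosts() {
    audit_inventory | while read -r host state; do
        if [ "$state" = disabled ]; then
            echo "$host"
        fi
    done
}

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY='# host           recorded utpolicy options
srs-a.example  -a -z both -g -D
srs-b.example  -a -z both -g
srs-c.example  -a -g -D -z both'

# Lists the hosts that need their policy restated without -D.
printf '%s\n' "$SAMPLE_INVENTORY" | disabled_hosts
```

A host listed here only reflects the recorded options; a policy change takes effect after the cold restart shown in the procedures above.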