When a Master connects to a Gateway and requests services from a Host, the Gateway connects to (and authenticates to) the Host on the Master’s behalf (using the Gateway account). However, for maximum security, there are certain services (such as file transfer, remote Host administration, and remote management) that require the Master end-user to authenticate directly to the Host.
We refer to this as end-to-end authentication: If the current credentials (i.e. the credentials the Master used to authenticate to the Gateway) do not suffice at the Host, the user will now be prompted to enter another set of credentials (previously these services were not accessible). The following describes in more detail typical connection scenarios in which end-to-end authentication may be required from the Master:
· If the Master connects either peer-to-peer or through a Gateway to a Host configured for simple password authentication, the logged-in console user identity at the Host is the identity used for services that require end-to-end authentication (i.e. the process of simple password authentication is essentially equivalent to end-to-end authentication in this case).
NOTE: Remote management and remote Host administration require the user logged into the Host to have local administration rights. Also note that these connections are disallowed if the option Allow remote administration (peer-to-peer) is not checked on the Security tab in the Host control panel.
· If the Master connects peer-to-peer to a Host configured for Windows Authentication, the Master must authenticate with username and password to the Host, and this identity is used for services that require end-to-end authentication (i.e. peer-to-peer connection requires the Master to authenticate directly to the Host, which is essentially the same as end-to-end authentication).
· If the Master connects through a Gateway to a Host configured for Windows Authentication, the Master may be required to present two sets of credentials: First, the credentials that the Master used to authenticate to the Gateway will be presented to the Host. If these credentials are accepted by the Host (which would be the case if the Gateway and the Host are in the same domain), no additional credentials are needed, and end-to-end services will be enabled. If the credentials do not work (perhaps because the Host is not in the same domain as the Gateway), the Master end-user will be prompted to present an alternate set of credentials directly to the Host.
NOTE: The alternate credentials will be applicable during the lifetime of the Remote Desktop Window to the Host but will not be saved when the Remote Desktop Window is closed.
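The three scenarios above can be written as one decision procedure, which is useful when auditing which identity a privileged service will run under at the Host. This is an added model, not the product's code: every class, field and function name is hypothetical, `trusted_users` is a constructed stand-in for the Host's Windows logon check, and the first NOTE is assumed to apply to the simple password scenario it follows.

```python
from dataclasses import dataclass
from typing import Callable, Optional

ADMIN_SERVICES = {"remote_management", "remote_host_administration"}

@dataclass
class Host:
    auth_mode: str                          # "simple_password" or "windows"
    console_user: Optional[str] = None      # user logged in at the Host console
    console_is_local_admin: bool = False
    allow_remote_admin: bool = False        # "Allow remote administration (peer-to-peer)"
    trusted_users: frozenset = frozenset()  # constructed stand-in for Windows logon

@dataclass
class RemoteDesktopWindow:
    host: Host
    via_gateway: bool
    master_user: str              # identity presented to the Gateway (or to the Host, peer-to-peer)
    prompt: Callable[[], str]     # asks the Master end-user for alternate credentials
    _alternate: Optional[str] = None   # held in memory for this window only

    def identity_for(self, service: str) -> Optional[str]:
        """Host-side identity for an end-to-end service, or None if refused."""
        h = self.host
        if h.auth_mode == "simple_password":
            # Either path: the logged-in console user is the end-to-end identity.
            if service in ADMIN_SERVICES and not (
                    h.console_is_local_admin and h.allow_remote_admin):
                return None
            return h.console_user
        if not self.via_gateway:
            # Peer-to-peer + Windows Authentication: the Master has already
            # authenticated directly to the Host with this identity.
            return self.master_user
        # Through a Gateway: the credentials used at the Gateway are tried first.
        if self.master_user in h.trusted_users:
            return self.master_user
        # Rejected (e.g. different domain): prompt, cache only on success.
        if self._alternate is None:
            candidate = self.prompt()
            if candidate not in h.trusted_users:
                return None
            self._alternate = candidate
        return self._alternate

    def close(self) -> None:
        self._alternate = None    # alternate credentials are not saved
```
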