How to configure TruGrid SecureRDP for Hybrid Authentication



Estimated Time: 10-20 minutes

TruGrid SecureRDP can be configured to authenticate against Active Directory, Azure AD, or Hybrid mode (combination of Active Directory and Azure AD). This help guide provides steps to configure TruGrid SecureRDP for Hybrid Authentication.

When configured for Hybrid Authentication, end user login to TruGrid SecureRDP is via Azure AD. End users can then open Desktop and RemoteApp resources from Active Directory and authenticate. SSO is currently not supported.


Below are the prerequisites for configuring TruGrid SecureRDP for Hybrid Authentication:

The domain suffix or suffixes in Azure AD and Active Directory must be the same.
End user accounts (UPN) must be the same in both Azure AD and Active Directory. This process can be simplified by using Microsoft Azure AD Connect to synchronize user accounts from Active Directory to Azure AD.


Steps to Enable Hybrid Authentication for TruGrid SecureRDP

Get started by configuring TruGrid for either Active Directory or Azure AD by following Step 1 or 2 of this guide.

From the TruGrid Dashboard, click DOMAIN MANAGEMENT.

* OPTION 1
If you configured TruGrid SecureRDP for Active Directory in step 1 above, you will see the option below asking you to Connect to Azure AD. Here is the step-by-step guide to Connect to Azure AD.

Domain Management - Ready to Connect to Azure AD


* OPTION 2
If you configured TruGrid SecureRDP for Azure AD in step 1 above, you will see the option below displaying the Sentry Installer. Installing Sentry in an Active Directory environment is how you enable Active Directory authentication. Click here for step-by-step instructions.

Domain Management - Sentry Installer - Active Directory

When step 2 is duly completed, click DOMAIN MANAGEMENT to verify that TruGrid is now connected to both Active Directory and Azure AD.

Domain Management - Hybrid Activated - TruGrid Connected to AD and AAD

You can also click on WORKSPACE to observe that Hybrid Authentication is now active.

Workspace View - Hybrid Authentication Activated

With the above 3 steps completed and verified, end users are now able to consume Desktop and RemoteApp resources in the Active Directory environment by first authenticating to TruGrid with their Azure AD credentials.


Support for Active Directory Forests with Multiple Domains

When TruGrid SecureRDP is configured for an Active Directory environment, the Sentry software will normally enumerate AD objects only from the domain where it is installed, even when the AD Forest has multiple domains. Beginning with TruGrid Sentry 4.3.0.0, customers can configure TruGrid to support multiple domains within an Active Directory Forest. Below are the steps to do so.

Install TruGrid Sentry 4.3.0.0 or later in the Active Directory environment. Here is how

After installation is completed, change the TG-USERS security group from DOMAIN LOCAL to UNIVERSAL. See below for example.

TG-USERS group - Change from Domain Local to Universal

On the server or servers where TruGrid Sentry is installed, open Registry Editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\TruGrid\Sentry.

Add a DomainsIncludedInAdSearch entry with a STRING value of either * or the specific domains that you wish Sentry to include in enumeration, separated by semicolons with no spaces (example: DomainA.com;DomainB.com;DomainC.com). When specifying specific domains instead of the wildcard, do NOT enter the domain where TruGrid Sentry is installed. See both examples below.

Enable TruGrid Sentry to support all domains in a forest


Enable TruGrid Sentry to support specific domains in a forest

If end user UPNs vary between the multiple domains in the forest, please use the TruGrid chat to ask TruGrid support to register all the domains with your primary account. Otherwise, your setup is complete.

Populate the TG-USERS group with resources from the preferred domains.

Log in to the TruGrid dashboard. Open the RESOURCE ASSIGNMENT page to assign end users to resources.
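
The TG-USERS group-scope change and the DomainsIncludedInAdSearch registry entry described above can be scripted in PowerShell. This is an added example, not TruGrid's own tooling: the domain list is a constructed sample, `Test-SentryDomainList` is a hypothetical helper, and the script assumes the ActiveDirectory module is available and that the server's joined domain is the one where Sentry is installed.

```powershell
#Requires -RunAsAdministrator
# Added example, not TruGrid's own tooling. Run on each server where Sentry is installed.
# The group-scope step needs the ActiveDirectory (RSAT) module.

# Constructed sample value: use '*' or your own semicolon-separated list.
$DomainsToInclude = 'DomainA.com;DomainB.com;DomainC.com'

$SentryKey = 'HKLM:\SOFTWARE\TruGrid\Sentry'   # key named in the guide
$ValueName = 'DomainsIncludedInAdSearch'        # value named in the guide

# Assumption: Sentry runs in the domain this server is joined to.
$LocalDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain

function Test-SentryDomainList {
    # Hypothetical helper: enforces the format rules stated in the guide.
    param([string]$Value, [string]$LocalDomain)
    if ($Value -eq '*') { return }                 # wildcard: all domains in the forest
    if ($Value -match '\s') { throw 'List must not contain spaces.' }
    $entries = $Value -split ';'
    if ($entries -contains '') {
        throw 'Empty entry: check for a leading, trailing or doubled semicolon.'
    }
    if ($entries -contains $LocalDomain) {         # -contains ignores case
        throw "The domain where Sentry is installed ($LocalDomain) must not be listed."
    }
}

Test-SentryDomainList -Value $DomainsToInclude -LocalDomain $LocalDomain

# Step: change TG-USERS from Domain Local to Universal (skipped if already done).
Import-Module ActiveDirectory
$group = Get-ADGroup -Identity 'TG-USERS'
if ($group.GroupScope -ne 'Universal') {
    Set-ADGroup -Identity $group -GroupScope Universal
}

# Step: add the STRING (REG_SZ) value under the Sentry key, then read it back.
if (-not (Test-Path -Path $SentryKey)) {
    throw "Key $SentryKey not found. Is TruGrid Sentry installed on this server?"
}
New-ItemProperty -Path $SentryKey -Name $ValueName -Value $DomainsToInclude `
    -PropertyType String -Force | Out-Null
Get-ItemPropertyValue -Path $SentryKey -Name $ValueName
```

The validation runs before any change is made, so a malformed list leaves both the group and the registry untouched.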




How to deactivate Hybrid Authentication for TruGrid

Please follow the steps below to deactivate Hybrid Authentication for TruGrid SecureRDP.

In order to deactivate Azure AD and use only Active Directory, log in to the TruGrid dashboard. Click DOMAIN MANAGEMENT. Click Reset Azure AD. See example below.

Please note that when Azure AD is disconnected from a Hybrid setup, all users will be required to log in to TruGrid with Active Directory credentials and will be required to set up MFA if they have not already done so.

How to Disconnect Azure AD from Hybrid Setup


Follow the instructions below in order to deactivate Active Directory and use only Azure AD:

a. Uninstall all TruGrid Sentry instances in the domain. You can see all Sentry instances under DOMAIN MANAGEMENT on the TruGrid Dashboard; mouse over the greyed out Reset AD.

b. When all TruGrid Sentry instances are uninstalled, log in to the TruGrid Dashboard, open DOMAIN MANAGEMENT and click Reset AD to finalize AD deactivation.

Please note that when Active Directory is deactivated in a TruGrid SecureRDP Hybrid setup, end users can still connect to RDS / RDP desktops in an Active Directory environment or otherwise, but not RemoteApp. RemoteApp installed in an Active Directory environment requires Hybrid Authentication.

Updated on: 21/07/2023
