How to support non-AD environments
TruGrid has two types of Secure RDP products:
TruGrid BASIC allows an individual to sign up with any valid email address and grants that email address access to up to 10 RDP workstations. TruGrid BASIC does not require Windows Active Directory. TruGrid BASIC licenses are individual single-user licenses and cannot be managed from MSP (Managed Service Provider) accounts.
TruGrid BUSINESS allows an organization to manage and determine who is authorized to connect to company machines running RDP. More than one user within the same domain can use the service to connect to machines within the domain. TruGrid BUSINESS requires Windows Active Directory for authentication into the TruGrid portal.
What are my options?
Some business customers would like the functionality of TruGrid BUSINESS but do not have a Windows Active Directory environment. For these customers, their Service Provider can host Windows Active Directory on their behalf: the customer's users authenticate to TruGrid against the MSP's domain (via the TruGrid website, desktop connector, or mobile apps) and then connect from TruGrid to their non-AD machines.
How is this accomplished?
We have a component called TruGrid Secure Connect, an agent that is deployed directly onto non-AD machines and reports them into the TruGrid portal. You can then assign these machines to users on the Assignments page, just as you would with AD machines. Users then log in to the TruGrid portal and launch their non-AD desktops. The TruGrid Secure Connect agent can also be used on AD-joined machines, for example machines that are not on the same local network as the TruGrid Sentry agent.
Step by Step Guide
Below is a step-by-step guide on how MSPs can provide Active Directory services to their customers. We will assume the following for the purpose of this guide.
MSP domain = msp.com
Customer domains are: customer1.com, customer2.com, msphosting.com, etc.
An MSP can use one generic domain (for example msphosting.com) to provide AD services for all customers, or use the public domain name each customer already owns (the domain of their company email). Alternative UPN suffixes can be added for any number of domains.
Login to the Active Directory domain controller owned / hosted by the MSP and do the following:
Open Active Directory Domains and Trusts.
Right-click the Active Directory Domains and Trusts node at the top of the tree and choose Properties.
On the UPN Suffixes tab, add the alternative UPN suffixes you want to provide Active Directory services for. In this case: customer1.com, customer2.com, msphosting.com. See example below:
Ask TruGrid to associate the UPN aliases customer1.com, customer2.com, and msphosting.com with msp.com. See further instructions here on how to set up UPN aliases.
Install the latest TruGrid Secure Connect agent onto the Windows machines at customer locations and activate each one with the TG-XXXXXX activation code of the MSP (msp.com).
Log on to your TruGrid portal and assign machines to users. See further instructions here on assigning users to machines.
Enable Remote Desktop on each Windows machine you installed the TruGrid Secure Connect agent onto, and make sure the Windows firewall allows inbound RDP on TCP port 3389 (the built-in Remote Desktop rule group). Validate the setup by connecting over RDP from another machine on the local network before testing through TruGrid.
When end users authenticate to TruGrid Web or the Native Connector and then launch a desktop, they are prompted for the local credentials of the standalone machine they are connecting to, because that machine is not part of AD. At the usual RDP logon prompt they can tick the ALLOW ME TO SAVE CREDENTIALS checkbox, so subsequent logons behave like SSO. Note that these are the machine's local account credentials, not the user's AD (TruGrid) credentials.
The endpoint must be running an edition of Windows that accepts inbound RDP connections. For example, Windows Home does not support inbound RDP: a user can connect FROM a Windows Home machine, but a Windows Home machine cannot accept inbound RDP connections.
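The guide above has two scripted halves: adding the alternative UPN suffixes on the MSP's domain controller, and preparing each customer endpoint for inbound RDP. The PowerShell below is an added example and is not TruGrid's own code or tooling. It uses the guide's placeholder domains (msp.com, customer1.com, customer2.com, msphosting.com); the function names, the sample user "jane" and the hostname "pc-customer1" are assumptions made for illustration. Part 1 requires the ActiveDirectory module on the DC; Parts 2 and 3 need an elevated session on the endpoint and on a second LAN machine respectively.

```powershell
# Added example (not TruGrid code): DC-side and endpoint-side steps of the guide.

# --- Part 1: on the MSP's domain controller (msp.com) ----------------------
# Same effect as Active Directory Domains and Trusts > Properties > UPN Suffixes.
function Add-MspUpnSuffixes {
    param(
        [string]   $Forest   = 'msp.com',
        [string[]] $Suffixes = @('customer1.com', 'customer2.com', 'msphosting.com')
    )
    $existing = (Get-ADForest -Identity $Forest).UPNSuffixes
    $missing  = $Suffixes | Where-Object { $existing -notcontains $_ }
    if ($missing) {
        # @{ Add = ... } appends without touching suffixes already present.
        Set-ADForest -Identity $Forest -UPNSuffixes @{ Add = $missing }
    }
    # Return the resulting list so the caller can confirm all suffixes are present.
    (Get-ADForest -Identity $Forest).UPNSuffixes
}

# Give a customer user a UPN in their own domain so they sign in to TruGrid as
# jane@customer1.com instead of jane@msp.com. 'jane' is an assumed sAMAccountName.
function Set-CustomerUpn {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $Suffix
    )
    $user = Get-ADUser -Identity $SamAccountName
    Set-ADUser -Identity $user -UserPrincipalName "$($user.SamAccountName)@$Suffix"
    (Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName).UserPrincipalName
}

# --- Part 2: on each customer endpoint running TruGrid Secure Connect -------
function Enable-TruGridRdpEndpoint {
    # Windows Home cannot accept inbound RDP at all; stop before changing anything.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ($os.Caption -match 'Home') {
        throw "Inbound RDP is not supported on '$($os.Caption)'. Use Pro/Enterprise or Server."
    }

    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    # fDenyTSConnections = 0 is what "Enable Remote Desktop" in Settings writes.
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord
    # Keep Network Level Authentication on: the local-credential prompt the guide
    # describes still appears, but unauthenticated clients never reach the logon screen.
    Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1 -Type DWord

    # Open TCP 3389 through the built-in rule group rather than a hand-made rule.
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

    # Report the state the guide asks you to validate.
    [pscustomobject]@{
        RdpEnabled      = (Get-ItemProperty $ts).fDenyTSConnections -eq 0
        NlaRequired     = (Get-ItemProperty "$ts\WinStations\RDP-Tcp").UserAuthentication -eq 1
        FirewallRulesOn = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                            Where-Object Enabled -eq 'True').Count
        Listening3389   = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen `
                                  -ErrorAction SilentlyContinue)
    }
}

# --- Part 3: from another machine on the same LAN ---------------------------
# The guide's "connect from another machine" check without opening a session.
function Test-RdpReachable {
    param([Parameter(Mandatory)] [string] $ComputerName)
    (Test-NetConnection -ComputerName $ComputerName -Port 3389).TcpTestSucceeded
}

# Usage (assumed names):
#   On the DC:        Add-MspUpnSuffixes; Set-CustomerUpn -SamAccountName jane -Suffix customer1.com
#   On the endpoint:  Enable-TruGridRdpEndpoint
#   From a LAN peer:  Test-RdpReachable -ComputerName pc-customer1
```

Two points worth checking after running this. First, Enable-NetFirewallRule turns on the Remote Desktop rules for every profile; if the customer endpoints sit on a network classified as Public and you want the rules narrower, Set-NetFirewallRule on the same DisplayGroup can restrict -Profile or -RemoteAddress, but confirm the Secure Connect agent can still reach port 3389 before doing so. Second, Test-RdpReachable only proves the port is open; the logon itself still uses the machine's local account, exactly as the guide describes.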
Updated on: 29/10/2020