
Desktop Access with Active Directory

This guide will help you configure Teleport and Active Directory in order to provide secure, passwordless access to Windows desktops.

Azure AD

Microsoft's Azure Active Directory (Azure AD, now Microsoft Entra ID) does not support the Kerberos authentication protocol, which Teleport's certificate-based authentication depends on.

At this time, Teleport does not support integration with Azure AD. Teleport Enterprise customers can still access Windows desktops (including those joined to Azure AD) using local accounts via the process described in Getting Started with Desktop Access.

Compare Desktop Access to other RDP clients

The Teleport Desktop Service is designed to be a secure access solution for Windows environments. Teleport implements a minimal feature set of the RDP protocol with security as a priority, and may not be as performant as standard RDP clients. Consider the Desktop Service to manage access to your most sensitive Windows environments, not as a drop-in replacement for other tools to provide general access to Windows desktops.

Prerequisites

  • A running Teleport cluster version 14.3.33 or above. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

  • The tctl admin tool and tsh client tool.

    Visit Installation for instructions on downloading tctl and tsh.

  • A server or virtual machine running a Windows Server operating system. In this guide, we'll install Active Directory on this server in order to support passwordless logins with Teleport to the Windows desktops in the Active Directory domain.
  • A Linux host where you will run the Teleport Desktop Service.
  • An Active Directory domain, configured for LDAPS (Teleport requires an encrypted LDAP connection). Typically this means installing AD CS.

Step 1/2. Run the discovery wizard

In this step, you will use the Teleport Web UI to download and run two scripts:

  • An Active Directory installation script to run on your Windows Server host
  • An installation script for the Teleport Desktop Service, which you will run on your Linux host

Install Active Directory

In your web browser, access the Teleport Web UI at the address of your Proxy Service host, e.g., example.teleport.sh. Go to the Desktops section, then select Add Desktop. Select Active Directory resource to start the guided enrollment from the Enroll New Resource section.

If you already have Active Directory installed on your Windows Server host, skip to the next step. Otherwise, copy and paste the first command provided into a Windows PowerShell window on your Windows Server host. If you aren't already running AD Certificate Services (AD CS), copy and paste the second command after the first one completes and the server restarts:

Once the server is restarted from one or both command executions, click NEXT.

Copy and paste the provided command into a Windows PowerShell window to download and run the "configure Active Directory" script:

Click NEXT.

The PowerShell script will output a Teleport configuration block. Copy this block to a temporary location. Click Next.

Install the Teleport Desktop Service

On the Linux host where you will run the Teleport Desktop Service, create a file called /etc/teleport.yaml and paste the configuration provided by the output of the previous step.

tip

If you would like to run the Teleport Desktop Service from a Teleport process that is already running other services, copy and paste only the windows_desktop_service section.

The configuration file will resemble the following:

version: v3
teleport:
  auth_token: abcd123-insecure-do-not-use-this
  proxy_server: teleport.example.com:443

auth_service:
  enabled: no
ssh_service:
  enabled: no
proxy_service:
  enabled: no

windows_desktop_service:
  enabled: yes
  ldap:
    addr: '10.10.1.50:636'
    domain: 'windows.teleport.example.com'
    username: 'WIN\svc-teleport'
    server_name: 'windows-server-hostname'
    # Setting insecure_skip_verify to true stops Teleport from verifying the
    # LDAP server certificate against the system's trust store; keep it false.
    insecure_skip_verify: false
    ldap_ca_cert: |
      -----BEGIN CERTIFICATE-----
      MIIDnzCCAoegAwIBAgIQT/UIn+MT4aZC9ix/QuiV9zANBgkqhkiG9w0BAQsFADBi
      ...
      31qA4dO3if7RdikD9hVbiIF9jQ==
      -----END CERTIFICATE-----

  discovery:
    base_dn: '*'
  labels:
    teleport.internal/resource-id: 42d8859c-60d0-4d7f-9767-bdd66b63fce6
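Before starting the service, it is worth checking that the configuration you pasted actually enforces an encrypted and authenticated LDAP connection. The script below is an added example, not part of this page or of Teleport itself; it assumes the key layout shown above (addr, server_name, insecure_skip_verify and ldap_ca_cert under windows_desktop_service.ldap) and that openssl is installed on the Linux host. The offline checks flag a port other than 636, insecure_skip_verify set to anything but false, and a missing ldap_ca_cert; verify_ldaps then connects to the domain controller and validates the certificate chain it presents against the pinned CA.

```shell
#!/usr/bin/env bash
# Pre-flight checks for the windows_desktop_service block of /etc/teleport.yaml,
# run on the Linux host before starting Teleport. This is an added example, not
# Teleport's own tooling; it assumes the key layout shown on this page.

# Return 0 when the config uses LDAPS on 636, keeps certificate verification on,
# and pins a CA via ldap_ca_cert; print each finding on stderr and return 1 otherwise.
check_desktop_config() {
  local cfg="$1" ok=0 addr skip

  addr=$(awk '/^[[:space:]]*addr:/ {print $2; exit}' "$cfg" | tr -d "'\"")
  case "$addr" in
    *:636) ;;
    "")    echo "ldap.addr is missing" >&2; ok=1 ;;
    *)     echo "ldap.addr '$addr' is not on the LDAPS port 636" >&2; ok=1 ;;
  esac

  skip=$(awk '/^[[:space:]]*insecure_skip_verify:/ {print $2; exit}' "$cfg")
  if [ "$skip" != "false" ]; then
    echo "insecure_skip_verify must be false (got '${skip:-unset}')" >&2; ok=1
  fi

  if ! grep -q '^[[:space:]]*ldap_ca_cert:' "$cfg" \
     || ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cfg"; then
    echo "ldap_ca_cert is missing or is not a PEM block" >&2; ok=1
  fi
  return "$ok"
}

# Print the PEM body of ldap_ca_cert with the YAML indentation stripped,
# so it can be handed to openssl as a CA file.
extract_ldap_ca() {
  awk '/-----BEGIN CERTIFICATE-----/ {p=1}
       p {sub(/^[[:space:]]+/, ""); print}
       /-----END CERTIFICATE-----/ {exit}' "$1"
}

# Connect to the configured LDAPS endpoint and verify the presented chain against
# the pinned CA (network-dependent; not exercised by the offline checks above).
# -verify_return_error makes s_client exit non-zero when the chain does not
# validate, so a wrong CA or an interposed server fails loudly rather than silently.
verify_ldaps() {
  local cfg="$1" addr sni ca rc=0
  addr=$(awk '/^[[:space:]]*addr:/ {print $2; exit}' "$cfg" | tr -d "'\"")
  sni=$(awk '/^[[:space:]]*server_name:/ {print $2; exit}' "$cfg" | tr -d "'\"")
  sni=${sni:-${addr%%:*}}   # fall back to the host part of addr for SNI
  ca=$(mktemp)
  extract_ldap_ca "$cfg" > "$ca"
  openssl s_client -connect "$addr" -servername "$sni" \
    -CAfile "$ca" -verify_return_error </dev/null >/dev/null 2>&1 || rc=$?
  rm -f "$ca"
  return "$rc"
}

# Usage: ./preflight.sh /etc/teleport.yaml
if [ -n "${1:-}" ]; then
  check_desktop_config "$1" && verify_ldaps "$1"
fi
```

Run it as `./preflight.sh /etc/teleport.yaml` before `systemctl start teleport`; a non-zero exit with a message on stderr tells you which of the three settings to fix, and a failure from verify_ldaps means the domain controller's certificate does not chain to the CA you pasted into ldap_ca_cert.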

Install the Teleport Desktop Service on your Linux host.

Select an edition, then follow the instructions for that edition to install Teleport.

The following command updates the package manager's repository on the local host and installs the given Teleport version. It pipes a downloaded script straight into bash; if your change-control process requires it, download the script to a file and review it before running it:

$ curl https://cdn.teleport.dev/install-v14.3.33.sh | bash -s 14.3.33

In the Teleport Web UI, click Next.

Step 2/2. Start Teleport

Once you've saved /etc/teleport.yaml, configure the Teleport Desktop Service to start automatically when the host boots by running it as a systemd service. The details depend on how you installed Teleport; the package installed in the previous step ships a teleport unit, so on that host enable and start it:

$ sudo systemctl enable teleport
$ sudo systemctl start teleport

You can check the status of the Teleport Desktop Service with systemctl status teleport and view its logs with journalctl -fu teleport.

The access wizard will detect when the new Teleport instance has joined the cluster, and you can then click Next.

Teleport will discover available Windows desktops in the domain, and list them under Desktops. Click Finish then BROWSE EXISTING RESOURCES to see them:

Troubleshooting

If you hit any issues, check out the Troubleshooting documentation for common problems and solutions. For information about configuring Windows-specific role permissions, see Role-Based Access Control for Desktops.