diff --git a/docs/config.json b/docs/config.json index b88bd980e99de..00a85d5821b11 100644 --- a/docs/config.json +++ b/docs/config.json @@ -1245,7 +1245,7 @@ "slug": "/desktop-access/introduction/" }, { - "title": "Getting Started", + "title": "Configure local Windows users", "slug": "/desktop-access/getting-started/", "forScopes": ["enterprise", "cloud"] }, diff --git a/docs/img/desktop-access/desktop-disconnect.png b/docs/img/desktop-access/desktop-disconnect.png new file mode 100644 index 0000000000000..4e8290085722d Binary files /dev/null and b/docs/img/desktop-access/desktop-disconnect.png differ diff --git a/docs/img/desktop-access/non-ad-connect.png b/docs/img/desktop-access/non-ad-connect.png deleted file mode 100644 index eb845e8ad1c7c..0000000000000 Binary files a/docs/img/desktop-access/non-ad-connect.png and /dev/null differ diff --git a/docs/img/desktop-access/passwordless-desktop.png b/docs/img/desktop-access/passwordless-desktop.png new file mode 100644 index 0000000000000..69add4bd0c576 Binary files /dev/null and b/docs/img/desktop-access/passwordless-desktop.png differ diff --git a/docs/pages/desktop-access/getting-started.mdx b/docs/pages/desktop-access/getting-started.mdx index e06aa193aea8a..874979521a93d 100644 --- a/docs/pages/desktop-access/getting-started.mdx +++ b/docs/pages/desktop-access/getting-started.mdx @@ -1,203 +1,240 @@ --- -title: Getting Started with Desktop Access -description: Passwordless access to Windows systems for local users +title: Configure access for local Windows users +description: Use Teleport to configure passwordless access for local Windows users. videoBanner: 9DyKQbg4ORc --- -This guide will help you configure Teleport to provide secure, passwordless access -to Windows desktops. This configuration does not require an Active Directory domain. +This guide demonstrates how to configure Teleport to provide secure, passwordless access +to Microsoft Windows desktops for local Windows users. - -Passwordless access for local users is an Enterprise-only feature. +## Prerequisites -For open source Teleport, consider integrating Teleport with Active Directory -for automatic discovery by reading [Desktop Access with Active Directory](./active-directory.mdx). +To complete the steps in this guide, verify your environment meets the following requirements: -Teleport Enterprise users can also mix the Teleport Active Directory integration -with the static host definitions described below. - +- Access to a running Teleport cluster. +- A Linux server to run the Teleport Windows Desktop Service. + You can reuse an existing server running any other Teleport instance. + However, you must generate a new invitation token to add the Windows Desktop Service + to an existing Teleport instance. +- A physical or virtual machine running Microsoft Windows with Remote Desktop enabled + and the RDP port (typically port 3389) open for inbound connections from the Linux server. +- (!docs/pages/includes/tctl.mdx!) -
-Passwordless access for local users is available starting from Teleport `v12`. -Previous versions of Teleport can implement Windows Access by integrating with -an [Active Directory domain](./active-directory.mdx). -
+## Step 1/4. Prepare Windows -## Prerequisites +Before you can enroll a Microsoft Windows desktop as a resource to be protected by Teleport, +you need to prepare the Microsoft Windows environment with a certificate from the Teleport +certificate authority (CA) and modify the default authentication service for remote desktop +access. -(!docs/pages/includes/commercial-prereqs-tabs.mdx!) +To prepare a Windows computer: -- A Linux server to run the Teleport Desktop Service on. - You can reuse an existing server running any other Teleport instance. -- A server or virtual machine running a Windows operating system with - Remote Desktop enabled and the RDP port available to the Linux server. -- (!docs/pages/includes/tctl.mdx!) +1. Open a Command Prompt (`cmd.exe`) window on the Windows computer you want to enroll. -## Step 1/4. Prepare Windows +1. Export the Teleport user certificate authority by running the following command using your Teleport cluster address: -In this section we'll import the Teleport certificate authority (**CA**) file -to your Windows system, and prepare it for passwordless access through Teleport. + ```code + $ curl -o teleport.cer /webapi/auth/export?type=windows + ``` -### Import the Teleport root certificate +1. Download the Teleport Windows Auth [setup program](https://cdn.teleport.dev/teleport-windows-auth-setup-v(=teleport.version=)-amd64.exe). -Export the Teleport user certificate authority by running the following from -`cmd.exe` on your Windows system: +1. Double-click the executable you downloaded to run the Teleport Windows Auth Setup program +interactively and select the Teleport certificate that you exported when prompted. -```code -$ curl -o teleport.cer https://teleport-proxy.example.com/webapi/auth/export?type=windows -``` + The setup program: + + - Enables Windows to trust the Teleport certificate authority. + - Installs the required dynamic link library (DLL) for Teleport to use. + - Disables Network Level Authentication (NLA) for remote desktop services. -### Install the Teleport service for Windows +1. Restart the computer. -From the Windows system, download the [Teleport Windows Auth -Setup](https://cdn.teleport.dev/teleport-windows-auth-setup-v(=teleport.version=)-amd64.exe). -Run the installer. When prompted, select the Teleport certificate file from the previous step. -Once complete, reboot the system. - -The Teleport Windows Auth Setup can be run in a shell environment with elevated -privileges. You can use this to automate installation, uninstallation, and -certificate updates. The following command will install the Teleport Certificate, -load the required DLL, disable NLA, and reboot the Windows machine: +If you want to automate the installation process, you can run the setup program from +an administrative Command Prompt or PowerShell console with the following command: ```code $ teleport-windows-auth-setup.exe install --cert=teleport.cer -r -Teleport Authentication Package installed ``` -Use the `--help` flag to learn more. +## Step 2/4. Configure the Windows Desktop Service - +Now that you have prepared the Windows computer to enroll in the cluster, the next steps +involve: -## Step 2/4. Install the Teleport Desktop Service +- Generating an invitation token on your administrative workstation. +- Configuring a Linux server to run the Windows Desktop Service. -On your local system, authenticated to your Teleport cluster, generate a -short-lived join token: +To configure the Windows Desktop Service: -```code -$ tctl tokens add --type=windowsdesktop -The invite token: (=presets.tokens.first=) -This token will expire in 60 minutes. +1. Sign in to the Teleport cluster from your administrative workstation to authenticate your identity. -This token enables Desktop Access. See https://goteleport.com/docs/desktop-access/ -for detailed information on configuring Teleport Desktop Access with this token. -``` +1. Generate a short-lived invitation token by running the following command: -Copy the token to the Linux host where you will run the Desktop service as `/tmp/token`. - -(!docs/pages/includes/install-linux-enterprise.mdx!) - -Create `/etc/teleport.yaml` and configure it for desktop access. Update the `proxy_server` -value to your Teleport proxy service or cloud tenant, and put the Windows machine address -under `non_ad_hosts`: - -```yml -version: v3 -teleport: - nodename: windows.teleport.example.com - proxy_server: teleport-proxy.example.com:443 - auth_token: /tmp/token -windows_desktop_service: - enabled: yes - non_ad_hosts: - - 192.0.2.156 -auth_service: - enabled: no -proxy_service: - enabled: no -ssh_service: - enabled: no -``` + ```code + $ tctl tokens add --type=windowsdesktop + ``` + + The command displays information similar to the following: + + ```text + The invite token: (=presets.tokens.first=) + This token will expire in 60 minutes. + ``` + +1. Copy the token from your administrative workstation and paste it into a file on the +Linux server where you want to run the Windows Desktop Service. + + For example, create a file named `/tmp/token` on the Linux server and paste the token + into the file. + +1. Check whether Teleport is installed on the Linux server where you want to run the +Windows Desktop Service by running the following command: + + ```code + $ teleport version + ``` + + If Teleport isn't installed on the Linux server, follow the appropriate [Installation +instructions](../installation.mdx#installation-instructions) for your environment. + +1. Configure the `/etc/teleport.yaml` file on the Linux server with settings similar to the +following for the Windows Desktop Service: -Note that without Active Directory, Teleport cannot automatically discover your -Desktops. Instead you must define the Windows systems configured for access through -Teleport in your config file or manually register them. - -Manual registration can be done via -[`tctl`](../reference/resources.mdx#windows-desktop) or by using Teleport's -[API](../api/introduction.mdx) to build your own integration. An example API -integration is available on -[GitHub](https://github.com/gravitational/teleport/tree/master/examples/desktop-registration). - -
-You can attach labels to your Windows hosts by matching to their hostnames. -For example, to add the `cloud: ec2` label to hosts with EC2 private IP DNS names: - -```diff -version: v3 -teleport: - nodename: windows.teleport.example.com - proxy_server: teleport-proxy.example.com:443 -windows_desktop_service: - enabled: yes - non_ad_hosts: -- - 192.0.2.156 -+ - ip-192-0-2-156.us-east-2.compute.internal -+ host_labels: -+ - match: '.*\.us-east-2.compute.internal' -+ labels: -+ cloud: ec2 -auth_service: - enabled: no -proxy_service: - enabled: no -ssh_service: - enabled: no -``` -
+ ```yml + version: v3 + teleport: + nodename: + proxy_server: + auth_token: + windows_desktop_service: + enabled: yes + non_ad_hosts: + - 192.0.2.156 + + auth_service: + enabled: no + proxy_service: + enabled: no + ssh_service: + enabled: no + ``` -(!docs/pages/includes/start-teleport.mdx service="the Teleport Desktop Service"!) + In this file: -## Step 3/4. Configure Windows access + - Set the `proxy_server` to the address of your Teleport cluster. + - List the Windows IP addresses or host names under `non_ad_hosts`. -In order to gain access to a remote desktop, a Teleport user needs to have the + Teleport can't automatically discover Windows desktops without Active Directory. + Therefore, you must specify the Windows IP addresses or host names that you want to + enroll using the Teleport configuration file or use the Teleport API to build your own + integration. + + You can find an example of API integration on + [GitHub](https://github.com/gravitational/teleport/tree/master/examples/desktop-registration). + +1. (Optional) Add labels for the Windows Desktop Service to the configuration file. + + You can attach labels to Windows computers by matching to their hostnames. + For example, the following adds the `cloud: ec2` label to computers that have + host names ending with `.us-east-2.compute.internal`: + + ```diff + version: v3 + teleport: + nodename: windows.teleport.example.com + proxy_server: teleport-proxy.example.com:443 + windows_desktop_service: + enabled: yes + non_ad_hosts: + - - 192.0.2.156 + + - ip-192-0-2-156.us-east-2.compute.internal + + host_labels: + + - match: '.*\.us-east-2.compute.internal' + + labels: + + cloud: ec2 + ``` + + For more information about using labels and roles, see [Configure Windows-specific + role permissions](./rbac.mdx). + +1. (!docs/pages/includes/start-teleport.mdx service="the Teleport Windows Desktop Service"!) + +## Step 3/4. Configure remote Windows desktop access + +To access a remote desktop, a Teleport user must have a role with the appropriate permissions for that desktop. -Create the file `windows-desktop-admins.yaml`: - -```yaml -kind: role -version: v7 -metadata: - name: windows-desktop-admins -spec: - allow: - windows_desktop_labels: - "*": "*" - windows_desktop_logins: ["Administrator", "alice"] -``` +To configure a role for desktop access: -You can restrict access to specific hosts by defining values for -`windows_desktop_labels`, and adjust the array of usernames this role has access -to in `windows_desktop_logins`. +1. Sign in to the Teleport cluster from your administrative workstation to authenticate your identity. - -Ensure that each Teleport user is only assigned Windows logins that they should -be allowed to access. - +1. Create a `windows-desktop-admins.yaml` file to define a new role: -Apply the new role to your cluster: + ```yaml + kind: role + version: v6 + metadata: + name: windows-desktop-admins + spec: + allow: + windows_desktop_labels: + "*": "*" + windows_desktop_logins: ["Administrator", "alice"] + ``` -```code -$ tctl create -f windows-desktop-admins.yaml -``` + In this file: + + - Set `windows_desktop_labels` to specify any labels you want to use to allow or deny access to specific hosts. + - Set `windows_desktop_logins` to specify the Windows logins that Teleport users assigned to the role + can use to access Windows desktops. + + Depending on how you configure role-based access controls for Windows, Teleport can create local user logins + automatically from the `windows_desktop_logins` you specify. For more information about enabling Teleport + to create local Windows logins, see [Logins](./rbac.mdx#logins). -(\!docs/pages/includes/add-role-to-user.mdx role="windows-desktop-admins" \!) +1. Apply the new role to your cluster by running the following command: + + ```code + $ tctl create -f windows-desktop-admins.yaml + ``` + +1. (\!docs/pages/includes/add-role-to-user.mdx role="windows-desktop-admins" \!) ## Step 4/4. Connect -You can now connect to your Windows desktops from the Teleport Web UI: +Now that you have configured a Linux server to run the Windows Desktop Service and +created a role to allow a Teleport user to connect to Microsoft Windows with a local +Windows login, you can use the Teleport user assigned the `windows-desktop-admins` role +to connect to Windows desktops from the Teleport Web UI. + +To connect to a Windows desktop: + +1. Sign in to the Teleport cluster using an account that's assigned the +`windows-desktop-admins` role. + +1. Select **Resources**. + +1. Click **Type**, then select **Desktops**. + +1. Click **Connect** for the Windows desktop you want to access, then select the +Windows login to use for the connection. + + ![Connect to a Windows desktop from the Teleport Web UI](../../img/desktop-access/passwordless-desktop.png) + + Teleport opens a remote desktop connection and starts recording the desktop session. When you're + finished working with the Windows desktop, click the **More items** menu, then click **Disconnect**. + + ![Disconnect from a Windows desktop ](../../img/desktop-access/desktop-disconnect.png) -![Connecting to a Windows desktop from the Web UI](../../img/desktop-access/non-ad-connect.png) + To view the recording, select **Management** in the Teleport Web UI, then click **Session Recordings** + in the Activity section. -## Next Steps +## Next steps -- See the [RBAC page](./rbac.mdx) for more information about setting up -Windows desktop access permissions. -- See the [Access Controls Getting Started](../access-controls/getting-started.mdx#step-13-add-local-users-with-preset-roles) -guide for instructions on how to create or update a user with a given role. +For more general information about how to create, assign, and update roles, see [Access Controls +Getting Started](../access-controls/getting-started.mdx#step-13-add-local-users-with-preset-roles). +For more specific information about configuring Windows-specific role permissions, see +[Configure Windows-specific role permissions](./rbac.mdx). \ No newline at end of file