Objective

Federated services provide users with single sign-on access to systems and applications located across organizational boundaries. This is the case, for example, for users defined in Azure Active Directory. These users are defined externally to the local machine or, if the machine is domain-joined, to the Active Directory domain. Although a federated directory of users offers many benefits, it can be challenging to establish a trust relationship between the security realms.

This guide describes the steps to allow an external user to connect to a TSplus application server and open the published applications assigned to them. Additionally, this guide explains how to enroll an external user in two factor authentication.


Prerequisites

To follow the steps, you will need the following:

  • An up-to-date TSplus application server, with a valid two factor authentication license (optional)
  • Administrative access to the TSplus application server
  • An Azure Active Directory user

The Azure Active Directory account is named azuread\azuretest in this guide. This guide shows the steps for a machine that is not joined to a domain.


Create a local group to hold external users

  1. From Computer Management > Local Users and Groups > Groups, click on More Actions on the right lateral menu bar, and then Create Group.
  2. Then, type a name, such as “External TSplus Users” and a short description, as shown below, and click on Create to create the local group.

Note: it is not possible to add the external user to this local group at this point.


Add an external user to the local group

  1. Open a CMD or PowerShell prompt as Administrator.
  2. Then, enter the following command:

    net localgroup "External TSplus Users" AzureAD\AzureTest /add

    where:
  • azuread\azuretest is the name of the external user
  • External TSplus Users is the name of the local group previously created

  3. As a result, a reference to the external user is added to the local group.


Assign local group to a published application

  1. Open the AdminTool program
  2. From Applications > Publish, select the Notepad application, and click on Assign Application. A popup named “Notepad User Assignment” opens.
  3. Then, click on the Add… button and enter the name of the local group holding the external users. Click OK.
  4. Finally, click Save to save your changes.

As a result, the user azuread\azuretest has been assigned to the Notepad application, and the Notepad application will appear at the user's next logon.


If all external users will be using two factor authentication, you can reuse the group already created to hold external users. In this case, you can jump to the section "Activating two factor authentication for external users".


Configure an external user by name

  1. Open the Two-factor Authentication Administration program (available from the AdminTool > Addons)
  2. From Manage Users, click on Add Users to enable two-factor authentication for an individual user. A popup opens.
  3. Enter the name of the external user enabled for two-factor authentication. Click OK.

Note: It is not possible to browse the external username in the Active Directory object browser.



Create a local group to hold external users

  1. From Computer Management > Local Users and Groups > Groups, click on More Actions on the right lateral menu bar, and then Create Group.
  2. Then, type a name, such as “Two Factor Authentication” and a short description, as shown below, and click on Create to create the local group.

Note: it is not possible to add the external user to this local group at this point.


Add an external user to the local group

  1. Open a CMD or PowerShell prompt as Administrator.
  2. Then, enter the following command:

    net localgroup "Two Factor Authentication" AzureAD\AzureTest /add

    where:
  • azuread\azuretest is the name of the external user
  • Two Factor Authentication is the name of the local group previously created

  3. As a result, a reference to the external user is added to the local group.
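The two "Add an external user to the local group" procedures above (one for the application group, one for the two factor authentication group) can be run as a single idempotent script. This is an added example, not part of the TSplus guide; it keeps the guide's use of net.exe to add the AzureAD\ principal, creates each group only if it is missing, and verifies the membership afterwards so that only the intended external account ends up in the groups. The account name AzureAD\AzureTest and the two group names are the guide's sample values.

```powershell
#Requires -RunAsAdministrator
# Added example (not the TSplus guide's own script). Creates the two local groups used in
# the guide if they do not exist, adds the Azure AD user to each with net.exe, and checks
# that the member is actually listed. The values below are the guide's sample values.

$ExternalUser = 'AzureAD\AzureTest'   # external (Azure AD) user, DOMAIN\user form
$Groups = [ordered]@{
    'External TSplus Users'     = 'External users allowed to open published TSplus applications'
    'Two Factor Authentication' = 'Users required to enroll in TSplus two factor authentication'
}

function Test-LocalGroupContainsMember {
    param([string] $GroupName, [string] $UserName)
    # net.exe lists members one per line; -match on an array returns the matching lines
    # (case-insensitive), so an empty result means the user is not a member.
    $lines = & net.exe localgroup "$GroupName" 2>&1
    return [bool]($lines -match [regex]::Escape($UserName))
}

function Add-ExternalUserToLocalGroup {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $Description,
        [Parameter(Mandatory)] [string] $UserName
    )
    # 1. Create the local group only if it is missing, so the script can be re-run safely.
    if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $GroupName -Description $Description | Out-Null
        Write-Host "Created local group '$GroupName'"
    }
    # 2. Skip the add if the reference already exists (net.exe would otherwise report an error).
    if (Test-LocalGroupContainsMember -GroupName $GroupName -UserName $UserName) {
        Write-Host "'$UserName' is already a member of '$GroupName'"
        return
    }
    # 3. Add the external user with net.exe, as in the guide, and fail loudly on any error.
    $output = & net.exe localgroup "$GroupName" "$UserName" /add 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "net localgroup failed for '$UserName' in '$GroupName': $output"
    }
    # 4. Verify the result rather than trusting the exit code alone.
    if (-not (Test-LocalGroupContainsMember -GroupName $GroupName -UserName $UserName)) {
        throw "'$UserName' is not listed as a member of '$GroupName' after the add"
    }
    Write-Host "Added '$UserName' to '$GroupName'"
}

foreach ($name in $Groups.Keys) {
    Add-ExternalUserToLocalGroup -GroupName $name -Description $Groups[$name] -UserName $ExternalUser
}
```

Run it from an elevated PowerShell prompt on the TSplus server; a second run reports both memberships as already present and changes nothing.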


Activating two factor authentication for external users

  1. Open the Two-factor Authentication Administration program (available from the AdminTool > Addons)
  2. From Manage Users, click on Add Groups to enable two-factor authentication for the local group previously created. A popup named “Select Users or Groups” opens.
  3. Enter the name of the local group holding the external users enabled for two-factor authentication. Click OK.

  4. As a result, the local group is added to the list.


Enabling two factor authentication

The following steps describe briefly how the user enables two factor authentication from the Web browser. These steps are not specific to external users.

  1. From the Web browser, the user connects to the TSplus Web portal, enters their credentials, and clicks Log in.

Note: the domain field is not the name of the local machine, but the name of the Azure Active Directory domain.


  2. The user is prompted to enroll in two factor authentication following a successful login.



  3. As a result, the user azuread\azuretest is displayed as enrolled in the Two Factor Authentication Administration program, in the Manage Users tab:


  4. On their next successful login to the TSplus Web portal, the user azuread\azuretest will be required to enter their verification code:



Troubleshooting and Support requests

The most relevant log file to collect when reproducing the issue is the Web portal log file.
Please enable the DEBUG level for the Web portal logs from AdminTool > Advanced > Logs, as shown below:


The View button opens a new window on the log files' output folder. The log files use the extension .log, sometimes followed by a number (e.g. .log1, .log2, …).