What are TSplus Logon Tickets? Why Use Them?


The TSplus logon ticket is a secure token that can be requested from a TSplus Remote Access server to bypass the built-in login page for the HTML5 client and start an HTML5 session. Logon tickets can be used in cases where you have special authentication requirements, such as SSO, and need to start the HTML5 session after the user has already been authenticated using your own custom login web portal. 


This feature is described in point 32 of the faq.html file available on any TSplus Remote Access server:

C:\Program Files (x86)\TSplus\Clients\www\software\html5\faq.html


Note that there is also a way to request a logon ticket using plain-text usernames and passwords. This article does not cover it, in favor of the more secure RSA encryption method demonstrated below. The sample workflows and C# code below demonstrate the functionality; your development and security teams should thoroughly vet and test them before using them in a live environment. We do not offer support for custom code (including our example), and you are responsible for maintaining your own code.


Caveats with SSO


The HTML5 client for TSplus Remote Access is more than just a website. It also starts a terminal services session, which requires knowledge of the user's Windows username and password. Most SSO solutions redirect the user to a trusted third-party website to enter their credentials, so you will likely not be able to capture the user's credentials at login time. This creates a need to maintain your own list of your users' Windows usernames and passwords.


Workflows


Below are some diagrams displaying the workflow for using logon tickets in a few different scenarios. 



Example: Using a Standalone TSplus Remote Access Server


1. Request the App Server's Modulus and Exponent and Encrypt Credentials


GET Request: https://{TSplus Server's URL:port}/socket.io/WCREDS?GetRuntimePublicModulusExponent

Expected response: modulus:exponent

Sample response (the modulus value is omitted here):

{modulus}:10001


Once you have the modulus and exponent, use them to RSA-encrypt the user's credentials in one of the following formats, replacing username and password with the user's actual username and password. After the credentials are encrypted, the ciphertext must be converted to Base64.


For a local Windows account:

'WinUser=username&WinPassword=password'


For an Active Directory user account:

'WinUser=DOMAIN\\username&WinPassword=password'


Sample code snippet
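The page's own C# snippet is not reproduced here; the following is an added Python example (not TSplus code) that implements step 1 and assembles the request URLs for steps 2 and 3 described below. It assumes the modulus and exponent are returned in hexadecimal and that the server expects RSAES-PKCS1-v1_5 padding (what .NET's RSACryptoServiceProvider.Encrypt(data, false) produces); the server name and credentials are placeholders.

```python
import base64
import os
from typing import Optional, Tuple
from urllib.parse import quote

# Step 1: "GET /socket.io/WCREDS?GetRuntimePublicModulusExponent" returns
# "modulus:exponent". Assumption: both fields are hexadecimal (the sample
# exponent 10001 is the usual hex form of 65537).
def parse_modulus_exponent(response: str) -> Tuple[int, int]:
    modulus_hex, exponent_hex = response.strip().split(":", 1)
    return int(modulus_hex, 16), int(exponent_hex, 16)

def build_credentials(username: str, password: str,
                      domain: Optional[str] = None,
                      lpw_phrase: Optional[str] = None) -> str:
    # Page formats: 'WinUser=username&WinPassword=password' for a local
    # account, 'WinUser=DOMAIN\username&...' for an AD account, plus an
    # optional '&WinLPWphrase=...' when lpw_phrase is set in settings.bin.
    user = f"{domain}\\{username}" if domain else username
    creds = f"WinUser={user}&WinPassword={password}"
    if lpw_phrase:
        creds += f"&WinLPWphrase={lpw_phrase}"
    return creds

def rsa_pkcs1_v15_encrypt(message: bytes, n: int, e: int) -> bytes:
    # Assumption: RSAES-PKCS1-v1_5 (EM = 00 02 || PS || 00 || M).
    k = (n.bit_length() + 7) // 8
    if len(message) > k - 11:
        raise ValueError("credential string too long for this key size")
    ps_len = k - len(message) - 3  # at least 8 random non-zero bytes
    ps = bytearray()
    while len(ps) < ps_len:
        ps += bytes(b for b in os.urandom(16) if b != 0)
    em = b"\x00\x02" + bytes(ps[:ps_len]) + b"\x00" + message
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")

def encrypt_credentials(creds: str, modulus_response: str) -> str:
    n, e = parse_modulus_exponent(modulus_response)
    ciphertext = rsa_pkcs1_v15_encrypt(creds.encode("utf-8"), n, e)
    return base64.b64encode(ciphertext).decode("ascii")

def ticket_request_url(server: str, encrypted_b64: str) -> str:
    # Step 2: the Base64 value travels in a query string, so '+', '/' and
    # '=' must be percent-encoded or the server decodes a different value.
    return (f"https://{server}/socket.io/socket.io/LPW?rsabase64nojs="
            f"{quote(encrypted_b64, safe='')}")

def session_url(server: str, ticket: str) -> str:
    # Step 3: redirect target that starts the HTML5 session with the ticket.
    return f"https://{server}/software/html5.html?user={quote(ticket, safe='')}"
```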




2. Request Logon Ticket


GET Request: https://{TSplus Server's URL:port}/socket.io/socket.io/LPW?rsabase64nojs=encryptedPassword

Expected response: logon ticket

Sample response: *8Oa5NxWljnYyXgAVcZDj8T7T4duOZIce


The encryptedPassword parameter in the URL above is the Base64 encoded RSA encrypted password from the previous step.




3. Redirect the User to the Application Server with the Logon Ticket


Once you have this token, it can be used to construct a URL that the user can use to access the TSplus Remote Access server and start an HTML5 session. 


Example:

https://{TSplus Server's URL:port}/software/html5.html?user=logonticketgoeshere





Example: Using Logon Tickets With Load Balancing in a TSplus Remote Access Farm


1. Get the Application Server Chosen During Load Balancing

After receiving the response below, craft a URL that targets the chosen application server through the gateway, then follow the same procedure used for the standalone server to obtain the logon ticket. For example, if the application server is named app1, the URL to reach it is https://{TSplus Gateway Server's URL:port}/~~app1. Please refer to the workflow for an example.


GET Request: https://{TSplus Server's URL:port}/cgi-bin/hb.exe?action=lb&l=username&d=domain

Expected response: Load balanced server information

Sample response: loadbalancing-on|app4|gw.gw.com/~~app4|https|443


If load balancing is not configured, you will receive the response loadbalancing-off instead.




Example: Using Logon Tickets With Assigned Servers in a TSplus Remote Access Farm


1. Get the List of Assigned Servers for the User

After receiving the response below, craft a URL that targets the selected application server through the gateway, then follow the same procedure used for the standalone server to obtain the logon ticket. For example, if the application server is named app1, the URL to reach it is https://{TSplus Gateway Server's URL:port}/~~app1. Please refer to the workflow for an example.


GET Request: https://{TSplus Server's URL:port}/cgi-bin/hb.exe?action=srvassigned&l=username&d=domain

Expected response: list of server entries separated by a carriage return and line feed (\r\n, generally not visible)

Sample response:


app1|gw.gw.com/~~app1:443

app2|gw.gw.com/~~app2:443

app3|gw.gw.com/~~app3:443


If the user is not assigned to any server, you will receive the response KO instead.


You can use this list to populate a drop-down box from which the user picks a specific server, then request a logon ticket for that server.
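An added Python example (not TSplus code) that parses both hb.exe responses shown above, handling the loadbalancing-off and KO cases, and builds the per-server URL at which the standalone step 1 request is then made. The srvassigned response carries no scheme, so https is assumed; host and port values are the page's samples.

```python
from typing import Dict, List, Optional

MODULUS_PATH = "/socket.io/WCREDS?GetRuntimePublicModulusExponent"

def _base_url(scheme: str, host_path: str, port: str) -> str:
    # "gw.gw.com/~~app4" + "443" -> "https://gw.gw.com:443/~~app4"
    host, _, path = host_path.partition("/")
    return f"{scheme}://{host}:{port}/{path}"

def parse_load_balancing(response: str) -> Optional[Dict[str, str]]:
    # hb.exe?action=lb returns "loadbalancing-on|name|host/~~name|scheme|port",
    # or "loadbalancing-off" when load balancing is not configured.
    text = response.strip()
    if text == "loadbalancing-off":
        return None
    fields = text.split("|")
    if len(fields) != 5 or fields[0] != "loadbalancing-on":
        raise ValueError(f"unexpected lb response: {text!r}")
    _, name, host_path, scheme, port = fields
    return {"name": name, "base_url": _base_url(scheme, host_path, port)}

def parse_assigned_servers(response: str, scheme: str = "https") -> List[Dict[str, str]]:
    # hb.exe?action=srvassigned returns "name|host/~~name:port" lines separated
    # by \r\n, or "KO" when the user has no assigned server. No scheme is
    # returned, so the caller's default (https, an assumption) is used.
    text = response.strip()
    if not text or text == "KO":
        return []
    servers = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, target = line.split("|", 1)
        host_path, _, port = target.rpartition(":")
        servers.append({"name": name, "base_url": _base_url(scheme, host_path, port)})
    return servers

def modulus_request_url(base_url: str) -> str:
    # Per-server step 1 target: the standalone procedure run against the
    # gateway's /~~server path instead of the application server directly.
    return base_url.rstrip("/") + MODULUS_PATH
```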





Security Considerations


Below are additional settings.bin options on the application server that make logon tickets more secure. Update C:\Program Files (x86)\TSplus\Clients\webserver\settings.bin with the following optional settings. Note that modifying settings.bin requires restarting the TSplus Remote Access built-in web server:


logon_type_allowance="3"

With this setting set to "3", only the logon ticket method is allowed for HTML5 connections. The URL-parameter credential method is denied, and connections are made from the TSplus web portal.

        

lpw_timeout_list_ip="|{IP ADDRESS}|"

This setting only allows the listed IP address to request logon tickets. Replace {IP ADDRESS} with the actual IP address of your portal server. To allow multiple IPs:

  • lpw_timeout_list_ip="|{IP ADDRESS}|{IP ADDRESS}|{IP ADDRESS}|{IP ADDRESS}|"

       

lpw_phrase="my_secret"

This setting only accepts logon ticket requests that contain a specific secret phrase (my_secret is an example; use a more secure string). When encrypting the credentials, append &WinLPWphrase=my_secret to the credential string, like this:

  •  WinUser=username&WinPassword=password&WinLPWphrase=my_secret

        

accept_lpw_only_rsa_secured=true

This setting only accepts logon ticket requests made using the RSA method; the plain-text method is rejected.