Sign In

Sign in to Teleport

Teleport Cloud LoginLogin to your Teleport AccountDashboard LoginLegacy Login & Teleport Enterprise Downloads
Get Started
Fork me on GitHub

Teleport

Desktop Access with Active Directory

Version 12.x
Improve
Teleport Windows Access with Active Directory

Teleport Windows Access with Active Directory

Length: 19:21

The features documented on this page are available in Teleport 10.2.6 and higher.

This guide will help you configure Teleport and Active Directory in order to provide secure, passwordless access to Windows desktops.

Teleport Desktop Access is designed to be a secure access solution for Windows environments. Teleport implements a minimal feature set of the RDP protocol with security as a priority, and may not be as performant as standard RDP clients. Consider Desktop Access to manage access to your most sensitive Windows environments, not as a drop-in replacement for other tools to provide general access to Windows desktops.

Prerequisites

  • A running Teleport cluster. For details on how to set this up, see one of our Getting Started guides.

  • The tctl admin tool and tsh client tool version >= 12.1.1.

    tctl version
    Teleport v12.1.1 go1.19
    tsh version
    Teleport v12.1.1 go1.19

    See Installation for details.

  • A running Teleport Enterprise cluster. For details on how to set this up, see our Enterprise Getting Started guide.

  • The Enterprise tctl admin tool and tsh client tool version >= 12.1.1, which you can download by visiting the customer portal.

    tctl version
    Teleport Enterprise v12.1.1 go1.19
    tsh version
    Teleport v12.1.1 go1.19
Cloud is not available for Teleport v.
Please use the latest version of Teleport Enterprise documentation.
  • A server or virtual machine running a Windows Server operating system. In this guide, we'll install Active Directory on this server in order to support passwordless logins with Teleport to the Windows desktops in the Active Directory domain.
  • A Linux host where you will run the Teleport Desktop Service. This guide assumes that you will run Teleport's Windows Desktop Service on a dedicated host. To install Desktop Access into an existing Teleport instance running other services, see the Manual Setup guide for Desktop Access.
  • An Active Directory domain, configured for LDAPS (Teleport requires an encrypted LDAP connection). Typically this means installing AD CS.

Step 1/2. Run the discovery wizard

In your web browser, access the teleport Web UI at teleport.example.com. Click on your user name at the top right and select Manage Access, Select "Desktop" from the main menu, then NEXT.

If you already have Active Directory installed, skip to the next step. Otherwise, copy and paste the first command provided into a Windows PowerShell window. If you aren't already running AD Certificate services, copy and paste the second command after the first one completes and the server restarts:

Install Active Directory

Once the server is restarted from one or both command executions, click NEXT.

Copy and paste the provided command into a Windows PowerShell window to download and run the "configure Active Directory" script:

Configure Active Directory

Click NEXT.

The PowerShell script will output a Teleport configuration block. Copy this block to a temporary location. Click Next.

On the Linux host you installed Teleport to run as the Desktop Access connector, edit /etc/teleport.yaml and paste the configuration provided by the output of the previous step. Review and edit the addition as necessarily for your environment:

version: v3
teleport:
  auth_token: abcd123-insecure-do-not-use-this
  proxy_server: teleport.example.com:443

auth_service:
  enabled: no
ssh_service:
  enabled: no
proxy_service:
  enabled: no

windows_desktop_service:
  enabled: yes
  ldap:
    addr:     '10.10.1.50:636'
    domain:   'windows.teleport.example.com'
    username: 'WIN\svc-teleport'
    server_name: 'windows-server-hostname'
    # insecure_skip_verify prevents teleport from authenticating the LDAP CA
    # against the systems trust store.
    insecure_skip_verify: false
    ldap_ca_cert: |
        -----BEGIN CERTIFICATE-----
        MIIDnzCCAoegAwIBAgIQT/UIn+MT4aZC9ix/QuiV9zANBgkqhkiG9w0BAQsFADBi
        ...
        31qA4dO3if7RdikD9hVbiIF9jQ==
        -----END CERTIFICATE-----

  discovery:
    base_dn: '*'
  labels:
    teleport.internal/resource-id: 42d8859c-60d0-4d7f-9767-bdd66b63fce6

Click Next.

Step 2/2. Start Teleport

Once you've saved /etc/teleport.yaml, start Teleport:

This command assumes the root user. Prepend sudo otherwise.

systemctl start teleport.service

From the directory containing the Teleport binary:

./teleport start --config=/etc/teleport.yaml

The access wizard will detect when the new Teleport instance has joined the cluster, and you can then click Next.

Teleport will discover available Windows desktops in the domain, and list them under Desktops. Click Finish then BROWSE EXISTING RESOURCES to see them:

Desktops Discovered

Troubleshooting

If you hit any issues, check out the Troubleshooting documentation for common problems and solutions.

Have a suggestion or can’t find something?
IMPROVE THE DOCS