Automatic User Creation

Teleport's Desktop Service can be configured to automatically create local Windows users upon login.

Configuration

Local users only

Automatic user provisioning is only supported for local users, and does not take effect in Active Directory environments.

This feature is disabled by default. To enable it, set the create_desktop_user role option to true. Note that every one of the user's roles that matches a given desktop must set this option; a single matching role without it disables provisioning for that desktop (see below).

kind: role
version: v7
metadata:
  name: allow-user-provisioning
spec:
  options:
    create_desktop_user: true
  allow:
    windows_desktop_labels: { '*': '*' }
    # windows_desktop_logins is a list; the requested Windows username must appear here
    windows_desktop_logins: [jane]

When a Teleport user connects to a desktop, Teleport evaluates each of the user's roles whose windows_desktop_labels match that desktop. If at least one matching role does not set create_desktop_user: true, automatic user creation is disabled for that connection, regardless of what the other matching roles say. Roles whose labels do not match the desktop are not considered.

In order to create the user, the requested Windows username must also appear in the windows_desktop_logins of one of the matching roles.

User management

By default, the newly-created user will be placed in two Windows groups:

  • Remote Desktop Users: a built-in Windows group allowing remote desktop access
  • Teleport Users: a custom group that Teleport places all automatically-created users in

To add the user to additional groups, specify the desktop_groups role option:

kind: role
version: v7
metadata:
  name: allow-user-provisioning
spec:
  options:
    create_desktop_user: true
  allow:
    windows_desktop_labels: { '*': '*' }
    windows_desktop_logins: [jane]
    # these groups are added on top of the default Remote Desktop Users and Teleport Users
    desktop_groups:
    - developers
    # to make the newly-created user a local administrator (grants full control of the host;
    # scope the role's windows_desktop_labels narrowly if you use this)
    - Administrators
    # IdP trait templating is also supported; each value of the trait becomes a group
    - '{{external.desktop_groups}}'
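The rules in the two sections above (which roles are consulted, when a single role disables provisioning, which logins are accepted, and how desktop_groups and trait templates turn into group membership) are easy to get wrong when a user holds several roles. The following is an added example that models those rules as a small decision function; it is not Teleport's own code. It assumes a simplified label matcher (exact key/value match, with `'*': '*'` as a wildcard and no deny rules), that trait templates look like `{{external.name}}` or `{{internal.name}}`, and that a template whose trait is absent expands to nothing. The roles `PROVISION` and `LEGACY` and the desktop labels are constructed sample data.

```python
"""Model of the automatic-user-creation decision described on this page.

Simplified re-implementation of the documented rules, not Teleport's code:
- only roles whose windows_desktop_labels match the desktop are considered;
- provisioning happens only if every matching role sets create_desktop_user: true;
- the requested login must appear in a matching role's windows_desktop_logins;
- groups are the two defaults plus the union of matching roles' desktop_groups,
  with {{external.<trait>}} / {{internal.<trait>}} expanded from the user's traits.
Assumptions (not from the page): labels match by exact key/value with '*' as a
wildcard, deny rules are ignored, and an absent trait expands to nothing.
"""
from dataclasses import dataclass, field
import re

DEFAULT_GROUPS = ("Remote Desktop Users", "Teleport Users")
_TEMPLATE = re.compile(r"^\{\{\s*(external|internal)\.([A-Za-z0-9_-]+)\s*\}\}$")


@dataclass
class Role:
    name: str
    desktop_labels: dict                 # allow.windows_desktop_labels
    desktop_logins: list                 # allow.windows_desktop_logins
    create_desktop_user: bool = False    # options.create_desktop_user
    desktop_groups: list = field(default_factory=list)  # allow.desktop_groups


@dataclass
class Decision:
    provision: bool
    reason: str
    groups: list = field(default_factory=list)


def labels_match(role_labels: dict, desktop_labels: dict) -> bool:
    """Every role label must be satisfied by the desktop; {'*': '*'} matches anything."""
    for key, want in role_labels.items():
        if key == "*" and want == "*":
            continue
        wants = want if isinstance(want, list) else [want]
        have = desktop_labels.get(key)
        if have is None or ("*" not in wants and have not in wants):
            return False
    return True


def expand(values, traits: dict) -> list:
    """Replace template entries with the trait's values (assumed template format)."""
    out = []
    for v in values:
        m = _TEMPLATE.match(v)
        if m:
            out.extend(traits.get(m.group(2), []))  # absent trait -> nothing (assumption)
        else:
            out.append(v)
    return out


def decide(roles, desktop_labels, login, traits=None) -> Decision:
    traits = traits or {}
    matching = [r for r in roles if labels_match(r.desktop_labels, desktop_labels)]
    if not matching:
        return Decision(False, "no role matches this desktop (access denied)")
    # One matching role without the option disables provisioning outright.
    blockers = [r.name for r in matching if not r.create_desktop_user]
    if blockers:
        return Decision(False, f"create_desktop_user not set on matching role(s): {blockers}")
    allowed_logins = {l for r in matching for l in expand(r.desktop_logins, traits)}
    if login not in allowed_logins:
        return Decision(False, f"login {login!r} not in windows_desktop_logins of a matching role")
    groups = list(DEFAULT_GROUPS)
    for r in matching:
        for g in expand(r.desktop_groups, traits):
            if g not in groups:
                groups.append(g)
    return Decision(True, "ok", groups)


# Constructed sample: the role from the page plus an older role that grants prod desktops
# but never set create_desktop_user.
PROVISION = Role("allow-user-provisioning", {"*": "*"}, ["jane"], True,
                 ["developers", "Administrators", "{{external.desktop_groups}}"])
LEGACY = Role("legacy-desktop-access", {"env": "prod"}, ["jane"])

if __name__ == "__main__":
    print(decide([PROVISION], {"env": "dev"}, "jane", {"desktop_groups": ["qa"]}))
    print(decide([PROVISION, LEGACY], {"env": "prod"}, "jane"))   # LEGACY blocks provisioning
    print(decide([PROVISION, LEGACY], {"env": "dev"}, "jane"))    # LEGACY does not match dev
```

Running the sample shows the practical consequence of the rule: adding the provisioning role to a user is not enough if any pre-existing role that also matches the desktop lacks the option, and the same user gets provisioning on desktops that only the new role matches. Note also how an IdP trait flows straight into local group membership, so a trait that can carry the value Administrators is effectively a local-admin grant.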

Teleport never deletes users that are created via automatic user provisioning, so the user's profile is preserved for future logins. The account is disabled to ensure that it can only be accessed via Teleport.

Stored credentials

Teleport versions prior to 15.3 do not support storing credentials.

You can store credentials for users created by Teleport using Control Panel\User Accounts\Credential Manager or the cmdkey CLI utility.

Teleport generates encryption keys for these credentials and stores them securely on the machine, per user, using the Local Security Authority (LSA). If a password is ever set for a Teleport-managed user and a logon is then attempted with that username and password outside of Teleport, Windows overwrites these keys and removes all of the user's stored credentials.

Teleport never generates keys for users created outside of Teleport, to avoid destroying credentials that are already present. For such users, stored credentials cannot be used at all when logging on via Teleport, because the user's password is required to decrypt them and Teleport does not have it.