Implementing Automated Sign-On for Host Access
The Automated Sign-On for Host Access (ASO) Add-On allows MSS to obtain a time-limited, one-time password (OTP) for a user, which can subsequently be submitted to the host computer instead of a persistent password.
When a user authenticates to the MSS server with their domain credentials, and then connects to a host computer, a Reflection macro requests the host user ID and a temporary password for the host logon. The user's enterprise identity is mapped to the user's host identity and a one-time password is generated. Then the macro transmits the user ID and the temporary password to the host instead of the user's persistent password. The temporary password can be used only once, and automatically expires after a short time. These features help increase the security of host logons.
To implement Automated Sign-On for a host system, you'll need to configure the host, the MSS Administrative Server, and Reflection Desktop as follows:
- Enable the use of one-time passwords on the host. This requires custom programming on the host computer. To learn more about the MSS ASO protocol and the functionality that you must provide on your host computer, contact your Rocket Software sales representative.
- Edit settings on the MSS server and in the Administrative Console as shown in Configuring MSS Automated Sign-On for Host Access.
- Set up a Reflection Desktop session for automated sign-on to a host system, as shown below.
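The three properties the overview relies on (the enterprise identity is mapped to a host identity, the OTP is unguessable, and it is rejected after one use or after a short lifetime) are exactly what the custom programming on the host has to enforce. The following Python model is an added illustration, not Rocket Software code and not the MSS ASO protocol, whose details are not on this page. It collapses issuer and host-side validation into one class so the checks can be exercised offline; the identity mapping, the 60-second lifetime, and the names OtpIssuer, Ticket and demo are all assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample mapping of enterprise identities to host user IDs.
# In MSS the administrator configures this mapping; these values are made up.
IDENTITY_MAP = {
    "alice@corp.example": "ALICE01",
    "bob@corp.example": "BOB02",
}

OTP_TTL_SECONDS = 60  # assumed lifetime; the real MSS value is not stated on the page


@dataclass
class Ticket:
    host_user_id: str
    app_id: str
    expires_at: float
    used: bool = False


class OtpIssuer:
    """Simplified model of an ASO-style issuer plus the host-side validation.

    Not the MSS ASO protocol: it only models the properties the documentation
    states (identity mapping, short lifetime, single use).
    """

    def __init__(self, identity_map, ttl=OTP_TTL_SECONDS, clock=time.time):
        self._map = dict(identity_map)
        self._ttl = ttl
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._tickets = {}           # otp -> Ticket

    def issue(self, enterprise_id, app_id):
        """Map the authenticated enterprise identity to its host ID and mint an OTP."""
        host_user_id = self._map.get(enterprise_id)
        if host_user_id is None:
            raise KeyError(f"no host identity mapped for {enterprise_id!r}")
        otp = secrets.token_urlsafe(24)  # random, so it is not derived from any password
        self._tickets[otp] = Ticket(host_user_id, app_id, self._clock() + self._ttl)
        return host_user_id, otp

    def validate(self, host_user_id, otp, app_id):
        """Host-side check: known, unused, unexpired, and bound to this user and application."""
        ticket = self._tickets.get(otp)
        if ticket is None or ticket.used:
            return False
        if self._clock() > ticket.expires_at:
            del self._tickets[otp]   # expired tickets are discarded, never reusable
            return False
        bound = (hmac.compare_digest(ticket.host_user_id, host_user_id)
                 and hmac.compare_digest(ticket.app_id, app_id))
        if not bound:
            return False
        ticket.used = True           # consume the ticket: a second presentation fails
        return True


def demo():
    """Walk through the lifecycle with a controllable clock; returns the observed outcomes."""
    now = [1_000.0]
    issuer = OtpIssuer(IDENTITY_MAP, ttl=60, clock=lambda: now[0])

    user, otp = issuer.issue("alice@corp.example", "APPID")
    first_use = issuer.validate(user, otp, "APPID")     # True: fresh ticket
    replay = issuer.validate(user, otp, "APPID")        # False: already consumed

    user2, otp2 = issuer.issue("alice@corp.example", "APPID")
    wrong_app = issuer.validate(user2, otp2, "OTHER")   # False: bound to APPID, ticket still unused
    now[0] += 61
    expired = issuer.validate(user2, otp2, "APPID")     # False: past its lifetime

    return {"user": user, "first_use": first_use, "replay": replay,
            "wrong_app": wrong_app, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

The point of the model is the validate path: a ticket that is presented twice, presented for the wrong application, or presented after its lifetime is refused, which is what distinguishes an ASO logon from sending a persistent password. A real host implementation would also log each refusal, since a rejected replay is a useful detection signal.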
Set up a Reflection Desktop Session for Automated Sign-on to a Host System
Configure Reflection Desktop for Centralized Management
This global setting establishes a connection between the client and the MSS Administrative Server, which is needed to request and deliver the OTP for automated sign-on.
1. On the File menu, open the Reflection Workspace Settings.
2. Click Configure Centralized Management.
3. Select Enable Centralized Management.
4. Enter the Server URL for your MSS Administrative Server and click OK.
5. Select Enable automated sign-on.
This setting is needed to use Automated Sign-on for Host Access when sessions are created by users and saved on their individual desktops. When enabled, the automated sign-on macro inserts a time-limited OTP to log the user on to the host session.
Create an Automated Sign-on Macro
The automated sign-on macro must:
- Request a host user ID and an OTP from the MSS Administrative Server.
- Insert the user's credentials (host computer user ID and OTP) that are returned from the MSS Administrative Server (to the client) into the data that is transmitted to the host. This action logs the user on to the host application.
Option 1: Use the Automated Sign-On Parameters dialog box
Note: The Automated Sign-On Parameters dialog box is supported in IBM, VT, UTS, and T27 sessions.
Launch the session you want to configure for Automated Sign-On from the Administrative Console, and then follow these steps:
1. Gather the application ID (if required for your host) and valid logon credentials for the host application.
2. From the Quick Access Toolbar, select the Record Auto Sign-On icon. This icon launches the Automated Sign-On Parameters dialog box.
3. Enter the Host Application ID into the respective field in the dialog box.
   Enable the User ID and Password are in same field setting if applicable. When it is enabled, specify the Delimiter separating User ID and Password, select the Record Field button, and then enter the user ID and password in the terminal window. Proceed to step 6 for further instructions.
4. In the terminal screen, once focus is on the User ID field, select the Record User ID Field button in the dialog box. Then enter the User ID in the terminal window and press Enter.
5. When focus in the terminal window is in the password field, select the Record Password Field button in the dialog box. Then enter your password in the terminal window and press Enter.
6. Once the dialog box shows all fields populated, each accompanied by a green check icon, select the Record Auto Sign-On icon on the Quick Access Toolbar to close the dialog. The dialog closes and the Recording Complete dialog box opens.
7. In the Recording Complete dialog box, do the following:
   - Select the Save in the current document's project option.
   - Name the macro.
   - Select the Make this the Connect Macro option and select OK.
8. Sign out of the terminal session and close the workspace. Select Yes when prompted to send the settings for this session to the Administrative Server.
Once the session has been saved to the Administrative Console, users and groups can be assigned to the session that has been configured with an Automated Sign-On macro that will run upon connection.
Option 2: To create a macro that automatically logs on a user to a host session
1. Gather the application ID (if required for your host) and valid logon credentials for the host application.
2. In Reflection Desktop, create a session and configure it to connect to the host you want users to automatically log on to.
3. On the Tools tab, in the Macros group, click Record VBA Macro.
4. Log on to the host application with valid credentials, and then click Stop Recording.
5. In the Recording Complete dialog, save the macro in the current document's project. Name the macro according to these requirements:
   - To apply the macro to all sessions connecting to this host, name it SignOn.
   - To apply this macro only to sessions connecting to a specific port on this host, append the port number to the name as _<port number> (for example, SignOn_102).
6. To ensure the session VBA Project component has the required name, save the session document file as ASM.iuts.
7. In the VBA Editor, open the ASM project, open Modules, and then open the Recorded module.
8. Edit the macro code to add this line after the variable declarations:
       osCurrentTerminal.GetDASOPassTicket ("APPID")
   where APPID is replaced with the host application ID (noted in step 1). This application ID may or may not be required, depending on your ASO host implementation. However, you must pass a string to this method. The value can be an empty string but not null.
9. Replace your user name with the user ID retrieved by the GetDASOPassTicket method:
       osCurrentScreen.SendKeys (osCurrentTerminal.DASOUserID)
   This sends the retrieved host user ID instead of the user name you typed while recording.
10. Comment out or delete the lines that use the PasswordBox function to prompt the user for the password:
       ' Password was removed from this macro for security.
       ' Prompt for (what is assumed to be) a password.
       ' password = osCurrentTerminal.Macro.PasswordBox("", "")
       ' If (password = "") Then
       '     Err.Raise 11002, "Password", "No Value Provided.", "VBAHelp.chm", "11002"
       ' End If
11. Add this line to send the OTP to the host:
       osCurrentScreen.SendKeys (osCurrentTerminal.DASOPassTicket)
12. Save the macro. When you are done, your macro should look something like this example:
Sub ASO()
    ' Generated by the Reflection Macro Recorder on 08-10-2024 13:08:54.89.
    ' Generated by Rocket Software Reflection Desktop (18.0.509.0).
    Dim osCurrentScreen As Screen
    Dim osCurrentTerminal As Terminal
    Dim returnValue As Integer
    Dim password As String
    Dim hosttype As String
    Const NEVER_TIME_OUT = 0
    Dim LF As String ' Chr(rcLF) = Chr(10) = Control-J
    Dim CR As String ' Chr(rcCR) = Chr(13) = Control-M

    Set osCurrentTerminal = ThisFrame.SelectedView.control
    Set osCurrentScreen = osCurrentTerminal.Screen
    LF = Chr(10)
    CR = Chr(13)
    hosttype = "UNIX"

    ' Request the host user ID and one-time password from the MSS Administrative Server.
    osCurrentTerminal.GetDASOPassTicket ("APPID")

    ' Password was removed from this macro for security.
    ' Prompt for (what is assumed to be) a password.
    ' password = osCurrentTerminal.Macro.PasswordBox("", "")
    ' If (password = "") Then
    '     Err.Raise 11002, "Password", "No Value Provided.", "VBAHelp.chm", "11002"
    ' End If

    ' Send the mapped host user ID instead of the recorded user name.
    'osCurrentScreen.SendKeys "myUserName"
    osCurrentScreen.SendKeys (osCurrentTerminal.DASOUserID)
    osCurrentScreen.SendControlKey ControlKeyCode_Return

    ThisFrame.StatusBarText = "Waiting for Prompt: Password:"
    ' Wait for a string on the host screen before continuing
    If (Trim(osCurrentScreen.GetText(osCurrentScreen.CursorRow, 1, osCurrentScreen.DisplayColumns)) <> "Password:") Then
        returnValue = osCurrentScreen.WaitForString3(LF & "Password: ", NEVER_TIME_OUT, WaitForOption.WaitForOption_AllowKeystrokes)
        If (returnValue <> ReturnCode_Success) Then
            Err.Raise 11001, "WaitForString3", "Timeout waiting for string.", "VBAHelp.chm", "11001"
        End If
    End If
    ThisFrame.StatusBarText = ""

    ' Send the one-time password instead of the persistent password.
    'osCurrentScreen.SendKeys password
    osCurrentScreen.SendKeys (osCurrentTerminal.DASOPassTicket)
    osCurrentScreen.SendControlKey ControlKeyCode_Return
    ' Recording stopped at 13:09:06.93.
End Sub
Tip: To add another macro for a specific port on this host, disconnect this session and connect on that port. Then repeat the steps in this procedure to record another SignOn macro and save it with the port number appended to the SignOn name (for example, SignOn_3782).