Best Practice Terminal Server User Setup

jp

Apr 1, 2004
Archived from groups: microsoft.public.windowsnt.terminalserver.applications, microsoft.public.windowsnt.terminalserver.setup

I have a terminal server hosting a web application accessed by 20 thin
clients. Currently, there is only 1 terminal server user account set up.
Whoever connects to the terminal server will be using the same credentials
for authenticating to the TS. Users will then be authenticated to the
application by entering their specific name set up at the application level.

The advantage of this setup is simplicity. I don't have to create a new user
name for additional thin clients. No matter whether there are 20, 30 or even 50
terminals, 1 user account on the server can do the job.

The disadvantage I can see so far is mainly the difficulty in managing the
connected clients. You cannot easily identify them as they are all using
the same user name. Even the IP addresses are dynamically assigned. Also, I
realized that when I logged on to the server console using the shared
account, I found that the performance is much slower than when I logged on
as administrator or another non-generic user. I am worried about some
specific application data being mixed up as well when having one generic
account with multiple sessions logged on concurrently.

Now I have to decide whether I should continue to use one generic account for all
terminal users, or create a separate one for each terminal. Can some experts
please shed some light?

Cheers,

Joe
 
Guest

that throws security and auditing right out the window.

Rick
 

jp


> that throws security and auditing right out the window.

Rick,

Thanks for your opinion. That's why I said I needed advice from experts.
But I cannot agree totally that security would be completely neglected. In
my situation, IE6 would be started automatically when a user connects. I
have locked down the browser completely and forced it to run in kiosk mode.
The session will be closed when the browser terminates. Second, the
application will authenticate users when the browser loads the application
page.

In the case of Citrix, it generates a lot of anonymous users.
Administrators still cannot easily determine who is anon001.

Joe
 
Guest

yours might be a special case

so you are using TS to serve IE6 to anon users to authenticate via Citrix
web interface to published apps? When authenticating to the published
app are they then using a unique username and secure password?

what are they interfacing to the TS with? I asked because they could run
their browser locally and attach to the published apps that way and
save some CPU cycles.

Rick
 
Guest

Do the applications inherit the Windows account for authentication?

If so then any activity logged in that application will be logged as one
user - could be problematic if you need to track user behaviour metrics in
that application.

Security is non-existent. Authentication, Access and Auditing are all
assigned to one user.

New Moon (Tarantella) Canaveral allows you to easily set up applications and
user accounts. Relatively cheap compared to Citrix - less complicated to
manage as administrator. It has a built-in security model.

Lindsay



"JP" <NO_SPAM_PLEASE_pangjo@netzero.com> wrote in message
news:%23D3EtWqIEHA.3308@tk2msftngp13.phx.gbl...
> I have a terminal server hosting a web application accessed by 20 thin
> clients. Currently, there is only 1 terminal server user account set up.
> Whoever connects to the terminal server will be using the same credentials
> for authenticating to the TS. Users will then be authenticated to the
> application by entering their specific name set up at the application level.
>
> The advantage of this setup is simplicity. I don't have to create a new user
> name for additional thin clients. No matter whether there are 20, 30 or even 50
> terminals, 1 user account on the server can do the job.
>
> The disadvantage I can see so far is mainly the difficulty in managing the
> connected clients. You cannot easily identify them as they are all using
> the same user name. Even the IP addresses are dynamically assigned. Also, I
> realized that when I logged on to the server console using the shared
> account, I found that the performance is much slower than when I logged on
> as administrator or another non-generic user. I am worried about some
> specific application data being mixed up as well when having one generic
> account with multiple sessions logged on concurrently.
>
> Now I have to decide whether I should continue to use one generic account for all
> terminal users, or create a separate one for each terminal. Can some experts
> please shed some light?
>
> Cheers,
>
> Joe
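Added example, not part of any post in this thread: a short audit script showing why a shared logon account defeats attribution, which is the auditing concern raised in the replies above. The session records, account names (`tsuser`, `alice`, `bob`) and client names are constructed, and the record layout is an assumption rather than a real Terminal Server log format.

```python
from collections import Counter, defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed records: (account, client name, logon time, logoff time).
SESSIONS = [
    ("tsuser", "THIN-01", "2004-04-01 08:00", "2004-04-01 12:00"),
    ("tsuser", "THIN-02", "2004-04-01 08:05", "2004-04-01 11:30"),
    ("tsuser", "THIN-07", "2004-04-01 09:10", "2004-04-01 09:40"),
    ("alice",  "THIN-03", "2004-04-01 08:00", "2004-04-01 17:00"),
    ("bob",    "THIN-04", "2004-04-01 08:30", "2004-04-01 12:00"),
    ("bob",    "THIN-04", "2004-04-01 13:00", "2004-04-01 17:00"),
]

def _t(stamp):
    return datetime.strptime(stamp, FMT)

def candidates(sessions, account, when):
    """Clients that had a session open under `account` at time `when`.

    More than one result means an event logged under that account at
    that moment cannot be tied to a single terminal.
    """
    at = _t(when)
    return sorted({client for acct, client, on, off in sessions
                   if acct == account and _t(on) <= at < _t(off)})

def shared_accounts(sessions):
    """Map each account to its peak number of distinct concurrent clients,
    keeping only accounts where that peak exceeds one."""
    events = defaultdict(list)
    for acct, client, on, off in sessions:
        events[acct].append((_t(on), 1, client))
        events[acct].append((_t(off), -1, client))
    flagged = {}
    for acct, evs in events.items():
        active, peak = Counter(), 0
        # Tuple sort puts a logoff (-1) before a logon (+1) at the same minute.
        for _, delta, client in sorted(evs):
            active[client] += delta
            peak = max(peak, sum(1 for n in active.values() if n > 0))
        if peak > 1:
            flagged[acct] = peak
    return flagged

if __name__ == "__main__":
    print("shared accounts:", shared_accounts(SESSIONS))
    print("tsuser at 09:15:", candidates(SESSIONS, "tsuser", "2004-04-01 09:15"))
```

With one account per terminal or per user, `candidates` returns at most one client for any timestamp, so a log entry under that account identifies its source.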