5.4 Virtual Channel

A virtual channel is a session-oriented, bidirectional, error-free connection that application-layer code can use to exchange custom data packets between a terminal server and a terminal client.

SecureLogin uses this technology to provide single sign-on to published application and Remote Desktop logins.

5.4.1 Virtual Channel Components

SecureLogin Terminal Server single sign-on (SSO) has three major components:

Table 5-1 The Virtual Channel Components

| Component | Description |
|---|---|
| Client login extension | Collects users’ login credentials for single sign-on. |
| Virtual Channel Driver (VCD) | The core of SecureLogin Terminal Server single sign-on. The VCD is the liaison between the server login extension and single sign-on, and performs all terminal session single sign-on processing. |
| Server login extension | Requests users’ login credentials from the VCD and initiates the login process. After authentication, the login extension returns the credentials to the VCD to update single sign-on. |

The SecureLogin single sign-on process runs as follows:

  1. A user enters a username and password, a domain (optional), an eDirectory context, and an eDirectory tree. This information is encrypted and stored in the registry.

  2. SecureLogin slbroker.exe consumes the registry information and destroys the data in the registry. Login credentials are saved under a generic and hidden platform name.

  3. When the user starts the Citrix ICA client or a published application through a .ica file, the SecureLogin VCD is loaded. The driver receives the domain or preferred tree name of the server and uses it as the platform name to look up the username, password, domain, eDirectory context, and tree in slbroker.exe.

    If the platform does not exist, the VCD reverts to the generic platform name.

    If the generic platform name does not match the requested platform (tree or domain), the VCD displays a dialog box to prompt the user to enter NDS, eDirectory, or NT credentials. The credentials that are expected depend on whether the request is coming from a server with a Novell Client or from an NT/2000 server. The collected credentials are then sent to the server for verification.

    When the user enters and accepts the credential dialog box, a hidden application is created for the next authentication request.

    If the user chooses to cancel entering credentials, the server login box appears as usual.

    NOTE: SecureLogin does not currently handle the actual password change process, so it does not send back the new password when it is changed on the Citrix server. However, when the password stored in slbroker.exe is invalid because of a recent password change on the Citrix server, the user is prompted to enter login credentials again. After the new password is verified, it is sent back to the VCD to update slbroker.exe.

  4. After a successful authentication, the server login extension always sends the user's login credentials back to the workstation. If no application exists for the platform, this procedure creates a new application in slbroker.exe. If the password has recently been changed and the application already exists, this procedure writes the new password to slbroker.exe.
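The credential lookup and return flow of steps 3 and 4 (including the fallback to the generic platform, the dialog on a mismatch or cancel, and the re-prompt on a stale password from the NOTE), modelled as an added Python example that is not SecureLogin's own code: the dictionary stands in for the slbroker.exe store keyed by platform name, `GENERIC` is a hypothetical stand-in for the hidden generic platform name, and `prompt` and `verify` are hypothetical callbacks for the credential dialog and the server's own authentication.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional
GENERIC = "__generic__"  # hypothetical stand-in for the hidden generic platform name

@dataclass
class Credential:
    username: str
    password: str
    domain: Optional[str] = None   # Windows domain (optional)
    context: Optional[str] = None  # eDirectory context
    tree: Optional[str] = None     # eDirectory tree

class VirtualChannelDriver:
    """Workstation side; `store` stands in for slbroker.exe, `prompt` for the credential dialog."""
    def __init__(self, store: Dict[str, Credential],
                 prompt: Callable[[str], Optional[Credential]]):
        self.store, self.prompt = store, prompt  # prompt returns None when the user cancels

    def handle_request(self, platform: str) -> Optional[Credential]:
        """Step 3: resolve credentials for the tree or domain the server names."""
        cred = self.store.get(platform)
        if cred is not None:
            return cred
        generic = self.store.get(GENERIC)  # no such platform: fall back to the generic one
        if generic is not None and platform in (generic.tree, generic.domain):
            return generic
        cred = self.prompt(platform)  # generic does not match: ask the user
        if cred is not None:
            self.store[platform] = cred  # hidden application for the next request
        return cred

    def handle_response(self, platform: str, cred: Credential) -> str:
        """Step 4: server returns verified credentials; create or update the entry."""
        existing = self.store.get(platform)
        self.store[platform] = cred  # new application, or refreshed password
        if existing is None:
            return "created"
        return "updated" if existing.password != cred.password else "unchanged"

def server_login_extension(platform: str, verify: Callable[[Credential], bool],
                           vcd: VirtualChannelDriver) -> str:
    """Server side; `verify` stands in for the server's own authentication."""
    cred = vcd.handle_request(platform)
    while cred is not None and not verify(cred):
        cred = vcd.prompt(platform)  # stale password (changed on the server): prompt again
    if cred is None:
        return "server login box"  # user cancelled: the normal server login appears
    vcd.handle_response(platform, cred)
    return "logged in"
```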

5.4.2 Auto-Detecting the Client Protocol

The server detects whether the ICA protocol is present. If it is, the server loads it. If the client is trying to establish a session by using the RDP protocol, the server loads the RDP protocol and the session begins. After the server component is installed, it automatically responds to either the RDP or the ICA protocol.

By default, the Auto Detection feature is on.

Windows NT 4.0 Terminal Server Edition (RDP 4.0) does not support virtual channel operation. If the client tries to establish a session by using the RDP protocol, Windows NT 4.0 Terminal Server Edition does not respond to the client.