Virtual Channel

A virtual channel is a session-oriented, bidirectional, error-free transmission connection that application-layer code can use to exchange custom data packets between a terminal server and a terminal client.

SecureLogin uses this technology to let users single sign-on to published applications and Remote Desktop logins.


Virtual Channel Components

SecureLogin Terminal Server single sign-on has three major components:

Component                     Description
----------------------------  ----------------------------------------------------------
Client login extension        Collects the user's login credentials for single sign-on.
Virtual channel driver (VCD)  The core of SecureLogin Terminal Server single sign-on.
                              Liaises between the server login extension and the
                              workstation's single sign-on store (Combroker) to carry
                              out every terminal session single sign-on step.
Server login extension        Requests the user's login credentials from the VCD and
                              starts the login process. After authentication it returns
                              the credentials to the VCD so that single sign-on can be
                              updated.

The three components use the following process:

  1. A user enters a username and password, optionally a domain, an NDS or eDirectory context, and an NDS or eDirectory tree. This information is encrypted and stored in the registry.
  2. SSO Combroker consumes the registry information and then deletes it from the registry. The login credentials are saved under a generic, hidden platform name.
  3. When the user starts the Citrix ICA client or launches a published application through an ICA file, the SecureLogin virtual channel driver is loaded. The driver receives the domain or preferred tree name of the server and then reads Combroker, using that name as the platform name, to retrieve the username, password, domain, NDS or eDirectory context, and tree.

    If no entry exists for that platform name, the VCD falls back to the generic platform name.

    If the generic entry does not match the requested platform (tree or domain), the VCD displays a dialog box prompting the user for NDS or eDirectory credentials or for NT credentials. Which kind is expected depends on whether the request comes from a server running the Novell Client or from an NT/2000 server. The collected credentials are then sent to the server for verification.

    When the user enters credentials and accepts the dialog box, a hidden application entry is created so that the next authentication request for that platform can be answered without a prompt.

    If the user cancels the credential dialog box, the server's own login box appears as usual.

    NOTE:  SecureLogin does not currently handle the password change process itself, so it does not send a new password back when the password is changed on the Citrix server. However, when the password stored in Combroker becomes invalid because of a recent password change on the Citrix server, the user is prompted for login credentials again. After the new password is verified, it is sent back to the VCD, which updates Combroker.

  4. After a successful authentication, the server login extension always sends the user's login credentials back to the workstation. If no application entry exists for the platform, this creates one in Combroker. If the entry already exists and the password was recently changed, this writes the new password to Combroker.
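The credential resolution and write-back behaviour of steps 3 and 4 (platform entry, fall back to the generic entry, prompt the user, re-prompt on a stale password, then create or update the Combroker entry) is modelled below. This is an added example written for this page, not SecureLogin or Citrix code: the store layout, the generic platform name, the prompt and verify callbacks, and the sample directory are all assumptions made for the illustration.

```python
"""Illustrative model of the SecureLogin virtual channel credential flow.

Written for this page as an example; it is not SecureLogin or Citrix code.
The store layout, the generic platform name, the prompt/verify callbacks and
the sample directory are assumptions made for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

GENERIC_PLATFORM = "__generic__"  # assumed name of the hidden generic entry (step 2)


@dataclass
class Credentials:
    username: str
    password: str
    domain: Optional[str] = None   # NT domain (optional)
    context: Optional[str] = None  # NDS/eDirectory context
    tree: Optional[str] = None     # NDS/eDirectory tree


@dataclass
class Combroker:
    """Stand-in for the SSO Combroker credential store (constructed)."""
    platforms: Dict[str, Credentials] = field(default_factory=dict)

    def lookup(self, platform: str) -> Optional[Credentials]:
        return self.platforms.get(platform)

    def create_or_update(self, platform: str, creds: Credentials) -> str:
        """Step 4: create the hidden application entry or update its password."""
        action = "updated" if platform in self.platforms else "created"
        self.platforms[platform] = creds
        return action


def generic_matches(generic: Credentials, requested: str) -> bool:
    """The generic entry only serves a request for the tree or domain it was saved for."""
    return requested in (generic.tree, generic.domain)


Prompt = Callable[[str], Optional[Credentials]]  # VCD dialog; None means the user cancelled
Verify = Callable[[str, Credentials], bool]       # server login extension check


def resolve_credentials(store: Combroker, requested: str,
                        prompt: Prompt) -> Tuple[Optional[Credentials], str]:
    """Step 3: platform entry, then generic entry, then prompt the user."""
    creds = store.lookup(requested)
    if creds is not None:
        return creds, "platform"
    generic = store.lookup(GENERIC_PLATFORM)
    if generic is not None and generic_matches(generic, requested):
        return generic, "generic"
    entered = prompt(requested)
    if entered is None:
        return None, "aborted"       # the server's own login box appears as usual
    return entered, "prompted"


def terminal_session(store: Combroker, requested: str,
                     prompt: Prompt, verify: Verify) -> dict:
    """One terminal login: resolve, verify, re-prompt on a stale password, write back."""
    creds, source = resolve_credentials(store, requested, prompt)
    if creds is None:
        return {"source": source, "authenticated": False, "store_action": None}
    if not verify(requested, creds):
        if source == "prompted":     # freshly typed and still wrong: plain failure
            return {"source": source, "authenticated": False, "store_action": None}
        # NOTE in the text: a stored password invalidated by a change on the
        # server makes the VCD prompt again; the verified password is written back.
        creds = prompt(requested)
        if creds is None or not verify(requested, creds):
            return {"source": "reprompted", "authenticated": False, "store_action": None}
        source = "reprompted"
    action = store.create_or_update(requested, creds)
    return {"source": source, "authenticated": True, "store_action": action}


def make_verify(directory: Dict[str, Dict[str, str]]) -> Verify:
    """Constructed stand-in for the server-side check against NDS/eDirectory or NT."""
    return lambda platform, c: directory.get(platform, {}).get(c.username) == c.password


def scripted_prompt(answers: Dict[str, Optional[Credentials]]) -> Prompt:
    """Simulates the user typing into the VCD dialog; a missing answer means Cancel."""
    return lambda platform: answers.get(platform)


def demo() -> list:
    directory = {"TREE_CORP": {"alice": "Winter2024"}, "NTDOM": {"alice": "Autumn2024"}}
    verify = make_verify(directory)
    store = Combroker({GENERIC_PLATFORM: Credentials("alice", "Winter2024", tree="TREE_CORP")})
    results = []
    # 1. request for the tree the generic entry was saved for: no dialog, entry created
    results.append(terminal_session(store, "TREE_CORP", scripted_prompt({}), verify))
    # 2. request for an NT domain the generic entry does not match: dialog, entry created
    answers = {"NTDOM": Credentials("alice", "Autumn2024", domain="NTDOM")}
    results.append(terminal_session(store, "NTDOM", scripted_prompt(answers), verify))
    # 3. password changed on the Citrix server: stored entry fails, re-prompt, entry updated
    directory["TREE_CORP"]["alice"] = "Spring2025"
    answers = {"TREE_CORP": Credentials("alice", "Spring2025", tree="TREE_CORP")}
    results.append(terminal_session(store, "TREE_CORP", scripted_prompt(answers), verify))
    # 4. user cancels the dialog for an unknown platform: nothing is stored
    results.append(terminal_session(store, "OTHER_TREE", scripted_prompt({}), verify))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The four scenarios in demo() cover the branches the text describes: a generic entry that matches the requested tree, a request the generic entry cannot serve, a stored password invalidated by a server-side change, and a cancelled dialog. Note that only a verified credential is ever written back, which is why the aborted case leaves the store untouched.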

Auto-Detecting the Client Protocol

The server detects which protocol the client is using. If the client connects with ICA, the server loads the ICA protocol support; if the client is establishing a session with RDP, the server loads the RDP protocol support and the session begins. Once the server component is installed, it responds automatically to either RDP or ICA.

By default, the Auto Detection feature is on.

Windows NT 4.0 Terminal Server Edition (RDP 4.0) does not support virtual channel operation. If a client tries to establish a session with such a server by using RDP, the server does not respond to the client over the virtual channel, so no single sign-on takes place.