jdeananderson edited this page Sep 18, 2025 · 17 revisions

Directly Accessing Desktops via Open OnDemand

Open OnDemand allows users to access Linux or Windows desktops through a web browser without needing to install any client software. However, if you want to connect directly from your local computer using VNC or RDP, you'll need to install a few additional tools as outlined below.


Linux Installation

Coming soon...


Windows Installation

To access VNC or RDP desktops directly from Windows, install the following:


Installing Stunnel

Stunnel is used to establish a secure encrypted connection to the HPC cluster.

  1. Download the installer from the Stunnel Downloads Page.
    • Look for a file named like stunnel-latest-win64-installer.exe.
  2. Run the installer.
  3. During installation, a prompt may ask for certificate details:
     Country Name (2 letter code) [PL]:
    • You can simply hit Enter repeatedly or close the prompt, as this certificate will not be used.
  4. Choose whether to install for all users (admin privileges) or just the current user.

Installing TurboVNC

TurboVNC is the VNC client used to connect to Linux desktops.

  1. Download TurboVNC from the TurboVNC Releases.
    • The file name will look like TurboVNC-<version>.exe.
  2. Run the installer.
    • Installation requires administrator privileges.
    • Follow the standard installer prompts.

Installing the oodproxybyu Client

The oodproxybyu client downloads a configuration file from the Open OnDemand server and launches a secure connection using VNC or RDP.

  1. Download the ood_proxy_byu_setup.exe client installer from the latest GitHub release.
  2. Double-click the installer.
    • Ensure Stunnel and TurboVNC are already installed.
    • The installation is quick and straightforward.

Note to Enterprise clients in a Windows Domain

Why we need policy exceptions as part of the install on a domain client

The ood_proxy_byu client gets the temporary Windows password for your job's 7lbd VM from the Open OnDemand server and inserts it into the local Windows Credential Manager on your client. Once the credentials are in the Credential Manager, the client attempts to connect to the remote RDP server.

By default, Windows clients that are joined to a domain will not allow users to use credentials stored in their local Credential Manager. Instead, the domain wants to encourage the use of domain authentication. Our 7lbd VMs running on an HPC cluster are not members of a domain and use temporary once-per-job passwords. To allow domain-joined clients to use a temporary password from the Windows Credential Manager, we need to add an exception policy on the local machine that allows authentication to just one IP address using the local Credential Manager instead of Active Directory.

The IP address 127.12.25.37 is actually the loopback adapter of the local machine, similar to 127.0.0.1. The random 127.12.25.37 loopback IP address was chosen to prevent collisions with other uses of 127.0.0.1. Stunnel uses 127.12.25.37 when creating a tunnel to the remote machine running on the HPC cluster. This address is hard-coded into the Windows ood_proxy_byu client code and will not change.

What policies are added

The policy installer installs 4 registry keys. This policy could also be added manually by creating a local policy with the same exceptions. If the client is joined to a domain, the ood_proxy_byu installer looks for these four keys before allowing the client to be installed.

Root: HKLM; Check: IsDomainJoined; Subkey: "SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation"; ValueType: dword; ValueName: "AllowSavedCredentials"; ValueData: 1
Root: HKLM; Check: IsDomainJoined; Subkey: "SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation"; ValueType: dword; ValueName: "AllowSavedCredentialsWhenNTLMOnly"; ValueData: 1
Root: HKLM; Check: IsDomainJoined; Subkey: "SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowSavedCredentials"; ValueType: string; ValueName: "1"; ValueData: "TERMSRV/127.12.25.37"
Root: HKLM; Check: IsDomainJoined; Subkey: "SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowSavedCredentialsWhenNTLMOnly"; ValueType: string; ValueName: "1"; ValueData: "TERMSRV/127.12.25.37"

The uninstaller will attempt to remove all of these keys. If you have no other similar policies that allow exceptions for other hosts, the uninstaller removes all of them. If you do have other similar policies, the uninstaller removes only the keys for 127.12.25.37.


Using the oodproxybyu Client

Once installed, follow these steps to use the oodproxybyu client:

  1. Launch a desktop job (Linux or Windows) through your HPC cluster’s Open OnDemand interface.
  2. You will see an Open OnDemand job card similar to the following:

[Image: rdp_card]

  3. Click the “VNC” or “RDP” button on the card as highlighted here in red.
  4. Your browser will download a .oodproxybyu config file.
  5. Click the downloaded config file in your browser’s download menu as highlighted in red below.

[Image: oodproxybyu_download]

  6. The oodproxybyu client will:
  • Create a secure encrypted tunnel.
  • Launch TurboVNC or your system's RDP client.
  • Connect you directly to your desktop session.

"Your credentials did not work" error (on a Windows client)

There are a number of reasons why authentication may not work on a Windows client:

  1. If the client is a member of a domain, a couple of policies with exceptions need to be in place for authentication to work (as explained above). Even if these policies are installed on the local machine, a policy from the domain may be overriding the exceptions created by the installer.
  2. The Windows client requires the use of saved credentials in the Windows Credential Manager to connect to the remote machine. There are a number of policies that can prohibit the use of saved credentials. These could be set on the local machine or in a domain.
  3. If the error says "Windows Defender Credential Guard does not allow using saved credentials", you will need to disable Windows Defender Credential Guard on that machine before authentication will work properly. This error affects both stand-alone machines and domain-attached machines.
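
The checks implied by the "What policies are added" section and the troubleshooting list above, as an added PowerShell example (not part of the ood_proxy_byu project): it reads the four registry values listed on this page, flags any allow-list entries other than TERMSRV/127.12.25.37, and reports domain membership and Credential Guard state. The function name Test-OodDelegationPolicy is hypothetical, and the Credential Guard check assumes the standard Win32_DeviceGuard CIM class is available.

```powershell
# Added example, not ood_proxy_byu code: audit the policy exceptions from this page.
$base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$target = 'TERMSRV/127.12.25.37'   # loopback target name from the policy lines above
$lists  = 'AllowSavedCredentials', 'AllowSavedCredentialsWhenNTLMOnly'

# Hypothetical helper name; returns one result object per policy.
function Test-OodDelegationPolicy {
    param([string]$BasePath = $base, [string]$Spn = $target)
    foreach ($name in $lists) {
        # DWORD on the parent key: 1 means the allow-list is switched on.
        $flag = (Get-ItemProperty -Path $BasePath -Name $name -ErrorAction SilentlyContinue).$name
        # String values in the subkey of the same name are the allowed targets.
        $subKey  = Join-Path $BasePath $name
        $entries = @()
        if (Test-Path $subKey) {
            $key     = Get-Item -Path $subKey
            $entries = @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
        }
        [pscustomobject]@{
            Policy       = $name
            Enabled      = ($flag -eq 1)
            HasOodEntry  = ($entries -contains $Spn)
            # Entries beyond the single loopback target widen delegation: review them.
            OtherEntries = ($entries | Where-Object { $_ -ne $Spn }) -join ', '
        }
    }
}

$domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
$dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction SilentlyContinue
# SecurityServicesRunning contains 1 while Credential Guard is running.
$credGuard = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))

"Domain joined:            $domainJoined"
"Credential Guard running: $credGuard"
Test-OodDelegationPolicy | Format-Table -AutoSize
```

If HasOodEntry is False again after a Group Policy refresh (`gpupdate /force`), a domain policy is overriding the installer's exception, as item 1 describes.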