How User Authentication works in DeskDirector

This article gives a brief overview of how authentication works for the DeskDirector Desktop Portal for AD auto-login and for SSO login.

There may be small inaccuracies. Please review our wider documentation on Authentication in DeskDirector.

DeskDirector uses two different methods to authenticate a user when it starts up the very first time.

Inside an AD Domain (for DeskDirector Desktop Portal)

The first method is used when a user's PC is part of a domain and DeskDirector can query the Active Directory.

  1. User launches DeskDirector from the PC. DeskDirector automatically checks if the PC is a part of a Domain and contacts the nearest domain controller.
  2. DeskDirector retrieves relevant user information from Active Directory including default Email Address. It also determines the domain SID as part of this process.
  3. DeskDirector now contacts the DeskDirector server over HTTPS passing the user’s email address and the domain SID. DeskDirector server checks the domain SID against its internal database to confirm it is an authentic client. It also retrieves the ConnectWise CompanyID or Autotask Account from its internal database based on the domain SID.
  4. DeskDirector server uses the company detail along with the user’s email address to check if that user exists in ConnectWise or Autotask. If there is no contact found , it creates the contact in ConnectWise or Autotask. However, if there is a match it will use that information to determine the security rights for that user for various DeskDirector modules.
  5. Based on user permissions, different modules will be displayed on DeskDirector client. These permissions determine which tickets users are able to view in DeskDirector.
  6. Once the client is authenticated by DeskDirector server, an encrypted cookie is stored on the PC for future access server.
Outside an AD Domain (for both DeskDirector Desktop and Web Portal)

The second method is used when a user's PC is not part of domain, cannot contact the AD on first launch or they have no email address in AD. 

  1. User launches DeskDirector from the PC. 
  2. If Passwordless is enabled see here for details.
  3. If this is the first time user is launching DeskDirector, they will be asked for their ConnectWise portal username or Autotask email address, and the password set through the DeskDirector Admin Console. If the user does not know the password, he/she will be given an option to have it sent to their email address.
  4. DeskDirector contacts the DeskDirector server over the internet passing the portal username/password. 
  5. DeskDirector server uses the portal username/password provided to determine the security rights for that user for various DeskDirector modules.
  6. Based on user permissions, different modules will be displayed on DeskDirector client. These permissions determine which tickets users are able to view in DeskDirector.
  7. Once the client is authenticated by DeskDirector server, an encrypted cookie is stored on the PC for future access. Therefore subsequent authentications from the DeskDirector client do not require a username/password and rely on the encrypted token.

 

How did we do?

Contact