Ipad won't Authenticate on HTML5 client

Discussion in 'Parallels Remote Application Server – HTML5 Gateway' started by springbox, Mar 21, 2019.

  1. springbox

    springbox Member

    Messages:
    47
    Hi guys

    We have a weird authentication problem with HTML5 client access via Ipad

    We are running 16.2.4 build 19504 on server

    HTML5 works fine from a pc
    Ipad can log in fine, list applications and run applications when using IOS client
    When trying to log in on Ipad using HTML5 using HTTPS, the Ipad logs in, lists published items but when we try to run a published app, we get a warning dialog saying "User is not authenticated".
    Further attempts to re-click n a published application results in a "Network Error" dialog

    There are no restrictions to HTML5 build number on RAS server and no IP masking etc

    Any thoughts?

    Cheers

    Simon
     
  2. Aesir_IT

    Aesir_IT Bit poster

    Messages:
    2
    Encountered the same issue today. Am able to open applications from Windows or Android sessions (using Chrome) but trying to open an application from Safari gets "User is not authenticated". After a few tries the interface stops responding. It's not my iPad so I can't install Chrome to see if that works around the issue.
     
  3. Eugene. K.

    Eugene. K. Parallels Team

    Messages:
    124
    Thanks for your feedback. We will check it now.
    Aesir_IT, could you please name your RAS version too?
     
  4. Eugene. K.

    Eugene. K. Parallels Team

    Messages:
    124
    I think we have an answer.
    I suppose you are using a self-signed certificate on your installations. Due to a limitation of iOS self-signed certificates are not allowed to be used with certain web technologies invoked into launching RDP sessions in HTML5 Client.
    I'm afraid we don't yet have a proper solution for that, this is enforcement from Apple side.
    As a workaround (to be honest, this is not even a workaround, but a much better solution) we recommend using Parallels Client from AppStore.
     
  5. Aesir_IT

    Aesir_IT Bit poster

    Messages:
    2
    Eugene_K, Server Console says 16.2.4 (Build 19504). And you're right, we are currently using a self-signed certificate. I inherited the setup from my predecesssor and haven't wanted to mess with it until I properly understand what I'm doing. Are you suggesting that replacing the self-signed certificate with a proper SSL certificate might allow us to connect to the Parallels RAS HTML5 with Safari?

    The Parallels Client has many excellent features and I use it myself to manage our VM environment more conveniently than the browser login allows (it lets me copy-paste files from my PC to the VM desktop instead of having to use the upload/download widget, for example). Unfortunately, at least in the Windows version, it has a serious security flaw in that if you don't set it to remember your password, it forgets your credentials before you can get in; and having set a password, unless you remember to log out manually, no password is required next time someone opens the client. Our field staff are nurses, not technicians, so for their sake and the security of their patient's personally-identifying info, their end needs to be kept as simple and fail-safe as possible. By making them use the HTML5 RAS browser we can set their browser (Chrome) to forget everything when the window is closed. They then need to log back in next time they open their browser. That sometimes means a bit of cleanup at our end when databases are left running in disconnected sessions, but it's the lesser evil.

    We can do that with nurse laptops and phones because we give those devices to the nurses and can control their setup. However, in the case of the iPads, the devices are given to the nurses directly by a company whose products they support, and we have not so far had any say in the setup of those devices. (For example, I just turned the iPad on and brought Safari up and it's still logged into the session I was working with yesterday; nor does there seem to be a setting to tell it to automatically forget cached credentials - the only tool offered is manually clearing cookies or website data through Settings - and from what I read, the alternative, using Private browsing, pretty much stops RAS from working at all.) So we mostly do not have their Apple IDs, passwords, nor, when we do, any means of controlling the setup of the 2-stage verification. A few nurses are technically savvy and can manage that for themselves; the rest, not so much. This makes installing new apps such as the Parallels Client on the devices difficult, as I discovered when I tried downloading Chrome to try to work around Safari.

    The nurses see the convenience of being able to enter patient data without having a bulky laptop sitting between them and the patient. We see that too, but we also see the patient privacy nightmare if we can't be confident that patient personally identifying information is secure by default.
     
  6. Eugene. K.

    Eugene. K. Parallels Team

    Messages:
    124
    Hi Aesir, I see your point.
    Did you ever try using RAS Policies? This is a very powerful instrument of enforcing security settings on RAS Clients.
    Policies are availabe in RAS Console under "Policies" category.
    Check this out:
    upload_2019-3-29_10-23-43.png
    Policies are applied on connection to your Farm automatically.
    You can configure if clients can save a password or not. You can configure what Client features are available on a device and many more.
    A policy can be applied to various use groups, so you can have different client behavior for different people "out of the box". To be honest I don't remember if Password policy was available in 16.2 :) please try by yourself.
     
  7. springbox

    springbox Member

    Messages:
    47
    It seems it was our self signed certificates that were causing the issue.

    Before we get involved with buying certificates, is anyone successfully using HTML5 client with IOS (ie no Parallels IOS client)?

    Thanks

    Simon
     
  8. Eugene. K.

    Eugene. K. Parallels Team

    Messages:
    124
    I wouldn't lie to you, springbox.
    At least not on a public forum ;)

    here is a proof from our demo farm that has a valid certificate installed:
    IMG_67A8FF948A82-1.jpeg
     

Share This Page