The SSO client enables users to authenticate to the network before logging on to Windows with a local account.
Single Sign-On (SSO) represents a secure means of obtaining Extensible Authentication Protocol (EAP) method-specific credentials for a network user or computer account. This means the user does not have to log in multiple times, first to the PC and then to the network.
The AppGate ZTNA SSO client is a version of the Windows client that adds a custom AppGate ZTNA sign-in screen. This screen captures the Windows (domain) credentials for use by AppGate ZTNA. These credentials are used for provisioning authenticated access and for Windows to then perform network authentication. This allows the user to enter their credentials just once and not have to log in to AppGate ZTNA after logging in to Windows.
NOTE
When the SSO client is installed, it is not possible to use the client normally. SSO mode must be used at all times.
Windows 10
To access the AppGate ZTNA SSO sign-in page:
Enter the Windows sign-in screen.
Press the following icon on the lower left of the screen:

You will then see the AppGate SSO sign-in page:

Enter the username and password. The username should consist of both the domain and user in the following format:
domain\user
Once the user has logged in to Windows, the AppGate ZTNA client will run similarly to the normal AppGate ZTNA client.
When using the AppGate ZTNA SSO sign-in, the user will be logged in to the client and have limited options. The user can't quit or log out from the client. This is done automatically when the user logs out from Windows.
System limitations for the Windows SSO client
Join the machine to the domain or you will not be able to use the SSO client to sign in, even with valid domain credentials.
The SSO client will fail to on-board if the user has already on-boarded using the normal AppGate ZTNA. On-boarding has to be done from the AppGate ZTNA SSO client for a user on a specific computer.
Set the Windows security policy to show the last logged in username / user profiles from the sign-in screen.
Local users can't use the normal AppGate ZTNA client once the AppGate ZTNA SSO client is installed.
Standard executables used by the Windows SSO client
The Windows SSO (PLAP) client uses standard executables:
Service Configurator. Included to configure the SSO client. Requires that the AppGate SDP Service is running.
Installing the Windows SSO client
To install the client as an SSO service, the installation must be run with the switch /L. It is recommended to run it using the /S (silent installation) switch. Refer to the Windows client section for a full explanation of all installation switch options.
Run the following command from a command prompt to install the Windows SSO (PLAP) client using silent mode, and then wait until the installer is finished:
start "" /WAIT "Appgate-SDP-x.y.z-Installer.exe" /L /S /G /P="appgate://url.com"
PowerShell requires slightly different syntax:
start "Appgate-SDP-x.y.z-Installer.exe" -ArgumentList ' /L /S /G /P="appgate://url.com" ' -Wait
NOTE
The profile link included after the /P switch can be obtained from the Client Profiles UI.
An existing AppGate ZTNA installation can be upgraded to run as a Windows SSO client by running the installer with /L and additional parameters (e.g. /P). The client will be upgraded and the Windows SSO client installed. Any existing configuration set for the normal client will not be transferred to the SSO sign-in screen.
NOTE
Always provide the /L flag every time the AppGate ZTNA client is installed, upgraded or reinstalled to keep the AppGate ZTNA SSO functionality installed.
Once installed there will be an “Appgate SDP” folder in the start menu of Windows. This will contain the uninstaller for the client and a shortcut to the configurator.
Use services.msc to make sure both the Appgate SDP Client SSO (PLAP) Service (appgateplapservice) and Appgate SDP Driver Control (cxdriver) exist as services and that both are running.
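For scripted deployments, the same checks can be run from PowerShell after a silent install. The script below is an added example, not part of the vendor tooling. It uses the two service names given above and also checks the domain-join and sign-in screen limitations listed earlier. It assumes that the "show the last logged in username" policy corresponds to the DontDisplayLastUserName registry value.

```powershell
# Added example: post-install checks for the Windows SSO (PLAP) client.
# Service names are taken from this page; the registry mapping for the
# "show last logged in username" policy is an assumption.
$results = [ordered]@{}

# Limitation: the machine must be joined to the domain.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['Domain joined'] = [bool]$cs.PartOfDomain

# Both services must exist and be running.
foreach ($name in 'appgateplapservice', 'cxdriver') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $results["Service $name running"] = ($null -ne $svc -and $svc.Status -eq 'Running')
}

# Limitation: the sign-in screen must show the last logged-in username.
# Assumed mapping: DontDisplayLastUserName = 1 hides it; absent or 0 shows it.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$val = (Get-ItemProperty -Path $key -Name DontDisplayLastUserName `
        -ErrorAction SilentlyContinue).DontDisplayLastUserName
$results['Last username shown'] = ($val -ne 1)

# Print one line per check and return a non-zero exit code on any failure,
# so the script can gate a deployment task sequence.
foreach ($entry in $results.GetEnumerator()) {
    $state = if ($entry.Value) { 'OK' } else { 'FAIL' }
    '{0,-36} {1}' -f $entry.Key, $state
}
if (@($results.Values) -contains $false) { exit 1 }
```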
Configuring Domain access
The Windows SSO (PLAP) client is designed to work as if the PC was on the LAN and able to talk to the domain controller. For this to happen when the LAN is only accessible through an AppGate ZTNA Gateway, the right entitlements must be in place. Refer to Allowing full 'network like' access for users for more information.
How to set or change the configuration
The configurator is an optional tool that can be used to create and test configurations of the Windows SSO (PLAP) client, such as testing that the controller URL, certificate, and provider are working correctly. The user will need to sign in again after using the set or reset commands. Refer to the configurator tool section for more information.
Uninstalling the Windows SSO client
You can uninstall the Windows SSO client in the following ways:
Run the uninstaller from the Start menu shortcut
Use the Add or Remove Programs option in Windows
NOTE
Any configurations of the SSO client will not be removed on uninstall, only the client binaries.
Log files location
See the Windows headless client section for the location of log files.