Virtual machine platforms enable simultaneous execution of multiple guest operating systems on a physical machine by running each operating system within its own virtual machine. One exemplary service that can be offered in a virtual machine is a virtual desktop session. A virtual desktop session is essentially a personal computer environment run within a virtual machine that has its user interface sent to a remote computer. This architecture is similar to a remote desktop environment; however, instead of having multiple users simultaneously connect to one operating system, in a virtual desktop session each user has access to their own operating system executing in a virtual machine in a virtual desktop environment.
Single sign-on is a property of access control across related but distinct computer systems. With single sign-on, a user can log in once and gain access to multiple independent computer systems. Unlike most scenarios, where users only need to prove their identity to the server to get access, when accessing a remote presentation session server, i.e., a virtual desktop server or a remote desktop server, the user credentials themselves need to be sent to the remote presentation session server for validation. This requirement demands severe restrictions on which remote resources the credentials can be sent to, especially when the credentials are sent without the user's consent, as is usually the case with single sign-on. Usually a list of such remote resources is regulated by a domain policy, and each remote resource has to be authenticated before the credentials can be sent to it. In an environment where the set of such remote resources is large and constantly changing, maintaining such a policy becomes a huge burden for administrators. In cases where remote resources are created for users on the fly, maintaining such a policy is impossible.
Accordingly, techniques for allowing a user to single sign-on to a remote presentation session in an environment where servers are dynamically added to a datacenter, and/or for simplifying the maintenance of such a domain policy, are desirable.
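The domain-policy check described in the background above, sketched as an added example that is not part of the original text: credentials are sent silently only to a resource that has been authenticated and that matches an entry in the policy list. The host names, the wildcard pattern syntax and the `may_delegate` and `audit` helpers are assumptions made for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class RemoteResource:
    name: str            # host name the client is about to connect to
    authenticated: bool  # True only if the server proved its identity


def may_delegate(resource, allowed_patterns):
    """Decide whether credentials may be sent to `resource` without a prompt.

    Returns (decision, reason). Authentication is checked first, so a host
    that merely claims a listed name never receives the credentials.
    """
    if not resource.authenticated:
        return False, "server not authenticated"
    name = resource.name.lower()
    for pattern in allowed_patterns:
        if fnmatchcase(name, pattern.lower()):
            return True, "matched policy entry " + pattern
    return False, "not listed in policy"


def audit(resources, allowed_patterns):
    """Evaluate every resource against the policy, keyed by host name."""
    return {r.name: may_delegate(r, allowed_patterns) for r in resources}


# Constructed policy: a static list that an administrator maintains by hand.
POLICY = ["rds01.corp.example", "rds02.corp.example"]

# Constructed resources: a listed server, a virtual desktop host created on
# the fly after the policy was written, and an unauthenticated host that
# presents a listed name.
SAMPLE = [
    RemoteResource("rds01.corp.example", True),
    RemoteResource("vdi-7f3a.pool.corp.example", True),
    RemoteResource("rds02.corp.example", False),
]

if __name__ == "__main__":
    for host, (allowed, reason) in audit(SAMPLE, POLICY).items():
        print(host, "ALLOW" if allowed else "DENY", reason)
```

The dynamically created host is denied even though it authenticated correctly, which is the maintenance problem the background describes: the list has to be updated for every new server before single sign-on works for it.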