A few months ago we started to enforce an incorrect password lockout policy at work, causing a huge spike of phone calls from users to unlock their account. Submitting a helpdesk ticket requires logging on to a pc or emailing from an external source. The problem is - if they can't log on, they can't submit a ticket. The volume of calls for this issue got so bad we had to start trialling an on-call phone, just in-case they were locked out when the office was closed overnight. I took this up as a challenge, there must've been a simpler solution than an on-call phone.
Looking for a software solution, my manager Mandy found
ADSelfService Plus by Manage Engine. It's a really cool piece of software and works really great, adding a link to the logon screen that allows you to unlock your account by answering a few security questions. I deployed it across the network but ran into another problem, we use a Virtual Desktop Infrastructure. It's fine for desktop pc's so what's the problem you ask? Here goes.................
Our Remote Desktop Servers require network level authentication. That means you have to be authenticated before a connection is allowed to the server. If you fail to authenticate from any client, you won't get a logon screen, so no link to reset your password. I could simply turn off NLA, but the servers are clustered using round robin. When an RDP connection is made from a Wyse terminal via hostname, it will connect to the first RDS server that DNS returns. The server will then interrogate the broker and redirect the connection to the RDS server with the least load. Without NLA enabled, users would have to retype their username and password over and over until they hit a server with less load than the others. Not only annoying for users, but a much wider window for users to lock themselves out...............talk about a logical paradox!
It turns out the solution was pretty simple with a bit of C# magic.
All we used to publish to the Wyse desktop was a pop up box asking for a username and password. When the user connects, the Wyse would RDP to the Remote Desktop Farm. If I added a second connection that somehow connected the user to the helpdesk without supplying any credentials, they could submit a ticket if they were locked out! I wrote a program in C# that would simply load the webpage on a windows form. I published the application using Remote App on Server 2008 R2 and deployed a new RDP connection to the Wyse terminals using a generic logon called self service. Now the users could click either an icon called "logon" or another called "Help Desk".
Problem solved?
Nope. Users started to log vague tickets such as "Please help me to log on", leaving no name or contact details - all tickets logged this way from were from the user "self service", even though I coded a message box to pop up and remind users to leave their name.
What next?
Well, we have partners who have their own support company but use our devices from our offices. They are not connected to our network so the only way they can log support calls is by email. Then came the light bulb moment.............I could write a program that emails the helpdesk after verifying that their username exists.
Final Solution:
A really simple program with three text boxes and a button:
- Username
- Subject
- Details of issue
I published the program in Remote App and added the connection to the wyse wnos.ini file and it works like a charm. An elegant solution to a very complex problem, just saying :) .
The program checks the username supplied against Active Directory and if it exists, it appends "@domain.com" to the username and sends and email to the help desk from the user's email address. The help desk will send an email to the support team and also to the user to notify us that a ticket has been logged. A simple function validates the whole form, catching all the exceptions I could find. If all goes well and the email is sent, a message box pops up saying so, then logs the session off. I'll explain in another post on how to verify a username against Active Directory in C# and how to send an email in C#. You can find the Visual Studio 2012 project
here.