# RAS Connection Broker connection settings

RAS Connection Broker connection settings can be accessed from the **Connection** category.

## **Choosing authentication type**

Select the **Authentication** tab. In the **Allowed authentication types** section, select one of the following options:

* **Credentials**. The user credentials are validated by the Windows system on which RAS is running. The credentials used for Windows authentication are also used to log in to an RDP session.
* **Smart Card**. Smart card authentication. Similar to Windows authentication, smart card credentials can be shared between both RAS and RDP. Hence, smart card credentials only need to be entered once. Unlike Windows authentication, the user only needs to know the smart card’s PIN. The username is obtained automatically from the smart card, so the user doesn't need to provide it.

{% hint style="warning" %}
**Note:** Smart card authentication is not supported in Parallels Client for Linux.
{% endhint %}

* **Web (SAML)**. SAML SSO authentication. For more information, see [**SAML SSO Authentication**](/landing/ras-admin-guide/parallels-ras-21-administrators-guide/saml-sso-authentication.md).
* **Web + Credentials**. The same as **Web (SAML)**, but users are prompted to enter credentials when they launch a published application. To enable the **Web + Credentials** method, you must configure your IdP and RAS as described in [**IdP side configuration**](/landing/ras-admin-guide/parallels-ras-21-administrators-guide/saml-sso-authentication/saml-configuration/idp-side-configuration.md) and [**SP side configuration**](/landing/ras-admin-guide/parallels-ras-21-administrators-guide/saml-sso-authentication/saml-configuration/sp-side-configuration-ras-side.md).

{% hint style="info" %}
**Note:** The **Web + Credentials** method works only in Parallels Client for Windows and User Portal.
{% endhint %}

Note that if smart card authentication is disabled, RAS Connection Broker will not hook the Local Security Authority Subsystem Service (LSASS). Smart card authentication can be used in Parallels Client for Windows, Mac, and Linux. Please also note that smart cards cannot be used for authentication if Parallels Client is running inside an RDP session.

## **Smart card certificate**

A valid certificate must be installed on a user device in order to use smart cards. To do so, you need to import the certificate authority root certificate into the device’s keystore.

A certificate must meet the following criteria:

* The "Key Usage" field must contain digital signature.
* The "Subject Alternative Name" (SAN) field must contain a user principal name (UPN).
* The "Enhanced Key Usage" field must contain smart card logon and client authentication.
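
One way to check a certificate against these three criteria on a Windows device, as an added example that is not part of the Parallels documentation. The function name `Test-SmartCardCertificate` is hypothetical, and the script assumes the smart card certificate is visible in the current user's personal store (`Cert:\CurrentUser\My`).

```powershell
using namespace System.Security.Cryptography.X509Certificates

function Test-SmartCardCertificate {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [X509Certificate2] $Certificate
    )
    process {
        # OIDs of the two required Enhanced Key Usage purposes.
        $smartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'
        $clientAuthOid     = '1.3.6.1.5.5.7.3.2'

        $keyUsage = $Certificate.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
        $eku      = $Certificate.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }

        # Criterion 1: "Key Usage" contains digital signature.
        $hasDigitalSignature = [bool]($keyUsage -and
            $keyUsage.KeyUsages.HasFlag([X509KeyUsageFlags]::DigitalSignature))

        # Criterion 3: "Enhanced Key Usage" contains both purposes.
        $ekuOids = @()
        if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        $hasSmartCardLogon = $ekuOids -contains $smartCardLogonOid
        $hasClientAuth     = $ekuOids -contains $clientAuthOid

        # Criterion 2: SAN contains a UPN. GetNameInfo returns an empty
        # string when the certificate has no SAN or no UPN entry in it.
        $upn = $Certificate.GetNameInfo([X509NameType]::UpnName, $false)

        [pscustomobject]@{
            Subject           = $Certificate.Subject
            DigitalSignature  = $hasDigitalSignature
            SmartCardLogonEku = $hasSmartCardLogon
            ClientAuthEku     = $hasClientAuth
            SanUpn            = $upn
            MeetsCriteria     = $hasDigitalSignature -and $hasSmartCardLogon -and
                                $hasClientAuth -and -not [string]::IsNullOrEmpty($upn)
        }
    }
}

# Report on every certificate in the current user's personal store.
Get-ChildItem Cert:\CurrentUser\My | Test-SmartCardCertificate | Format-List
```

An empty `SanUpn` value identifies a certificate without a UPN in the SAN field.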

## **Authentication domain**

To specify an authentication domain, select one of the following:

* **Specific**: Select this option and type a specific domain name.
* **All trusted domains**: If the information about users connecting to Parallels RAS is stored in different domains within a forest, select the **All trusted domains** option to authenticate against multiple domains.
* **Use client domain if specified**: Select this option to use the domain specified in the Parallels Client connection properties. If no domain name is specified on the client side, the authentication is performed according to the settings above.
* **Force clients to use NetBIOS credentials**: If this option is selected, the Parallels Client will replace the username with the NetBIOS username.

{% hint style="info" %}
**Note:** If a certificate on your smart card does not contain a user principal name (UPN) in the "Subject Alternative Name" (SAN) field (or if it doesn't have the "Subject Alternative Name" field at all), you have to disable the **Force clients to use NetBIOS credentials** option.
{% endhint %}

**Recommendation:** After changing domain names or making other authentication-related changes, click the **Clear cached session IDs** button on the **Settings** tab.

## **Authenticating against non-domain users**

To authenticate user sessions against users specified on a standalone machine, you must enter \[workgroup\_name] / \[machine\_name] instead of the domain name. For example, if you would like to authenticate users against a list of local users on a machine called SERVER1 that is a member of the workgroup WORKGROUP, enter the following in the domain field: WORKGROUP/SERVER1.

## **Changing domain password**

You can configure Parallels Client to use a custom URL for changing domain passwords.

To make Parallels Client use a custom URL for changing domain passwords:

1. Select **Use a custom link for the "Change domain password" option**.
2. Add the link to the text field below.

