Dispatcher Paragon Client on Azure AD connected devices

From release version 6.0.66, The Dispatcher Paragon Client works on Azure AD connected devices.

To use a domain username in user principal name format (e.g. john.doe@company.com) which is used to log into Azure AD, follow the guide below.

The required configuration

  • Authentication method: DOMAIN_USERNAME

  • Username format: DS_USER_PRINCIPAL_NAME

Other requirements

The "whoami.exe", which is a standard part of every Windows installation, must have enough permission so the user process can execute it as it is in default Windows installation.

The "whoami.exe" must be accessible from:

  • PATH (by default, the %SYSTEM_ROOT%\System32, where the whoami.exe is, is on the PATH)

  • Custom location

    • If the "whoami.exe" is not on PATH, you must provide its location by setting the property "whoamiLocation" in spooler.config. E.g.:

Spooler.config
{
"whoamiLocation": "C:\somefolder\whomai.exe"
}

When Dispatcher Paragon Client is retrieving the username, it will first check the Active Directory Domain Service. If it is unsuccessful (it will be if only Azure AD is used), the Dispatcher Paragon Client will try to find and execute "whoami.exe" on PATH, and if this also fails, it will try to use custom location from spooler.config file. If the "whoamiLocation" location in spooler.config is not overridden, the default is "C:\Windows\System32\whoami.exe".

Security considerations

"whoami.exe" is launched by DesktopInterface.exe so it will run under the user account with the user permissions. In a multi-user environment, an administrator should not weaken the default Windows security (do not allow users to change PATH) and make sure that nobody can change whoami.exe or manipulate it.