docs: Version 0.20.0 docs (#6085)

* Update documentation to include RDP in credential injection

* Update FAQ on Boundary and Vault integration

Fixed typo.

* update documentation on credential stores and workflows for RDP

* update static credential store documentation to include upd credential creation

* update documentation for credential injection setup

* Update 'credentials create' command documentation for upd credential type

* fixed typo in UPD options

* Update create.mdx with instructions for RDP targets

* Create rdp-testing-and-compatibility-matrix.mdx

* Update rdp-testing-and-compatibility-matrix.mdx

* Update rdp-testing-and-compatibility-matrix.mdx

* Update to mention ldap secrets engine

* Update rdp-testing-and-compatibility-matrix.mdx to get rid of ticket number

* updated to include mention of vault kv and chad suggestions

Updated with Chad's suggestions and vault kv

* Update rdp-testing-and-compatibility-matrix.mdx

Found another place where I neglected the vault kv

* docs: Style updates

* docs: Clean up beta references, adds update commands

* docs: Edits, update domain model topics

* docs: Add target address caveats

* docs: Edit network config section

* docs: Use custom port number to connect

* docs: Adds anchor link, beta tag

* docs: Respond to feedback

* docs: Cleanup for consistency, remove known issue

* docs: Cleanup and minor fixes

* docs: Add link to create issue

* docs: Add direct address note to targets CLI topics

* Update website/content/docs/concepts/credential-management.mdx

Co-authored-by: Irena Rindos <[email protected]>

* docs: Remove beta references from target and credentials

* docs: Remove Vault cred store ID

* docs: Remove SSH cert from brokered creds

* docs: Remove session recording options

* docs: Adds UPD to credential stores domain model topic

* Update website/content/docs/credentials/rdp-testing-and-compatibility-matrix.mdx

Co-authored-by: Johan Brandhorst-Satzkorn <[email protected]>

* Update website/content/docs/credentials/rdp-testing-and-compatibility-matrix.mdx

Co-authored-by: Johan Brandhorst-Satzkorn <[email protected]>

* docs: Remove session recording options

* docs: Update limitations and configuration

* Update website/content/docs/credentials/configure-credential-injection.mdx

Co-authored-by: Johan Brandhorst-Satzkorn <[email protected]>

* docs: Update default port commands

* docs: Add known issue for error

* docs: Fix typo

* Update website/content/docs/credentials/rdp-testing-and-compatibility-matrix.mdx

Co-authored-by: Johan Brandhorst-Satzkorn <[email protected]>

* docs: Add certificate acceptance to Windows

* docs: Reorder UPD options

* docs: Add NTLMV2 to cred management statement

* docs: Update Windows Remote Desktop Connection error

* docs: Clarify domain behavior

* docs: Fix back ticks on command options

* docs: Update command format in definition

* docs: Clarify port conflict with Remote Desktop app

* docs: Update RDP target address caveat

* docs: Release notes 0.20.0

* docs: Minor edit

* docs: Vercel build

* docs: Deletes older important changes

---------

Co-authored-by: Dan Rohan <[email protected]>
Co-authored-by: Dan Rohan <[email protected]>
Co-authored-by: Irena Rindos <[email protected]>
Co-authored-by: Johan Brandhorst-Satzkorn <[email protected]>

Author: 4 people

website/content/docs/commands/credentials/create.mdx

@@ -2,7 +2,7 @@
 layout: docs
 page_title: credentials create - Command
 description: >-
-  The "credentials create" command creates new credential resources. You can create JSON, SSH private key, and username-password credentials.
+  The "credentials create" command creates new credential resources. Available types are json, ssh-private-key, username-password, and username-password-domain.
 ---
 
 # credentials create
@@ -76,7 +76,7 @@ You can also specify the credential store using the **BOUNDARY_CREDENTIAL_STORE_
 
 #### Usages by type
 
-The available types are `json`, `ssh-private-key`, and `username-password`.
+The available types are `json`, `ssh-private-key`, `username-password`, and `username-password-domain`.
 
 <Tabs>
 <Tab heading="JSON">
@@ -199,6 +199,48 @@ The following options are specific to username password credentials in addition
 This value can be a reference to a file on disk (`file://`) or an environment variable (`env://`) from which Boundary reads the value.
 - `-username` `(string: "")` - The username associated with the credential.
 
+</Tab>
+<Tab heading="Username password domain">
+
+The `credentials create username-password-domain` command lets you create a username password domain credential type for Active Directory authentication.
+
+Username password domain credentials are primarily used with RDP targets for credential injection.
+
+#### Example
+
+The following example creates a username password domain credential in a credential store with the ID `csst_1234567890`:
+
+```shell-session
+boundary credentials create username-password-domain \
+  -credential-store-id csst_1234567890 \
+  -username administrator \
+  -password env://ADMIN_PASSWORD \
+  -domain company.com
+```
+
+#### Usage
+
+<CodeBlockConfig hideClipboard>
+
+```shell-session
+boundary credentials create username-password-domain [options] [args]
+```
+</CodeBlockConfig>
+
+
+#### Username password domain credential options
+
+The following options are specific to username password domain credentials in addition to the command options:
+
+- `domain` `(string: "")` - The Active Directory domain name. If you include the domain in the `username` field, Boundary automatically fills in the domain information.
+
+  For example, if you enter `admin@mydomain` or `mydomain\admin` in the `username` field, Boundary automatically completes the `domain` field with `mydomain`.
+
+- `password` `(string: "")` - The password associated with the credential. This value can be a reference to a file on disk (file://) or an environment variable (env://) from which Boundary reads the value.
+
+- `username` `(string: "")` - The username associated with the credential. This value can include domain information in `username@domain` or `domain\username` format.
+
+
 </Tab>
 </Tabs>
 

website/content/docs/commands/credentials/update.mdx

@@ -77,7 +77,7 @@ If you don't specify a version, the command performs a check-and-set automatical
 
 #### Usages by type
 
-The available types are `json`, `ssh-private-key`, and `username-password`.
+The available types are `json`, `ssh-private-key`, `username-password`, and `username-password-domain`.
 
 <Tabs>
 <Tab heading="JSON">
@@ -202,6 +202,45 @@ The following options are specific to username password credentials in addition
 This value can be a reference to a file on disk (`file://`) or an environment variable (`env://`) from which Boundary reads the value.
 - `-username` `(string: "")` - The username associated with the credential.
 
+</Tab>
+<Tab heading="Username password domain">
+
+The `credentials update username-password-domain` command lets you update an existing username password domain credential type.
+
+Username password domain credentials are primarily used with RDP targets for credential injection.
+
+#### Example
+
+The following example updates a username password domain credential with the ID `csst_1234567890`:
+
+```shell-session
+boundary credentials update username-password-domain \
+  -id csst_1234567890 \
+  -name devops \
+  -description "For DevOps usage" \
+```
+
+#### Usage
+
+<CodeBlockConfig hideClipboard>
+
+```shell-session
+boundary credentials update username-password-domain [options] [args]
+```
+</CodeBlockConfig>
+
+#### Username password domain credential options
+
+The following options are specific to username password domain credentials in addition to the command options:
+
+- `domain` `(string: "")` - The Active Directory domain name. If you include the domain in the `username` field, Boundary automatically fills in the domain information.
+
+  For example, if you enter `admin@mydomain` or `mydomain\admin` in the `username` field, Boundary automatically completes the `domain` field with `mydomain`.
+
+- `password` `(string: "")` - The password associated with the credential. This value can be a reference to a file on disk (file://) or an environment variable (env://) from which Boundary reads the value.
+
+- `username` `(string: "")` - The username associated with the credential. This value can include domain information in `username@domain` or `domain\username` format.
+
 </Tab>
 </Tabs>
 

website/content/docs/commands/targets/create.mdx

@@ -29,17 +29,68 @@ $ boundary targets create [type] [sub command] [options] [args]
 Please see the typed subcommand help for detailed usage information.
 
 Subcommands:
-    ssh    Create a ssh-type target (HCP only)
+    rdp    Create an rdp-type target (HCP & Boundary Enterprise only)
+    ssh    Create a ssh-type target (HCP & Boundary Enterprise only)
     tcp    Create a tcp-type target
 ```
 
 </CodeBlockConfig>
 
 ### Usages by type
 
-You can create SSH or TCP targets.
+You can create RDP, SSH, or TCP targets.
 
 <Tabs>
+<Tab heading="RDP">
+
+The `targets create rdp` command lets you create RDP targets.
+
+#### Example
+
+This example creates an RDP target with the name `admindc` and the description `RDP target for Admin Domain Controller`:
+
+```shell-session
+$ boundary targets create rdp -name admindc -description "RDP target for Admin Domain Controller"
+```
+
+#### Usage
+
+<CodeBlockConfig hideClipboard>
+
+```shell-session
+$ boundary targets create rdp [options] [args]
+```
+
+</CodeBlockConfig>
+
+#### RDP target options
+
+- `-address=<string>` - An optional valid network address for the target to connect to.
+You cannot use an address alongside host sources.
+
+  If you set a target address for RDP targets that use Kerberos authentication, use the target's hostname and append the domain to it, for example `target-hostname.mydomain.com`. For RDP targets that use NTLM authentication, set the target address to the target's IP address.
+- `-default-client-port=<string>` - The default client port on the target.
+- `-default-port=<string>` - The default port on the target.
+Due to a port conflict on modern Windows operating systems (Windows 11+, Windows Server 2025), transparent sessions cannot use the default RDP port `3389`.
+You must configure a custom port to use transparent sessions with RDP targets.
+
+  Refer to [Using transparent sessions with RDP on Windows](/boundary/docs/credentials/rdp-testing-and-compatibility-matrix#using-transparent-sessions-with-rdp-on-windows) for more information about configuring a custom port for transparent sessions.
+- `-egress-worker-filter=<string>` - A Boolean expression that filters which egress workers can process sessions for the target.
+- `-ingress-worker-filter=<string>` - A Boolean expression that filters which ingress workers can process sessions for the target.
+- `-session-connection-limit=<string>` - The maximum number of connections allowed for a session.
+A value of `-1` means the connections are unlimited.
+- `-session-max-seconds=<string>` - The maximum lifetime of the session, including all connections.
+You can specify an integer number of seconds or a duration string.
+If you do not specfiy a maximum duration, Boundary uses the default value of 8 hours (28800 seconds).
+- `-with-alias-authorize-session-host-id=<string>` - The host ID that an alias uses to authorize sessions for the target.
+- `-with-alias-scope-id=<string>` - The scope ID that you want to create the target and alias in.
+The default is `global`.
+At this time, aliases are only supported for the global scope.
+- `-with-alias-value=<string>` - The value of the alias that you want to use to represent the target.
+Use this parameter to create the alias and target, and associate them with each other, at the same time.
+
+
+</Tab>
 <Tab heading="SSH">
 
 The `targets create ssh` command lets you create SSH targets.
@@ -133,4 +184,4 @@ Use this parameter to create the alias and target, and associate them with each
 </Tab>
 </Tabs>
 
-@include 'cmd-option-note.mdx'
+@include 'cmd-option-note.mdx'

website/content/docs/commands/targets/update.mdx

@@ -29,17 +29,61 @@ $ boundary targets update [type] [sub command] [options] [args]
 Please see the typed subcommand help for detailed usage information.
 
 Subcommands:
-    ssh    Update a ssh-type target (HCP only)
+    rdp    Update an rdp-type target (HCP & Boundary Enterprise only)
+    ssh    Update a ssh-type target (HCP & Boundary Enterprise only)
     tcp    Update a tcp-type target
 ```
 
 </CodeBlockConfig>
 
 ### Usages by type
 
-You can update SSH or TCP targets.
+You can update RDP, SSH, or TCP targets.
 
 <Tabs>
+<Tab heading="RDP">
+
+The `targets update rdp` command lets you update existing RDP targets.
+
+#### Example
+
+This example updates an RDP target with the id `rdp_1234567890` to add the name `devops` and the description `RDP target for DevOps`:
+
+```shell-session
+$ boundary targets update rdp -id trdp_1234567890 -name "devops" -description "RDP target for DevOps"
+```
+
+#### Usage
+
+<CodeBlockConfig hideClipboard>
+
+```shell-session
+$ boundary targets update rdp [options] [args]
+```
+
+</CodeBlockConfig>
+
+#### RDP target options
+
+- `-address=<string>` - An optional valid network address for the target to connect to.
+You cannot use an address alongside host sources.
+
+  If you set a target address for RDP targets that use Kerberos authentication, use the target's hostname and append the domain to it, for example `target-hostname.mydomain.com`. For RDP targets that use NTLM authentication, set the target address to the target's IP address.
+- `-default-client-port=<string>` - The default client port on the target.
+- `-default-port=<string>` - The default port on the target.
+Due to a port conflict on modern Windows operating systems (Windows 11+, Windows Server 2025), transparent sessions cannot use the default RDP port `3389`.
+You must configure a custom port to use transparent sessions with RDP targets.
+
+  Refer to [Using transparent sessions with RDP on Windows](/boundary/docs/credentials/rdp-testing-and-compatibility-matrix#using-transparent-sessions-with-rdp-on-windows) for more information about configuring a custom port for transparent sessions.
+- `-egress-worker-filter=<string>` - A Boolean expression that filters which egress workers can process sessions for the target.
+- `-ingress-worker-filter=<string>` - A Boolean expression that filters which ingress workers can process sessions for the target.
+- `-session-connection-limit=<string>` - The maximum number of connections allowed for a session.
+A value of `-1` means the connections are unlimited.
+- `-session-max-seconds=<string>` - The maximum lifetime of the session, including all connections.
+You can specify an integer number of seconds or a duration string.
+If you do not specfiy a maximum duration, Boundary uses the default value of 8 hours (28800 seconds).
+
+</Tab>
 <Tab heading="SSH">
 
 The `targets update ssh` command lets you update SSH targets.

website/content/docs/concepts/credential-management.mdx

@@ -33,8 +33,8 @@ The credential brokering process works as follows:
 
    The user is authenticated to the target.
 
-You can attach brokered credentials to either TCP targets or SSH targets.
-Brokered credentials can take the form of a token, username and password, SSH private key, certificate, JSON blob, or an unstructured secret stored in Vault, for example.
+You can attach brokered credentials to SSH, TCP, or RDP targets.
+Brokered credentials can take the form of a token, username password, username password domain, JSON blob, or an unstructured secret stored in Vault, for example.
 
 ### Security considerations
 
@@ -87,7 +87,18 @@ The credential injection process works as follows:
    Then the controller passes credentials to the worker.
    The worker authenticates to the target, and the user is then authenticated to the target.
 
-Credential injection is required for the SSH target type, allowing users to inject the following credential types when they access targets using SSH:
+### Target types
+
+Credential injection is required for the RDP and SSH target types.
+
+<Note>
+
+RDP credential injection is currently in beta.
+For more information about known issues, configuration requirements, and compatibility with Windows, refer to [RDP credential injection compatibility](/boundary/docs/credentials/rdp-testing-and-compatibility-matrix).
+
+</Note>
+
+You can inject the following credential types when you access SSH targets:
 
 - SSH certificates
 - Usernames and passwords
@@ -96,7 +107,9 @@ Credential injection is required for the SSH target type, allowing users to inje
 Keyboard-interactive authentication is not supported for credential injection.
 When you use Username password credentials, ensure that your SSH server is configured to allow password authentication.
 
-You can broker additional credentials to SSH targets after the session is established using injected credentials.
+You can inject username password domain credentials when you access RDP targets in Windows environments that use Active Directory or NTLMv2 for authentication.
+
+You can broker additional credentials to RDP or SSH targets after the session is established using injected credentials.
 
 ### Security considerations
 
@@ -124,6 +137,8 @@ Refer to the [Manage SSH keys with HCP Boundary and Vault](/boundary/tutorials/h
 
 ## More information
 
+Refer to [Credentials in Boundary](/boundary/docs/credentials) to learn more about how Boundary centralizes credential management to enhance security.
+
 To configure credential brokering or credential injection with static credentials, refer to the following topics:
 
 - [Create a static credential store](/boundary/docs/credentials/static-cred-boundary)

website/content/docs/credentials/configure-credential-injection.mdx

@@ -10,21 +10,30 @@ description: >-
 <EnterpriseAlert product="boundary">This feature requires <a href="https://www.hashicorp.com/products/boundary">HCP Boundary or Boundary Enterprise</a></EnterpriseAlert>
 
 The following section provides steps to configure your targets with credential injection.
-Credential injection provides end users with a passwordless experience when they connect to targets.
+Credential injection provides end users with a passwordless experience when they connect to targets by automatically injecting credentials without exposing them to the user.
+
+Credential injection is supported for:
+- **SSH targets**: Protocol-aware SSH connections
+- **RDP targets**: Protocol-aware RDP connections (BETA)
+
+  @include 'alerts/beta.mdx'
 
 ## Requirements
 
 - This feature requires either <a href="https://www.hashicorp.com/products/boundary">HCP Boundary or Boundary Enterprise</a>
-- You must have an existing target available. If you use the SSH target type, the target must be configured with an injected application credential.
-
+- You must have an existing target available that supports credential injection:
+  - **RDP targets**: Must be configured with at least one injected application credential
+  - **SSH targets**: Must be configured with at least one injected application credential
+  - **TCP targets**: Do not support credential injection
 - You must have configured either a static credential store or a Vault credential store:
 
   - To configure a static credential store, refer to [Create static credential stores](/boundary/docs/credentials/static-cred-boundary).
   - To configure a Vault credential store and credential library, refer to [Create Vault credential stores](/boundary/docs/credentials/static-cred-vault).
 
 - You must have a static credential saved in your static credential store or Vault credential store. The credential must correspond to the target to which you want to authenticate.
 
-- Keyboard-interactive authentication is not supported. When you use Username password credentials, ensure that your SSH server is configured to allow password authentication.
+- **For RDP targets**: Network Level Authentication (NLA) is supported. Kerberos and NTLMv2 authentication methods are supported for domain-joined workers. NTLMv2 is supported for non-domain-joined workers.
+- **For SSH targets**: Keyboard-interactive authentication is not supported. When you use username-password credentials, ensure that your SSH server is configured to allow password authentication.
 
 ## Configuration
 
@@ -34,14 +43,14 @@ Complete the following steps to configure targets with credential injection:
 <Tab heading="UI" group="ui">
 
 1. Log in to Boundary.
-1. Select **Orgs** on the navigation pane.
-1. Select your desired org.
-1. Select the project where your target resides.
-1. Click **Targets** on the navigation pane.
-1. Click on your target you want to configure for credential injection.
-1. Click on the **Injected Application Credential** tab.
-1. Click **Managed** and select **Add Injected Application Credential** in the pull down menu.
-1. Do one of the following:
+2. Select **Orgs** on the navigation pane.
+3. Select your desired org.
+4. Select the project where your target resides.
+5. Click **Targets** on the navigation pane.
+6. Click on your target you want to configure for credential injection.
+7. Click on the **Injected Application Credential** tab.
+8. Click **Managed** and select **Add Injected Application Credential** in the pull down menu.
+9. Do one of the following:
    - **If you are using a static credential store**: Select the credential that corresponds to your target and click **Add Injected Application Credential**.
    - **If you are using a Vault credential store**: Select the credential library that corresponds to your target and click **Add Injected Application Credential**.
 
@@ -56,11 +65,11 @@ Complete the following steps to configure targets with credential injection:
   Please enter the password (it will be hidden):
   ```
 
-1. Add credential injection to target.
+2. Add credential injection to target.
 
   ```shell-session
   $ boundary targets add-credential-sources \
-    -id ttcp_vO60a7TwpI \
+    -id trdp_vO60a7TwpI \
     -injected-application-credential-source csvlt_Xqa6V6QwfM
   ```