SSO (Single Sign On) thoughts on RDS (Remote Desktop Services) 2012

Recently, for one of my enterprise banking customers, I configured SSO for a Windows Server 2012 Remote Desktop Services solution.

But while I was searching for possible solutions, I realized that the very first thing you need to settle is: for which part of RDS do you want to enable SSO? This is a critical question, because if you search for an RDS SSO solution you will most probably come up with the following article:

http://blogs.msdn.com/b/rds/archive/2012/06/25/remote-desktop-web-access-single-sign-on-now-easier-to-enable-in-windows-server-2012.aspx

Yes, this is the correct article for configuring SSO in the new version of RDS, but let's look at it a little more closely.

If you want to enable SSO for your RemoteApp programs, you need to modify the "Allow delegating default credentials" setting under Credentials Delegation in Group Policy and add your servers to the list as TERMSRV/<server name> (the name must match the one the client actually connects to). You can follow this article to configure that policy:

http://blogs.msdn.com/b/rds/archive/2007/04/19/how-to-enable-single-sign-on-for-my-terminal-server-connections.aspx

Once the above is configured, you have SSO for RemoteApp sessions: if your domain users log on to their computers with domain credentials, they will not need to re-enter them for RemoteApp programs.
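As an added example (not part of the original post), here is the local-policy equivalent of that Credentials Delegation setting, written straight to the policy registry key so a single test client can be checked without waiting for Group Policy. In production you set the same values through the GPO (Computer Configuration > Administrative Templates > System > Credentials Delegation > Allow delegating default credentials); the host names below are assumed placeholders.

```powershell
# Added example, not from the original post. Run elevated on a test client.
# The GPO "Allow delegating default credentials" is stored under this key;
# the server list is a subkey holding string values named "1", "2", ...
$rdsHosts  = @('rdsh01.contoso.local', 'rdcb01.contoso.local')   # assumed names
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$listKey   = Join-Path $policyKey 'AllowDefaultCredentials'

function Set-RdsCredentialDelegation {
    param([string[]]$Hosts)

    New-Item -Path $listKey -Force | Out-Null

    # Enable the policy and concatenate with the OS default list.
    Set-ItemProperty -Path $policyKey -Name 'AllowDefaultCredentials' -Value 1 -Type DWord
    Set-ItemProperty -Path $policyKey -Name 'ConcatenateDefaults_AllowDefault' -Value 1 -Type DWord

    # Clear stale entries so removed hosts do not linger in the list.
    Get-Item $listKey | Select-Object -ExpandProperty Property |
        ForEach-Object { Remove-ItemProperty -Path $listKey -Name $_ }

    $i = 1
    foreach ($h in $Hosts) {
        # SPN form the RDP client matches against: TERMSRV/<name the client connects to>
        Set-ItemProperty -Path $listKey -Name "$i" -Value "TERMSRV/$h" -Type String
        $i++
    }
}

function Get-RdsCredentialDelegation {
    # Returns the configured SPN list in numeric order, for verification.
    if (-not (Test-Path $listKey)) { return @() }
    $item = Get-Item $listKey
    $item.Property | Sort-Object { [int]$_ } | ForEach-Object { $item.GetValue($_) }
}

Set-RdsCredentialDelegation -Hosts $rdsHosts
Get-RdsCredentialDelegation
```

Two checks worth doing afterwards: the name in the SPN must match the `full address` in the RemoteApp .rdp file exactly (a short name in the policy and an FQDN in the .rdp file still prompts), and when the policy comes from a domain GPO, confirm it actually arrived with `gpresult /h report.html` before blaming the RDS side.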

But you may want to enable SSO for another component of your RDS design: the RD Web Access web page.

If your users browse to the RD Web Access page to start RemoteApps, you may want to get rid of the additional credential form on the RDWeb page, because even with the SSO settings above, users still have to authenticate through IIS forms-based authentication on the page shown below.


If you want to enable SSO for that forms-based logon page, you need to edit the web.config file of your RDWeb site (back it up first). To achieve this:

  • Navigate to C:\Windows\Web\RDWeb\Pages\web.config
  • To turn on Windows Authentication:
                  – uncomment the <authentication mode="Windows"/> element
                  – and comment out:
                  1) the <authentication mode="Forms"> section,
                  2) the <modules> and <security> sections inside <system.webServer> at the end of the file.

After that, in IIS Manager, select the RDWeb application, enable Windows Authentication and disable Anonymous Authentication, then restart the IIS Admin Service (or run iisreset).
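The web.config and IIS Manager steps above, scripted, as an added example that is not part of the original post. It assumes the default install path, the site name "Default Web Site" and the application path "RDWeb"; removing the <modules> and <security> elements has the same effect as commenting them out, and the IIS authentication settings are written as location tags in applicationHost.config, exactly where IIS Manager puts them.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# on the RD Web Access server. Paths and names are assumptions.
Import-Module WebAdministration

$webConfig = 'C:\Windows\Web\RDWeb\Pages\web.config'
$location  = 'Default Web Site/RDWeb'   # site/application as IIS Manager shows it
$authBase  = 'system.webServer/security/authentication'

function Set-RdWebWindowsAuth {
    # 1. Back up before touching anything.
    Copy-Item $webConfig "$webConfig.$(Get-Date -Format yyyyMMddHHmmss).bak"

    [xml]$cfg = Get-Content $webConfig -Raw

    # 2. ASP.NET side: Forms -> Windows, and drop the <forms> child that
    #    only makes sense in Forms mode.
    $auth = $cfg.configuration.'system.web'.authentication
    $auth.SetAttribute('mode', 'Windows')
    @($auth.ChildNodes | Where-Object { $_.LocalName -eq 'forms' }) |
        ForEach-Object { [void]$auth.RemoveChild($_) }

    # 3. Remove the <modules> and <security> overrides under <system.webServer>
    #    (they re-enable the forms module and anonymous access).
    $ws = $cfg.configuration.'system.webServer'
    if ($ws) {
        @($ws.ChildNodes | Where-Object { $_.LocalName -in 'modules', 'security' }) |
            ForEach-Object { [void]$ws.RemoveChild($_) }
    }
    $cfg.Save($webConfig)

    # 4. IIS side for the RDWeb application: Windows on, Anonymous off.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter "$authBase/windowsAuthentication" -Name enabled -Value $true
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false

    # 5. Restart IIS so both changes take effect.
    & iisreset /noforce | Out-Null
}

function Get-RdWebAuthState {
    # Read back what was configured, from both files, for a quick sanity check.
    $mode = ([xml](Get-Content $webConfig -Raw)).configuration.'system.web'.authentication.mode
    $win  = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
                -Filter "$authBase/windowsAuthentication" -Name enabled
    $anon = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
                -Filter "$authBase/anonymousAuthentication" -Name enabled
    [pscustomobject]@{
        AspNetMode        = $mode
        WindowsAuth       = $win.Value
        AnonymousAuth     = $anon.Value
    }
}

Set-RdWebWindowsAuth
Get-RdWebAuthState   # expect AspNetMode=Windows, WindowsAuth=True, AnonymousAuth=False
```

Keep the .bak file around: the RDWeb role re-creates or updates this web.config when the role service is reconfigured or patched, and a diff against the backup is the fastest way to see whether your change survived.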

Now when your users browse to the RDWeb page, their logged-on credentials are used to authenticate to IIS. Note that this only works for domain-joined clients whose browser is allowed to perform Integrated Windows Authentication against the site (for Internet Explorer, the site must be in the Local intranet zone or another zone configured for automatic logon); other clients, for example non-domain devices coming in from the internet, get a browser HTTP 401 credential prompt instead of the form.

But I found another problem with this scenario. If I configure SSO for both components (RemoteApp and the web page), RemoteApp SSO does not work as expected: users must tick the "private computer" checkbox shown below if they want SSO for RemoteApp.


You can also change default.aspx in the RDWeb\Pages\en-US directory so that the checkbox is ticked by default.

Change the line below

public bool fUserAdmin = false, fConfigPage = false, bShowPublicCheckBox = false, bPrivateMode = false;

to

public bool fUserAdmin = false, fConfigPage = false, bShowPublicCheckBox = false, bPrivateMode = true;

or, in the body tag, add the second statement below (the getElementById call) to the onload handler:

<body onload="onPageload(event); document.getElementById('WebPartManager1_TSPortalWebPart1PublicCheckbox').checked=true;" onunload="onPageUnload(event)">

Now the checkbox is ticked by default.
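The default.aspx change scripted, as an added example that is not from the original post: it backs the page up, refuses to touch the file unless the bPrivateMode assignment is found exactly once, and then flips it to true. The path assumes the default install and the en-US language directory mentioned above.

```powershell
# Added example, not from the original post. Run elevated on the RD Web Access server.
$page = 'C:\Windows\Web\RDWeb\Pages\en-US\default.aspx'   # assumed default path

function Set-RdWebPrivateModeDefault {
    param([string]$Path)

    $src     = Get-Content $Path -Raw
    $pattern = 'bPrivateMode\s*=\s*false;'
    $hits    = [regex]::Matches($src, $pattern)

    # Guard: the page format may differ between builds; only patch a known shape.
    if ($hits.Count -ne 1) {
        throw "Expected exactly one 'bPrivateMode = false;' in $Path, found $($hits.Count); not modified."
    }

    Copy-Item $Path "$Path.$(Get-Date -Format yyyyMMddHHmmss).bak"
    $patched = [regex]::Replace($src, $pattern, 'bPrivateMode = true;')
    Set-Content -Path $Path -Value $patched -Encoding UTF8

    # Return the patched declaration line so the caller can eyeball it.
    ($patched -split "`r?`n" | Where-Object { $_ -match 'bPrivateMode' }) -join "`n"
}

Set-RdWebPrivateModeDefault -Path $page
```

Forcing private mode means every RD Web Access session is treated as a private computer, including sessions from shared or kiosk machines; only do this where the page is reachable from managed, domain-joined clients as described above.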

9 thoughts on “SSO (Single Sign On) thoughts on RDS (Remote Desktop Services) 2012”

  1. Excellent ! I have one question.. any idea how enabling integrated authentication will affect users that will try to use rdweb from outside? I.e. from the internet and devices that are not logging into the domain (i.e. personal, RT etc..)?

  2. Another question as well.. there seem to be quite a few folks, myself included, that are trying to get WinTPC to start RDP/VDI directly … This cannot happen since the web authentication must take place first.. In other words .. WinTPC is domain joined… user logs in with AD credentials.. Then they must open a web browser to get to a pooled VDI desktop. Is there a way to craft an RDP file that passes the currently logged on user's credentials? I can steal the .rdp file but without first authenticating through the browser the user gets prompted for credentials.

  3. Never mind.. I found a solution… Credential Delegation must be set up in GPO on the WinTPC machines. Then the .rdp stolen from RDWEB .. Then set GPO for the WinTPCs to use a custom interface that runs a PowerShell script with a wait statement loop that runs the .rdp file…

    When the mstsc process is killed it runs logoff…

    Voila ! WinTPC that goes straight to 2012 VDI session from login.. We still get the spat about the connection not being trusted but I think that just requires either a signed .rdp or certificate on the rdcb..

  4. more detailed question:

    In IIS Manager, I chose -> Sites -> Default Web Site -> RDWeb -> IIS authentication. There I disabled: “Anonymous Authentication”, “ASP.NET Impersonation”, “Basic Authentication”, “Forms Authentication”.
    “Windows Authentication” is enabled. Response Type = “HTTP 401 Challenge”.
    “Windows Authentication -> Advanced Settings” I set: “Extended Protection: Accept”. And “Kernel-mode authentication” is enabled.
    Do you know if that setting is correct?

  5. Hi.
    After I have enabled pass-through authentication on the RDWeb site, I need to re-enter credentials when connecting to RemoteApp or Remote Desktop.
    How can I fix it?
