RD Web Access - AD FS 2.0

    Question

  • Hi,

    We have an internet facing deployment of CRM 2011, ADFS 2.0 is the claims provider. Some of the users are using RD web access as well (remote desktop services servers in the same domain, as the AD FS 2.0 claims provider).

    Is there a way to use the AD FS login screen for authentication to the RD Web Access?

    Asked another way: does the RD Web Access (W2K8 R2) support Claims Based authentication?

    If yes, how can I configure it?

    Thanks

    Peter

    June 26, 2012 14:21

All replies

  • Hi,

    For ADFS issue, please redirect to the following forum:

    Claims based access platform (CBA), code-named Geneva

    http://social.msdn.microsoft.com/Forums/en/Geneva/threads

    Best regards,

    Clarence

    Forum Support
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.


    June 27, 2012 8:09
  • Hi Peter,

    RDWeb and the Remote Desktop Client do not have support for claims based auth. RDWeb does have support for using Windows authentication for displaying the icons to users, which means you may be able to get ADFS working using the Claims to Windows Token Service; however, there would still be a credentials prompt when the user launches a RemoteApp.

    The only way to get rid of the second credential prompt would be if you enabled Allow Delegating Default Credentials via group policy on the client PCs and this requires that the local user account they are using is the correct one for your domain, which is often not the case for users connecting from the Internet.

    -TP

    June 28, 2012 6:01
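
An added example (not part of TP's post and not Microsoft tooling): a PowerShell check, run on a client PC, that reads the registry location where the Allow Delegating Default Credentials Group Policy setting is stored and reports whether it covers a given RD host. The host name is a constructed placeholder and the function names are hypothetical.

```powershell
# Registry location written by the "Allow Delegating Default Credentials" policy.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Get-DelegationSpnList {
    # Returns the SPN patterns configured for default-credential delegation.
    param([string]$Root = $PolicyRoot)
    $enabled = (Get-ItemProperty -Path $Root -Name AllowDefaultCredentials `
                -ErrorAction SilentlyContinue).AllowDefaultCredentials
    if ($enabled -ne 1) { return @() }          # policy not configured or disabled
    $listKey = Join-Path $Root 'AllowDefaultCredentials'
    if (-not (Test-Path $listKey)) { return @() }
    $key = Get-Item -Path $listKey
    @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
}

function Test-SpnCoversHost {
    # True when a pattern such as TERMSRV/*.hosting.example matches the target host.
    param([string]$Pattern, [string]$TargetHost)
    $service, $hostPattern = $Pattern -split '/', 2
    if (-not $hostPattern) { return $false }     # no "service/host" form
    if ($service -ne 'TERMSRV' -and $service -ne '*') { return $false }
    return ($TargetHost -like $hostPattern)      # -like is case-insensitive
}

$rdHost = 'rds01.hosting.example'                # constructed placeholder
$spns   = @(Get-DelegationSpnList)

if ($spns.Count -eq 0) {
    'Policy not set: expect a credential prompt when the RemoteApp launches.'
}
foreach ($spn in $spns) {
    [pscustomobject]@{
        Spn          = $spn
        CoversRdHost = Test-SpnCoversHost -Pattern $spn -TargetHost $rdHost
        # An entry ending in /* delegates the logged-on user's credentials
        # to any server of that service class, not only the intended RD host.
        BroadEntry   = ($spn -match '/\*$')
    }
}
```

Even when `CoversRdHost` is true, the delegated credentials are those of the locally logged-on account, which is the limitation described in the post above for users connecting from the Internet.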
  • Hi,

    I would like to confirm what is the current situation? If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.

    Regards,
    Clarence
    Forum Support

    July 6, 2012 7:24
  • Hi, Clarence,

    Thanks for the contribution.

    I understand the workarounds for RDWeb not supporting the claims authentication.

    Anyway, these workarounds don't seem to be helpful:

    - the first suggestion is not really an SSO solution, credentials are the same, but must be entered multiple times

    - applying a policy is not an option, because this is (I did not mention) a hosting scenario, we are providing Dynamics CRM services for Customers.

    As I see, the root of the problem is that we need to pass the credentials to the remote app control, and using Claims based authentication the last time it is available is the ADFS login page, where the user types it in the fields, after that only encrypted tokens are present in cookies.

    So I can't see an easy way now, how a real SSO experience could be achieved using ADFS and RD Web Access.

    Best regards

    Peter

    July 6, 2012 9:06
  • Hi,

    As TP noted, it seems that RDWeb does not have support for claims based auth.

    Even if RD Web Access is configured to use Windows Authentication, which is the Windows Server 2008 mode, instead of the default Forms Based Authentication (FBA), users will be prompted for credentials twice: once for the Windows Integrated Authentication for RD Web Access and again on the launch of the first RemoteApp in the RemoteApp and Desktop Connection. Thereafter on subsequent RemoteApp launch, SSO will work as it works in the FBA mode.

    Regards,

    Clarence


    July 10, 2012 6:01