RDWEB SSO not working through UAG RRS feed

  • Question

  • RemoteApps are working OK through the UAG portal. And, anticipating objections, I'm setting up a new system, prefer the RDWEB portal to the UAG portal, and want to see it work both ways to make an informed decision before moving forward. That said...

    I have followed this blog--

    http://isinghblog.wordpress.com/2010/01/25/forefront-uag-2010-creating-single-sign-on-for-the-remote-desktop-web-access-rdweb/

    --to enable SSO for the WS2008 R2 RDWEB site through UAG. The RDWEB logon page appears but no creds are entered.

    Since backslashes seem to be MIA on this page, I tried substituting

       <DEF_VALUE>sitedomainsiteuser</DEF_VALUE>

    with

       <DEF_VALUE>sitedomain\siteuser</DEF_VALUE>

    I've no idea if that's syntactically correct, but regardless, it made no difference.

    Application type is "RDWEB", which I gather from context will tell UAG it needs to run this script.

    Is there anything else I need to do besides what's on this page? Settings in the Application properties? The portal? What I have now in Authentication is--

    Use SSO
    Use credentials for SSO with my domain selected
    HTML For

    Sunday, April 10, 2011 12:45 AM

All replies

  • Hello,

     

    Given the information you shared, you modified the formlogin.xml file incorrectly. There is a value called domain user which will pass the DOMAIN\USERNAME format; this value goes under USERNAME. Typing in sitedomain\siteuser in the def value will not do what you need.

     

    Thank you
    Dennis Lee

    Friday, April 15, 2011 10:35 PM
  • Thanks, Dennis!

    I changed sitedomain\siteuser to username; still doesn't log on to RDWEB. The credential page loads, but username and password remain blank, waiting for me to type my creds and click Sign In.

    On a hunch, I then tried it with username and with password in lieu of sitepassword. Same result...empty username and password fields. My suspicion is that the script isn't being run. Is there a way to add a "Hello world!" message box to find out?

    Here's the current formlogin.xml--

     

    <WHLFILTFORMLOGIN ver="1.0">
     <APPLICATION>
      <APPLICATION_TYPE>RDWEB</APPLICATION_TYPE>
      <USAGE description="form_login">
       <PRIMARY_HOST_URL><![CDATA[.*/RDWeb/Pages/en-US/login.aspx.*]]></PRIMARY_HOST_URL>
       <SCRIPT_NAME source="data_definition">FormLoginSubmitStandard</SCRIPT_NAME>
       <USER_AGENT>
        <AGENT_TYPE search="group">all_supported</AGENT_TYPE>
        <POLICY>multiplatform</POLICY>
        <SCRIPT_NAME source="data_definition">FormLoginHandler</SCRIPT_NAME>
       </USER_AGENT>
       <MULTIPLE_LOGIN>true</MULTIPLE_LOGIN>
       <LOGIN_FORM>
        <NAME></NAME>
        <METHOD>POST</METHOD>
        <CONTROL handling="dummy_value">
         <TYPE>USER_NAME</TYPE>
         <NAME>DomainUserName</NAME>
         <DEF_VALUE>username</DEF_VALUE>
        </CONTROL>
        <CONTROL handling="dummy_value">
         <TYPE>PASSWORD</TYPE>
         <NAME>UserPass</NAME>
         <DEF_VALUE>sitepassword</DEF_VALUE>
        </CONTROL>
       </LOGIN_FORM>
      </USAGE>
     </APPLICATION>
    </WHLFILTFORMLOGIN>
    

     


    Friday, April 15, 2011 11:52 PM
  •    <CONTROL handling="dummy_value">
        <TYPE>DOMAIN_USER</TYPE>
        <NAME>username</NAME>
        <DEF_VALUE>sitedomain\siteuser</DEF_VALUE>
        <SEPARATOR>\</SEPARATOR>
       </CONTROL>

    The above is what you need... replace this

     <CONTROL handling="dummy_value">
        <TYPE>USER_NAME</TYPE>
        <NAME>DomainUserName</NAME>
        <DEF_VALUE>username</DEF_VALUE>
       </CONTROL>

    Thanks

     

    Saturday, April 16, 2011 12:20 AM
  • OK, changed it and activated again. Same result.
     
    The reason I think it's not running is that if Sign In was programmatically pressed--whether by a human or by UAG and with any invalid input including empty name or password--RDWEB would post the same creds page, but with "The user name or password that you entered is not valid. Try typing it again." added to it.
     
    It's not doing that...it's not doing anything. it's just sitting there, waiting patiently for someone to enter SOMETHING and click Sign In.
     
    FWIW, viewing the RDWEB logon page's HTML shows this:
    <label><input name="DomainUserName" type="text" id="DomainUserName" class="textInputField" size="25" autocomplete="off" /></label>
    
    
     
    But even editing your XML to say--
     <CONTROL handling="dummy_value">
     <TYPE>DOMAIN_USER</TYPE>
     <NAME>DomainUserName</NAME>
     <DEF_VALUE>sitedomain\siteuser</DEF_VALUE>
     <SEPARATOR>\</SEPARATOR>
     </CONTROL>
    
    --does not help. So we may be getting closer, but we're not there yet.
     
    To make sure I understood you, here's the complete XML, your way:
    <WHLFILTFORMLOGIN ver="1.0">
     <APPLICATION>
      <APPLICATION_TYPE>RDWEB</APPLICATION_TYPE>
      <USAGE description="form_login">
       <PRIMARY_HOST_URL><![CDATA[.*/RDWeb/Pages/en-US/login.aspx.*]]></PRIMARY_HOST_URL>
       <SCRIPT_NAME source="data_definition">FormLoginSubmitStandard</SCRIPT_NAME>
       <USER_AGENT>
        <AGENT_TYPE search="group">all_supported</AGENT_TYPE>
        <POLICY>multiplatform</POLICY>
        <SCRIPT_NAME source="data_definition">FormLoginHandler</SCRIPT_NAME>
       </USER_AGENT>
       <MULTIPLE_LOGIN>true</MULTIPLE_LOGIN>
       <LOGIN_FORM>
        <NAME></NAME>
        <METHOD>POST</METHOD>
        <CONTROL handling="dummy_value">
         <TYPE>DOMAIN_USER</TYPE>
         <NAME>username</NAME>
         <DEF_VALUE>sitedomain\siteuser</DEF_VALUE>
         <SEPARATOR>\</SEPARATOR>
        </CONTROL>
        <CONTROL handling="dummy_value">
         <TYPE>PASSWORD</TYPE>
         <NAME>UserPass</NAME>
         <DEF_VALUE>sitepassword</DEF_VALUE>
        </CONTROL>
       </LOGIN_FORM>
      </USAGE>
     </APPLICATION>
    </WHLFILTFORMLOGIN>
    
    And my way:

    <WHLFILTFORMLOGIN ver="1.0">
      <APPLICATION>
        <APPLICATION_TYPE>RDWEB</APPLICATION_TYPE>
        <USAGE description="form_login">
          <PRIMARY_HOST_URL><![CDATA[.*/RDWeb/Pages/en-US/login.aspx.*]]></PRIMARY_HOST_URL>
          <SCRIPT_NAME source="data_definition">FormLoginSubmitStandard</SCRIPT_NAME>
          <USER_AGENT>
            <AGENT_TYPE search="group">all_supported</AGENT_TYPE>
            <POLICY>multiplatform</POLICY>
            <SCRIPT_NAME source="data_definition">FormLoginHandler</SCRIPT_NAME>
          </USER_AGENT>
          <MULTIPLE_LOGIN>true</MULTIPLE_LOGIN>
          <LOGIN_FORM>
            <NAME></NAME>
            <METHOD>POST</METHOD>
            <CONTROL handling="dummy_value">
              <TYPE>DOMAIN_USER</TYPE>
              <NAME>DomainUserName</NAME>
              <DEF_VALUE>sitedomain\siteuser</DEF_VALUE>
              <SEPARATOR>\</SEPARATOR>
            </CONTROL>
            <CONTROL handling="dummy_value">
              <TYPE>PASSWORD</TYPE>
              <NAME>UserPass</NAME>
              <DEF_VALUE>sitepassword</DEF_VALUE>
            </CONTROL>
          </LOGIN_FORM>
        </USAGE>
      </APPLICATION>
    </WHLFILTFORMLOGIN>

    Saturday, April 16, 2011 1:16 AM
  • I am also interested in a solution. Back in W2008 (pre-R2) this worked fine!

    Maybe it was changed due to security concerns? Or, to give more room to Citrix?

    • Marked as answer by Erez Benari Friday, August 26, 2011 11:54 PM
    • Unmarked as answer by JRV529088 Friday, August 26, 2011 11:55 PM
    Tuesday, June 21, 2011 3:28 AM
  • To Ben Ari:

    Sergey's post is DEFINITELY not an answer! It's a "me too" post. I don't have an answer, yet, and I'll bet Sergey doesn't either.

    [editorial]I see a lot of posts on the Technet boards marked as answers by MS mods when they're not in fact answered at all. Diminishes the value of the "answered" checkmark on a thread to pretty near zero.[/editorial]

    Saturday, August 27, 2011 12:00 AM
  • Hi folks,

    So I managed to get RDWeb working with SSO and Autosubmit. Tomorrow there will be a blog post on my microsoft-iag blog with a step-by-step guide on how to configure and publish RDWEB via UAG using custom form login and a bit more, because there are some issues after this is set up correctly. Please be patient for a few hours. I will post the link in this thread when I have finished the post. Then there is a solution.

    Cheers

    Andreas


    Andreas Hecker - Blog: http://microsoft-iag.blogspot.com/ Please remember to use “Mark as Answer” or "vote as helpful" on the posts that help you.
    Saturday, August 27, 2011 8:04 PM
    I had an absolutely hellish job getting this working using direct RDP (not RDweb) and RemoteApp, but it works well if anyone is interested. I couldn't face getting RDWEB to work when UAG has built-in RDG functionality.

    If it helps anyone:

     - This was not at all reliable before SP1, so use SP1.
     - Beware - login.asp changed from SP0/update 1 to SP1. If you have a customised login.asp you must take the new version and customise it again. SSO fails without this.
     - Certificates are key to it all working. The RD server must present a certificate with the correct FQDN that can be checked by the client. That may mean installing a certificate on the RD server that is created by an external CA. The detail is fiddly - if anyone wants to know more I can mail it to you.

    --Zuzzy

    Wednesday, August 31, 2011 1:11 PM
  • Hi Folks,

    I have finished my blog post on how to access Remote Desktop Web Access using SSO. You can find step-by-step instructions here:

    http://microsoft-iag.blogspot.com/2011/08/uaghow-to-access-remote-desktop-web.html

    Hope this helps!

    Cheers,

    Andreas


    Friday, September 2, 2011 12:13 PM
  • Thanks, Andreas! I will give this a try, shortly. In your prior post here, you said "there are some issues after this is set up correctly." What are the "issues?" This was not discussed in your blog.
    • Edited by JRV529088 Friday, September 2, 2011 3:11 PM
    Friday, September 2, 2011 3:11 PM
  • Hi,

    The issue is that the published applications won't run when they are opened via RDWeb, so we have to find another trick for that :-)

    Cheers,

    Andreas


    Friday, September 2, 2011 4:29 PM
  • Well, yes, I agree that would be an "issue," Andreas!

    I appreciate your efforts, and you certainly got farther with your project than I did with mine.

    But may I suggest that until one can actually run a RemoteApp from RDWEB published through UAG, that you post a warning in BOLD ALL-CAPS at the top of your article so people don't spend time following it, only to find they can't use it?

    Friday, September 2, 2011 4:38 PM
  • Hi Andreas,

    To give you some ideas of where the application may break (I haven't looked into it so far), I want to share some thoughts with you.

    1.) Switch the application template over to "application specific hostname", since RDP clients / ActiveX controls are getting involved in this scenario. Those can't be touched using AppWrap/SRA.

    2.) You have to publish the HTTP/RPC Proxy, too.

    3.) You have to make sure the RDP client can authenticate to UAG. If it's failing, it is most likely a problem related to persistent cookies (UAG doesn't set them for you without additional customizations).

    4.) You have to instruct the RDP application to use forms pre-authentication using additional *.rdp options.

    At the end of the week I may find some time to have a look into it^^ Publishing RDWeb is a common scenario with TMG (e.g. using TMG for OTP/RSA pre-auth), and on paper I don't see any reason why UAG shouldn't support this application, too.

    BTW: Thanks! Your forms engine article gave me some ideas for a new development. I will try to reuse a self-written UAG-to-TMG SSO 302 redirect page to support UAG-to-RDWeb. If you're familiar with UAG & SiteMinder, then you already have an idea of what I want to achieve^^ I hope I get this thing up and running...

    -Kai

    Saturday, September 3, 2011 8:17 AM
  • Hi Andreas,

    today, I found some time to see if I could get RDWeb/RDGW up and running. In the end I was able to use the internal RDWeb/RDGW and make some manual connections using MSTSC (should be enough proof for a quick PoC).

    I used a custom *.asp as an application/authentication ramp to set the needed cookies for UAG and RDWeb. Here is a quick overview of the *.asp I've used...

    1.) Retrieve the UAG session cookie from the request header.

    2.) Fetch the Lead User session credentials (AD) for the SessionID.

    3.) Build the POST string for the RDWeb login page using the fetched Lead User credentials.

    4.) Use WinHTTP to log the user on to RDWeb on their behalf.

    5.) Retrieve the RDWeb cookies from the WinHTTP response (TSWAAuthClientSideCookie, TSWAAuthHttpOnlyCookie).

    6.) Set-Cookie: TSWAAuthClientSideCookie, TSWAAuthHttpOnlyCookie as the response to the client.

    7.) Format the persistent UAG cookie and finally Set-Cookie: NLSessionSaccesstrunkPersistForOffice (non-domain, valid for 2 hours) as the response to the client.

    8.) 302-redirect the user to /rdweb/ and get instant SSO access (without using the UAG forms engine).

    The UAG publishing part was pretty simple...

    1.) https://rdweb.contoso.de/redirect/srv-1.contoso.de.asp: a single-file publishing rule for the ramp code. The *.asp file was stored on UAG under C:\inetpub\wwwroot\Redirects (Default Site).

    2.) https://rdweb.contoso.de/rdweb/ and https://rdweb.contoso.de/rpc/ as the RDWeb/RDGW publishing rule.

    3.) A manual URL rerouting rule for https://srv-1.contoso.de/rpc/rpcproxy.dll.* (i.e. the name of the internal RDGW server).

    4.) Application 1.) got a portal link, and 2.) didn't. When the user starts link 1.), the logon and persistent cookies get placed on the client, and the user is then SSO-redirected to RDWeb.

    The MSTSC connection was configured this way...

    1.) Used "pre-authentication server address: s:https://rdweb.contoso.de/rdweb/" and "require pre-authentication:i:1" for the MSTSC connection.

    2.) Verified the monitoring of RDGW to see if the user used the internal RDGW.

    -Kai




    • Edited by Kai Wilke Monday, September 5, 2011 4:40 PM
    Monday, September 5, 2011 4:27 PM
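    The cookie handling of the ramp Kai outlines in steps 1 to 8, as an added Python example that is not Kai's *.asp (his ran as classic ASP with WinHTTP on the UAG box). It assumes steps 1, 2 and the WinHTTP call in step 4 have already happened and their results are passed in; the DomainUserName/UserPass form fields, the two TSWAAuth cookie names and the NLSessionSaccesstrunkPersistForOffice cookie come from the thread, and every sample value is constructed.

```python
from datetime import datetime, timedelta, timezone
from http.cookies import SimpleCookie
from urllib.parse import urlencode

# Cookie names RDWeb issues (Kai's step 5) and the UAG persistent cookie (step 7), both from the thread.
RDWEB_COOKIES = ("TSWAAuthClientSideCookie", "TSWAAuthHttpOnlyCookie")
UAG_PERSIST_COOKIE = "NLSessionSaccesstrunkPersistForOffice"

def build_rdweb_post(domain_user, password):
    """Step 3: form body for login.aspx. Field names are those in the thread's HTML;
    the form is assumed to need only these two (any hidden fields are not modelled)."""
    return urlencode({"DomainUserName": domain_user, "UserPass": password})

def extract_rdweb_cookies(set_cookie_headers):
    """Step 5: from the Set-Cookie headers RDWeb returned, keep only the two auth cookies
    (value and original Path), dropping anything else the backend happened to set."""
    found = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if name in RDWEB_COOKIES:
                found[name] = (morsel.value, morsel["path"] or "/")
    return found

def build_client_response(rdweb_cookies, uag_session, now=None, redirect_to="/rdweb/"):
    """Steps 6-8: replay the RDWeb cookies to the browser, add the 2-hour UAG cookie, 302 to /rdweb/."""
    if set(rdweb_cookies) != set(RDWEB_COOKIES):
        # A half-successful on-behalf logon must not hand the browser a partial session.
        raise ValueError("RDWeb logon did not return both auth cookies")
    now = now or datetime.now(timezone.utc)
    headers = [("Location", redirect_to)]
    for name in RDWEB_COOKIES:
        value, path = rdweb_cookies[name]
        # Keep RDWeb's own Path, host-only (no Domain attribute), TLS-only; HttpOnly stays HttpOnly.
        flags = f"; Path={path}; Secure" + ("; HttpOnly" if name == "TSWAAuthHttpOnlyCookie" else "")
        headers.append(("Set-Cookie", f"{name}={value}{flags}"))
    expires = (now + timedelta(hours=2)).strftime("%a, %d %b %Y %H:%M:%S GMT")  # the 2 hours from step 7
    headers.append(("Set-Cookie", f"{UAG_PERSIST_COOKIE}={uag_session}; Path=/; "
                                  f"Expires={expires}; Secure; HttpOnly"))
    return 302, headers

def demo():
    """Constructed sample of what step 4's WinHTTP call might return; all values are made up."""
    captured = ["TSWAAuthClientSideCookie=abc123; path=/RDWeb",
                "TSWAAuthHttpOnlyCookie=def456; path=/RDWeb; HttpOnly",
                "ASPSESSIONIDQQ=zzz; path=/"]  # unrelated backend cookie, must be dropped
    fixed_time = datetime(2011, 9, 5, 16, 27, tzinfo=timezone.utc)  # placeholder for "now"
    return build_client_response(extract_rdweb_cookies(captured), "UAG-SESSION-PLACEHOLDER", fixed_time)
```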
  • Hi Kai & Andreas

    From what little I understand of Kai's last post, sounds like maybe you've solved it. But I've no idea how to implement it myself. However, this would be a MUCH better solution for me than UAG's RemoteApp publishing, and I remain very interested.

    In particular, the "Private Computer" setting on RDWEB would allow bypassing the "This web site wants to run a RemoteApp" prompt. I'm sure you know this is something of a Holy Grail for UAG/RemoteApp admins and would be appreciated by many.

    Any chance of this being documented step-by-step on your blog?

    Tuesday, October 25, 2011 5:34 AM