Single Sign on Terminal services web client application

  • Question

  • I've created a Terminal services web Client application on IAG 2007 sp2.
    This works fine, but a requirement is single sign on between the RDP client and the IAG portal.
    Currently you have to enter your credentials when the IAG client launches the RDP client.

    The RDP client is the default RDP 6.1 client in Vista service pack 1 or XP service pack 3.

    Is it possible to have SSO between the IAG portal and the RDP client?

    Thanks.
    Jaco Hanemaaijer
    Monday, June 8, 2009 8:55 AM

Answers

  • Hi Jaco. There are two authentication phases in your scenario. First, the user authenticates to the Terminal Server Web page. And then, when the RDP client is started the user has to authenticate again, but this time against the Terminal Services Server. The first application is a web application and so IAG can delegate the credentials on behalf of the user. But the second connection (RDP) is a client/server application and there is no way in the current version of IAG to delegate credentials for a client/server application. KCD is not an option as it can only be used in web applications. And the option of using CredSSP in XP SP3 or Vista enables the RDP client (6.1) to delegate credentials against the Server, but it is something between the user and the client. IAG doesn't participate either way.

    Hope this helps to clarify the answer

    Regards

    // Raúl
    Monday, June 8, 2009 7:03 PM

All replies

  • Hi Undrun,

    IAG could provide SSO only for Web Applications.
    You must use additional requirements to achieve it. For example, use a PKI with Client Certificate Authentication on your RDP, a SmartCard, ...

    Remain at your disposal,

    Regards
    _____________________________ GIRAUD Alexandre MVP Forefront France http://www.alexgiraud.net/blog
    Monday, June 8, 2009 9:01 AM
  • Hi Alex,
    SSO is working between the IAG portal and the Terminal server web Access server, but there is no Terminal Server Gateway involved and therefore RDP traffic is running through the SSL tunnel, so we need to delegate the credentials to the RDP client.

    I know that it is possible to configure credential delegation to RDP clients in Vista and beyond via Group Policy settings and think that this link refers to a possible solution: http://www.ssl-vpn.de/wiki/(S(l5vsn255uxjyoqusk5m2nfjf))/Credential%20Delegation%20with%20NTLM.ashx.

    I'm wondering if this solution also works for older clients (XP) and for the RDP client.

    Thanks.
    Jaco
    Monday, June 8, 2009 9:15 AM
  • Hi,

    Maybe it can help you: http://blogs.msdn.com/rds/archive/2007/04/19/how-to-enable-single-sign-on-for-my-terminal-server-connections.aspx
    It seems that it's possible with XP with SP3 only.

    Regards,
    Alex
    GIRAUD Alexandre - MVP Forefront France - http://www.alexgiraud.net/blog
    Monday, June 8, 2009 9:29 AM
  • Hi Alex,

    Credential delegation delegates user credentials from the client computer to the target server. In the case that the credentials on the IAG portal are different than the credentials on the local client computer, this solution is probably not working.

    Regards,
    Jaco
    Monday, June 8, 2009 10:54 AM
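The two posts above turn on the CredSSP "allow delegating default credentials" Group Policy and then note its limit: whatever is delegated is the credential the user logged on to the client with, and it goes to every server whose SPN matches the policy. The following PowerShell audit is an added example, not code from the thread or from Microsoft; it reads the policy's registry layout (the CredentialsDelegation key, the AllowDefaultCredentials and AllowDefaultCredentialsWhenNTLMOnly values, and the per-policy subkey holding TERMSRV/ SPN patterns) and flags wildcard targets, which widen the set of hosts that can receive the user's credentials.

```powershell
# Added example: audit which hosts a client will delegate the logged-on user's
# credentials to via CredSSP. Run on the RDP client (Vista SP1 / XP SP3 or later).
# Registry layout follows the CredentialsDelegation policy key; it is read-only here.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Get-CredSspDelegationTargets {
    param([string]$PolicyName)   # AllowDefaultCredentials or AllowDefaultCredentialsWhenNTLMOnly
    $sub = Join-Path $base $PolicyName
    if (-not (Test-Path $sub)) { return @() }
    $key = Get-Item $sub
    # The subkey holds numbered string values ("1", "2", ...) with one SPN pattern each,
    # e.g. TERMSRV/ts01.example.local or TERMSRV/*
    $key.GetValueNames() | ForEach-Object { $key.GetValue($_) }
}

foreach ($policy in 'AllowDefaultCredentials', 'AllowDefaultCredentialsWhenNTLMOnly') {
    $enabled = 0
    if (Test-Path $base) {
        $props = Get-ItemProperty -Path $base -Name $policy -ErrorAction SilentlyContinue
        if ($props) { $enabled = $props.$policy }
    }
    if ($enabled -ne 1) {
        "$policy : not enabled (no default credentials are delegated under this policy)"
        continue
    }
    $targets = @(Get-CredSspDelegationTargets -PolicyName $policy)
    "$policy : enabled for $($targets.Count) target pattern(s)"
    foreach ($t in $targets) {
        # Delegation sends the client logon credential, not the IAG portal credential.
        # A wildcard pattern hands it to any host the RDP client is pointed at.
        if ($t -match '\*') { "  $t  <-- wildcard: review, credentials go to any matching host" }
        else                { "  $t" }
    }
}
```

The NTLM-only variant matches the "Credential Delegation with NTLM" link above; it is the weaker of the two because the server is not Kerberos-authenticated before the credential is delegated, so its target list deserves the closer look.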
  • Ok,

    So I never used this scenario and don't know if it's really possible.
    Try to read this article about KCD: http://technet.microsoft.com/en-us/library/dd278107.aspx
    There is also a great article on the EdgeAccess blog: http://blogs.technet.com/edgeaccessblog/archive/2009/01/08/intelligent-application-gateway-iag-2007-goes-into-data-center-with-service-pack-2-sp2-part-2.aspx (Section: Authentication delegation and Single Sign-On)

    IAG Server must be in the same domain as your RDP Servers. But when you enable KCD on an IAG application, it disables the Pass-Through (Basic or Forms). You must in this case enable KCD delegation in TS Web too.

    I can't provide you additional information; I hope someone has already worked on this scenario and can provide feedback in this forum.

    Sorry I can't help you any more.
    Alex

    GIRAUD Alexandre - MVP Forefront France - http://www.alexgiraud.net/blog
    Monday, June 8, 2009 11:18 AM
  • I would agree with Raul - I cannot see how this would be achieved through a form of SSO.

    Keith
    Monday, June 8, 2009 7:38 PM
  • IAG could provide SSO only for Web Applications.

    Thank you for your confirmation

    Regards,
    Alex
    GIRAUD Alexandre - MVP Forefront France - http://www.alexgiraud.net/blog
    Tuesday, June 9, 2009 6:52 AM
  • Hi Jaco,

    In Remote Desktop clients prior to version 7 (currently only available in Windows 7), the only way to do SSO is via client side credentials as described by my esteemed colleagues. But, in RDC 7 there are additional mechanisms that would be explained soon here: http://go.microsoft.com/fwlink/?LinkId=137334 (not yet available).

    Meir :->
    ___________________________________________ Meir Mendelovich, Sr. Program Manager Microsoft Forefront - IAG/UAG Product Group Anything you can do, I can do anywhere!
    Friday, June 12, 2009 9:32 PM
  • Excellent Topic.

    I created a customization for one of my customers recently. The user experience is that they log into IAG >1> click on a link >2> see the desktop of their Terminal Server.

    What happens in transition #2? Through various ASP.NET calls, I take the stored IAG AD Repository credentials and pass them directly into the Windows Server Login and Password prompt.

    So if you were to RDP into your DC 10.10.2.1 right now, what would you see? Probably a login screen with Windows Server 2003 or Server 2008. My customization will provide automatic sign on into that challenge. With some login scripts, even launch an application.

    Thanks!
    Dennis Lee
    Thursday, July 2, 2009 6:29 PM
  • Superb news Meir - I can see many requests for this functionality although I don't recall it being discussed on any of the webcasts - open or NDA driven.

    Regards

    Keith
    Thursday, July 2, 2009 7:44 PM