RD Web Access thru RD Gateway single sign on problem RRS feed

  • Question

  • Hi folks,

    I appreciate a lot any help to my issues with RD web access externally through RD gateway. I have searched quite a lot but do not seem to find suggestions that could solve my problem.

    My setup is a very simple one server (domain member of an internal domain) installed with all the RD services rolls (RD web access, RD gateway, RD session host, no RD session broker). The server has internal domain name and IP. A fire wall is setup at the edge of internal domain, which only pass through port 443. The fire wall captures an external FQDN with fixed IP and passthrough https request to the RD server in the internal domain.

    The RD server (RD web access, RD gateway, RD session host) uses a self-generated certificate to sign everything (RD gateway certificate, Remote Apps, RD session host). the certificate is issued to the external FQDN, which is publicly accessible/routable/registered DNS name/IP.

    Now I have installed this particular certificate also on my client pc under trusted root certification authority. I have no problem to connect to https://FQDN/RDWeb, being asked the RDWeb credential (internal domain admin credential). the Remote Apps list properly. If I click an App, I am asked the credential of RD gateway server. with my internal domain  admin credential, I have no problem to launch RemoteApps.

    My issue is: how can I make single sign on to work. I read at microsoft guide stated that single sign on only works for client and server joined to the same domain. is this the case?

    Please advice. What I have missed, or what I could do to make SSO work?

    Thanks a lot.

    Tuesday, February 12, 2013 7:46 PM

All replies

  • After reading your post, it looks like there is one thing I didn't see you do.

    Did you add the RD Web Access server to the TS Web Access Computers group on the RD Session Host server?  Since it's on the same machine, right-click Computer, Manage.

    Go to Local Users and Groups, then Groups.  Add the computer to the group "TS Web Access Computers".

    Might want to also check out Configuring SSO on Client, Web SSO in Windows Integrated Authentication, and Web SSO with RD Gateway at the bottom of this blog:


    • Proposed as answer by CorrectTech Thursday, July 31, 2014 2:54 PM
    Tuesday, February 12, 2013 10:07 PM
  • Hei Guy,

    thanks for the reply. I did have done what you suggested, added the RD web access server to the TS web access computers group. I have read and followed the instructions of the Configuring SSO on Client, Web SSO blog to the detail. The "use the same user credentials for RD and Session host server" is ticked. I think I have this part working, that is I am not prompted for the session host credential. The problem is it seems that I am being asked credentials both for RD web access and RD gateway. so I wonder what prevented my credential for RD web access to be forwarded to RD gateway.Or have I misunderstood?

    thanks again and look forward to your further suggestions.

    Wednesday, February 13, 2013 7:59 AM
    • Edited by Ryan Mangan Wednesday, February 13, 2013 11:44 AM
    Wednesday, February 13, 2013 11:43 AM
  • Hei Ryan,

    thanks for the reply. I think I should make my setup more detailed than I did.

    I have one RD server running windows server 2008 R2, patched to the latest update. the RD server is running all features except RD connection broker (RD web access, RD gateway, RD session host). the client is window 7 patched to the latest, with RDP 8. The RD server is a member of internal domain rd.internaldomain.local. A firewall passes through a fully qualified domain name (rd.externaldomain.com) https request https://rd.externaldomain.com/RDWeb to the internal RD server's DNS name rd.internaldomain.local, as well as gateway request, through port 443. The RD web access, the RD gateway, and the Remote apps are all signed with a self-generated certificate with CN=rd.externaldomain.com. this certificate is installed on client as trusted root certification authority.In addition, I have enabled all the credential delegation options within the group policy on the RD server. Although in IIS, for RDweb-> pages, I have enabled anonymous authentication as well as form based authentication.

    I am not sure how your post would help me, as I did everything you suggested in your reply to the link you provided above. It seems to me that single sign on works from RD gateway to RD remote apps (I do not need to authenticate both on gateway and session host). But I fail to make SSO work between RD web access and RD gateway. I need to first authenticate with the RD web access to be able to see all the remote apps, then I need to authenticate with the RD gateway again to launch the remote apps.

    Any more suggestions? thanks a lot.

    Wednesday, February 13, 2013 1:53 PM
  • I'm looking at my IIS settings, and it looks like for RDWeb, I have Forms Authentication disabled.  Anonymous Authentication is enabled.  In fact, under Authentication, Anonymous Authentication is the only thing enabled.

    In RD Gateway's IIS, Rpc authentication - I have all disabled except for Basic Authentication and Windows Authentication.

    I hope that helps.

    Friday, February 15, 2013 10:49 PM
  • Hi Guy,

    thanks for reply. I checked my IIS settings. One strange thing I found is that under Default Web site, I have no entry for RD Gateway, only RD Web, rpc, rpcwithcert entries. Is this correct? I looked into a windows 2008 server (with TS gateway role services installed) and I found a TS entry, which you can set for IIS authentication method. But on windows 2008 r2, I dont find the entry of RD gateway under default web site. has microsoft removed this entry?

    anyway, I did what you suggested, only anonymous authentication for RDweb, basic and windows authentication for RPC. no change, I was still prompted for credentials for RD gateway. I notice however that before the prompt appears, I see a window briefly shows " looking for credentials", then my local logon credential (local credential on client pc) is presented and prompted for password, which I have to write internal domain username/password. It seems to me that the RD web's credential is not registered. Or is that because RD gateway is looking for local logon credentials anyway? how to make RD gateway to accept cookie credential of RD Web access page? I figure the logic of the entire RD access is that in principle one has to authenticate three times: 1. RD web, 2. RD gateway, 3. RD session host. I think I manage to let the RD gateway and RD session host to use the same credential (this is obvious as one can choose "use RD gateway credentials for session host" option in remote app settings). but how can I let RD gateway to accept RD web page credential, being that cookies or windows logon credentials?

    thanks for help.

    Saturday, February 16, 2013 9:25 AM
  • There is no entry for "RD Gateway" in IIS.  I mean on your server with RD Gateway role, check your IIS settings.  Since you have all roles on one server, you should see RD Web and rpc.  The rpc entry is for your RD Gateway role.  RD Web is for your (obviously) RD Web role.

    Just for troubleshooting, can you try adding your internal server FQDN in the cert as well?

    Thursday, February 21, 2013 9:14 PM
  • Thanks again Guy. The IIS authentications after following your advice look like this:

    Default web site: only Windows authentication enabled.

    RDWeb: only anonymous authentication enabled.

    RDWeb/Pages: only anonymous authentication and Forms authentication enabled

    Rpc: only Basic authentication and Windows authentication enabled.

    Tried to change RDweb/pages authentication settings to others, still got no luck.

    I tried to use a SAN certificate, with CN=external FQDN, alternative names:DNS=internal domain FQDN, IP4=internal IP address. use this certificate to sign remote apps, and import to client's "trusted root certification authorities". still got the second prompt for credentials for gateway.

    I am totally stuck.

    Friday, March 1, 2013 11:11 AM
  • Is your client Win7 SP1 with all the Windows Updates?

    Asking because I had the same issue with clients until I installed this hotfix:


    I noticed that this hotfix is already included in the latest Windows Updates.  Actually, RDC was upgraded to 8.0 in Windows Update, which included the fix as well as support for Windows 8/Server 2012.

    Tuesday, March 5, 2013 4:17 PM
  • Check your folder permissions.


    Give Read & Execute to "Authenticated Users".

    • Proposed as answer by Saimon_SP Wednesday, July 13, 2016 2:46 PM
    Wednesday, January 15, 2014 6:28 PM
  • Did you ever figure this out, i have same issue, i connect to RDWEB just fine, then i launch app and im prompted to connect to gateway server, it list the FQDN name of gateway. If i type in domain\userID and password i get in, but obviously double login is deal breaker.

    Monday, June 9, 2014 3:29 AM
  • Did you ever figure this out, i have same issue, i connect to RDWEB just fine, then i launch app and im prompted to connect to gateway server, it list the FQDN name of gateway. If i type in domain\userID and password i get in, but obviously double login is deal breaker.

    What have you done so far to troubleshoot?
    • Edited by Guy Techie Wednesday, August 13, 2014 4:47 PM
    Wednesday, August 13, 2014 4:47 PM
  • ***My issue ended up being caused by a customization to the authentication on the WA form***

    I had removed the need for users to enter their domain prefix when logging into Web Access. After rolling the customization back SSO began working again.


    Same issue here;

    Has anyone come up with a solution for RemoteApp SSO via RD Web Access for non domain joined clients? I get prompted at the Web Access form and then again at the Gateway. SSO from the Gateway to the Session Hosts is working as expected for external clients.

    I can cache credentials using credential manager but that is not an ideal solution.

    SSO works internally because we have a GPO allowing clients to delegate their credentials to the Gateway but I don't have that luxury on non-domain joined clients.

    Details about our environment:

    • Public CA issued wildcard cert assigned to all RD roles/servers
    • F5 used to reverse proxy connections
    • Two separate Web Access servers (one for internal and one external)
    • One Gateway server that only external users connect via

    Having the gateway and web access roles on the same server wouldn't help at all would it? My understanding is that the web access server simply hands the client an .rdp file with instructions on how to connect.

    • Edited by xSwadSx Thursday, December 11, 2014 4:12 AM
    Thursday, December 4, 2014 11:28 AM