Enabling SSO with RemoteApp on UAG, can anyone confirm this is still an issue


All replies

  • Yep, still an issue to my knowledge...
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, July 29, 2010 9:07 AM
  • Thanks, do you know which file and line needs to be edited so I can enter the domain name in?

    Many thanks

    Thursday, July 29, 2010 9:45 AM
  • From what I remember, it is not quite as simple as that...hopefully someone has better detail on specifics...
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, July 29, 2010 11:04 AM
  • Thanks, I found this but still can't pass through to work http://technet.microsoft.com/en-us/library/ff607330.aspx
    Thursday, July 29, 2010 11:59 AM
  • I think MS are fully aware of the issue, hence why it is included in the release notes...hopefully they can fix it soon!


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, July 29, 2010 12:38 PM
  • I think whatever domain name is entered into the default domain name on the authentication server on the UAG management is ignored. If you sign into the portal with domain\username that seems to solve the RemoteApp SSO.
    • Marked as answer by Erez Benari Friday, July 30, 2010 6:03 PM
    Thursday, July 29, 2010 2:06 PM
  • After digging through the code, I came up with a quick fix that, though not supported or recommended, will work as long as users sign in with just their username and not UPN or domain\username syntax. If you go to C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\scripts\rdsbase.js and change the code so it places the domain in front of the username before UAG sends credentials to RDS, the user can log on to UAG with just their username. When you launch RemoteApp and click the more info, you will see it now is authenticating with domain\username instead of just username.

    At around line 47

    function rds_sso_in_hook(wspid, cert_hash) {
        wspid = jsHTMLDecode(wspid).replace(/:.*$/,"");
        cert_hash = jsHTMLDecode(cert_hash).replace(/\s+/g,"");

        if (rds_sso_relevant_login(true)) {
            var wspace = workspace();
            var uname = "domainname\\" + rds_sso_uname_hook();
            var pwd = rds_sso_pwd_hook();
            var tmout = rds_sso_tmout_hook();

    At around line 95

    function rds_sso_in_done(is_on, wspid, user_name) {
        is_on = unescape(jsHTMLDecode(is_on));
        wspid = jsHTMLDecode(wspid).replace(/:.*$/,"");
        user_name = "domainname\\" + unescape(jsHTMLDecode(user_name));

        if (is_on == "on") {
            try {
                var wspace = workspace();

    We are looking at a separate custom update script that will do this without having to modify original code as time permits. This was just a quick workaround till we or MS get a permanent fix. Word of caution: if users are using UPN or domain\username to log in, this will break their RemoteApp login as domain will get added to front of these.

     

    Monday, August 9, 2010 2:41 PM
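
Added example (not part of the original posts and not UAG's own code): a guard that prefixes the domain only when the name is not already in domain\username or UPN form, which is the case the post above warns will break. The function names and the `domainname` placeholder are assumptions, and wiring this into rdsbase.js is not shown.

```javascript
// Added example. Hypothetical helper names; not taken from rdsbase.js.
// DEFAULT_DOMAIN is a placeholder, like "domainname" in the post above.
const DEFAULT_DOMAIN = "domainname";

// Classify what the user typed at the portal logon page.
function classifyLogin(name) {
    if (name.indexOf("\\") !== -1) return "down-level"; // DOMAIN\user
    if (name.indexOf("@") !== -1) return "upn";         // user@domain.tld
    return "bare";                                      // user
}

// Return the name to hand on for RDS SSO. Only bare names get the prefix,
// so the function is safe to call twice on the same value (the post edits
// two places in the script, and a double prefix would fail authentication).
function qualifyUserName(rawName, defaultDomain) {
    const name = String(rawName == null ? "" : rawName).trim();
    if (name === "") return name;                      // nothing to qualify
    if (classifyLogin(name) !== "bare") return name;   // already qualified
    return defaultDomain + "\\" + name;
}

// Constructed sample inputs covering the three logon syntaxes in the thread.
function demo() {
    const samples = ["alice", "CORP\\alice", "alice@corp.example", "  bob  ", ""];
    return samples.map(function (s) {
        return { typed: s, sent: qualifyUserName(s, DEFAULT_DOMAIN) };
    });
}

console.log(demo());
```
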
  • netman711:  Thank you for posting the snippet.   It looks elegant compared to what we are attempting now.

    I tried it in our setup and when we launch RemoteApp I still see the username without a domain name.    

    Thoughts on what I might be doing wrong?    

    Is anybody else able to try this?

    Thx.

    Wednesday, August 11, 2010 5:16 AM
  • It works for us, just now battling with "a website wants to run a remoteapp program". It's like pulling teeth.

    Wednesday, August 11, 2010 7:48 AM
  • Open up UAG and reactivate/deploy site. Do not remember if I had to do this or not.  

    Wednesday, August 11, 2010 5:27 PM
  • No way to get rid of that message that I have found yet. That's an RDP/RDS application message that's been discussed all over the forums. One possible solution that I have not yet tried, if running Win 7/Vista, is adding the UAG and RDS certs to local trusted publisher, and there are some new reg keys for RDS where you can define trusted RDS servers and define the trusted cert hash.

    Wednesday, August 11, 2010 5:37 PM