WAP to AD FS to RDWeb - guides on best way to authenticate users for RDWeb/RemoteApps via AD FS.

  • Question

  • Hi everyone,

    I have the following three servers:

    dc.domain.x (Domain Controller)

    adfs.domain.x (ADFS Server)

    wap.domain.x (WAP Proxy Server)

    rdweb.domain.x (RDWeb/RemoteApp Server) IIS redirects to RDWeb\Pages automatically.

    This is my third attempt to get this to work - I have four clean servers with matching SSL certs ready to go.  I got stuck last time because I had IIS with certs on ADFS server which was causing problems visible in netstat which I will avoid this time.

    I've done a lot of Googling and followed several guides and haven't quite found what I'm after - first two rounds were failures with getting WAP to redirect to ADFS to Authenticate.  In the few times I did get AD FS to Authenticate I then couldn't get the redirect to RDWEB to occur.  I'm after a guide that can best help me work through the following:

    1.  Best setup of ADFS on a single server knowing it will receive requests via a WAP server.

    2.  Best setup of WAP on a single server knowing it will receive requests on 443 from the public internet.

    3.  Best setup of RDWeb Remoteapp on a single server knowing it will receive users after being authenticated via WAP/ADFS.  Does 3389 need to be open to the public web on this one like in a non-adfs RemoteApp deployment or does everything stream via the WAP?

    Essentially, initially, I want to achieve the ability for domain users to hit the WAP server, be authenticated then redirected to the RDWeb server.  Finally, once this works, I want to set up a claim trust with another company's server so their users can hit our WAP, authenticate, and be directed and log on to our RDWeb/RemoteApp servers.  I understand SSO is difficult with AD FS and RemoteApp so I'm not making this a requirement, it's just an extra if I can pull it off later.

    If anyone has any advice it would be much appreciated.

    Cheers,

    Tim


    Wednesday, December 7, 2016 2:15 AM