SSO in RDWeb and RemoteApps

  • Question

  • Currently I am looking to utilize a SSO solution in both RDWeb and Published Remote Apps. Right now, I have implemented the SSO for the remote desktop client, so when I access my terminal server it uses the credentials provided at the domain logon. This however does not work when you either attempt to open a remote app in RDWeb or a published App on the computer.

     

    Any assistance would be greatly appreciated.

     

    -Jared

    Wednesday, December 21, 2011 4:48 AM

Answers

  • Hi, Jared.

    As I understand SSO (using logged on credentials) works for you if you connect directly using MSTSC, but does not work when you use an RDP file.

    SSO should work in both cases as long as you use the same target name format. Please check that your RDP file contains the target server name exactly as you entered it in GPO. Then open the RDP file for edit and MSTSC will tell you immediately if it's going to send your logged on credentials to the server or is going to prompt. If MSTSC says that it's going to use logged on credentials, but still prompts, read carefully the text on the credential prompt. It might prompt, for example, when it fails to authenticate the server. In this case you might need to apply workarounds described here: http://blogs.msdn.com/b/rds/archive/2008/04/30/problems-using-default-credentials-with-vista-rdp-clients-with-single-sign-on-enabled.aspx . Also notice the name of the server it is prompting for; it might be the gateway server. SSO for the gateway is configured differently through a different GP setting.

    Thx,

    Sergey.


    Sergey A. Kuzin
    • Marked as answer by Jaredr80 Saturday, January 14, 2012 2:18 PM
    Monday, January 9, 2012 6:48 PM
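    The name-format check Sergey describes, as an added PowerShell diagnostic that is not from this thread: it reads the target and gateway host names out of a .rdp file and compares them against the TERMSRV/ patterns that the "Allow delegating default credentials" policy writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation on the client. The .rdp path is a placeholder; run it on the client that is being prompted.

```powershell
# Added example (not from the thread): does this .rdp file's target match a
# TERMSRV/ pattern in the client's credential-delegation policy?
param([string]$RdpPath = 'C:\placeholder\app.rdp')   # placeholder path

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

# The policy stores its server list as numbered string values ("1", "2", ...)
# in a subkey named after the policy value, e.g. AllowDefaultCredentials.
function Get-DelegationTargets {
    param([string]$ValueName)
    $subKey = Join-Path $policyKey $ValueName
    if (-not (Test-Path $subKey)) { return @() }
    $item = Get-ItemProperty -Path $subKey
    $item.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}

# Parse the "key:type:value" lines of the .rdp file into a hashtable.
function Read-RdpSettings {
    param([string]$Path)
    $settings = @{}
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^([^:]+):[si]:(.*)$') { $settings[$matches[1]] = $matches[2] }
    }
    return $settings
}

# Policy entries look like TERMSRV/srv.corp.local or TERMSRV/*; a short name in
# the file and an FQDN in the policy (or vice versa) will not match.
function Test-TargetAllowed {
    param([string]$HostName, [string[]]$Patterns)
    $bare = ($HostName -split ':')[0]          # drop an explicit :3389 port
    foreach ($p in $Patterns) { if ("TERMSRV/$bare" -like $p) { return $true } }
    return $false
}

$rdp     = Read-RdpSettings -Path $RdpPath
$allowed = Get-DelegationTargets -ValueName 'AllowDefaultCredentials'
$target  = $rdp['full address']
$gateway = $rdp['gatewayhostname']

"Policy patterns : $($allowed -join ', ')"
"RDP target      : $target  allowed=$(Test-TargetAllowed $target $allowed)"
if ($gateway) {
    "RD Gateway      : $gateway (usage method $($rdp['gatewayusagemethod'])); gateway delegation is a separate policy"
}
if ($rdp['signature']) { "File is signed; regenerate it from RemoteApp Manager rather than editing by hand" }
```

A target reported as allowed=False while mstsc to the same server works is the mismatch Sergey points at: the name written in the file and the name in the policy differ in format.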

All replies

  • Hi,

    Thank you for posting here.

    Did you meet the requirements for Web SSO?

    • To take advantage of the new Web SSO feature, the client must be running Remote Desktop Connection (RDC) 7.0.
    • In order for Web SSO to work:
      a. The connection in RemoteApp and Desktop Connections must have an ID. By default, it is set to the Fully Qualified Domain Name (FQDN) of the RD Connection Broker server in case of RD Connection Broker mode. In RD Session mode, it is set to the FQDN of the RD Web Access server.
      b. RemoteApp programs must be digitally signed using a Server Authentication certificate [Secure Sockets Layer (SSL) certificate]. The certificate Enhanced Key Usage section must contain 'Server Authentication (1.3.6.1.5.5.7.3.1)'. More details about the types of certificates used to digitally sign RemoteApp programs can be found here.
      c. Client operating systems must trust the certificate with which the RemoteApp programs are signed.

    This guide explains the process of setting up Web Single Sign On for Remote Apps:
    http://blogs.msdn.com/b/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx

    Hope the references help you!

    Clarence


    Wednesday, December 21, 2011 8:52 AM
  • Thanks Clarence. 

     

    I have managed to get the RDWeb SSO to work, by installing the cert manually on a computer to test. I also changed the Security setting in the host config from Negotiate to SSL. However, I want to make it so that, when a person has remote apps published to their desktop computers, it does the same thing?

     

    Please advise.

    -Jared

    Wednesday, December 21, 2011 12:34 PM
  • Jared,

    If installing the cert manually fixed it, then the fact that the cert is not trusted on the client could be the issue. As Clarence states, RemoteApps need to be signed with a cert that is trusted by the client in order to achieve SSO.


    Kind regards,
    Freek Berson
    Wednesday, December 21, 2011 1:52 PM
  • Freek,

     

    I tested this to make sure I was stating the information correctly, and the info still stands. The cert is installed on the client. When the client goes into the RDWeb app, they can launch the app using SSO and they are not prompted again for username and pw. However, I publish an app using the same cert, digitally signed, and I am still being prompted for a username and password.

     

    Thanks!

    -Jared

    Wednesday, December 21, 2011 2:02 PM
  • Hi Jared,

    Where are you getting the "Published App", are you talking about a computer that has RemoteApp and Desktop Connections setup and is launching through the Start menu?

     

    For SSO the way it is implemented, you must provide your Username/Password once.  In the case of RDWA, you are using your Username/Password when logging into the webpage and then when you click on an application it re-uses this for launching, assuming the Workspace is identical and the RDP file is signed properly.

    From the start menu, your first application will prompt for username/credentials and then subsequent launches will re-use that username/password, assuming they match the workspace of the original and are signed with an identical cert.

     

    The above is independent of using logged on credentials; if you set the proper GPOs, your logged on credentials will be delegated to the computers you are signing into and you will never get prompted.

     

    Let me know which scenario you are trying to achieve and I will give you more details.


    Thanks,
    Kevin

     

    Wednesday, December 21, 2011 11:41 PM
  • Kevin,

     

    I appreciate the response back. By published apps I mean either published through creating an .rdp file or through an MSI to place it in a folder. I have set the proper GPOs so that it uses my logged on credentials for when I RDP into this server, but not in anything else.

     

    Any advice would be greatly appreciated. 

     

    Please let me know if you have any questions!

    -Jared

    Wednesday, December 21, 2011 11:51 PM
  • Are the published apps hosted on the RDSH server(s) or VDI?  I am assuming you have all GPOs set to delegate credentials to all the servers.  Can you verify by opening up mstsc and just connecting to the server directly?  If this doesn't work then the GPO needs to be fixed (Also verify that you don't have any saved credentials for the server through the Credential Manager).

     

    If the above works, are you going through a Gateway, if so make sure the credential delegation is on for that as well.

     

    I will talk with the SSO expert on the team to see if there are any other gotchas with the GPO for credential delegation, but he may be away for holidays, so it may be a week or so.

     

    Here is a webpage that talks more about SSO, from a Web perspective but touches on the Credentials.

    http://blogs.technet.com/b/mrsnrub/archive/2010/03/22/remote-desktop-services-websso.aspx

     

    Thursday, December 22, 2011 12:38 AM
  • Kevin,

     

    I appreciate the help. It is basically narrowed down at this point to published apps hosted on the RDSH server. Currently my setup is an SBS 2011 server as the DC, and then I have a secondary RDSH server running on Server 2008 R2. On any client computer where I have the GPO being applied to delegate credentials to all servers, I can open mstsc and connect to the server using the logged on credentials. In RD Web Access, like you suggested previously, it uses the web form, which again does not prompt for a pw after entering it in the web form.

     

    I only have the gateway on my SBS 2011 server. However, all authentication seems to be done through the RDS server. Does that mean that there is a gateway on there as well?

     

    My major question is, if it works with mstsc with no problem, why is the published app still prompting for a pw?

     

    Thanks!

    -Jared

    Thursday, December 22, 2011 12:59 AM
  • Hi Jared,

    Authentication happens in 2 places, at the Gateway as well as the end-point.  My theory is that with mstsc it works because you are bypassing the gateway.  You can verify this by opening up the RDP file you are using to connect to the application and remove the Gateway lines and then try connecting. 

    If it is the Gateway, you just need to configure the GPO for delegation of credentials to the Gateway.  There are some slight differences in the RemoteApp versus desktop connection sequence, but the authentication should be the same.

     

    Thanks,
    Kevin

    Thursday, December 22, 2011 1:22 AM
  • I have added the gateway as well to that GPO, and still am seeing similar results. I attempted to edit the rdp file, and no matter what line was edited, the rdp file would not open and state it was corrupted.

     

    -Jared

    Thursday, December 22, 2011 1:46 AM
  • Sorry I forgot you were signing the files :)  Change the Gateway settings to not use Gateway in RemoteApp Manager.  Refresh the RDP file with this new setting and then try connecting.
    Thursday, December 22, 2011 10:54 PM
  • Also, I sent an email to our SSO expert, he is gone until the second week of January, so I will loop him in at that time if I can't resolve your issue.
    Thursday, December 22, 2011 10:55 PM
  • No luck. Changed gateway, created new .rdp file and still was prompted for pw.

     

    Though I don't think this will change anything, since it works in MSTSC and RDWeb, it is a self-signed cert, if that changes anything.

     

    -Jared

    Friday, December 23, 2011 2:38 AM
  • Kevin,

     

    Just wanted to bump this to you once again. I wanted to see if you have spoken to your SSO expert. 

     

    I am looking to deploy this week, but I am at a standstill at this point, until I can get this resolved.

     

    Thanks in advance!

    -Jared

    • Marked as answer by Jaredr80 Saturday, January 14, 2012 2:18 PM
    • Unmarked as answer by Jaredr80 Saturday, January 14, 2012 2:18 PM
    Wednesday, January 4, 2012 1:30 AM
  • Sergey,

     

    I changed my GPO for terminal server creds and had not included the domain name in the GPO. After entering that and updating the group policies, I was able to successfully do SSO without entering any pws.

     

    Thanks!

    -Jared

    Monday, January 9, 2012 7:31 PM
  • Hi,

    Windows Remote Desktop Services 2012 requires DTLS and RDP 8.0 support before SSO will work.

    You would also be required to enable the MsRdpClientShell Class (ActiveX Control) if you want to use SSO from the website.

    • Ensure that you have Windows 7 SP1.
    • Download and install KB2574819 and restart the Windows 7 client.
    • Download and install KB2592687 and restart the Windows 7 client.
    • Reset the Internet Explorer settings to the default configuration by navigating to the advanced Internet options settings.
    • Load the Remote Desktop website from Internet Explorer using a version 9 browser.
    • You should then be prompted with a popup stating the webpage wants to run the following add-on: 'Microsoft Remote Desktop Services Web Access Con..' from 'Microsoft Corporation'.
    • Allow this.
    • You can check whether the add-on is enabled by navigating to Manage Add-ons within the options menu. Look for the MsRdpClientShell Class ActiveX Control version 6.2.9200.16398.

    You should now be able to load the Remote Desktop Services 2012 website and launch remote apps and desktops using single sign on (SSO).

    Best Regards,

    Ryan

    • Proposed as answer by Ryan Mangan Thursday, December 27, 2012 11:29 PM
    Thursday, December 27, 2012 11:29 PM