I'm trying to publish RemoteApp with authentication by smartcards and SSO working. Users have to input the PIN only once and be able to launch the remote application without any additional credential prompts.
Certificates have been mapped to user accounts in Active Directory.
I've done these steps for certificate authentication: I've copied the cert, login, validate, repository files to von\InternalSite\inc\CustomUpdate\, then I've changed them as described in the manual.
As a result, after the user has successfully authenticated on the UAG portal with a smartcard and clicked on the remote application's icon, the user is prompted with an additional credential dialog for Windows authentication. So, SSO isn't working.
I know I can achieve working SSO with smartcards using KCD (Kerberos constrained delegation) but I don't know how. Are there any guides or examples of such a configuration?
The RemoteApp SSO works differently than the regular web SSO.
When using web SSO, the UAG replies on behalf of the user to the backend web server using HTTP authentication (i.e. the web server sends a 401 response and the UAG replies with an Authorization header). This allows the use of KCD, as the UAG can request the user's Kerberos ticket without knowing the user's full credentials.
In the RemoteApp scenario, the SSO is done on the client side: as part of the login process, some scripts on the client catch the user's credentials and store them in a workspace (ActiveX) that is later used by the Remote Desktop application (mstsc) to authenticate against the backend server. Unlike the web SSO, in this scenario the UAG does not reply to the backend server on behalf of the user, so KCD cannot be used here.
So in short: in order to establish SSO with RemoteApp, the user must provide their credentials at the login phase, and if no credentials are provided at the login phase (as with certificate-based authentication, or another method), RemoteApp SSO cannot be