SSO to RemoteApp using a different namespace

  • Question

  • Hi, thanks for any help with this query.

    So, we have a domain where the internal namespace is different to the external/public namespace. We have a wildcard certificate for the public namespace. At the moment we are testing deployment of RemoteApps. We want Credential Delegation and automatic app opening to work. We have followed the necessary processes for this. We have set up delegation to the TermSrv SPN etc. Now, for us to be able to use the external wildcard cert we need to run the "Change published FQDN for Server 2012 or 2012 R2 RDS Deployment" script, and set this new connection broker FQDN in there. All good to this point, but when we make this change it isn't possible to seamlessly connect to the published RemoteApp... We get an error around the fact the server we are connecting to isn't that of the one published...

    Now, that aside, is there a single post that someone can point me to that deals with a scenario such as this - where the delegation is to a different SPN and it works... I should add that we have also tried to add the changed connection broker SPN to the computer account, and also added it to the places in the GPO for auto pass-through of credentials...

    Hope this makes sense...

    Regards


    Phil


    • Edited by Philip Luke Wednesday, October 16, 2019 11:04 AM
    Wednesday, October 16, 2019 9:54 AM

All replies

  • Hi
    1. "We have followed the necessary processes for this."
       What document did you follow for the necessary processes?
    2. Can you explain your RDS environment in detail?
    3. "set this new connection broker fqdn in there. All good to this point, but when we make this change it isnt possible to seamlessly connect to the published remoteapp.."
       What are the external/public namespace and internal namespace for your RDSH, RDCB, RDWeb and RD Gateway? We can use made-up domain names to represent them.
    In general, we set the following:
    server 1: for rdsh, the internal FQDN: rdsh.mydomain.local
    server 2: for rdcb, the internal FQDN: rdcb.mydomain.local
    server 3: for rdweb, the internal FQDN: rdweb.internaldomain.local, external FQDN: rdweb.externaldomain.com
    server 4: for rdgateway, the internal FQDN: rdgateway.internaldomain.local, external FQDN: rdgateway.externaldomain.com

    Remote Desktop Web Access single sign-on now easier to enable in Windows Server 2012
    https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Remote-Desktop-Web-Access-single-sign-on-now-easier-to-enable-in/ba-p/247389
    How to enable Single Sign-On for my Terminal Server connections
    https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/How-to-enable-Single-Sign-On-for-my-Terminal-Server-connections/ba-p/246523

    Best Regards
    Andy YOU
    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Thursday, October 17, 2019 3:22 AM
    Moderator
  • Hi
    Is there any progress on your question?

    Best Regards
    Andy YOU

    Sunday, October 20, 2019 10:04 PM
    Moderator
  • Hi Andy, sorry for the delay. I've been busy with other projects. I hope to get back to this sometime this week and will update then. Regards.

    Phil

    Tuesday, October 22, 2019 5:44 AM
  • Hi
    Thanks for your reply. I hope everything goes well.


    Best Regards
    Andy YOU


    Tuesday, October 22, 2019 10:06 AM
    Moderator