RemoteApps Programs in Web Browser and Domain Auth

    Question

  • Does anyone have any ideas on how to get the RemoteApp programs, when launched from RD Web Access, to use the same credentials as when you logged in, instead of having to re-enter them, or at least to remember the domain and not default to localhost?
    Wednesday, October 14, 2009 9:18 AM

All replies

  • Hi,

    This feature is called Single Sign On (SSO)

    http://blogs.msdn.com/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx


    Strength is in justice
    Wednesday, October 14, 2009 9:54 AM
  • Hmm, still getting the login auth box whenever I click a RemoteApp, as it is still defaulting to localhost rather than the domain. The first web login box works fine and auto-authenticates with the domain.
    Wednesday, October 14, 2009 1:35 PM
  • What OS are you using? SSO is available only in 2008 R2
    Strength is in justice
    Wednesday, October 14, 2009 2:16 PM
  • 2008 R2
    Wednesday, October 14, 2009 2:57 PM
  • Hello Alex,

    Kudrat is correct: Web Single Sign-On (SSO) for RemoteApp is the solution to your question. However, according to your feedback, you are still prompted for additional credentials when clicking the RemoteApp application, even though SSO is configured. Based on my experience, this issue may be caused by an unsupported RDC client or an incorrect SSO configuration.

    As the first step, please note that Web SSO is only supported by RDP 7.0 so far. Meanwhile, the Remote Desktop Connection client software supporting RDP 7.0 is not yet released for Windows Vista or previous versions of Windows. Therefore, even if SSO is correctly configured, it only works for clients running Windows Server 2008 R2 or Windows 7 with RDP 7.0 support. You can refer to the RDS team blog for more information.

    Note: To check whether Remote Desktop Connection supports RDP 7.0, please run mstsc.exe, right-click the computer icon at the top-left corner, and then select About. The last section of the About information shows the RDP version supported by the RDC client.

    If you’re using Windows Server 2008 R2 or Windows 7 with an RDC client that supports RDP 7.0 for the test, and the issue persists, you can go on to check whether anything went wrong in the SSO configuration. Most notably, please ensure that the RemoteApp certificate is trusted by the client user/computer. As the team blog cited by Kudrat says:

    “If the certificate is not issued by a trusted public CA, the certificate must be imported into the Trusted Root Certification Authorities certification store on the client computer to be trusted by the client operating system. Members of the local Administrators group, or equivalent, on the client computer can import the certificate or it can be done by using Group Policy.”

    I’d like to provide further assistance on how to configure the certificate on the server and client computers, but the process depends on the specific situation and requirements in your environment. Please send me the following information and I can give you the detailed steps:

    · Do you use Session Host or Session Broker mode to host the RemoteApp Web Access?

    · Is the certificate used by the RemoteApp programs from a public CA that is a member of the Microsoft Root Certificate Program, or not?

    · Are you using RD Gateway to work with RemoteApp too?

    Thanks for your cooperation and patience. I’m looking forward to hearing from you.

    Lionel Chen

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfd@microsoft.com

    Thursday, October 15, 2009 10:17 AM
  • Hello Alex,

    How are you? How is the case going now? Please don't hesitate to let us know if I can provide any further help.

    Thanks and wish you a nice day.

    Lionel Chen

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfd@microsoft.com

    Monday, October 19, 2009 8:04 AM
  • I had a few more goes and I have followed the page and have the certificate installed, but there is still a login prompt and it still needs domain\username. Is it also possible for RemoteApp to avoid the disclaimer notice by default when logging in, as users need to enter login information and sometimes click OK?
    Wednesday, October 21, 2009 8:35 PM
  • Hello Alex,

    It’s nice to hear from you again.

    In the update, you mentioned two questions:

    1. You still cannot use SSO. The credential prompt still occurs;

    2. You want to hide the warning window about “A website wants to run a RemoteApp program.”

    For the first question, I highly recommend that you double-check the version of your client system. Currently, RDP 7.0 is not supported by Windows Vista or previous versions. In such a case, even though the certificate for the RemoteApp is installed, you cannot use the SSO feature. If you are already using Windows 7, please check the status of the certificate using the following steps:

    1. Run mmc.exe and add the Certificates snap-in via File – Add or Remove Snap-ins – Certificates – Add.

    Note: Choose “Current User” or “Current Computer” depending on whether SSO is required for the user or for all the users of this computer.

    2. Expand Trusted Root Certificates\Certificates and check whether the certificate issued by the RemoteApp server, or the root certificate you used for the certificate, exists here. If so, double-click it to check the status.

    If the certificate doesn’t work correctly or doesn’t exist, please re-import the certificate.

    For the second question, the prompt appears because the computer doesn’t trust the publisher listed in the “Publisher” part. To hide this prompt, I am afraid that using SSO is the prerequisite. After you ensure that SSO is working correctly, you can import the same certificate into Trusted Publishers using the following steps:

    1. Run mmc.exe and add the Certificates snap-in via File – Add or Remove Snap-ins – Certificates – Add.

    2. Expand Trusted Publishers\Certificates\

    3. Click Action – All Tasks – Import…

    4. Browse to find the certificate and choose to “Place all certificates in the following store: Trusted Publishers”. Finish the wizard.

    5. Restart Internet Explorer.

    On the login page of the Web Access, select This is a private computer and sign in. Click any one of the RemoteApp applications and the prompt window appears. But this time, you will find an option, Don’t ask me again for remote connections from the publisher; check it, and the window won’t appear again.

    For more information about the trusted publisher topic, please refer to:

    “Unknown Publisher”? Where did this dialog box come from?

    http://blogs.technet.com/askperf/archive/2008/09/23/unknown-publisher-where-did-this-dialog-box-come-from.aspx

    Hope the information above helps. Thanks for your patience and cooperation again.

    Lionel Chen

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfd@microsoft.com

    • Marked as answer by A13x Saturday, October 31, 2009 9:13 PM
    Thursday, October 22, 2009 10:56 AM
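The certificate checks from the answer above, done from PowerShell instead of the MMC snap-in. This is an added example, not part of the original thread: the functions `Get-CertTrustReport` and `Test-CertChain` and the default `$CerPath` are hypothetical names and a placeholder path for the exported RemoteApp signing certificate.

```powershell
# Added example (not from the thread). $CerPath is a placeholder: point it at the
# exported certificate used to sign the RemoteApp programs.
param([string]$CerPath = 'C:\Temp\remoteapp-signing.cer')

function Get-CertTrustReport {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Root = "Trusted Root Certification Authorities", TrustedPublisher = "Trusted Publishers",
    # checked for both scopes the Certificates snap-in offers.
    foreach ($location in 'CurrentUser', 'LocalMachine') {
        foreach ($store in 'Root', 'TrustedPublisher') {
            $found = @(Get-ChildItem "Cert:\$location\$store" |
                       Where-Object { $_.Thumbprint -eq $Cert.Thumbprint })
            New-Object PSObject -Property @{
                Location = $location
                Store    = $store
                Present  = ($found.Count -gt 0)
            }
        }
    }
}

function Test-CertChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation lookups so the check also works without network access.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($Cert)
    $now = Get-Date
    New-Object PSObject -Property @{
        Subject      = $Cert.Subject
        Issuer       = $Cert.Issuer
        NotBefore    = $Cert.NotBefore
        NotAfter     = $Cert.NotAfter
        InValidity   = ($now -ge $Cert.NotBefore -and $now -le $Cert.NotAfter)
        ChainTrusted = $trusted
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

if (Test-Path $CerPath) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    Test-CertChain -Cert $cert | Format-List
    Get-CertTrustReport -Cert $cert | Format-Table Location, Store, Present -AutoSize
} else {
    Write-Warning "Certificate file not found: $CerPath"
}
```

`ChainTrusted` being false with an `UntrustedRoot` status corresponds to the missing Trusted Root import; `Present` being false for `TrustedPublisher` corresponds to the publisher prompt still appearing.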
  • Hello Alex,

    How is the case going now? Feel free to follow up here and I'll try my best to provide further assistance.

    Thanks and have a nice day.

     

    Lionel Chen

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfd@microsoft.com

    Wednesday, October 28, 2009 7:18 AM
  • Amazing, that answer did it and it all works perfectly! Is there any chance of making 'This is a private computer' the default option?
    Saturday, October 31, 2009 9:14 PM
  • Hello Alex,

    I’m glad to hear that the issue has been resolved.

    Regarding your new question on setting “This is a private computer” to be the default choice, you can achieve this goal by customizing the RDWeb related pages, but please note that we don’t recommend that you do so because:

    · The modifications in the system folder can result in instabilities of your environment.

    · The modifications may be overwritten by software updates in the future.

    Having said that, please refer to the following method to set the default choice to “This is a private computer”:

    1. On the Web Access server, navigate to the following folder:

    %windir%\Web\RDWeb\Pages\en-US\

    2. Back up the file login.aspx to another place.

    3. Right-click the login.aspx file and select Edit; the file will open in Notepad or another default HTML editor.

    4. Use the Find feature to find the following code snippet:

    <label><input id="rdoPblc" type="radio" name="MachineType" value="public" class="rdo" onclick="onClickSecurity()" checked /></label>

    and remove the checked from the code:

    <label><input id="rdoPblc" type="radio" name="MachineType" value="public" class="rdo" onclick="onClickSecurity()" /></label>

    5. Use the Find feature to find the following code snippet:

    <label><input id="rdoPrvt" type="radio" name="MachineType" value="private" class="rdo" onclick="onClickSecurity()" /></label>

    and add a checked property in the label:

    <label><input id="rdoPrvt" type="radio" name="MachineType" value="private" class="rdo" onclick="onClickSecurity()" checked /></label>

    6. Save the change.

    With these steps, the page will use “This is a private computer” as the default choice.

    Please give it a try and let me know if I can provide any further assistance. Have a nice day, Alex.

    Lionel Chen

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfd@microsoft.com

    Monday, November 02, 2009 3:00 AM
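Because the post above notes that software updates can overwrite this customization, the following added example (not part of the original thread) reports which `MachineType` radio button a login page pre-selects. The function name `Get-DefaultMachineType` is hypothetical, and `$sample` is constructed from the two `<input>` lines quoted in the post.

```powershell
# Added example, not from the thread. $sample is constructed from the two <input>
# lines quoted in the post above (unmodified state: "public" carries checked).
$sample = @'
<label><input id="rdoPblc" type="radio" name="MachineType" value="public" class="rdo" onclick="onClickSecurity()" checked /></label>
<label><input id="rdoPrvt" type="radio" name="MachineType" value="private" class="rdo" onclick="onClickSecurity()" /></label>
'@

function Get-DefaultMachineType {
    param([string]$Html)
    # Every <input ... name="MachineType" ...> tag on the page.
    $tags = [regex]::Matches($Html, '<input\b[^>]*\bname\s*=\s*"MachineType"[^>]*>', 'IgnoreCase')
    foreach ($t in $tags) {
        # Blank out quoted values so only a bare "checked" attribute is counted.
        $bare = [regex]::Replace($t.Value, '"[^"]*"', '""')
        if ($bare -match '\bchecked\b' -and $t.Value -match '\bvalue\s*=\s*"([^"]*)"') {
            return $Matches[1]
        }
    }
    return $null   # no radio button is pre-selected
}

"Sample page default: $(Get-DefaultMachineType $sample)"

# Path from the post; only present on an RD Web Access server.
if ($env:windir) {
    $page = Join-Path $env:windir 'Web\RDWeb\Pages\en-US\login.aspx'
    if (Test-Path $page) {
        $current = Get-DefaultMachineType ([IO.File]::ReadAllText($page))
        "Installed page default: $current"
    }
}
```

For the constructed sample the function returns `public`; after the edit described in the post it returns `private`, and a return to `public` after patching indicates the file was overwritten.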
  • Hello Alex,

    How is the case going now? I'd like to assist you further if you have any more questions or difficulties on this topic.

    Thanks and have a nice day.

    Lionel Chen

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfd@microsoft.com

    Wednesday, November 04, 2009 8:01 AM
  • I do not understand why it is failing again, and I found out that the fix did not fix it completely. If I log in and click on any RemoteApp once, it will prompt for username and password again; after entering it a second time, it will no longer prompt. I think it will only prompt when the RD connection to the RDS has either timed out.

    The SSL certificate is not registered in the name of the server but instead the URL which points to the server. There is a mention of the server name in the SSL certificate also, and it can be added fine to the certificates. Will this affect the SSO?

    Wednesday, November 04, 2009 11:03 AM
  • Hello Alex,

    Thanks for your feedback.

    Based on your description, I suspect that the SSO is still not working correctly. Please generally describe the following information to me:

    · The version of your client OS and the Remote Desktop Connection.

    · The version of the client Internet Explorer.

    · How did you get the certificate to digitally sign the RemoteApp Programs and the SSL? Please briefly describe it.

    Thanks for your cooperation.

     

    Lionel Chen

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfd@microsoft.com

    Friday, November 06, 2009 9:32 AM
  • Hello Alex,

    How are you?

    Does the issue still occur? If it persists, please let me know the information above and I'm always glad to help you.

    Thanks.


    Lionel Chen

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfd@microsoft.com


    Wednesday, November 11, 2009 3:42 AM