Integrating RD Web SSO with external authentication through SAML based SSO from a related site (Active Directory Federation Services)

  • Question

  • I am looking for help configuring (or more probably writing an extension for) RD Web of Windows Server 2008 R2 so that a user that has previously been authenticated at a related site can be mapped to a local user in our Remote Desktop farm and get access to RemoteApp applications without an additional signon. I have got it working to use a single signon in the RD Web site so far (sign on to RD Web, and no additional sign on after clicking a RemoteApp). But I want to use the SAML authentication token from the other site so that when they link a user to us that has already been authenticated by them, the user does not have to enter a username/password at all at our site.

    Any advice? Where can I find documentation for reconfiguring the SSO authentication or writing my own authentication module that supports SSO? I have dug around the RD Web files but I have so far been unable to determine how the login credentials are passed from the login in the web browser to the rdp client. I can see the signed RDP file contents sent from the server urlencoded, but they do not seem to contain any credentials token.

    Wednesday, March 23, 2011 9:22 AM

Answers

  • Well, I did some reverse engineering and figured out how it is done.

    Basically, javascript in the login page in the rdweb site creates an instance of the client side ActiveX MsRdpClient, retrieves the MsRdpWorkspace property and calls a method on that called StartWorkspace. The login page passes in a workspace id, the username, password and the hash of the certificate signing remoteapps that are allowed to use this username/password information. This is done when the login form is submitted, before the login is validated by the server. That information is stored in the background process that shows up in the tray telling you you are connected.

    When the login is processed on the server, if successful, a special cookie is set and passed back to the client.

    When control returns to the client web browser and default.aspx, another instance of the same ActiveX control is created and the OnAuthenticated method of the MsRdpWorkspace is called, assuming the login was successful. This lets the background process know that it has a valid username and password. After this point, any rdp file representing a remoteapp that has been signed with the certificate indicated in the StartWorkspace call, and connecting to a server identifying itself with that same certificate, will automatically authenticate using the username/password combination without asking the user for a login. I noticed that even if you double click the rdp file from the explorer, it will use the saved username/password, until you log out of the rdweb site (or disconnect using the tray icon).

    So it is quite possible to automatically log a user in without asking for a password. The unfortunate part is that you need to pass the username/password to use to a javascript running in the browser, I have not seen a way to generate some form of one-off or time-limited token on the server to pass to the rdp connection.

    However, with an appropriate service running on the rdp server it seems very possible to implement the desired behaviour - set the user password to a random string when the user has been authenticated using SAML and then pass that random password to the client side javascript. I will be working on implementing this in our site.

    Thursday, June 9, 2011 5:52 PM
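    The answer above sketches a server-side service that resets the mapped account's password to a random value once the SAML assertion has been validated, then hands that value to the RD Web sign-on page. The following PowerShell is an added example of that server-side piece; it is not code from the thread or from Microsoft. It assumes the ActiveDirectory module, a service account delegated the Reset Password right on the OU holding the mapped users, and a mapping from SAML NameID to sAMAccountName (a constructed hashtable here; the SAML validation itself is assumed to happen before this is called). Because the value returned is a live credential that will be visible to browser script, the example also rotates the password again when the portal session ends, so the copy handed out stops working.

```powershell
# Added example, not from the thread: the "appropriate service" half of the design.
# Assumptions: ActiveDirectory module present; caller has reset-password rights;
# $NameIdToAccount is a constructed stand-in for the real NameID -> account mapping.
Import-Module ActiveDirectory

$NameIdToAccount = @{ 'jane.doe@partner.example' = 'jdoe' }   # constructed mapping

function New-RandomPassword {
    param([int]$Length = 32)
    # Printable ASCII 0x21-0x7E from a CSPRNG; rejection sampling avoids modulo bias.
    $chars = [char[]](33..126)                      # 94 candidates
    $limit = $chars.Count * [math]::Floor(256 / $chars.Count)   # 188
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb  = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) {
            [void]$sb.Append($chars[$buf[0] % $chars.Count])
        }
    }
    $rng.Dispose()
    $sb.ToString()
}

function Start-RDWebSsoSession {
    # Called after the SAML assertion has been validated and mapped to a local user.
    param([Parameter(Mandatory)][string]$SamlNameId)
    $sam = $NameIdToAccount[$SamlNameId]
    if (-not $sam) { throw "No local account mapped for '$SamlNameId'" }

    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    # -Reset overwrites the current password without needing the old one.
    Set-ADAccountPassword -Identity $sam -Reset -NewPassword $secure

    # Only the sign-on page should ever see this object; treat it as a session secret.
    [pscustomobject]@{ UserName = "$env:USERDOMAIN\$sam"; Password = $plain }
}

function Stop-RDWebSsoSession {
    # Rotate once more so the value that reached the browser is no longer valid.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
}

# Usage from the portal back end (constructed NameID):
# $cred = Start-RDWebSsoSession -SamlNameId 'jane.doe@partner.example'
# ... pass $cred.UserName / $cred.Password to the RD Web sign-on page ...
# Stop-RDWebSsoSession -SamAccountName 'jdoe'
```

    Since the reset destroys whatever password the account had, this only fits accounts that are used exclusively through the federated portal, which is the service-provider situation described in this thread. Logging each reset (who was mapped to which account, and when) gives the audit trail that an ordinary interactive logon would otherwise have produced.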

All replies

  • Hi,

    Technically, it's possible. But there is no built-in way to pass the external credential to the RemoteApp.

    Personally, I want to share the following method that helps you use the logged-on user's credentials to log on to the RD Web Access page.

    Please change RD Web Access to use Windows Integrated Authentication instead of Forms Based Authentication.

    To modify RD Web Access to use Windows Authentication:

    Go to: C:\Windows\Web\RDWeb\Pages\web.config

    Below is my web.config. The only modifications I made are highlighted/underlined and in bold. You should be able to just copy and paste the text into your web.config.
              To turn on Windows Authentication:
                  - uncomment <authentication mode="Windows"/> section
                  - and comment out:
                  1) <authentication mode="Forms"> section.
                  2) <modules> and <security> sections in <system.webServer> section at the end of the file.
                  3) Optional: Windows Authentication will work in https.  However, to turn off https, disable 'Require SSL' for both RDWeb and RDWeb/Pages VDIR.
                     Launch IIS Manager UI, click on RDWeb VDIR, double click on SSL Settings in the middle pane, uncheck 'Require SSL' and
                     click Apply in the top right in the right pane.  Repeat the steps for RDWeb/Pages VDIR.
          -->

          <authentication mode="Windows" />

          <!-- The original Forms section, now commented out:
          <authentication mode="Forms">
              <forms loginUrl="default.aspx" name="TSWAAuthHttpOnlyCookie" protection="All" requireSSL="true" />
          </authentication> -->

          <webParts>
              <personalization defaultProvider="TSPortalProvider">
                  <providers>
                      <add name="TSPortalProvider" type="Microsoft.TerminalServices.Publishing.Portal.TSPortalProvider" />
                  </providers>
                  <authorization>
                      <allow users="*" verbs="enterSharedScope">
                      </allow>
                  </authorization>
              </personalization>
          </webParts>
      </system.web>

      <system.webServer>
          <!-- Forms-authentication module and security sections, commented out:
          <modules runAllManagedModulesForAllRequests="true">
              <remove name="FormsAuthentication" />
              <add name="RDWAFormsAuthenticationModule" type="Microsoft.TerminalServices.Publishing.Portal.FormAuthentication.TSFormsAuthentication" />
          </modules>

          <security>
              <authentication>
                  <windowsAuthentication enabled="true" />
                  <anonymousAuthentication enabled="true" />
              </authentication>
          </security> -->
          <httpRedirect enabled="false" />
      </system.webServer>

      <runtime>
          <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
              <dependentAssembly>
                  <assemblyIdentity name="TSPortalWebPart" publicKeyToken="31bf3856ad364e35" culture="neutral" />
                  <bindingRedirect oldVersion="6.0.0.0" newVersion="6.1.0.0" />
              </dependentAssembly>
          </assemblyBinding>
      </runtime>

      <location path="rdp">
          <system.web>
              <authorization>
                  <deny users="?" />
              </authorization>
          </system.web>
      </location>
    </configuration>


    Hope this helps.

    Friday, March 25, 2011 2:57 AM
    Moderator
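    The edit the post above describes (Forms to Windows authentication in C:\Windows\Web\RDWeb\Pages\web.config) can be applied as a scripted, reversible change rather than by hand-editing and commenting out sections. The PowerShell below is an added example written for this thread; it is not the poster's or Microsoft's code. It assumes the default file path and the element names shown in the posted web.config, takes a timestamped backup first, and deliberately leaves the 'Require SSL' settings alone, since the post notes Windows Authentication works over https and step 3 is optional.

```powershell
# Added example, not from the thread: switch RD Web Access from Forms to Windows
# authentication in web.config, with a backup and a read-back check.
# Assumptions: default RD Web path; web.config element names as in the post above.
param(
    [string]$ConfigPath = 'C:\Windows\Web\RDWeb\Pages\web.config'
)

function Set-RDWebWindowsAuth {
    param([Parameter(Mandatory)][string]$Path)

    $backup = "$Path.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -LiteralPath $Path -Destination $backup

    [xml]$cfg = Get-Content -LiteralPath $Path -Raw

    # 1) <system.web><authentication>: Forms -> Windows, dropping the <forms> child
    #    that only applies to Forms mode.
    $auth = $cfg.configuration.'system.web'.authentication
    if (-not $auth) { throw "No <system.web><authentication> element in $Path" }
    $auth.SetAttribute('mode', 'Windows')
    foreach ($child in @($auth.ChildNodes)) { [void]$auth.RemoveChild($child) }

    # 2) <system.webServer><modules>: drop the RD Web forms-auth module registration
    #    and the <remove name="FormsAuthentication"/> that accompanies it.
    $ws = $cfg.configuration.'system.webServer'
    if ($ws.modules) {
        foreach ($n in @($ws.modules.ChildNodes)) {
            if ($n -is [System.Xml.XmlElement] -and
                $n.GetAttribute('name') -in @('RDWAFormsAuthenticationModule', 'FormsAuthentication')) {
                [void]$ws.modules.RemoveChild($n)
            }
        }
    }

    # 3) <system.webServer><security>: the post comments this block out; removing it
    #    has the same effect, so the IIS site-level authentication settings apply.
    if ($ws.security) { [void]$ws.RemoveChild($ws.security) }

    # 'Require SSL' is an IIS setting, not in this file, and is intentionally untouched.
    $cfg.Save($Path)
    return $backup
}

function Test-RDWebWindowsAuth {
    # Read the file back and report what the authentication section now says.
    param([Parameter(Mandatory)][string]$Path)
    [xml]$cfg = Get-Content -LiteralPath $Path -Raw
    $mode  = $cfg.configuration.'system.web'.authentication.mode
    $forms = $cfg.SelectNodes("//modules/add[@name='RDWAFormsAuthenticationModule']").Count
    [pscustomobject]@{ Mode = $mode; FormsModuleRegistered = ($forms -gt 0) }
}

$backup = Set-RDWebWindowsAuth -Path $ConfigPath
Write-Host "Backup written to $backup"
Test-RDWebWindowsAuth -Path $ConfigPath
```

    The script changes only web.config. Windows Authentication must also be enabled on the RDWeb/Pages application in IIS (IIS Manager > Authentication, or the WebAdministration module's Set-WebConfigurationProperty against /system.webServer/security/authentication/windowsAuthentication for that location); after that, running Test-RDWebWindowsAuth should report Mode = Windows and FormsModuleRegistered = False, and the backup file is the rollback.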
  • Ah, I am sorry, this does not work in our environment. This is for external use, we are a service provider with a SPLA agreement and the customers can log in from any computer in the world where they are most likely not locally logged in with the correct credentials to authenticate against our server. We are selling access both directly to end users who will continue to log in directly to our system (for which the current authentication works perfectly fine) but we are also selling access through another company who have their own web portal solution where users are authenticated using Active Directory Federation Services. It is for these other users that we need to provide a unified single sign-on solution.

    You say there is no built-in way to pass external credentials to the RemoteApp. But somehow, the RD Web Access is passing credentials authenticated in the web browser using Windows Forms Authentication to the RDP client. It is how this passing of credentials is accomplished that I must understand in order to pass the correct RD login credentials associated with the user account from the external web portal login. I would have expected that these were passed to the RDP client through scripting setting some of the properties but I just cannot see a place where they are set.

    Any ideas?

    Friday, March 25, 2011 10:46 AM
  • Hello:

    You said

    "I have got it working to use a single signon in the RD Web site so far (sign on to RD Web, and no additional sign on after clicking a RemoteApp"

    I also have this working internally.. But am looking for help getting external access to work.. 

    Can you get to your Remote Apps externally? 

    I do not have a TS Gateway involved, just a TS having the RDApp Role and the RDWeb Role on the SBS2011 box.  

    I can access RDWeb using single sign on to apps on that TS internally from various domains because I can manipulate the DNS servers to point at the terminal server's AD Domain Name .local DNS entry when referencing the Terminal Server RD Host Services Server.

    Basically what I am saying is that the Remote App 'Server' that I reference in the Remote App manager has to be the FQDN of that local machine of the apps or I cannot authenticate.

    The event log gives me errors about trying to authenticate TERMSERVER\<public domain name>..  If I reference the public domain name in that server name it gives me errors speaking to pkt_privacy WMI stuff..  I feel like if I could manipulate the CERT being used, I could make this work without needing a TS Gateway and the related Group Policy Config.

    Sooo..  How did you do it.. TS gateway and Group Policy?  Or is there a way to modify that Terminal Server to trust a login from an external public domain directly using certs installed on that TS box?

    This is the article I have found on that topic..

    http://technet.microsoft.com/en-us/library/dd983941(WS.10).aspx and

    http://blogs.msdn.com/b/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx

    I realize I am riding on your thread..  But basically once I get this figured out.. I would love to be able to pass credentials from other domains as well.. so I am following your progress closely..

    Any help would be appreciated

    Saturday, May 21, 2011 1:52 PM
  • Sadly I have made no progress with my problem. I was hoping that someone else would have been in the same situation and have a suggestion for how to do it so I have not been doing much reverse engineering myself yet. I do however need to solve this so I will be investigating it further in the near future.

    As for your problem, is what you are saying that you are accessing the server using a public dns name that is different from the name the server knows itself as?

    When I was testing this, I was using the same server name externally and internally because that is how we set our servers up normally. Though I was actually just using an entry in the hosts file on the external test computer - that test server was not listed in our public dns entries.

    Friday, May 27, 2011 7:57 AM
  • Hi Adron1111

    First, good job!

    I have a question: where in RDWeb is the validation against Active Directory performed?

    I want to know the code or the mechanism that performs it.

    Thanks in advance!

    Srv11

    Sunday, July 31, 2011 8:16 PM
  • Check your folder permissions.

    C:\windows\web\RDweb\

    Give Read & Execute to "Authenticated Users".

    Wednesday, January 15, 2014 6:28 PM
  • I too am looking for a similar solution.  I am trying to integrate a local RD Web Server into an Office 365/SharePoint environment.  Currently users can log in to O365 using their local domain credentials via Federation Services.  This gives them authentication to SharePoint/Lync/Exchange on O365.  In my head I believe this same authentication should be usable by the RDWeb Apps on our local server, since the user is authenticated on the domain at O365 sign in.  Any additional ideas would be appreciated!

    Mark

    Wednesday, April 23, 2014 3:40 PM