In Windows Server 2008 R2, the Web Single Sign-On (Web SSO) feature provides users with the ability to enter their credentials only once during logon to Remote Desktop Web Access (RD Web Access). After logon, users can launch RemoteApp programs that are part of the same connection in RemoteApp and Desktop Connections without any further credential prompts, even if the RemoteApp programs are configured to use RD Gateway.
This post describes how to configure RD Session Host and RD Connection Broker servers to take advantage of the Web SSO feature when launching RemoteApp programs from RD Web Access.
In Windows Server 2008 TS Web Access, a major pain point for users was receiving multiple credential prompts, first when logging on to TS Web Access and then when launching a RemoteApp program from a terminal server.
In Windows Server 2008 R2, using the new RD Web Access Forms Based Authentication (FBA), users will now have to enter credentials only once in the login page of RD Web Access and will not be prompted again for entering credentials on launching subsequent apps from the RemoteApp Programs page of RD Web Access.
RD Web Access can access RemoteApp programs in two modes (details about these modes can be found in this post):
Web SSO is supported for launching RemoteApp programs from RD Web Access or the Start menu in any of the above modes. For Web SSO to work when connecting to personal desktops or pooled virtual machines (VMs) the client machine needs this hotfix installed: http://support.microsoft.com/kb/2524668.
The steps for configuring Web SSO and setting up a digital signature for RemoteApp programs for RD Session Host and RD Connection Broker modes are described below.
There are 2 steps required to configure Web SSO when using RD Session Host.
Membership in the local Administrators group (or equivalent) on the RD Session Host server that you plan to configure is the minimum requirement to complete each of the following steps.
Step 1: Add the RD Web Access server to the TS Web Access Computers group on the RD Session Host server
Step 2: Digitally sign the RemoteApp programs on the RD Session Host server
There are 5 steps required to configure Web SSO when using RD Connection Broker.
Membership in the local Administrators group, or equivalent, on the specific server that you plan to configure is the minimum required to complete each of the following steps.
Step 1: Add the RD Web Access server to the TS Web Access Computers group on the RD Connection Broker server
Step 2: Add RD Session Host servers as RemoteApp Sources on RD Connection Broker server
Step 3: Add the RD Connection Broker server to TS Web Access Computers group on each RD Session Host server
Step 4: Digitally sign RemoteApp programs on each RD Session Host server
Use the following steps to sign RemoteApp programs by using RemoteApp Manager. The procedure assumes that you are working from a central administrator workstation, the certificate is stored on the central administrator workstation, and the central administrator workstation has the RemoteApp Manager tool installed.
Repeat the steps in the procedure for each RD Session Host that is providing RemoteApp programs through RemoteApp and Desktop Connection.
Step 5: Specify certificate on RD Connection Broker server
If the RemoteApp programs are signed using a certificate from a public CA that participates in the Microsoft Root Certificate Program Members program (http://go.microsoft.com/fwlink/?LinkID=59547), then Web SSO should just work.
If the certificate is not issued by a trusted public CA, the certificate must be imported into the Trusted Root Certification Authorities certification store on the client computer to be trusted by the client operating system. Members of the local Administrators group, or equivalent, on the client computer can import the certificate or it can be done by using Group Policy.
The ‘Trusted Certificate Authority Root’ certificate (shown below) must be imported in the Trusted Root Certification Authorities certification store on the client computer and on the RD Session Host and RD Connection Broker machines. ‘Certificate for Signing Remote App Programs’ certificate must be imported in the Personal store on the RD Session Host, and RD Connection Broker machines.
If RD Web Access is configured to use Windows Authentication, which is the Windows Server 2008 mode, instead of the default Forms Based Authentication (FBA), users will be prompted for credentials twice: once for the Windows Integrated Authentication for RD Web Access and again on the launch of the first RemoteApp in the RemoteApp and Desktop Connection. Thereafter on subsequent RemoteApp launch, SSO will work as it works in the FBA mode.
Web SSO also works when RemoteApp programs are set to use RD Gateway regardless of whether RD Web Access accesses RemoteApp programs in RD Session Host mode or RD Connection Broker mode.
The configuration of Web SSO for RD Gateway assumes that:
More details on how to configure a ‘Connection Authorization Policy’ on RD Gateway can be found here.
The step below is needed regardless of the mode RD Web Access is configured. In case of RD Connection Broker mode, the step needs to be performed on each RD Session Host server which is added as a RemoteApp Source on RD Connection Broker Server.
Do any changes need to be made to the RPC or RPCWITHCERT IIS7 Apps Authentication settings for this to work correctly? Also, what should the "authentication settings" be set to for these apps. Anything special for them to use the cookies from the FBA on the login.aspx?
this is not working, i do everything you say but its not working at all
Do I need to use the RD Web Access Form page, or can I use the ISA 2006 Form page?
I have changed to Basic authentication on RD Web on my Windows 2008 R2 server.
And then published the page thru ISA 2006
My client is Win 7, but WebSSO is not working.
Sorry, but in order to get WebSSO, you must use the RDWeb logon page.
Will it be possible with the next version of ISA Firewall?
Or will a future patch to 2008 R2 solve it?
I prefer to have everything behind the ISA server.
I do no have a RD Connection Broker so I skipped that part, and it doesn't work at all. How do I set it up if I only have one session host?
Please follow these steps for one Session Host Mode:
Step 2: Digitally sign the RemoteApp programs on the RD Session Host server
Please see this post 'http://blogs.msdn.com/rds/archive/2009/06/05/publishing-in-windows-server-2008-r2.aspx' to point RD Web Access to RD Session Host mode.
Those are not related to 'RD Web Access'.
This works great on my Win7 machines but not on my WinXPs (none are domain-joined). Could you shed some light on RDP Client version requirements for this solutions? Will there be an RDP 7.0 client for Windows XP?
It's already set up like that. The Web access and session host are the same server.
Having setup the r2 server with web forms it will now authenticate without needing to enter the domain name but still have to enter username and password twice on xp and windows 7, have tried all reg changes hot fix etc but still no joy am using rdp 6.1
Anyone know how to make the client default to the remoteapp program? This would be very helpful so that when a user clicks on an applicateion file, the computer will open the remoteapp running on the terminal server the runs the application file.
You can do this by publishing RemoteApp MSIs that take over file extensions, but not with RDWeb or RemoteApp and Desktop Connections.
can anyone confirm that you can use single sign on with the web form when a client is xp sp3 using rdp 6.1
it constantly requires user to enter details twice
i have heard you need rdp 7 which isnt available yet
@Dave & @Mike P.
For Web Single Sign-On to work, the requirement is to have RDP Client 7.
Please refer to this post : http://blogs.msdn.com/rds/archive/2009/08/21/remote-desktop-connection-7-for-windows-7-windows-xp-windows-vista.aspx.