In Windows Server 2008 R2, the Web Single Sign-On (Web SSO) feature provides users with the ability to enter their credentials only once during logon to Remote Desktop Web Access (RD Web Access). After logon, users can launch RemoteApp programs that are part of the same connection in RemoteApp and Desktop Connections without any further credential prompts, even if the RemoteApp programs are configured to use RD Gateway.
This post describes how to configure RD Session Host and RD Connection Broker servers to take advantage of the Web SSO feature when launching RemoteApp programs from RD Web Access.
In Windows Server 2008 TS Web Access, a major pain point for users was receiving multiple credential prompts: first when logging on to TS Web Access, and then again when launching a RemoteApp program from a terminal server.
In Windows Server 2008 R2, with the new RD Web Access Forms Based Authentication (FBA), users enter credentials only once, on the RD Web Access login page, and are not prompted again when launching RemoteApp programs from the RemoteApp Programs page of RD Web Access.
RD Web Access can access RemoteApp programs in two modes, RD Session Host mode and RD Connection Broker mode (details about these modes can be found in this post).
Web SSO is supported for launching RemoteApp programs from RD Web Access or the Start menu in either mode. For Web SSO to work when connecting to personal desktops or pooled virtual machines (VMs), the client machine needs this hotfix installed: http://support.microsoft.com/kb/2524668.
The steps for configuring Web SSO and setting up a digital signature for RemoteApp programs for RD Session Host and RD Connection Broker modes are described below.
There are two steps required to configure Web SSO when using RD Session Host.
Membership in the local Administrators group (or equivalent) on the RD Session Host server that you plan to configure is the minimum requirement to complete each of the following steps.
Step 1: Add the RD Web Access server to the TS Web Access Computers group on the RD Session Host server
Step 2: Digitally sign the RemoteApp programs on the RD Session Host server
There are five steps required to configure Web SSO when using RD Connection Broker.
Membership in the local Administrators group, or equivalent, on the specific server that you plan to configure is the minimum requirement to complete each of the following steps.
Step 1: Add the RD Web Access server to the TS Web Access Computers group on the RD Connection Broker server
Step 2: Add RD Session Host servers as RemoteApp Sources on the RD Connection Broker server
Step 3: Add the RD Connection Broker server to the TS Web Access Computers group on each RD Session Host server
Step 4: Digitally sign RemoteApp programs on each RD Session Host server
Use the following steps to sign RemoteApp programs by using RemoteApp Manager. The procedure assumes that you are working from a central administrator workstation, the certificate is stored on the central administrator workstation, and the central administrator workstation has the RemoteApp Manager tool installed.
Repeat the steps in the procedure for each RD Session Host that is providing RemoteApp programs through RemoteApp and Desktop Connection.
Step 5: Specify the certificate on the RD Connection Broker server
If the RemoteApp programs are signed using a certificate from a public CA that participates in the Microsoft Root Certificate Program Members program (http://go.microsoft.com/fwlink/?LinkID=59547), then Web SSO should just work.
If the certificate is not issued by a trusted public CA, the certificate must be imported into the Trusted Root Certification Authorities certification store on the client computer to be trusted by the client operating system. Members of the local Administrators group, or equivalent, on the client computer can import the certificate or it can be done by using Group Policy.
The ‘Trusted Certificate Authority Root’ certificate (shown below) must be imported into the Trusted Root Certification Authorities certification store on the client computer and on the RD Session Host and RD Connection Broker machines. The ‘Certificate for Signing Remote App Programs’ certificate must be imported into the Personal store on the RD Session Host and RD Connection Broker machines.
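As an added example (not from the original post), the following PowerShell, run in an elevated session on the RD Session Host or RD Connection Broker being configured, performs the group-membership step, imports the root certificate into the machine Trusted Root store, and checks which exported .rdp files actually carry a signature. Assumed names: domain CONTOSO, RD Web Access server RDWA01, certificate path C:\certs\RootCA.cer and .rdp folder C:\RemoteAppRdp.

```powershell
# Added example (not from the original post). Assumptions: the RD Web Access server's
# computer account is CONTOSO\RDWA01; this runs in an elevated PowerShell 2.0 session on
# the RD Session Host (or RD Connection Broker) being configured; the root CA certificate
# was exported to C:\certs\RootCA.cer; signed .rdp files were saved to C:\RemoteAppRdp.
$domain     = 'CONTOSO'
$rdwaServer = 'RDWA01'
$rootCer    = 'C:\certs\RootCA.cer'
$rdpFolder  = 'C:\RemoteAppRdp'

# Steps 1 and 3: only members of the local TS Web Access Computers group may enumerate this
# server's RemoteApp list, so add the querying server's computer account (name ends in $).
$group   = [ADSI]'WinNT://./TS Web Access Computers,group'
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
if ($members -notcontains "$rdwaServer`$") {
    $group.Add("WinNT://$domain/$rdwaServer`$")
    Write-Host "Added $domain\$rdwaServer`$ to TS Web Access Computers"
} else {
    Write-Host "$domain\$rdwaServer`$ is already a member of TS Web Access Computers"
}

# Trust: the signing certificate's root must be in the machine Trusted Root store here and on
# every client (e.g. via Group Policy), or the client treats the RemoteApp as unsigned and
# prompts for credentials again.
$root  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $rootCer
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
$store.Open('ReadWrite')
if ($store.Certificates.Find('FindByThumbprint', $root.Thumbprint, $false).Count -eq 0) {
    $store.Add($root)
    Write-Host "Imported root CA $($root.Subject) into LocalMachine\Root"
}
$store.Close()

# Steps 2 and 4 check: an .rdp file signed by RemoteApp Manager carries a signscope: line
# (the settings covered by the signature) and a signature: line (the signature blob itself).
# A file missing either one still launches, but without Web SSO.
Get-ChildItem -Path $rdpFolder -Filter *.rdp | ForEach-Object {
    $lines  = Get-Content -Path $_.FullName
    $signed = ($lines -match '^signscope:s:') -and ($lines -match '^signature:s:')
    '{0,-40} signed={1}' -f $_.Name, $signed
}
```

The membership and certificate parts must be repeated on every RD Session Host that is a RemoteApp Source; the .rdp check is only meaningful after the programs have been signed in RemoteApp Manager.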
If RD Web Access is configured to use Windows Authentication, which is the Windows Server 2008 mode, instead of the default Forms Based Authentication (FBA), users will be prompted for credentials twice: once for the Windows Integrated Authentication for RD Web Access and again on the launch of the first RemoteApp in the RemoteApp and Desktop Connection. Thereafter, on subsequent RemoteApp launches, SSO works as it does in FBA mode.
Web SSO also works when RemoteApp programs are set to use RD Gateway regardless of whether RD Web Access accesses RemoteApp programs in RD Session Host mode or RD Connection Broker mode.
The configuration of Web SSO for RD Gateway assumes that:
More details on how to configure a ‘Connection Authorization Policy’ on RD Gateway can be found here.
The step below is needed regardless of the mode in which RD Web Access is configured. In RD Connection Broker mode, the step must be performed on each RD Session Host server that is added as a RemoteApp Source on the RD Connection Broker server.
For Web Single Sign-On to work, the client must have RDP Client 7.
Please refer to this post: http://blogs.msdn.com/rds/archive/2009/08/21/remote-desktop-connection-7-for-windows-7-windows-xp-windows-vista.aspx.
I can't seem to get this to work.
Will this work if RD Web Access, RD Gateway and RD Session Host are on the same machine, which is in a workgroup, not joined to a domain?
Does anybody know whether we can publish both RemoteApp programs (e.g. Word or Excel) and VMs (personal or dynamic) simultaneously via IE (RD Web Access)?
I tried to configure RemoteApp programs and virtual VMs in my test environment. However, I was only able to view either VMs or RemoteApp programs via RD Web Access. I am not able to see both in IE. Any hints would be of great help!
Yes you can publish both. You need to do the following steps:
You need 3 roles (these can be installed on the same machine, but I would suggest making the RD Session Host that is serving up the RemoteApp programs a separate machine).
The roles needed are RD Web Access, Connection Broker and RD Session Host (not counting the VM roles needed for the VMs).
RD Web Access is the front end; you configure it to point to the Connection Broker.
On the Connection Broker use sbmgr.msc to configure your pool/personal VMs and set up the RD Session Host. This will configure the Connection Broker service to serve up both VMs and apps. I think what you missed is setting up the RD Session Host to point to your app server. (Of course you also need to set up the RemoteApp programs on the RD Session Host as well.)
There are a bunch of Step-By-Step guides that might help, here are a few, but you will see the others if you select one and look to the left side of the menu in the browser.
Hope that helps.
Thanks for the info, Kevin! I figured out my mistake. I forgot to add the RDCB server to the TS Web Access Computers security group on the RDSH server. Hence, I was not able to view both RemoteApp programs and VMs in IE. It's now working fine!
I've one more query in this regard. In order to add RDP protocol permissions to a virtual machine, we need to type a couple of WMI commands in the command prompt. Do you know whether there is any easy way to configure it? We can type those commands on two or three VMs. However, if we consider a large number of VMs (e.g. 100) then it will be very tedious to type those commands on each individual system. I think we will need to create a script with these commands and then push it via GPO. Is there any alternate solution available?
Hi, in that blog it states the Web SSO will work for XP SP3 with RDC 7.0 installed but in the page for the RDC update there is a section saying that Web SSO does not work for XP.
Is this something that will be introduced in a future update? If not you should change that blog entry as it suggests you can when the update is applied.
Web SSO is supported on XP SP3 with RDC 7.0
Please refer to the Security Features section at http://blogs.msdn.com/rds/archive/2009/08/21/remote-desktop-connection-7-for-windows-7-windows-xp-windows-vista.aspx for the XP SP3 and RDC 7.0 column.
So does it require the RD infrastructure to be part of an AD for Web SSO to work, yes or no?
Did anybody figure out how to make Forms-Based Authentication work? I tried everything and still get prompted to enter user credentials twice: once for the Windows Integrated Authentication for RD Web Access and again on the launch of the first RemoteApp in the RemoteApp and Desktop Connection. Does anybody know what changes need to be made, and where, to switch from Windows Authentication to Forms Based Authentication?
We are looking for the API to pass username and password to the RD Gateway dialog box seamlessly from our broker when launching an RDS application remotely on a PC which is not in the domain. How can we achieve this?
If I have all internal domain logged-on users, can I just pass the local credentials and not be prompted at the FBA and also not be prompted when launching apps?
I don't have a need to ever prompt internal users with credentials for Web Access or launching apps.
There is no RD Gateway involved and no external users.
Please, take a look at: http://blogs.msdn.com/rds/archive/2007/04/19/how-to-enable-single-sign-on-for-my-terminal-server-connections.aspx
You can also change the RDWeb site to use integrated Windows authentication, so it won't be prompting internal users for credentials.
Can I publish RD Web Access with Forefront TMG 2010, and still get web sso with RDC 7.0 client?
Or do I have to use the form-based rdweb page?
I installed RDS on one machine (RD Session Host mode). When I enter srv-remote.yyy.local/rdweb from a domain member computer, Web SSO is working. But if I try to enter remote.domainname.com from the internet, Web SSO is not working. Any idea about this issue? Thanks.