In Windows Server 2008 R2, the Web Single Sign-On (Web SSO) feature provides users with the ability to enter their credentials only once during logon to Remote Desktop Web Access (RD Web Access). After logon, users can launch RemoteApp programs that are part of the same connection in RemoteApp and Desktop Connections without any further credential prompts, even if the RemoteApp programs are configured to use RD Gateway.
This post describes how to configure RD Session Host and RD Connection Broker servers to take advantage of the Web SSO feature when launching RemoteApp programs from RD Web Access.
In Windows Server 2008 TS Web Access, a major pain point for users was receiving multiple credential prompts, first when logging on to TS Web Access and then when launching a RemoteApp program from a terminal server.
In Windows Server 2008 R2, using the new RD Web Access Forms Based Authentication (FBA), users will now have to enter credentials only once in the login page of RD Web Access and will not be prompted again for entering credentials on launching subsequent apps from the RemoteApp Programs page of RD Web Access.
RD Web Access can access RemoteApp programs in two modes (details about these modes can be found in this post):
Web SSO is supported for launching RemoteApp programs from RD Web Access or the Start menu in any of the above modes. For Web SSO to work when connecting to personal desktops or pooled virtual machines (VMs) the client machine needs this hotfix installed: http://support.microsoft.com/kb/2524668.
The steps for configuring Web SSO and setting up a digital signature for RemoteApp programs for RD Session Host and RD Connection Broker modes are described below.
There are 2 steps required to configure Web SSO when using RD Session Host.
Membership in the local Administrators group (or equivalent) on the RD Session Host server that you plan to configure is the minimum requirement to complete each of the following steps.
Step 1: Add the RD Web Access server to the TS Web Access Computers group on the RD Session Host server
Step 2: Digitally sign the RemoteApp programs on the RD Session Host server
There are 5 steps required to configure Web SSO when using RD Connection Broker.
Membership in the local Administrators group, or equivalent, on the specific server that you plan to configure is the minimum required to complete each of the following steps.
Step 1: Add the RD Web Access server to the TS Web Access Computers group on the RD Connection Broker server
Step 2: Add RD Session Host servers as RemoteApp Sources on RD Connection Broker server
Step 3: Add the RD Connection Broker server to TS Web Access Computers group on each RD Session Host server
Step 4: Digitally sign RemoteApp programs on each RD Session Host server
Use the following steps to sign RemoteApp programs by using RemoteApp Manager. The procedure assumes that you are working from a central administrator workstation, the certificate is stored on the central administrator workstation, and the central administrator workstation has the RemoteApp Manager tool installed.
Repeat the steps in the procedure for each RD Session Host that is providing RemoteApp programs through RemoteApp and Desktop Connection.
Step 5: Specify certificate on RD Connection Broker server
If the RemoteApp programs are signed using a certificate from a public CA that participates in the Microsoft Root Certificate Program Members program (http://go.microsoft.com/fwlink/?LinkID=59547), then Web SSO should just work.
If the certificate is not issued by a trusted public CA, the certificate must be imported into the Trusted Root Certification Authorities certification store on the client computer to be trusted by the client operating system. Members of the local Administrators group, or equivalent, on the client computer can import the certificate or it can be done by using Group Policy.
The ‘Trusted Certificate Authority Root’ certificate (shown below) must be imported in the Trusted Root Certification Authorities certification store on the client computer and on the RD Session Host and RD Connection Broker machines. ‘Certificate for Signing Remote App Programs’ certificate must be imported in the Personal store on the RD Session Host, and RD Connection Broker machines.
If RD Web Access is configured to use Windows Authentication, which is the Windows Server 2008 mode, instead of the default Forms Based Authentication (FBA), users will be prompted for credentials twice: once for the Windows Integrated Authentication for RD Web Access and again on the launch of the first RemoteApp in the RemoteApp and Desktop Connection. Thereafter on subsequent RemoteApp launch, SSO will work as it works in the FBA mode.
Web SSO also works when RemoteApp programs are set to use RD Gateway regardless of whether RD Web Access accesses RemoteApp programs in RD Session Host mode or RD Connection Broker mode.
The configuration of Web SSO for RD Gateway assumes that:
More details on how to configure a ‘Connection Authorization Policy’ on RD Gateway can be found here.
The step below is needed regardless of the mode RD Web Access is configured. In case of RD Connection Broker mode, the step needs to be performed on each RD Session Host server which is added as a RemoteApp Source on RD Connection Broker Server.
Are you using RDC 7.0 from both locations? Only RDC 7.0 supports Web SSO. Another thing to check is whether your client trusts the publisher. If you are getting a warning about unknown publisher, SSO won’t work.
I have 2 RD GW+Web Access and 1 RD Broker all using Windows 2008 R2, but our Session Hosts are Windows 2008. Web SSO works fine with RemoreApp icons, but doesn't works using "Remote Desktop" icon in RD Web Access. any Helps?
@David -- this is by design. Remote Desktop Tab on the RD Web Access page does not support Web SSO in Windows Server 2008 R2.
Hi Vikash, thank you for your quick reply but I'm not speaking about Remote Desktop *tab*, but about Remote Desktop *icon* obtained with the flag 'Show a remote dektop connection to this terminal server in TS Web Access' in Terminal Server setting on the TS RemteApp Mannager. TIA.
Currently SSO is supported with RemoteApp connections only.
I'm trying to implement a RD-WA with SSO, but I found a issue and can't resolve it.
My lab have a 3 VM's running Windows Server 2008 R2:
dc-01 -> AD-DS, AD-CS, DNS, RD Licesing, RD Session Broker;
sh-01 -> RD Session Host;
gw-01 -> RD Web Access, RD Gateway;
When I configure my RD-WA to use the RD Session Host, the single sign-on works fine, but when I use the Session Broker as source, I'm asked to insert a password, and the "connection ID" appear in the password field.
What can I do to have SSO with Session Broker and SSO working fine?
@David: hi David, did you succeed in allowing SSO with remote desktop icon too? I'm asking because I have a similar problem. I published mstsc.exe (because I do not want users to use the mstsc.exe installed on the client machine) and I would like to automatically pass the Web Access credentials to the target remote computer.
I have a connection broker and two session hosts (identically configured). A hardware load balancer is front-ending the VIP for the farm. The certs used for signing the apps are the same as the cert installed on the broker. SSO is working great when using RDWeb, however, when I select an app from a Windows 7 machine using the Start-> "Remote App and Desktop Connections" shortcuts, I am prompted for credentials.
Hi, I am unable to get SSO working with the Remote Desktop icon either. Is this by design? If so is there anyway of publishing a desktop with SSO working? SSO is working fine with all other remoteapp applications.
Hi, Just an update on my post re SSO not working with the Remote Desktop icon. I logged this with Microsoft and this is definitely by design. Apparantly there is no way of publishing a desktop with SSO working through web access. SSO only works with single applications.
I'm rolling this out on the Internet. I am getting multiple logins - then I looked at the version of mstsc to determine if I had 7.0. All 3 Windows 7 machines I've been using have mstsc.exe and it's 6.1.7600.16385. This is Windows 7 - a fresh build - and it still has RDP 6.1 on it? And I don't find a version 7.0 download for Windows 7. Is the numbering just messed up, or do I have an old version of RDP? Thanks.
I want to configure Web SSO using RD Connection Broker mode. I am looking at this note: "The certificate for digitally signing RemoteApp programs on each RD Session Host server and RD Connection Broker server should be the same."
What purpose(s) should we issue for the certificate? Server auth? Client auth? Code signing? All?
Either Server auth or Code signing will work.
Thanks for the quick reply Sergey. Will it Web SSO work if our Internet domain name (e.g. contoso.com) does not match our Active Directory domain name (e.g. contoso.local)?
Our Server Auth cert is a wildcard certificate signed by Thawte (wildcard is supported by RDC 6.1 according to 2008/12/04 blog entry) and the subject only contains our external domain (e.g. contoso.com). However, there are places in the RDS configuration (e.g. Web Access Configuration) where it will only work using the internal FQDN (e.g. contoso.local) which is not mentioned in our certificate. Is there any way we can make Web SSO work with our naming structure? Do we need to add our internal domain as a SAN?