In Windows Server 2008 R2, the Web Single Sign-On (Web SSO) feature provides users with the ability to enter their credentials only once during logon to Remote Desktop Web Access (RD Web Access). After logon, users can launch RemoteApp programs that are part of the same connection in RemoteApp and Desktop Connections without any further credential prompts, even if the RemoteApp programs are configured to use RD Gateway.
This post describes how to configure RD Session Host and RD Connection Broker servers to take advantage of the Web SSO feature when launching RemoteApp programs from RD Web Access.
In Windows Server 2008 TS Web Access, a major pain point for users was receiving multiple credential prompts, first when logging on to TS Web Access and then when launching a RemoteApp program from a terminal server.
In Windows Server 2008 R2, using the new RD Web Access Forms Based Authentication (FBA), users will now have to enter credentials only once in the login page of RD Web Access and will not be prompted again for entering credentials on launching subsequent apps from the RemoteApp Programs page of RD Web Access.
RD Web Access can access RemoteApp programs in two modes (details about these modes can be found in this post):
Web SSO is supported for launching RemoteApp programs from RD Web Access or the Start menu in any of the above modes. For Web SSO to work when connecting to personal desktops or pooled virtual machines (VMs) the client machine needs this hotfix installed: http://support.microsoft.com/kb/2524668.
The steps for configuring Web SSO and setting up a digital signature for RemoteApp programs for RD Session Host and RD Connection Broker modes are described below.
There are 2 steps required to configure Web SSO when using RD Session Host.
Membership in the local Administrators group (or equivalent) on the RD Session Host server that you plan to configure is the minimum requirement to complete each of the following steps.
Step 1: Add the RD Web Access server to the TS Web Access Computers group on the RD Session Host server
Step 2: Digitally sign the RemoteApp programs on the RD Session Host server
There are 5 steps required to configure Web SSO when using RD Connection Broker.
Membership in the local Administrators group, or equivalent, on the specific server that you plan to configure is the minimum required to complete each of the following steps.
Step 1: Add the RD Web Access server to the TS Web Access Computers group on the RD Connection Broker server
Step 2: Add RD Session Host servers as RemoteApp Sources on RD Connection Broker server
Step 3: Add the RD Connection Broker server to TS Web Access Computers group on each RD Session Host server
Step 4: Digitally sign RemoteApp programs on each RD Session Host server
Use the following steps to sign RemoteApp programs by using RemoteApp Manager. The procedure assumes that you are working from a central administrator workstation, the certificate is stored on the central administrator workstation, and the central administrator workstation has the RemoteApp Manager tool installed.
Repeat the steps in the procedure for each RD Session Host that is providing RemoteApp programs through RemoteApp and Desktop Connection.
Step 5: Specify certificate on RD Connection Broker server
If the RemoteApp programs are signed using a certificate from a public CA that participates in the Microsoft Root Certificate Program Members program (http://go.microsoft.com/fwlink/?LinkID=59547), then Web SSO should just work.
If the certificate is not issued by a trusted public CA, the certificate must be imported into the Trusted Root Certification Authorities certification store on the client computer to be trusted by the client operating system. Members of the local Administrators group, or equivalent, on the client computer can import the certificate or it can be done by using Group Policy.
The ‘Trusted Certificate Authority Root’ certificate (shown below) must be imported in the Trusted Root Certification Authorities certification store on the client computer and on the RD Session Host and RD Connection Broker machines. ‘Certificate for Signing Remote App Programs’ certificate must be imported in the Personal store on the RD Session Host, and RD Connection Broker machines.
If RD Web Access is configured to use Windows Authentication, which is the Windows Server 2008 mode, instead of the default Forms Based Authentication (FBA), users will be prompted for credentials twice: once for the Windows Integrated Authentication for RD Web Access and again on the launch of the first RemoteApp in the RemoteApp and Desktop Connection. Thereafter on subsequent RemoteApp launch, SSO will work as it works in the FBA mode.
Web SSO also works when RemoteApp programs are set to use RD Gateway regardless of whether RD Web Access accesses RemoteApp programs in RD Session Host mode or RD Connection Broker mode.
The configuration of Web SSO for RD Gateway assumes that:
More details on how to configure a ‘Connection Authorization Policy’ on RD Gateway can be found here.
The step below is needed regardless of the mode RD Web Access is configured. In case of RD Connection Broker mode, the step needs to be performed on each RD Session Host server which is added as a RemoteApp Source on RD Connection Broker Server.
I have the same question as Archie. I digitally signe our Remote App with the same wildcard certificate as I use om my RD Gateway. When launching the remote app from the gateway I get a warning for the certificate which show the internal computer certificate "SessionComputerHostNAme.domain.local" How can you make RemoteApp availible outside your organisaion with SSO?
Hi, I am currently setup just with an rdweb access server and an rd session host with all the certs. (no gateway and no connection broker). Websso was working fine. It has stopped working on one pc. That pc is running windows xp sp3. The about for remote desktop connection says: Shell version 6.1.7600, Control version 6.1.7600, Remote desktop protocol 7.0 supported. Previously if I clicked on a remoteapp it would pop asking if I trust the publisher and if I showed details it would say that it was sending the credentials and go right to the app when I hit connect. Now it no longer says that and it asks again for id/password. Other pc's work fine.
The article looks great....
But I would like to know where from should I generate the cert and import it to RDSH servers?
I mean should I do it from my CA or just generate a new certificate from the RD Gateway and import it to my RDSH servers?
Way to go Microsoft. You tried to do what Citrix has done so well for years and made it a heap of mess. The "RD" suite of services just plain suck.
I did everything mentioned above and still prompting for credential twice.
Hi Herlander, is the little workspace icon showing up when you login to the web access page? Can you also check that the client you're connecting with trusts the root of the certificate? Lastly, you're connecting to a remoteApp or a full desktop? If it's a full desktop, then you need to install the following hotfix: support.microsoft.com/.../2524668
I've tried everything in your great article but it wont work :(
We run all on one host (gateway, remoteapp, web access) but unfortunately, the sign on dialog pops up twice.
Everything works like a charm, but you have to enter the credentials twice.
Any idea to get this SSO working? let me know if you need more information
oh i forgot a few details:
- internally, the SSO works like a charm, but from the internet it doesnt (we've opened only https)
- we've configured the gateway with the domain name used by users from the internet (hostname != domain)
- we only use remoteapps, no remote desktop connections
- we dont have an active directory, only local users
The first thing I'd check is whether or not your client trusts the certificates with which RDP files are signed.
it is usually clear from the warning dialog that comes up when you launch a RemoteApp.
If the client does not trust the certificate, SSO won't work.
Thanks for the quick reply!
We imported the CA-Cert at the client and there is no warning dialog.
Do i need to do another procedure to "sign" the rdp files?
There is no certificate warning at launch of a remoteapp, its only that it prompts for the credentials again.
Are you using Remote Desktop Gateway? In that case you need to make sure that the same user credentials are used between the gateway and the target server (RDP file setting "promptcredentialonce:i:1"). Otherwise, the client will prompt for the credentials to the gateway on every connection.
One other possible cause of SSO not working is described here: support.microsoft.com/.../977507
I have RDGW plus RDWA on NLB'ed R2 servers. 5 RD hosts in session broker, one RD host stand alone. ISA 2006 in fornt of this setup. Everything setup as it shoul, getting two promts. Same as Christian here.
What should the ID of the gateways be? The public dns-name as it is in the certificate?
Will SSO work at all with NLB and ISA 2006. It looks like it's authenticating at the ISA. COmes up with the isa server name in the logon prompt. Authentication is not setup on ISA.
You RDGW configuration should not matter as long as it accepts the same user credentials as RDWA and RD hosts and as long as you have credential sharing between RD and RDGW enabled ("promptcredentialonce:i:1" setting in the RDP file). Please, also make sure that you are using 7.0 or higher client version and that all RDP files are signed with the same certificate and that the signing certificate is trusted by the client.
In addition, if you need SSO to work with full Remote Desktop connections, you need to apply the following hotfix: support.microsoft.com/.../2524668