In Windows Server 2008 R2, the Web Single Sign-On (Web SSO) feature provides users with the ability to enter their credentials only once during logon to Remote Desktop Web Access (RD Web Access). After logon, users can launch RemoteApp programs that are part of the same connection in RemoteApp and Desktop Connections without any further credential prompts, even if the RemoteApp programs are configured to use RD Gateway.
This post describes how to configure RD Session Host and RD Connection Broker servers to take advantage of the Web SSO feature when launching RemoteApp programs from RD Web Access.
In Windows Server 2008 TS Web Access, a major pain point for users was receiving multiple credential prompts, first when logging on to TS Web Access and then when launching a RemoteApp program from a terminal server.
In Windows Server 2008 R2, using the new RD Web Access Forms Based Authentication (FBA), users will now have to enter credentials only once in the login page of RD Web Access and will not be prompted again for entering credentials on launching subsequent apps from the RemoteApp Programs page of RD Web Access.
RD Web Access can access RemoteApp programs in two modes (details about these modes can be found in this post):
Web SSO is supported for launching RemoteApp programs from RD Web Access or the Start menu in any of the above modes. For Web SSO to work when connecting to personal desktops or pooled virtual machines (VMs) the client machine needs this hotfix installed: http://support.microsoft.com/kb/2524668.
The steps for configuring Web SSO and setting up a digital signature for RemoteApp programs for RD Session Host and RD Connection Broker modes are described below.
There are 2 steps required to configure Web SSO when using RD Session Host.
Membership in the local Administrators group (or equivalent) on the RD Session Host server that you plan to configure is the minimum requirement to complete each of the following steps.
Step 1: Add the RD Web Access server to the TS Web Access Computers group on the RD Session Host server
Step 2: Digitally sign the RemoteApp programs on the RD Session Host server
There are 5 steps required to configure Web SSO when using RD Connection Broker.
Membership in the local Administrators group, or equivalent, on the specific server that you plan to configure is the minimum required to complete each of the following steps.
Step 1: Add the RD Web Access server to the TS Web Access Computers group on the RD Connection Broker server
Step 2: Add RD Session Host servers as RemoteApp Sources on RD Connection Broker server
Step 3: Add the RD Connection Broker server to TS Web Access Computers group on each RD Session Host server
Step 4: Digitally sign RemoteApp programs on each RD Session Host server
Use the following steps to sign RemoteApp programs by using RemoteApp Manager. The procedure assumes that you are working from a central administrator workstation, the certificate is stored on the central administrator workstation, and the central administrator workstation has the RemoteApp Manager tool installed.
Repeat the steps in the procedure for each RD Session Host that is providing RemoteApp programs through RemoteApp and Desktop Connection.
Step 5: Specify certificate on RD Connection Broker server
If the RemoteApp programs are signed using a certificate from a public CA that participates in the Microsoft Root Certificate Program Members program (http://go.microsoft.com/fwlink/?LinkID=59547), then Web SSO should just work.
If the certificate is not issued by a trusted public CA, the certificate must be imported into the Trusted Root Certification Authorities certification store on the client computer to be trusted by the client operating system. Members of the local Administrators group, or equivalent, on the client computer can import the certificate or it can be done by using Group Policy.
The ‘Trusted Certificate Authority Root’ certificate (shown below) must be imported into the Trusted Root Certification Authorities certification store on the client computer and on the RD Session Host and RD Connection Broker machines. The ‘Certificate for Signing Remote App Programs’ certificate must be imported into the Personal store on the RD Session Host and RD Connection Broker machines.
If RD Web Access is configured to use Windows Authentication (the Windows Server 2008 mode) instead of the default Forms Based Authentication (FBA), users will be prompted for credentials twice: once for Windows Integrated Authentication to RD Web Access and again on the launch of the first RemoteApp program in the RemoteApp and Desktop Connection. On subsequent RemoteApp launches, SSO works as it does in FBA mode.
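As an added example (not from the original post and not Microsoft's own tooling), the following PowerShell script performs the "TS Web Access Computers" membership step on the server it runs on and then checks the certificate placement described above: signing certificate with its private key in the Personal store, and a chain that builds to a root the machine trusts. The account name, the thumbprint placeholder and the use of net localgroup for the group step are assumptions; it serves both the RD Session Host and the RD Connection Broker procedures (pass the RD Web Access account, or the broker's account on each RD Session Host).

```powershell
# Added example (not part of the original post). Run on the RD Session Host or
# RD Connection Broker being configured, as a member of local Administrators.
# The account name and thumbprint are placeholders to replace with your values.
param(
    # Computer account to grant access: the RD Web Access server, or (on each
    # RD Session Host in broker mode) the RD Connection Broker server.
    [string]$MemberAccount = 'CONTOSO\RDWEB01$',
    # Thumbprint of the 'Certificate for Signing Remote App Programs' certificate.
    [string]$SigningThumbprint = 'REPLACE-WITH-THUMBPRINT'
)

$groupName = 'TS Web Access Computers'

# Step 1: add the computer account (DOMAIN\NAME$) to the local group if missing.
$members = net localgroup $groupName
if ($members -notcontains $MemberAccount) {
    net localgroup $groupName $MemberAccount /add | Out-Null
    $members = net localgroup $groupName
}
$inGroup = $members -contains $MemberAccount

# Certificate checks: the signing certificate must sit in the Personal store
# of the local machine together with its private key.
$signing = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $SigningThumbprint }
$hasKey = ($signing -ne $null) -and $signing.HasPrivateKey

# Build the chain offline (no revocation lookup) to confirm the issuing root
# is present in Trusted Root Certification Authorities on this machine.
$chainOk = $false
$chainStatus = 'signing certificate not found in Cert:\LocalMachine\My'
if ($signing) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($signing)
    $chainStatus = ($chain.ChainStatus |
        ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    if ($chainOk) { $chainStatus = 'chain builds to a trusted root' }
}

# Summary object: every value should be True before moving to the next step.
New-Object PSObject -Property @{
    Computer           = $env:COMPUTERNAME
    MemberInGroup      = $inGroup
    SigningCertWithKey = $hasKey
    ChainTrusted       = $chainOk
    ChainStatus        = $chainStatus
}
```

Run it once per server that the procedure touches; in broker mode that means once on the RD Connection Broker with the RD Web Access account and once on each RD Session Host with the broker's account.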
Web SSO also works when RemoteApp programs are set to use RD Gateway regardless of whether RD Web Access accesses RemoteApp programs in RD Session Host mode or RD Connection Broker mode.
The configuration of Web SSO for RD Gateway assumes that:
More details on how to configure a ‘Connection Authorization Policy’ on RD Gateway can be found here.
The step below is needed regardless of the mode in which RD Web Access is configured. In the case of RD Connection Broker mode, the step must be performed on each RD Session Host server that is added as a RemoteApp Source on the RD Connection Broker server.
I have a very simple setup: XP SP3 clients and Remote Desktop Services on a Win2008 R2 (on SP). I configured RDWeb and also got rid of the second login that was needed initially when the user clicks on a published app on RDWeb. However, I still can't find a way to get rid of the initial login dialog from RDWeb. All is in the same domain and the URL is successfully identified as "Local intranet"; every normal ASP.NET website then uses the credentials (especially when it is configured in IIS like that). However, I haven't found a way around this login on RDWeb. Pretty annoying is the least to say; help would be very much appreciated.
[sorry for my bad English (I am French)]
First... I want to say thank you for this article, which is my base for working on this subject.
But... just one remark... as usual (as in all the articles on the web)...
there is no part indicating a way to... validate!!! the good implementation.
OK for single sign-on... it's easy to see if it works or not...
But... how to verify the good implementation of the session broker??
Some idea on this point?
I would like to be able to verify as clearly as possible that everything is really working as it should!
Thanks for all
If you are not getting credential prompts after entering creds once on Forms based auth when end user connects, that means it's working properly. Have you looked at the Best Practice Analyzer for RDS in WS08 R2: technet.microsoft.com/.../dd391873(WS.10).aspx ?
To add to what Olga said, the RD Connection Broker is responsible for a) reconnecting users to the same RD Session Host server on which they have a session and b) spreading out new connection requests over the servers in the farm. Therefore, one way you can determine that the RDCB is brokering connections as expected is to examine the sessions in the RDS Manager. If one user is running all applications from a single session, and the session load of all users is distributed across the farm, that indicates that brokering is working. If one server consistently has no sessions but the other servers do, that may indicate an issue if this situation persists over time.
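The two checks in the reply above (each user on a single RD Session Host, and load spread across the farm) can be automated instead of reading RDS Manager by hand. This added PowerShell script is not from the original post or its commenters; the farm server names are assumptions, it relies on query session being reachable on every host, and its output parsing assumes the column layout of Windows Server 2008 R2.

```powershell
# Added example (not part of the original post): tally sessions per user and
# per RD Session Host so that broker behaviour can be verified from a script.
# Server names are placeholders; run with rights to query sessions on each host.
$farm = 'RDSH01', 'RDSH02', 'RDSH03'

$sessions = foreach ($server in $farm) {
    # query session prints fixed-width columns. Rows of interest carry a user
    # name, a numeric ID and an Active/Disc state; a disconnected session has
    # an empty SESSIONNAME, so the user name may be the first token.
    foreach ($line in (query session /server:$server 2>$null)) {
        if ($line -match '^\s*(\S+\s+)?(\S+)\s+(\d+)\s+(Active|Disc)' -and
            $matches[2] -ne 'services') {          # 'services' has no user
            New-Object PSObject -Property @{
                Server = $server; User = $matches[2]; State = $matches[4]
            }
        }
    }
}

# Check a): a user should have sessions on exactly one server. Sessions on two
# servers mean the broker did not reconnect the user to the existing session.
foreach ($u in ($sessions | Group-Object User)) {
    $hosts = @($u.Group | Select-Object -ExpandProperty Server | Sort-Object -Unique)
    if ($hosts.Count -gt 1) {
        Write-Warning ("{0} has sessions on {1}" -f $u.Name, ($hosts -join ', '))
    }
}

# Check b): new connections should be spread over the farm. A server with no
# sessions while the others carry load is worth investigating if it persists.
$perServer = foreach ($server in $farm) {
    New-Object PSObject -Property @{
        Server   = $server
        Sessions = @($sessions | Where-Object { $_.Server -eq $server }).Count
    }
}
$busy = @($perServer | Where-Object { $_.Sessions -gt 0 })
foreach ($s in $perServer) {
    if ($s.Sessions -eq 0 -and $busy.Count -gt 0) {
        Write-Warning ("{0} has no sessions while other servers do" -f $s.Server)
    }
}
$perServer | Sort-Object Server | Format-Table Server, Sessions -AutoSize
```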
Getting WebSSO to work (single password from logging into RD Web then launching a RemoteApp program) has been driving me crackers, and I was on the verge of giving up when I tried the solution below (also mentioned by Sergey in a previous post, although the fix was so effective I think it needs a second mention to save anyone else tearing their hair out if they missed it!)
Which leads to an official fix that isn't listed for RemoteApp but solves the issue...
The moment I put that on my server it worked perfectly using RemoteApp, RD Web Access & RD Gateway.
I've followed this guide, however I'm still asked to authenticate when accessing https://termsrv/rdweb and also when accessing RemoteApp signed .rdp programs for the first launch.
How do I get around this? Is it possible to have complete SSO when accessing the website and on all launches of RemoteApp .rdp applications?
Turns out, we're probably doing everything correctly: support.microsoft.com
The hotfix works, unfortunately it's client-side.
I'm also asked to authenticate when accessing https://termsrv/rdweb and also when accessing remoteapp signed .rdp programs for the first launch.
After following these instructions, like Dan I was still being prompted for credentials the first time I launched a RemoteApp. I found this could be fixed by adding the line
in the Custom RDP Settings tab of RemoteApp Deployment Settings in RemoteApp Manager.
For all of those trying to get rid of the RDWeb Apps logon page, it's in the web.config file. You need to go into IIS and turn off forms auth and turn on Windows auth. Then navigate to the web.config file for RDWebApps at C:\Windows\Web\RDapp\web.config (I think). In the web.config will be commented instructions on how to allow pass-through auth. Just follow these instructions and this will work.
Found the solution to the security prompt in Win Auth mode:
public bool fUserAdmin = false, fConfigPage = false, bShowPublicCheckBox = false, bPrivateMode = false;
public bool fUserAdmin = false, fConfigPage = false, bShowPublicCheckBox = false, bPrivateMode = true;
Thanks! That was the final solution that I was looking for.
For configuring SSO with a Broker you say "The certificate for digitally signing RemoteApp programs on each RD Session Host server and RD Connection Broker server should be the same". What does that actually mean? If you have the same certificate for a bunch of servers with different names won't you constantly get the IE warning message about the certificate name not matching the server name?
Great article! Where do I find TS Web Access Computers on Windows 2012? I cannot find "2. In the left pane, expand Local Users and Groups, and then click Groups." in my installation.
With Citrix one checkbox ... what a mess ...