Customizing RD Gateway authentication and authorization schemes

Imagine that you are responsible for managing Remote Desktop Services at Woodgrove Bank. Woodgrove Bank has recently approved a new authentication vendor, and you must upgrade all edge services, including Remote Desktop Gateway (RD Gateway), to support the new authentication service. How can you integrate the new authentication service with RD Gateway?

RD Gateway in Windows Server 2008 R2 lets you integrate custom authentication schemes through the pluggable authentication and authorization (PAA) framework. PAA gives your authentication vendor a COM interface for developing custom authentication and authorization plug-ins and integrating them with the RD Gateway platform; the gateway calls the plug-in to validate the client's credentials (for example, a cookie issued by your web front end) before it decides whether to proxy the RDP connection. For details, refer to the following article hosted on the code gallery: https://code.msdn.microsoft.com/Release/ProjectReleases.aspx?ProjectName=rdsdev&ReleaseId=3745

  • That's great news.

    However, I don't get exactly how the RD Session Host is informed about which AD user it has to impersonate in order to deliver the wished-for service?

    Thanks a bunch,

  • A code sample would be most appreciated in order for us to be able to figure out all the minor details that aren't covered in the brief whitepaper.

  • I tried to follow the instructions in the document on the link, but failed on installing my customized authentication DLL. Some examples and detailed instruction that works would be nice.

  • @Morten -- The user will have to authenticate himself/herself again on the RD Session Host server and Gateway is not going to impersonate the user from the authentication cookie to the RDSH server. Hope that makes it clear to you!

  • @Martin -- how did you try to install your customized auth dll? Did you follow the exact steps as mentioned in the document?

    1. Write a COM DLL implementing the COM interface exposed by RD Gateway

    2. Register the COM DLL using “regsvr32.exe” on the RD Gateway server. For example,

    Regsvr32 myAuthenticationPlugin.dll

    3. Call the WMI method “SetAuthenticationPluginAndRecycleRPCApplicationPools” (exposed by the RD Gateway server) with the parameter pluginName as the name of your plug-in DLL. For example,

    SetAuthenticationPluginAndRecycleRPCApplicationPools myAuthenticationPlugin.dll

    4. Restart the RD Gateway service.

    If yes, then please tell me which step exactly failed and what is the error?

  • @Vikash

    I do the following commands:

    # Get the RD Gateway server settings object from the Terminal Services WMI namespace
    $ts = Get-WmiObject Win32_TSGatewayServerSettings -Namespace ROOT\CIMV2\TerminalServices

    # Ask the gateway to use the registered plug-in DLL and recycle its RPC application pools
    $r = $ts.SetAuthenticationPluginAndRecycleRpcApplicationPools("rdg.dll")

    # Show the returned object; ReturnValue is the result code
    $r

    And get the response (error code 2147966007):

    __GENUS          : 2

    __CLASS          : __PARAMETERS

    __SUPERCLASS     :

    __DYNASTY        : __PARAMETERS

    __RELPATH        :

    __PROPERTY_COUNT : 1

    __DERIVATION     : {}

    __SERVER         :

    __NAMESPACE      :

    __PATH           :

    ReturnValue      : 2147966007

    I cannot find any info about the error code.

  • @Martin

    You have missed the 2nd step that I outlined earlier.

    Register the COM DLL using “regsvr32.exe” on the RD Gateway server. For example,

    Regsvr32 rdg.dll

  • I did that before the WMI call (even though I did not mention it), and that went OK.

    But I get an error code that I cannot find any documentation about.

  • @Martin

    I need to find out where this error code is documented, but you can take this from me that the error code that you are getting refers to the case when the WMI function could not find your auth DLL registered.

    After executing the command to register your auth DLL, can you check for the registry key below:

    HKEY_CLASSES_ROOT\CLSID\<CLSID For your DLL>

    Does this registry key exist? If yes, please check whether the "InProcServer32" key exists under it. If it does, please tell me what keys are under it and what their values are.
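The four-step procedure given earlier in this thread (write the COM DLL, register it with regsvr32, call the WMI method, restart the service) and the registry check suggested just above, wired together as one PowerShell script that verifies each step before moving to the next. This is an added example, not code from the blog post, the PAA whitepaper, or any of the commenters. The plug-in path is hypothetical; the script also assumes that the RD Gateway service name is TSGateway and that Win32_TSGatewayServerSettings exposes an AuthenticationPluginName property for reading the setting back.

```powershell
# Added example: register a PAA plug-in on an RD Gateway server and verify each step.
# Not code from the blog post or the PAA whitepaper. Assumptions not stated on the page:
# the DLL path is hypothetical, the gateway service is named TSGateway, and the WMI
# method accepts the plug-in DLL file name (as the comments above describe).
param(
    [string]$PluginDll = 'C:\Plugins\myAuthenticationPlugin.dll'   # hypothetical path
)

# regsvr32 and the WMI method both need an elevated session on the gateway itself.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session on the RD Gateway server.'
}
if (-not (Test-Path -LiteralPath $PluginDll)) { throw "Plug-in not found: $PluginDll" }

# Step 2: register the COM server. /s suppresses the message box, so the exit code
# is the only signal of success or failure.
$reg = Start-Process -FilePath regsvr32.exe -ArgumentList '/s', "`"$PluginDll`"" -Wait -PassThru
if ($reg.ExitCode -ne 0) { throw "regsvr32 failed with exit code $($reg.ExitCode)" }

# Verify the registration the way the comment above suggests: find every CLSID under
# HKCR\CLSID whose InProcServer32 (Default) value points at our DLL.
$dllName = [IO.Path]::GetFileName($PluginDll)
$clsids = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
    Where-Object {
        $server = Get-ItemProperty -Path "Registry::$($_.Name)\InProcServer32" -ErrorAction SilentlyContinue
        $server -and $server.'(default)' -like "*\$dllName"
    } |
    ForEach-Object { $_.PSChildName }
if (-not $clsids) { throw "No CLSID under HKCR\CLSID has an InProcServer32 pointing at $dllName" }
Write-Host "Registered CLSID(s) for ${dllName}: $($clsids -join ', ')"

# Step 3: tell RD Gateway to use the plug-in. ReturnValue 0 is success; anything else
# is a Win32/HRESULT-style code, so print it in hex as well as decimal to aid lookup.
$settings = Get-WmiObject -Class Win32_TSGatewayServerSettings -Namespace 'root\CIMV2\TerminalServices'
$result   = $settings.SetAuthenticationPluginAndRecycleRpcApplicationPools($dllName)
if ($result.ReturnValue -ne 0) {
    throw ('SetAuthenticationPluginAndRecycleRpcApplicationPools returned {0} (0x{0:X8})' -f $result.ReturnValue)
}

# Step 4: restart the gateway service, then read the configured plug-in name back
# (AuthenticationPluginName is assumed to be a property of the same WMI class).
Restart-Service -Name TSGateway -Force
$settings = Get-WmiObject -Class Win32_TSGatewayServerSettings -Namespace 'root\CIMV2\TerminalServices'
Write-Host "Authentication plug-in now configured: $($settings.AuthenticationPluginName)"
```

The registry scan is the check that separates "regsvr32 printed nothing" from "the DLL actually registered a CLSID": if it throws, the WMI call has nothing to find, which matches the failure mode described in the thread. Printing the return value in hex makes it easier to compare against documented error codes than the decimal value PowerShell shows by default.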

  • The (Default) value of InProcServer32 is "C:\share\RDG.dll". There are no keys under that key, should there be?

  • I made a test program that instantiated that COM DLL with CoCreateInstance, and that worked fine.

  • @Martin

    Can you please share the code for your auth dll with me? You can followup directly with me at vikbucha@microsoft.com

  • The registration now works and I receive the cookie in the plugin.

    I have a question:

    In the method AuthenticateUser I call pSink->OnUserAuthenticated(...) with the username and the domain of the user that shall access the remote app. I thought that this step would automatically authenticate the user, but the "Enter your credentials" dialog comes up and the user has to authenticate himself.

    Is this the way it is supposed to work, or have I done something wrong here? I would like to authenticate the user on the website and then only use the cookie as authentication in the RDG.

    /Martin

  • @Martin - Good to hear that it's working for you now and that you are getting the cookie in your custom plug-in. The credential prompt that you are seeing after calling OnUserAuthenticated(..) is for the RDS server hosting the RemoteApp. You can confirm this by the name of the server shown in the credential prompt.
