Customizing RD Gateway authentication and authorization schemes

Customizing RD Gateway authentication and authorization schemes

  • Comments 28

Imagine that you are responsible for managing Remote Desktop Services at Woodgrove Bank. Woodgrove Bank has recently approved a new authentication vendor and you must upgrade all edge services -- including Remote Desktop Gateway (RD Gateway) – to support this new authentication service. How can you integrate the new authentication service with RD Gateway?

The RD Gateway 2008 R2 server platform enables you to integrate custom authentication schemes using the pluggable authentication and authorization (PAA) framework. PAA provides your authentication vendor an interface for developing and integrating custom authentication and authorization plug-ins to the RD Gateway platform. For more details, please refer to the following article hosted on the code gallery:

Leave a Comment
  • Please add 2 and 3 and type the answer here:
  • Post
  • Thanks, is there a way to avoid it. We plan to authenticate the user already (and only) on the website


  • @Martin - Unfortunately there is no way to do single sign on between RD Gateway and RDS today when using custom authentication on the Gateway.

  • @Vikash - I see. Another question - Is there a way to get the IP-address of the caller, to make sure that the caller is the same as the one who got the cookie.

  • @Martin - I assume that by caller you mean the client. If yes, then you can get the client's IP address in the authorization Plugin call ITSGPolicyEngine::AuthorizeConnection. For more information, please refer

  • Thanks for your response. Is it possible to use the RD Web access for SSO. I havent been able to test that, but if your logged in on the Web Access can you use those credentials to log in to RDS?

  • @Martin - are you referring to using web sso with RD Web Access? If yes, then this is not a tested scenario but I would assume that it should work.

  • My question is rather: Is it possible to combine the SSO functionality between RD Web Access and RDS with cookie based authentication?



  • The Remote App manager does not support cookie based authentication, it is not possible to configure that there. Is there a way to point out a customized rdp files in RD Web Access. So far I have only managed to create a rdp file, sign it and run it from my own computer, but I have not managed to get this to work in RD Web Access.


  • @Martin - Cookie based authentication is not supported for other RDS roles like RDSH or Remote App. What I was referring to was using web SSO for RDWA so that when you specify the credentials at RDWA on the web, that credentials can be used to authenticate on the RDSH also, but cookie used at RD Gateway can't be used anywhere else.

  • I'm having a heck of a time getting my component to register. Does there need to be an entry in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Terminal Server Gateway\Authorization plug-ins\ for an authorization plug-in? I scrounged this up on the internet somewhere, if so - why is it missing from every piece of documentation I can find?

    The call to SetAuthorizationPlugin fails if I don't have a Key under that location with a "pluginName", followed by REG_SZ values describing the CLSID and Description.

    But even once those values are present, and a call to SetAuthorizationPlugin succeeds, the service never starts. I placed tracing information in DllMain, but the DLL is never loaded. Once I set everything back to its original state, the service runs.

    This process appears to be very lightly documented, can someone help?

  • Hi, I'm trying to get started doing this. I have a few questions.

    1) Where do you get the idl files? For example Tsgauthenticationengine.idl Or do we need to make our own from scratch?

    2) When we call OnUserAuthenticated and pass userName and userDomain, is this the windows domain and windows username on that domain that the connection will be running under on the session host?

    3) Assuming the answer to #2 is yes, I don't see any place in the documentation where the session host sets up any kind of trust or authorization for the gateway server so that the session host can trust who the gateway will be telling the session host the user is. What am I missing?

  • Hi,  ITSGAuthenticationEngine::AuthenticateUser(...) seems to be called only if cookie based authentication was configured in the .rdp file. Consequently, when I change the gateway credentials source manually in the .rdp, I could bypass a custom PAA plugin anyway. Can I force cookie based authentication in RD Gateway somehow (without any additional component like ISA/TGM)? Otherwise a custom PAA plugin would make less sense, doesn't it? Thx.

  • Does this all still works in Windows Server 2012?

Page 2 of 2 (28 items) 12