Hi, I’m Sergey, one of the developers on the team that produces Remote Desktop Services. In Windows Server 2008 R2, we introduced Web Single Sign-On (web SSO), which reduced the number of times a user was asked for credentials when accessing RemoteApp programs published through Remote Desktop Web Access (RD Web Access). Enabling this was complex and difficult for users. In this post, I'll explain how easy it is to set this up in Windows Server 2012. It basically works "out of the box."
If your deployment is based solely on Windows Server 2012 and/or Windows 8 virtual machine VDI, and all the clients support Remote Desktop Protocol (RDP) 8.0, no special configuration is required.
It is now easier to configure SSO by using the logged-on user's credentials for intranet users who are subscribed to a RemoteApp and Desktop Connections feed. To enable SSO, the administrator only needs to add the fully qualified domain name (FQDN) of the RD Connection Broker server (with a "TERMSRV/" prefix) to the server list of the corresponding Credentials Delegation Group Policy setting.
For more information about how to configure the Credentials Delegation policy setting for single sign-on, see How to enable single sign-on for my Terminal Server connections.
Note: Any other Credentials Delegation policy setting can be applied to the deployment the same way. Also, credentials saved when connecting to any resource in the deployment will work for the entire deployment.
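The following PowerShell is an added example, not code from the original post or from the RDS team. It writes the local-policy equivalent of the "Allow delegating default credentials" Credentials Delegation setting described above for a single RD Connection Broker SPN, then audits the resulting server list. The broker FQDN, the function names and the registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation are assumptions for this example; in a domain you would set the same values through the Group Policy editor instead.

```powershell
# Added example (not from the original post). Configures the local-policy
# equivalent of the "Allow delegating default credentials" setting for one
# RD Connection Broker SPN, then audits every SPN the policy delegates to.
# Assumptions: run elevated on the client; the broker FQDN is a placeholder.

$BrokerFqdn = 'rdcb.contoso.example'   # placeholder, replace with your broker FQDN
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$ListKey    = Join-Path $PolicyKey 'AllowDefaultCredentials'

function Enable-RdcbCredentialDelegation {
    param([Parameter(Mandatory)][string]$Fqdn)

    # Refuse wildcards: delegating default credentials to TERMSRV/* hands the
    # user's password to any host the client can be made to connect to.
    if ($Fqdn -match '\*') { throw "Wildcard SPNs are not allowed; use the broker FQDN." }

    $spn = "TERMSRV/$Fqdn"
    New-Item -Path $PolicyKey -Force | Out-Null
    New-Item -Path $ListKey   -Force | Out-Null

    # Enable the policy and merge with the OS defaults (the GPO's
    # "Concatenate OS defaults with input above" checkbox).
    Set-ItemProperty -Path $PolicyKey -Name 'AllowDefaultCredentials'          -Type DWord -Value 1
    Set-ItemProperty -Path $PolicyKey -Name 'ConcatenateDefaults_AllowDefault' -Type DWord -Value 1

    # The server list is stored as numbered string values ("1", "2", ...) under the subkey.
    $existing = @((Get-Item $ListKey).GetValueNames() |
                  ForEach-Object { (Get-ItemProperty $ListKey -Name $_).$_ })
    if ($existing -notcontains $spn) {
        $next = $existing.Count + 1
        Set-ItemProperty -Path $ListKey -Name "$next" -Type String -Value $spn
    }
    return $spn
}

function Get-CredentialDelegationAudit {
    # Lists every delegated SPN and flags entries a reviewer should question:
    # wildcards, or SPNs that are not TERMSRV/ (i.e. not Remote Desktop at all).
    if (-not (Test-Path $ListKey)) { return @() }
    (Get-Item $ListKey).GetValueNames() | ForEach-Object {
        $spn = (Get-ItemProperty $ListKey -Name $_).$_
        [pscustomobject]@{
            Index    = $_
            Spn      = $spn
            Wildcard = [bool]($spn -match '\*')
            Risky    = [bool](($spn -match '\*') -or ($spn -notmatch '^TERMSRV/'))
        }
    }
}

Enable-RdcbCredentialDelegation -Fqdn $BrokerFqdn
Get-CredentialDelegationAudit | Format-Table -AutoSize
```

The audit function is the part worth keeping around: because every connection that goes through the same broker shares the delegated credentials, the server list should contain exactly the broker's TERMSRV/ SPN and nothing broader.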
When you add the Remote Desktop Gateway (RD Gateway) role service to your deployment, it is configured to support web SSO by default. The deployment RD Gateway property responsible for this is “Use RD Gateway credentials for remote computers.”
To view or change this property, open Server Manager, navigate to Server Manager > Remote Desktop Services > Overview, and in the DEPLOYMENT OVERVIEW section, on the TASKS menu, click Edit Deployment Properties (see the following screenshot).
In the Properties dialog box, select the RD Gateway tab. For web SSO to work with RD Gateway, select the Use RD Gateway credentials for remote computers check box, and set the Logon method to Password Authentication.
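The same two settings can be checked and corrected from PowerShell with the RemoteDesktop module, which is useful for verifying a deployment after the fact. This is an added example, not from the original post: the broker FQDN is a placeholder, and the property and parameter names (GatewayMode, GatewayExternalFqdn, LogonMethod, UseCachedCredentials, BypassLocal) are those of Get-RDDeploymentGatewayConfiguration / Set-RDDeploymentGatewayConfiguration as the module documents them; confirm them with Get-Help on your build.

```powershell
# Added example (not from the original post). Reads the deployment's RD Gateway
# settings and enforces the two that web SSO needs: "Use RD Gateway credentials
# for remote computers" (UseCachedCredentials) and a Password logon method.
# Assumptions: Windows Server 2012 with the RemoteDesktop module; the
# connection broker FQDN below is a placeholder.

Import-Module RemoteDesktop

$Broker = 'rdcb.contoso.example'   # placeholder, replace with your broker FQDN

function Test-RdGatewayWebSso {
    param([Parameter(Mandatory)][string]$ConnectionBroker)
    $cfg = Get-RDDeploymentGatewayConfiguration -ConnectionBroker $ConnectionBroker
    [pscustomobject]@{
        GatewayMode          = $cfg.GatewayMode
        ExternalFqdn         = $cfg.GatewayExternalFqdn
        LogonMethod          = $cfg.LogonMethod
        UseCachedCredentials = $cfg.UseCachedCredentials
        # Web SSO through the gateway needs a gateway in use, password logon,
        # and reuse of the gateway credentials for the remote computer.
        WebSsoReady          = ($cfg.GatewayMode -ne 'DoNotUse') -and
                               ($cfg.LogonMethod -eq 'Password') -and
                               [bool]$cfg.UseCachedCredentials
    }
}

function Enable-RdGatewayWebSso {
    param([Parameter(Mandatory)][string]$ConnectionBroker)
    $cfg = Get-RDDeploymentGatewayConfiguration -ConnectionBroker $ConnectionBroker
    if ($cfg.GatewayMode -eq 'DoNotUse') {
        throw 'No RD Gateway in the deployment; add the role service first.'
    }
    # Custom mode keeps the existing external FQDN and bypass setting; only the
    # logon method and credential reuse are changed.
    Set-RDDeploymentGatewayConfiguration -ConnectionBroker $ConnectionBroker `
        -GatewayMode Custom `
        -GatewayExternalFqdn $cfg.GatewayExternalFqdn `
        -LogonMethod Password `
        -UseCachedCredentials $true `
        -BypassLocal $cfg.BypassLocal `
        -Force
    Test-RdGatewayWebSso -ConnectionBroker $ConnectionBroker
}

$state = Test-RdGatewayWebSso -ConnectionBroker $Broker
if ($state.WebSsoReady) { $state } else { Enable-RdGatewayWebSso -ConnectionBroker $Broker }
```

Run the test function alone first; it is read-only and shows which of the two settings is off before anything is changed.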
For the new web SSO to work, the RD Connection Broker server and the RD Session Host servers in the deployment must run Windows Server 2012, and all virtual desktops must run Windows 8. The accessing clients must support RDP 8.0. In mixed environments, you’ll have to configure web SSO the old way. As before, web SSO with smart cards is not supported.
I hope I’ve clearly shown how we have made web single sign-on much easier to set up so that you can more easily reduce credential prompts, which helps make the end user more productive. If you have any questions or comments, please comment on this blog post.
So, setup on Windows 2008 R2 is still unnecessarily difficult, and Microsoft's solution is to make it easier on Windows 2012 and Windows 8 (neither of which anyone is using or is likely to have in large-scale production anytime soon). Meanwhile, I've been struggling to get this working on a single server for weeks. I remember setting this up on Citrix years ago - it was a check box. Oh well.
Can we get some more details on this new SSO? Does it still rely on certificates, or is there another way the SSO is set up? There isn't much technical content about the inner workings of RDS (yet) on TechNet.
The new SSO relies on the Redirector (Connection Broker) identity. All connections going through the same Connection Broker will share user credentials.
I've got this working but want to support older clients through TMG 2010. I cannot find out where to specify the custom RDP settings in Server 2012 for pre-authentication. Any idea?
Also in 2008 R2 we were able to specify a friendly name for the gateway instead of using the FQDN of each server. How can this be done in 2012?
For this purpose, try using the free remote desktop software Ammyy Admin.
It's a zero-config app! Instantly connects to any PC. No installation or registration required. Way faster than anything else.
Hope you'll like it!
Hi, can I use SSO 2012 with Windows 7? Or just Windows 8?
How can I use the SSO to log on to the RDS in IE, when using RDS to connect to another remote desktop with the RemoteApp remote desktop connections?
The old way isn't possible with Windows 2012, as the options are different.
There is a broken link.
I can't get the Remote Desktop Connection to work. Can you fix it for me?
I deployed Remote Desktop Server 2012 with all the fancy bells and whistles and everything works pretty well, except one thing. When accessing the RDWeb page from the Internet and clicking on any Web App icon, I get this stupid message "Do you want to open or save FILENAME.rdp on SERVER.URL" and I have to click Open every time to launch any App. Of course RDWeb is published via TMG 2010. Am I doing something wrong, or is this by design? Can you let me know how to fix that? When I access the same page internally (i.e. not via TMG) everything works just perfectly. I tried all possible options in TMG, including Kerberos or FBA, but to no avail. Please help me!
Who do we need to convince that SmartCard should be supported? User names and passwords are far easier to hack. We wanted to use this as a remote access solution, but with smartcards required for our users, this just went bust.