16 August 2010

The quest for Remote Desktop Services Web Access Single Signon

In previous posts i have configured and tested a few RDS configurations.  As yet I am failing to get SSO working through the Web access.

So nothing else to do but start from scratching this time knowing a little more...  I rebuild my lab server completely from scratch, so i don't have any lingering configuration.   Just removing the roles and services does not clear all the settings.

I select only the bare minimum roles to get this test up and running.

  • Remote Desktop Session Host
  • Remote desktop Web Access
 I select running - Require Network Level Authentication

The rest I leave on the defaults.

Why do I only select those options?  Do I need a connection broker? - Here is a very nice article that describes small medium and large RDS deployments and when you need to switch from just using RDS Hosts to using a connection broker.  http://blogs.msdn.com/b/rds/archive/2009/06/05/publishing-in-windows-server-2008-r2.aspx

There are some minimum requirements for SSO to work.

  • To take advantage of the new Web SSO feature, the client must be running Remote Desktop Connection (RDC) 7.0. - Vista and XP needs to be updated to this.
  • The connection in RemoteApp and Desktop Connections must have an ID. In RD Session mode, it is set to the FQDN of the RD Web Access server. 
  • RemoteApp programs must be digitally signed using a Server Authentication certificate. The certificate Enhanced Key Usage section must contain Server Authentication (  
  • Client operating systems must trust the certificate with which the RemoteApp programs are signed.
In my case I request a valid Server Authentication Certificate from my local CA.  This make it easier to ensure that my clients trust the certificate.

Step 1: Add the RD Web Access server to the TS Web Access Computers group on the RD Session Host server

  • On the RD Session Host server, click Start, point to Administrative Tools, and then click Computer Management. 
  • In the left pane, expand Local Users and Groups, and then click Groups. 
  • In the right pane, double-click TS Web Access Computers
  • In the TS Web Access Computers Properties dialog box, click Add. 
  • In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types. 
  • In the Object Types dialog box, select the Computers check box, and then click OK. 
  • In the Enter the object names to select box, specify the computer accounts of the RD Web Access server and the RD Connection Broker server, and then click OK. 
  • Click OK to close the TS Web Access Computers Properties dialog box.
 Step 2: Digitally sign the RemoteApp programs on the RD Session Host server

  • On the RD Session Host server, open RemoteApp Manager. To open RemoteApp Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click RemoteApp Manager. 
  • In the Actions pane of RemoteApp Manager, click Digital Signature Settings.
  • Select the Sign with a digital certificate check box. 
  • In the Digital certificate details box, click Change. 
  • In the Select Certificate dialog box, select the certificate that you want to use, and then click OK.

Note: The Select Certificate dialog box is populated by certificates that are located in the local computer's certificates store or in your personal certificate store. The certificate that you want to use must be located in one of these stores. 
So by now this should work.
When I launch the RD Web Access site i get the SSL certificate warning.  This is because by default the site uses a self signed certificate that is not trusted by the client.  So I am going to change that to use the Certificate i requested earlier.
  • Open IIS Manager
  • Select Default Web  Site
  • Select Binding from the Actions pane
  • Edit the https settings
  • Change the SSL certificate to the one you installed earlier.
  • Select View to ensure the correct certificate is being used.

When we connect to the site now there is no Certificate warning.  If you log on you will see that there are no applications.
To "fix this" we will just publish a Remote desktop to the server.
  • Open the RemoteApp  Manager
  • On the RD Session Host Server Setting select change
  • Check the  "Show a remote desktop connection to this RD session Host Server in RD Web Access"
  • OK

I am also going to publish the WordPad application.
  • Open the RemoteApp Manager
  • From the Action Pane select "Add RemoteApp Program"
  • Follow the wizard.
Now Refresh your Web Access Window and there should be an application and a remote desktop connection.
Selecting the WordPad application starts up a Warning.  Selecting connect then launches the application successfully without prompting for credentials.   So at this Point SSO is working
If we launch the Remote desktop however we are prompted for credentials.  This is not because SSO is not working.  It is because the default for Remote desktop is to prompt for alternate credentials.
--- Update ---

I have discovered that there is an issue with Windows 7 connecting to the RDS with SSO. To test you can use Vista and Win 2008 R2


Rodney said...

Is there a way to change the default for Remote Desktop prompting for alternate credentials?

Etienne Liebetrau said...


Are you referring to using the RDC directly or through the web interface?

If you are getting in int the web interface trying clearing all your session cookies - or try "in private browsing"

If you still have issues let me know, there are a few trouble shooting steps we can go through.

Rodney said...

Thanks for the response. I'm refering to the default setting to prompt for alternate credentials when "Show a remote desktop connection to this RD session Host Server in RD Web Access" is selected.

Hopeing to find a way to keep everything seemless.

Rodney said...

Thanks for the response. I was refering to how Windows forces Alteranate Credenticals when you check the "Show a remote desktop connection to this RD session Host Server in RD Web Access" checkbox.

Etienne Liebetrau said...

Hi Rodney

This was actually quite an interesting question. I had a good look at the generated rdp files and found that the authentication settings are the same. The issue is that launching the RDP explorer shell requires the log in.

As a nifty test try the following

Publish a windows shell (cmd or powershell)When this application is launched you can start up explorer.exe / control.exe etc. This will give you some of the remote desktop you could be looking for. Create a bath file to launch these for you and off you go.

Must admit, normally what I do it to publish mstsc so i can connect to any server through the gateway, in that case it is handy to be prompted for server name and credentials.

But yes I would be very nice if it just worked with SSO.

DK said...

Yes Iam referring to using the RDC directly or through the web interface?
No Luck after applying fix http://support.microsoft.com/default.aspx?scid=kb;EN-US;977507

Advise if you have any steps

Post a Comment