25 August 2010

RDS Gateway, Connection Broker, and Web Access deployment with SSO

This is just a really short version of how I got all of the above to work. (This is just a reference for myself, but someone else might find it useful.)

1 server for Web Access, Connection Broker and Gateway (RDS01)
2 servers for RDS Session Host (RDS02 and RDS03)

Before I started:
  • I requested an exportable certificate from my internal CA. I then installed that certificate on the three servers I was using.
  • I created a DNS entry that matches the CA common name for use with the Gateway and Web Access
  • I created a round robin DNS entry for the two RDS Session hosts.

Install the RDS Session Host role on RDS02 and RDS03. The following was done on both machines:
  • Configure RemoteApp Management
  • Used the certificate that I pre-installed to digitally sign apps.
  • Specify gateway settings to Use gateway and Ask for password
  • Added RDS01 to the TS Web Access server group
  • Publish a different app on each host
On server RDS01
Install the RD Gateway Role Service
Install the RD Web Access Role Service

Use the pre-installed certificate for the authentication.

Tested and everything was working 100% with SSO. (Just a note: test from another machine, not one that has RDP sessions open to the TS hosts.)

Next step was to add the TS Connection Broker role service to RDS01:

  • Add the Web Access server to the TS Web Access server local group
  • Add the RDS Session Host round robin DNS name in the application source
  • Specify the certificate to use (the pre-installed one)
  • Change the gateway setting to RDS01 and Ask for password
  • Add RDS02 and RDS03 into the connection broker group.
  • Change the application source on the web interface to use the connection broker

On RDS02 and RDS03:
  • In the connection configuration
  • Join both machines to the Connection Broker farm
  • Select IP redirection
  • In RemoteApp Manager, change the RD Session Host server settings server name to use the NLB DNS name

Two Things:

When I connect to an application I get a certificate warning from the machine stating that the certificate name does not match the connection name, hardly surprising since we are now using an NLB name.

Secondly, when I update applications I need to go to the Connection Broker and re-add the app source.

--- Update ---

I have discovered that there is an issue with Windows 7 connecting to the RDS with SSO. To test, you can use Vista and Windows 2008 R2.

The fix I finally found for the Windows 7 issue was a group policy setting on the RDS servers.

You need to ensure that the following is not overwritten:

Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies / Security Options

"Network Access: Do not allow storage of passwords and credentials for network authentication" - This needs to be set to DISABLED

"Network Security: LAN Manager authentication level" needs to be set to "Send LM and NTLM - Use NTLMv2 session security if negotiated"
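As an added check (not part of the original post), the PowerShell below reads the effective registry values behind those two policies on each RDS server, so you can see whether a GPO has overwritten them. It assumes PowerShell remoting is enabled on the targets; the server names are the post's RDS01, RDS02 and RDS03, and the registry value names are the standard Windows ones backing these two policies.

```powershell
# Added example: verify the two Lsa settings the post names on each RDS server.
# Assumes PowerShell remoting is enabled on the targets (server names taken from the post).
$servers = 'RDS01', 'RDS02', 'RDS03'

$check = {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $p = Get-ItemProperty -Path $lsa

    # "Network access: Do not allow storage of passwords and credentials for network
    # authentication" is backed by DisableDomainCreds; 0 (or absent) = Disabled.
    $disableDomainCreds = if ($null -eq $p.DisableDomainCreds) { 0 } else { [int]$p.DisableDomainCreds }

    # "Network security: LAN Manager authentication level" is backed by LmCompatibilityLevel;
    # 1 = "Send LM & NTLM - use NTLMv2 session security if negotiated". Absent = OS default.
    $lmLevel = if ($null -eq $p.LmCompatibilityLevel) { 'default (not set)' } else { [int]$p.LmCompatibilityLevel }

    New-Object PSObject -Property @{
        Server             = $env:COMPUTERNAME
        DisableDomainCreds = $disableDomainCreds
        CredStorageOK      = ($disableDomainCreds -eq 0)
        LmCompatibility    = $lmLevel
        LmLevelOK          = ($lmLevel -eq 1)
    }
}

$results = foreach ($s in $servers) {
    try   { Invoke-Command -ComputerName $s -ScriptBlock $check -ErrorAction Stop }
    catch { Write-Warning "$s : $($_.Exception.Message)" }
}

$results | Format-Table Server, DisableDomainCreds, CredStorageOK, LmCompatibility, LmLevelOK -AutoSize

# A value that drifts back from the post's required settings is usually a domain GPO
# re-applying it; 'gpresult /h report.html' on that server shows which GPO is winning.
```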
