Avatar of kellysys

asked on

How to allow single sign on to TS from clients in different remote domains


I have been reading about TS 2008 and Single Sign Ons.

In my case I would like to allow my remote clients to access the TS 2008 with a single sign on. i.e. their AD signon.

Problem is that my clients are in remote locations and may be in different domains.

Is it possible to have single sign on functionality from remote clients even when remote clients can each be members of different domains? How can this be best achieved? Am I better off buying a 3rd party product?

In the event that this is supported, do you know what will be returned for user name and domain name when queried from within the TS session?

Many thanks,

Avatar of Netman66
Avatar of kellysys



In this scenario is there a mapping defined between the domain user on one side and the domain user on the other side?

\\abcdomain\user1    maps to    \\tsdomain\tsusera
\\defdomain\user1    maps to    \\tsdomain\tsuserb

So when we query for the user on the TS we get \\tsdomain\tsusera

Is it possible on the TS side to see that the user was originally \\abcdomain\user1 ?

Thanks for your help.

By using ADFS, you are allowing users from other domains to have access to certain claims-aware applications that you define (in this scenario).

You will see the domain\username of the currently logged in user - there is no mapping as this isn't Services for Unix.  Each user will attach using their own credentials.

Thank you again Netman66.

Finally, does ADFS have to be installed on both sides, as I may have problems with getting this installed on the remote infrastructure?

Thanks for great advice - could I trouble you to answer my question on where ADFS needs to reside?

Yes, a server on each side.  The instructions in the link are very detailed and explain how to set it all up.

You will likely have to work with the company on the other side to accomplish this, but it's definitely the way to do it right.