Solved

RD Web SSO

Posted on 2011-09-12
Last Modified: 2013-12-08
Working on SSO for RDWeb.  I'm running Windows Server 2008 R2 and our desktops have Windows 7 32-bit Pro with IE9.  

The remote application works fine and I will be purchasing SSL certs for later.  My question is whether or not there is a way to have the Windows Security Credentials box not appear after the client has authenticated via https://myserver.mycompany.com/RdWeb

Thanks
Question by:jwilson347

Accepted Solution

by:
Lester_Clayton earned 500 total points
ID: 36545423
I have this working perfectly.   There are several conditions which have to be met in order for it to work, and they are as follows:

  • You must have a valid certificate for your RDWeb server, that Internet Explorer can use without any certificate warnings.  SSO will not work on an unencrypted RDWeb site.
  • At the RDWeb login screen, you MUST enter your domain and username when you log in.  For example, CONTOSO\PhilipJFry as the username.  This is an ABSOLUTE REQUIREMENT - I know you can specify a default domain in the RDWeb configuration, but this doesn't help whatsoever, you have to specify the domain as part of your username.
  • You must select "This is a private computer" on the login screen.
  • After you have signed in, make sure you have allowed the ActiveX control - you only have to do this once per computer.  If you have locked down IE via Policy, this control may be inadvertently disabled.

Here's a little bonus gotcha - don't use IIS Redirection to get your users to the /RDWeb site on your web server - it will interfere (badly) with your TS Gateway, assuming you wish to use that.

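The first condition in the answer above (a certificate the client accepts without warnings) can be checked from a client desktop before testing SSO. The following PowerShell is an added example, not part of the original thread; the function name `Test-RdWebCertificate` is hypothetical and the host name is the asker's placeholder.

```powershell
# Added example, not from the thread: report how this client judges the RDWeb certificate.
function Test-RdWebCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )

    $state = @{}
    # Diagnostic callback: record the verdict Windows reached, then let the
    # handshake finish so the certificate can be inspected. No data is sent.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($source, $certificate, $chain, $policyErrors)
        $state.Certificate  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
        $state.PolicyErrors = $policyErrors
        $state.ChainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status })
        return $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        # The name passed here is the name the certificate has to match.
        $ssl.AuthenticateAsClient($HostName)
        $ssl.Close()
    }
    finally {
        $tcp.Close()
    }

    $cert = $state.Certificate
    New-Object PSObject -Property @{
        HostName     = $HostName
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        Thumbprint   = $cert.Thumbprint
        # None = name matches and the chain ends in a root this machine trusts.
        PolicyErrors = $state.PolicyErrors
        ChainStatus  = ($state.ChainStatus -join ', ')
        Trusted      = ($state.PolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
    }
}

# Placeholder host name from the question; use the exact name users type in the browser.
Test-RdWebCertificate -HostName 'myserver.mycompany.com' | Format-List
```

A `PolicyErrors` value of `RemoteCertificateNameMismatch` means the certificate was issued for a different name than the one used to connect; `RemoteCertificateChainErrors` with a `ChainStatus` such as `UntrustedRoot` means the issuing CA is not in this machine's trusted store.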
Author Comment

by:jwilson347
ID: 36545698
Thank you Lester.  I have a certificate follow up question.

I have an external IP aliased as companyerp.company.com pointing at the internal server which is servername.mycompany.com  

I read somewhere that I needed TWO certs.  One internal and one external.  Is this true?

Expert Comment

by:Lester_Clayton
ID: 36549592
You can get away with just 1 certificate (external certificate), if you're happy to keep confirming an ugly yellow box which will pop up while launching an application.  Here are the certificate usages you'd effectively need:

External Certificate for:

  • RDS Web Server / Gateway (you can run both from the same server - preferred)
  • Application Signing

Internal Certificate(s) for:

  • Terminal Servers

Your internal certificates just need to be valid from the point of view of your internal servers - i.e. your TS Gateway needs to be able to validate them, so an Internal CA would be fine in this case.  My structure is quite complicated, but you could get away with having a Certificate Authority which has issued certificates for your terminal servers.  Be sure to add the Certificate Authority's certificate to the trusted certificate authority for all the servers involved - this means it will automatically accept any certificates issued from it.

Your applications must be signed by the external certificate for them to become trusted. Alternatively, you can issue an internal certificate as long as the workstation which is connecting trusts the Certificate Authority.  My guess is that this won't always be the case, so that's why external certificates are more desired.
 

Author Comment

by:jwilson347
ID: 36550689
I got it the way I wanted, but it is a bit of a PITA.

  • Set up external SSL
  • Set up internal self-signed cert
  • Install the cert to each local system under trusted authority

All is good now.  Thank you for your assistance.