Solved

RD Web SSO

Posted on 2011-09-12
Last Modified: 2013-12-08
Working on SSO for RDWeb.  I'm running Windows Server 2008 R2 and our desktops have Windows 7 32-bit Pro with IE9.  

The remote application works fine and I will be purchasing SSL certs for later.  My question is whether or not there is a way to have the Windows Security Credentials box not appear after the client has authenticated via https://myserver.mycompany.com/RdWeb

Thanks
Question by:jwilson347
5 Comments
 
LVL 9

Accepted Solution

by:
Lester_Clayton earned 500 total points
ID: 36545423
I have this working perfectly.   There are several conditions which have to be met in order for it to work, and they are as follows:

  • You must have a valid certificate for your RDWeb server, that Internet Explorer can use without any certificate warnings.  SSO will not work on an unencrypted RDWeb site.
  • At the RDWeb login screen, you MUST enter your domain and username when you log in.  For example, CONTOSO\PhilipJFry as the username.  This is an ABSOLUTE REQUIREMENT - I know you can specify a default domain in the RDWeb configuration, but this doesn't help whatsoever, you have to specify the domain as part of your username.
  • You must select "This is a private computer" on the login screen.
  • After you have signed in, make sure you have allowed the ActiveX control - you only have to do this once per computer.  If you have locked down IE via Policy, this control may be inadvertently disabled.

Here's a little bonus gotcha - don't use IIS Redirection to get your users to the /RDWeb site on your web server - it will interfere (badly) with your TS Gateway, assuming you wish to use that.

Author Comment

by:jwilson347
ID: 36545698
Thank you Lester.  I have a certificate follow up question.

I have an external IP aliased as companyerp.company.com pointing at the internal server which is servername.mycompany.com  

I read somewhere that I needed TWO certs.  One internal and one external.  Is this true?
LVL 9

Expert Comment

by:Lester_Clayton
ID: 36549592
You can get away with just 1 certificate (external certificate), if you're happy to keep confirming an ugly yellow box which will pop up while launching an application.  Here are the certificate usages you'd effectively need:

External Certificate for:

  • RDS Web Server / Gateway (you can run both from the same server - preferred)
  • Application Signing

Internal Certificate(s) for:

  • Terminal Servers

Your internal certificates just need to be valid from the point of view of your internal servers - i.e. your TS Gateway needs to be able to validate them, so an Internal CA would be fine in this case.  My structure is quite complicated, but you could get away with having a Certificate Authority which has issued certificates for your terminal servers.  Be sure to add the Certificate Authority's certificate to the trusted certificate authority for all the servers involved - this means it will automatically accept any certificates issued from it.

Your applications must be signed by the external certificate for them to become trusted. Alternatively, you can issue an internal certificate as long as the workstation which is connecting trusts the Certificate Authority.  My guess is that this won't always be the case, so that's why external certificates are more desired.
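Both the first condition in the accepted answer (a certificate Internet Explorer accepts without warnings) and the external certificate for the RD Web / Gateway host described above can be checked from a workstation. The following PowerShell is an added example, not part of the original thread: it asks the local machine how it judges the certificate presented on port 443. The function name `Test-RdWebCertificate` is hypothetical; the host name is the one given in the question.

```powershell
# Added example, not from the thread. Reports how THIS machine judges the
# certificate an HTTPS endpoint presents (name match, chain trust, expiry).
function Test-RdWebCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )
    $seen = @{}   # filled in by the validation callback
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($source, $certificate, $chain, $policyErrors)
        $seen.PolicyErrors = $policyErrors
        # Copy the values out now; the chain object is only valid inside the callback
        $seen.ChainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status })
        $seen.Certificate  = [System.Security.Cryptography.X509Certificates.X509Certificate2]$certificate
        $true   # never reject here: the goal is to inspect, not to connect
    }.GetNewClosure())

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        # This overload does not check revocation and sends no client certificate.
        $ssl.AuthenticateAsClient($HostName)
    } finally {
        $tcp.Close()
    }

    $policy = $seen.PolicyErrors
    New-Object PSObject -Property @{
        Subject      = $seen.Certificate.Subject
        Issuer       = $seen.Certificate.Issuer
        NotAfter     = $seen.Certificate.NotAfter
        NameMatches  = -not ($policy -band [Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch)
        ChainTrusted = -not ($policy -band [Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors)
        ChainStatus  = ($seen.ChainStatus -join ', ')
        NoWarnings   = ($policy -eq [Net.Security.SslPolicyErrors]::None)
    }
}

# Host name taken from the question; run this on a workstation that will use RD Web.
Test-RdWebCertificate -HostName 'myserver.mycompany.com'
```

`NoWarnings` is True only when the name the user types matches the certificate and the chain ends in a root this machine trusts; the check uses the same Windows certificate stores that Internet Explorer relies on, so a workstation missing an internal CA shows `ChainTrusted` as False.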
 

Author Comment

by:jwilson347
ID: 36550689
I got it the way I wanted, but it is a bit of a PITA.

  • Set up external SSL
  • Set up internal self-signed cert
  • Install the cert to each local system under trusted authority

All is good now.  Thank you for your assistance.

Question has a verified solution.
