Solved

RD Web SSO

Posted on 2011-09-12
5
2,096 Views
Last Modified: 2013-12-08
Working on SSO for RDWeb.  I'm running Windows Server 2008 R2 and our desktops have Windows 7 32-bit Pro with IE9.  

The remote application works fine and I will be purchasing SSL certs for later.  My question is whether or not there is a way to have the Windows Security Credentials box not appear after the client has authenticated via https://myserver.mycompany.com/RdWeb

Thanks
0
Comment
Question by:jwilson347
  • 2
  • 2
5 Comments
 
LVL 9

Accepted Solution

by:
Lester_Clayton earned 500 total points
ID: 36545423
I have this working perfectly.   There are several conditions which have to be met in order for it to work, and they are as follows:

You must have a valid certificate for your RDWeb server, that Internet Explorer can use without any certicate warnings.  SSO will not work on an unencrypted RDWeb site.
At the RDWeb login screen, you MUST enter your domain and username when you log in.  For example, CONTOSO\PhilipJFry as the username.  This is an ABSOLUTE REQUIREMENT - I know you can specify a default domain in the RDWeb configuration, but this doesn't help whatsoever, you have to specify the domain as part of your username.
You must select "This is a private computer" on the login screen.
After you have signed in, make sure you have allowed the ActiveX control - you only have to do this once per computer.  If you have locked down IE via Policy, this control may be inadvertently disabled

Here's a little bonus gotcha - don't use IIS Redirection to get your users to the /RDWeb site on your web server - it will interfere (badly) with your TS Gateway, assuming you wish to use that.
0
 

Author Comment

by:jwilson347
ID: 36545698
Thank you Lester.  I have a certificate follow up question.

I have an external IP aliased as companyerp.company.com pointing at the internal server which is servername.mycompany.com  

I read somewhere that I needed TWO certs.  One internal and one external.  Is this true?
0
 
LVL 9

Expert Comment

by:Lester_Clayton
ID: 36549592
You can get away with just 1 certificate (external certificate), if you're happy to keep confirming an ugly yellow box which will pop up while launching an application.  Here is the certificate usages you'd effectively need:

External Certificate for:

RDS Web Server / Gateway (you can run both from the same server - preferred)
Application Signing

Internal Certificate(s) for:

Terminal Servers

Your internal certificates just need to be valid from the point of view of your internal servers - i.e. your TS Gateway needs to be able to validate them, so an Internal CA would be fine in this case.  My structure is quite complicated, but you could get away with having a Certificate Authority which has issued certificates for your terminal servers.  Be sure to add the Certificate Authority's certificate to the trusted certificate authority for all the servers involved - this mean it will automatically accept any certificates issued from it.

Your applications must be signed by the external certificate for them to become trusted. Alternatively, you can issue an internal certificate as long as the workstation which is connecting trusts the Certificate Authority.  My guess is that this won't always be the case, so that's why external certificates are more desired.
0
 

Author Comment

by:jwilson347
ID: 36550689
I got it the way I wanted, but it is a bit of a PITA.

Set up external SSL
Set up internal self-signed cert
Install the cert to each  local system under trusted authority

All is good now.  Thank you for your assistance.
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
On some Windows 7 (SP1) computers, Windows Update becomes super slow even the computer is reasonably fast.  There's one solution that seemed to have worked well for me (after trying a few other suggested solutions).
Google currently has a new report that is in beta and coming soon to Webmaster Tool accounts. This Micro Tutorial will highlight new features for Google Webmaster Tools.
This Micro Tutorial will demonstrate how to add subdomains to your content reports. This can be very importing in having a site with multiple subdomains.

896 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now