Solved

Windows 2012 Remoteapp single signon

Posted on 2014-01-03
Last Modified: 2014-01-16
Looking for a way to eliminate users having to re-enter their credentials multiple times on our network. Currently we have Active Directory on a Win2008 server and on a Win2003 server. We also have two Win2003 Terminal Servers; each runs different application software and several users must access both servers. So users log in to the network with their AD account, then RDP to each server and re-enter their credentials.
We are implementing a Win2012 server which will replace the Win2003 Terminal Servers and I am trying to get RemoteApp to eliminate the multiple-login problem. We have gotten RemoteApp to work through RD Web Access, but it still prompts for the username and password. I am not sure how, or if, creating an MSI package and installing it on the client machines will correct the problem.
Any assistance is greatly appreciated.
Question by:texastek

Accepted Solution

by: btan earned 500 total points
ID: 39755910
Specific to Win2012 WebSSO, see [1]. For the new web SSO to work, the RD Connection Broker server and the RD Session Host servers in the deployment must run Windows Server 2012, and all virtual desktops must run Windows 8. The accessing clients must support RDP 8.0. In mixed environments, you’ll have to configure web SSO the old way. As before, web SSO with smart cards is not supported.

On the "old way", check out the introductory post [2] for the Web SSO requirements, especially those for the client machine. Based on the past, Single Sign-On works only when connecting from an XP SP3, Vista or Windows Server 2008 machine to a Vista or Windows Server 2008 machine. If the server you are connecting to cannot be authenticated via Kerberos or SSL certificate, Single Sign-On will not work. Single Sign-On works only when using domain user accounts. If the terminal server is configured to "Always prompt", or the RDP file setting is "Always prompt", then Single Sign-On to TS will not work. Single Sign-On only works with passwords; it does not work with smart cards.

[1] http://blogs.msdn.com/b/rds/archive/2012/06/25/remote-desktop-web-access-single-sign-on-now-easier-to-enable-in-windows-server-2012.aspx

[2] http://blogs.msdn.com/b/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx

Web SSO is supported for launching RemoteApp programs from RD Web Access or the Start menu in any of the above modes. For Web SSO to work when connecting to personal desktops or pooled virtual machines (VMs) the client machine needs this hotfix installed: http://support.microsoft.com/kb/2524668.
Requirements
To take advantage of the new Web SSO feature, the client must be running Remote Desktop Connection (RDC) 7.0.

In order for Web SSO to work:

The connection in RemoteApp and Desktop Connections must have an ID. By default, it is set to the Fully Qualified Domain Name (FQDN) of the RD Connection Broker server in case of RD Connection Broker mode. In RD Session mode, it is set to the FQDN of the RD Web Access server.

RemoteApp programs must be digitally signed using a Server Authentication certificate [Secure Sockets Layer (SSL) certificate]. The certificate Enhanced Key Usage section must contain ‘Server Authentication (1.3.6.1.5.5.7.3.1)’. More details about the types of certificates used to digitally sign RemoteApp programs can be found here.

Client operating systems must trust the certificate with which the RemoteApp programs are signed.
Web SSO in Windows Integrated Authentication
If RD Web Access is configured to use Windows Authentication, which is the Windows Server 2008 mode, instead of the default Forms Based Authentication (FBA), users will be prompted for credentials twice: once for the Windows Integrated Authentication for RD Web Access and again on the launch of the first RemoteApp in the RemoteApp and Desktop Connection. Thereafter on subsequent RemoteApp launch, SSO will work as it works in the FBA mode.
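As an added illustration (not part of btan's answer and not Microsoft's code), the following PowerShell script audits the Web SSO preconditions the answer lists: the RemoteApp signing certificate carries the Server Authentication EKU (1.3.6.1.5.5.7.3.1), the machine chains it to a trusted root, the published .rdp file is signed and does not force "prompt for credentials", and the session host is not set to "Always prompt for password". The thumbprint, the .rdp path and the certificate store are assumptions supplied by the administrator; the registry value names are the standard Terminal Services ones. Run the store and registry checks on the RD Session Host, and the trust and .rdp checks on a client.

```powershell
# Added example: audit of the Web SSO requirements quoted in the answer.
# Assumed inputs (placeholders, replace with your own values):
param(
    [string]$SigningThumbprint = 'PLACEHOLDER-THUMBPRINT',   # thumbprint of the RemoteApp signing certificate
    [string]$RdpFile           = 'C:\Temp\example.rdp',      # a .rdp file downloaded from RD Web Access
    [string]$CertStore         = 'Cert:\LocalMachine\My'     # store that holds the signing certificate
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU required for Web SSO

function Test-RemoteAppSigningCert {
    param([string]$Thumbprint, [string]$Store)
    $cert = Get-ChildItem -Path $Store | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) {
        return [pscustomobject]@{ Found = $false; HasServerAuthEku = $false; ChainTrusted = $false; Subject = $null }
    }

    # EKU check: the signing certificate must list Server Authentication
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = $false
    if ($ekuExt) {
        $hasServerAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
    }

    # Trust check: an untrusted signing cert means the client falls back to prompting
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keeps the audit offline-friendly; use 'Online' when it matters
    $trusted = $chain.Build($cert)

    [pscustomobject]@{ Found = $true; HasServerAuthEku = $hasServerAuth; ChainTrusted = $trusted; Subject = $cert.Subject }
}

function Test-RemoteAppRdpFile {
    param([string]$Path)
    # .rdp files are "name:type:value" lines (type i = integer, s = string)
    $settings = @{}
    Get-Content -Path $Path | ForEach-Object {
        if ($_ -match '^(?<name>[^:]+):(?<type>[is]):(?<value>.*)$') {
            $settings[$matches['name'].Trim()] = $matches['value']
        }
    }
    [pscustomobject]@{
        AlwaysPrompt        = ($settings['prompt for credentials'] -eq '1')   # "Always prompt" in the file breaks SSO
        Signed              = $settings.ContainsKey('signature')              # signed RemoteApp files carry a signature line
        AuthenticationLevel = $settings['authentication level']               # server authentication requirement in the file
        FullAddress         = $settings['full address']
    }
}

function Test-SessionHostPromptPolicy {
    # fPromptForPassword = 1 on the listener or via policy is the server-side "Always prompt" the answer warns about
    $paths = @(
        'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp',
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    )
    $forced = $false
    foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -Name fPromptForPassword -ErrorAction SilentlyContinue
        if ($v -and $v.fPromptForPassword -eq 1) { $forced = $true }
    }
    [pscustomobject]@{ AlwaysPromptOnServer = $forced }
}

$certResult   = Test-RemoteAppSigningCert -Thumbprint $SigningThumbprint -Store $CertStore
$rdpResult    = Test-RemoteAppRdpFile -Path $RdpFile
$policyResult = Test-SessionHostPromptPolicy

$problems = @()
if (-not $certResult.Found)            { $problems += "Signing certificate $SigningThumbprint not found in $CertStore" }
if (-not $certResult.HasServerAuthEku) { $problems += "Signing certificate lacks Server Authentication EKU ($serverAuthOid)" }
if (-not $certResult.ChainTrusted)     { $problems += 'Signing certificate does not chain to a trusted root on this machine' }
if (-not $rdpResult.Signed)            { $problems += "$RdpFile is not signed; Web SSO requires signed RemoteApp programs" }
if ($rdpResult.AlwaysPrompt)           { $problems += "$RdpFile sets 'prompt for credentials:i:1', which disables SSO" }
if ($policyResult.AlwaysPromptOnServer){ $problems += 'Session host forces "Always prompt for password" (fPromptForPassword=1)' }

$certResult; $rdpResult; $policyResult
if ($problems.Count -eq 0) { 'All checked Web SSO preconditions are satisfied.' }
else { 'Web SSO will prompt for credentials because:'; $problems | ForEach-Object { " - $_" } }
```

The script reports each finding rather than stopping at the first one, because the typical symptom in this thread (a credential prompt on every launch) can come from any single unmet condition, and fixing one at a time without re-auditing the rest is what usually drags these cases out.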
