?
Solved

Windows 2012 Remoteapp single signon

Posted on 2014-01-03
1
Medium Priority
?
4,691 Views
Last Modified: 2014-01-16
Looking for a way to eliminate users having to renter their credentials multiple times on our network.  Currently we have Active Directory on a Win2008 server and on a Win2003 server.  We also have two Win 2003 Terminal Servers - each runs different application software and several users must access both servers.  So users login to the network with their AD account then RDP to each server and renter their credentials.  
We are implementing a Win 2012 server which will replace the Win2003 Terminal Servers and I am trying to get RemoteApp to eliminate the multiple login problem.  We have gotten the Remoteapp to work thru the RD Web Access but it still prompts for the username and password.  I am not sure how or if creating a msi package and installing it on the client machines will correct the problem.  
Any assistance is greatly appreciated.
0
Comment
Question by:texastek
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 64

Accepted Solution

by:
btan earned 2000 total points
ID: 39755910
Specific to Win2012 WebSSO, see [1]. For the new web SSO to work, the RD Connection Broker server and the RD Session Host servers in the deployment must run Windows Server 2012, and all virtual desktops must run Windows 8. The accessing clients must support RDP 8.0. In mixed environments, you’ll have to configure web SSO the old way. As before, web SSO with smart cards is not supported.

On the "old way", check out this introductory [2] for the WebSSO requirement esp the client machine. Based on past, Single Sign-On works only when connecting from an XP SP3, Vista or a Windows Server 2008 machine to a Vista or Windows Server 2008 machine. If the server you are connecting to cannot be authenticated via Kerberos or SSL certificate, Single Sign-On will not work.  Single Sign-On works only when using domain user accounts. If the terminal server is configured to Always prompt or RDP file setting Always prompt, then Single Sign-on to TS will not work. Single Sign-on only works with Passwords. Does not work with Smartcards.

[1] http://blogs.msdn.com/b/rds/archive/2012/06/25/remote-desktop-web-access-single-sign-on-now-easier-to-enable-in-windows-server-2012.aspx

[2] http://blogs.msdn.com/b/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx
Web SSO is supported for launching RemoteApp programs from RD Web Access or the Start menu in any of the above modes. For Web SSO to work when connecting to personal desktops or pooled virtual machines (VMs) the client machine needs this hotfix installed:  http://support.microsoft.com/kb/2524668.
Requirements
To take advantage of the new Web SSO feature, the client must be running Remote Desktop Connection (RDC) 7.0.

In order for Web SSO to work:

The connection in RemoteApp and Desktop Connections must have an ID. By default, it is set to the Fully Qualified Domain Name (FQDN) of the RD Connection Broker server in case of RD Connection Broker mode. In RD Session mode, it is set to the FQDN of the RD Web Access server.

RemoteApp programs must be digitally signed using a Server Authentication certificate [Secure Sockets Layer (SSL) certificate]. The certificate Enhanced Key Usage section must contain ‘Server Authentication (1.3.6.1.5.5.7.3.1)’. More details about the types of certificates used to digitally sign RemoteApp programs can be found here.

Client operating systems must trust the certificate with which the RemoteApp programs are signed.
Web SSO in Windows Integrated Authentication
If RD Web Access is configured to use Windows Authentication, which is the Windows Server 2008 mode, instead of the default Forms Based Authentication (FBA), users will be prompted for credentials twice: once for the Windows Integrated Authentication for RD Web Access and again on the launch of the first RemoteApp in the RemoteApp and Desktop Connection. Thereafter on subsequent RemoteApp launch, SSO will work as it works in the FBA mode.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Scenario:  You do full backups to a internal hard drive in either product (SBS or Server 2008).  All goes well for a very long time.  One day, backups begin to fail with a message that the disk is full.  Your disk contains many, many more backups th…
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question