
Windows 2012 Remoteapp single signon

Looking for a way to eliminate users having to re-enter their credentials multiple times on our network. Currently we have Active Directory on a Win2008 server and on a Win2003 server. We also have two Win 2003 Terminal Servers - each runs different application software and several users must access both servers. So users log in to the network with their AD account, then RDP to each server and re-enter their credentials.
We are implementing a Win 2012 server which will replace the Win2003 Terminal Servers and I am trying to get RemoteApp to eliminate the multiple login problem. We have gotten RemoteApp to work through RD Web Access but it still prompts for the username and password. I am not sure how or if creating an MSI package and installing it on the client machines will correct the problem.
Any assistance is greatly appreciated.
Asked by: texastek
 
btan (Exec Consultant) commented:
Specific to Win2012 WebSSO, see [1]. For the new web SSO to work, the RD Connection Broker server and the RD Session Host servers in the deployment must run Windows Server 2012, and all virtual desktops must run Windows 8. The accessing clients must support RDP 8.0. In mixed environments, you’ll have to configure web SSO the old way. As before, web SSO with smart cards is not supported.

On the "old way", check out this introductory [2] for the WebSSO requirements, especially for the client machine. Based on past, Single Sign-On works only when connecting from an XP SP3, Vista or a Windows Server 2008 machine to a Vista or Windows Server 2008 machine. If the server you are connecting to cannot be authenticated via Kerberos or SSL certificate, Single Sign-On will not work. Single Sign-On works only when using domain user accounts. If the terminal server is configured to Always prompt or RDP file setting Always prompt, then Single Sign-On to TS will not work. Single Sign-On only works with passwords. It does not work with smart cards.

[1] http://blogs.msdn.com/b/rds/archive/2012/06/25/remote-desktop-web-access-single-sign-on-now-easier-to-enable-in-windows-server-2012.aspx

[2] http://blogs.msdn.com/b/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx

Web SSO is supported for launching RemoteApp programs from RD Web Access or the Start menu in any of the above modes. For Web SSO to work when connecting to personal desktops or pooled virtual machines (VMs) the client machine needs this hotfix installed: http://support.microsoft.com/kb/2524668.

Requirements

To take advantage of the new Web SSO feature, the client must be running Remote Desktop Connection (RDC) 7.0.

In order for Web SSO to work:

The connection in RemoteApp and Desktop Connections must have an ID. By default, it is set to the Fully Qualified Domain Name (FQDN) of the RD Connection Broker server in case of RD Connection Broker mode. In RD Session mode, it is set to the FQDN of the RD Web Access server.

RemoteApp programs must be digitally signed using a Server Authentication certificate [Secure Sockets Layer (SSL) certificate]. The certificate Enhanced Key Usage section must contain ‘Server Authentication (1.3.6.1.5.5.7.3.1)’. More details about the types of certificates used to digitally sign RemoteApp programs can be found here.

Client operating systems must trust the certificate with which the RemoteApp programs are signed.

Web SSO in Windows Integrated Authentication

If RD Web Access is configured to use Windows Authentication, which is the Windows Server 2008 mode, instead of the default Forms Based Authentication (FBA), users will be prompted for credentials twice: once for the Windows Integrated Authentication for RD Web Access and again on the launch of the first RemoteApp in the RemoteApp and Desktop Connection. Thereafter on subsequent RemoteApp launch, SSO will work as it works in the FBA mode.
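
The certificate and prompt conditions listed in the answer above can be checked from a client machine. This is an added example, not part of the original thread: the function name, its parameters, and the `.rdp` setting names it looks for (`signature:s:`, `prompt for credentials:i:`) are assumptions that do not appear on the page.

```powershell
# Added example, not from the original thread. Run on a client machine.
# Function name and parameters are hypothetical; paths are supplied by the caller.
function Test-RemoteAppSsoPrereqs {
    param(
        [Parameter(Mandatory = $true)] [string] $CertPath,  # exported public cert (.cer) that signs the RemoteApp programs
        [string] $RdpPath                                    # optional: a published .rdp file to inspect
    )
    $serverAuthOid   = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU named in the answer
    $ekuExtensionOid = '2.5.29.37'           # X.509 Enhanced Key Usage extension

    $full = (Resolve-Path $CertPath).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full

    # Requirement: the EKU section must contain Server Authentication.
    $hasServerAuth = $false
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuExtensionOid }
    if ($eku) {
        $hasServerAuth = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $serverAuthOid
    }

    # Requirement: the client must trust the signing certificate.
    # The chain is built against this machine's own certificate stores.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)
    $chainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', '

    # Optional: is the .rdp file signed, and does it force a credential prompt?
    $rdpSigned = $null
    $rdpAlwaysPrompt = $null
    if ($RdpPath) {
        $lines = @(Get-Content $RdpPath)
        $rdpSigned = (@($lines -match '^signature:s:.+').Count -gt 0)
        $rdpAlwaysPrompt = (@($lines -match '^prompt for credentials( on client)?:i:1\s*$').Count -gt 0)
    }

    [pscustomobject]@{
        Subject             = $cert.Subject
        NotAfter            = $cert.NotAfter
        HasServerAuthEku    = $hasServerAuth
        TrustedByThisClient = $trusted
        ChainErrors         = $chainErrors
        RdpSigned           = $rdpSigned
        RdpAlwaysPrompt     = $rdpAlwaysPrompt
    }
}

# Usage (file names are placeholders):
# Test-RemoteAppSsoPrereqs -CertPath .\remoteapp-signing.cer -RdpPath .\app.rdp
```

A result with `HasServerAuthEku` or `TrustedByThisClient` false, or `RdpAlwaysPrompt` true, points at one of the conditions under which the answer says SSO will not work.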