
Windows 2012 Remoteapp single signon

Posted on 2014-01-03
Last Modified: 2014-01-16
Looking for a way to eliminate users having to re-enter their credentials multiple times on our network.  Currently we have Active Directory on a Win2008 server and on a Win2003 server.  We also have two Win 2003 Terminal Servers - each runs different application software and several users must access both servers.  So users log in to the network with their AD account then RDP to each server and re-enter their credentials.
We are implementing a Win 2012 server which will replace the Win2003 Terminal Servers and I am trying to get RemoteApp to eliminate the multiple login problem.  We have gotten RemoteApp to work through RD Web Access but it still prompts for the username and password.  I am not sure how or if creating an MSI package and installing it on the client machines will correct the problem.
Any assistance is greatly appreciated.
Question by:texastek
1 Comment
 

Accepted Solution

by:
btan earned 2000 total points
ID: 39755910
Specific to Win2012 WebSSO, see [1]. For the new web SSO to work, the RD Connection Broker server and the RD Session Host servers in the deployment must run Windows Server 2012, and all virtual desktops must run Windows 8. The accessing clients must support RDP 8.0. In mixed environments, you’ll have to configure web SSO the old way. As before, web SSO with smart cards is not supported.

On the "old way", check out this introductory post [2] for the Web SSO requirements, especially for the client machine. Based on past, Single Sign-On works only when connecting from an XP SP3, Vista or a Windows Server 2008 machine to a Vista or Windows Server 2008 machine. If the server you are connecting to cannot be authenticated via Kerberos or SSL certificate, Single Sign-On will not work. Single Sign-On works only when using domain user accounts. If the terminal server is configured to Always prompt, or the RDP file setting is Always prompt, then Single Sign-On to TS will not work. Single Sign-On only works with passwords. It does not work with smart cards.

[1] http://blogs.msdn.com/b/rds/archive/2012/06/25/remote-desktop-web-access-single-sign-on-now-easier-to-enable-in-windows-server-2012.aspx

[2] http://blogs.msdn.com/b/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx

Web SSO is supported for launching RemoteApp programs from RD Web Access or the Start menu in any of the above modes. For Web SSO to work when connecting to personal desktops or pooled virtual machines (VMs) the client machine needs this hotfix installed: http://support.microsoft.com/kb/2524668.

Requirements

To take advantage of the new Web SSO feature, the client must be running Remote Desktop Connection (RDC) 7.0.

In order for Web SSO to work:

The connection in RemoteApp and Desktop Connections must have an ID. By default, it is set to the Fully Qualified Domain Name (FQDN) of the RD Connection Broker server in case of RD Connection Broker mode. In RD Session mode, it is set to the FQDN of the RD Web Access server.

RemoteApp programs must be digitally signed using a Server Authentication certificate [Secure Sockets Layer (SSL) certificate]. The certificate Enhanced Key Usage section must contain ‘Server Authentication (1.3.6.1.5.5.7.3.1)’. More details about the types of certificates used to digitally sign RemoteApp programs can be found here.

Client operating systems must trust the certificate with which the RemoteApp programs are signed.

Web SSO in Windows Integrated Authentication

If RD Web Access is configured to use Windows Authentication, which is the Windows Server 2008 mode, instead of the default Forms Based Authentication (FBA), users will be prompted for credentials twice: once for the Windows Integrated Authentication for RD Web Access and again on the launch of the first RemoteApp in the RemoteApp and Desktop Connection. Thereafter on subsequent RemoteApp launch, SSO will work as it works in the FBA mode.
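
The certificate and RDP-file requirements listed in the answer above can be checked from a client before rollout. The following PowerShell is an added example, not part of the original answer or of any Microsoft tooling; the function name `Test-RdpSsoReadiness` and the file paths are hypothetical, and it assumes a signed .rdp file carries a `signature:s:` line and that `prompt for credentials:i:1` is the file-level "always prompt" setting.

```powershell
# Added example (not from the thread). Test-RdpSsoReadiness and both paths are hypothetical.
function Test-RdpSsoReadiness {
    param(
        [Parameter(Mandatory = $true)][string]$RdpFile,   # .rdp file published for the RemoteApp
        [Parameter(Mandatory = $true)][string]$CertFile   # exported signing certificate (.cer)
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU quoted in the answer

    # .rdp files are "name:type:value" lines; keep the value, keyed by setting name.
    $settings = @{}
    foreach ($line in Get-Content -LiteralPath $RdpFile) {
        $parts = $line -split ':', 3
        if ($parts.Count -eq 3) { $settings[$parts[0].Trim()] = $parts[2].Trim() }
    }

    # Load the certificate from disk and collect the OIDs in its EKU extension.
    $certPath = (Resolve-Path -LiteralPath $CertFile).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certPath
    $ekuOids = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    # Verify() builds the chain on this machine with the default policy, so False can mean
    # an untrusted root, an expired certificate or a failed revocation check.
    [pscustomobject]@{
        RdpFileIsSigned     = $settings.ContainsKey('signature')
        FileAlwaysPrompts   = ($settings['prompt for credentials'] -eq '1')
        HasServerAuthEku    = ($ekuOids -contains $serverAuthOid)
        TrustedOnThisClient = $cert.Verify()
        Subject             = $cert.Subject
        NotAfter            = $cert.NotAfter
    }
}

# Example call with placeholder paths:
# Test-RdpSsoReadiness -RdpFile 'C:\temp\app.rdp' -CertFile 'C:\temp\rdsign.cer'
```

SSO can be expected only when `RdpFileIsSigned`, `HasServerAuthEku` and `TrustedOnThisClient` are all True and `FileAlwaysPrompts` is False; the server-side "Always prompt" setting is not visible from the client and has to be checked on the session host.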