Solved
Manage users via group policy after the login to our RDS servers via ADFS

Posted on 2015-01-22
Last Modified: 2015-01-25
We are considering using ADFS to allow a number of our customers to log in to our web application and our RDS pool. If users log in to our RDS servers via ADFS, can we still manage these users via group policy? We want to control session time-out, drive mappings, IE security settings, the look and feel of the desktop, etc.

Based on what I can find, my personal feeling is this cannot be done on a per-person level, as there is no actual account in my AD to apply these policies to.

Any assistance is greatly appreciated.

Thanks.
Question by: mwDev

4 Comments
 
Expert Comment by: Cliff Galiher (ID: 40565448)
I think you may have misunderstood how ADFS works. Or I misunderstood your intended topology.

ADFS takes outside authentication requests that are not natively supported by ADDS (so SAML for example) and handles that. It basically extends the capabilities of ADDS so you can reach beyond the traditional boundaries of an AD organization.   As such, at its core, ADDS is still sitting behind ADFS and handling the final arbitration of the system. And that means AD accounts are there to authenticate against.  So yes, a user logging into an RDSH server may authenticate against ADFS, but the account is still an AD account and the RDSH server is still presumably joined to the domain. So once logged in, normal group policies will certainly still apply, and will behave as expected.  OUs, WMI filters, all still matter. Only the method of authentication is changing.

-Cliff
 

Author Comment by: mwDev (ID: 40566954)
Hi Cliff,

Thanks for the answer.  Just to be certain we are on the same page.

We host RDS and Web Servers that provide software to our customers. We wish to allow these customers (there are many of them, each of whom has their own different and distinct domain) to use their AD accounts to authenticate to our RDS and web applications using their local AD accounts. So if we set up ADFS between our two organizations (they provide the authentication token and we accept it), and my servers are in my domain (us.local) and their accounts are in their domain (them.remote), do I have a way to set policies that would allow me to control the look and feel of the desktop, time-outs on RDS accounts, etc. from my end? If it was accounts in my domain using someone else's server, I would presume I would be able to control this functionality because I would have the AD accounts, but my understanding of ADFS when we host the services to use is that I have nothing in my AD for that person. We get a token that says I am person 'A' and I am from domain 'them.remote' and you trust my domain to say I am who I am. As a result I will now use this web application or authenticate to this RDS server and use what it offers.

I hope this makes my side clearer.
 
Accepted Solution by: Cliff Galiher (earned 2000 total points, ID: 40567136)
You simply won't get RDS to work the way you want. To log into an RDSH server, an account *must* exist. You can't simply accept an ADFS token and have RDS create some sort of anonymous login.

When you look at other commercial apps that support ADFS, such as O365 or Azure AD, you'll see that they still maintain a user account for each user. *Only* the authentication portion happens over ADFS, and that is with a lot of glue. The account itself is still local (which is why O365, for example, supports ADFS w/ dirsync so new accounts get created as well.)

So, since there would be local accounts, yes, as I said, GPOs would work. However, it also sounds like you may not be prepared for the complexity of implementing ADFS on the hosting side, nor the very complex licensing implications that come along with it.
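The accepted solution boils down to the pattern O365 uses with dirsync: a local account per federated user, with ADFS handling only authentication. The script below is an added example, not code from this thread or from either participant, showing one way a hosting domain (us.local) could provision such a "shadow" account for a user whose token came from a customer's ADFS (them.remote), place it in an OU that the RDS GPOs are linked to, and list the GPOs that will apply. The OU path, group name, claim shape and naming scheme are all assumptions for illustration.

```powershell
# Added example (not from the thread): provision a shadow AD account in us.local for a
# federated user and show which GPOs are linked to the OU it lands in.
# The OU, group, UPN suffix and claim fields below are assumptions for illustration.
#Requires -Modules ActiveDirectory, GroupPolicy
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Constructed sample claim, as a provisioning step might receive it after the
# customer's ADFS has issued a token for the user.
$claim = [pscustomobject]@{
    Upn         = 'a.user@them.remote'
    DisplayName = 'A User'
    HomeDomain  = 'them.remote'
}

# OU in us.local to which the RDS session GPOs (time-outs, drive mappings, IE settings,
# desktop look and feel) are linked, and the group that grants RDSH access. Assumed names.
$ShadowOu      = 'OU=FederatedUsers,OU=RDS,DC=us,DC=local'
$RdsUsersGroup = 'RDS-Customer-Users'

function Get-ShadowSamAccountName {
    # Derive a stable, unique sAMAccountName (max 20 characters) from the federated UPN,
    # so the same claim always maps to the same local account.
    param([Parameter(Mandatory)][string]$Upn)
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Upn.ToLowerInvariant()))
    $tag  = -join ($hash[0..3] | ForEach-Object { $_.ToString('x2') })   # 8 hex chars
    $user = ($Upn.Split('@')[0] -replace '[^A-Za-z0-9]', '')
    if ($user.Length -gt 9) { $user = $user.Substring(0, 9) }
    return ('f-{0}-{1}' -f $user, $tag).ToLowerInvariant()               # at most 20 chars
}

function Confirm-ShadowAccount {
    # Return the local account for a federated claim, creating it in $ShadowOu if absent.
    param([Parameter(Mandatory)][pscustomobject]$Claim)
    $sam  = Get-ShadowSamAccountName -Upn $Claim.Upn
    $user = Get-ADUser -Filter "sAMAccountName -eq '$sam'" -SearchBase $ShadowOu
    if ($user) { return $user }

    # The user never types this password: authentication stays with the customer's ADFS.
    # It only has to satisfy the domain's complexity policy and is never disclosed.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $password = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    $user = New-ADUser -Name $sam -SamAccountName $sam `
        -UserPrincipalName "$sam@us.local" -DisplayName $Claim.DisplayName `
        -Path $ShadowOu -AccountPassword $password -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description ('Shadow account for {0} (home domain {1})' -f $Claim.Upn, $Claim.HomeDomain) `
        -PassThru
    Add-ADGroupMember -Identity $RdsUsersGroup -Members $user
    return $user
}

function Get-ShadowOuPolicies {
    # List the GPOs linked to the shadow OU: once the account exists, these apply to its
    # RDS session exactly as they would for any other account in us.local.
    (Get-GPInheritance -Target $ShadowOu).GpoLinks |
        Where-Object Enabled |
        Select-Object DisplayName, Order, Enforced
}

$account = Confirm-ShadowAccount -Claim $claim
"Shadow account: $($account.SamAccountName) in $($account.DistinguishedName)"
Get-ShadowOuPolicies | Format-Table -AutoSize
```

Run this on a domain-joined management host with the RSAT ActiveDirectory and GroupPolicy modules, as an account permitted to create users in the shadow OU. The point it demonstrates is Cliff's: the federation trust decides who the user is, but the RDSH logon and every GPO still hinge on an account that exists in the hosting domain, so provisioning (and, just as importantly, deprovisioning when the customer removes the user) becomes the hosting side's responsibility.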
 

Author Closing Comment by: mwDev (ID: 40569893)
Hi Cliff,

Thanks for the assistance.  The answer you provided is pretty close to what I had expected and just needed to clarify since I have never used ADFS.  Thanks for your answer and clarification.

Ron