Solved

Manage users via group policy after the login to our RDS servers via ADFS

Posted on 2015-01-22
Last Modified: 2015-01-25
We are considering using ADFS to allow a number of our customers to log in to our web application and our RDS pool. If users log in to our RDS servers via ADFS, can we still manage these users via group policy? We want to control session time-out, drive mappings, IE security settings, the look and feel of the desktop, etc.

Based on what I can find, my personal feeling is this cannot be done on a per-person level, as there is no actual account in my AD to apply these policies to.

Any assistance is greatly appreciated.

Thanks.
Question by: mwDev

4 Comments
Expert Comment

by: Cliff Galiher
ID: 40565448
I think you may have misunderstood how ADFS works. Or I misunderstood your intended topology.

ADFS takes outside authentication requests that are not natively supported by ADDS (so SAML for example) and handles that. It basically extends the capabilities of ADDS so you can reach beyond the traditional boundaries of an AD organization.   As such, at its core, ADDS is still sitting behind ADFS and handling the final arbitration of the system. And that means AD accounts are there to authenticate against.  So yes, a user logging into an RDSH server may authenticate against ADFS, but the account is still an AD account and the RDSH server is still presumably joined to the domain. So once logged in, normal group policies will certainly still apply, and will behave as expected.  OUs, WMI filters, all still matter. Only the method of authentication is changing.

-Cliff

Author Comment

by: mwDev
ID: 40566954
Hi Cliff,

Thanks for the answer.  Just to be certain we are on the same page.

We host RDS and web servers that provide software to our customers. We wish to allow these customers (there are many of them, each of whom has their own different and distinct domain) to authenticate to our RDS and web applications using their local AD accounts. So if we set up ADFS between our two organizations (they provide the authentication token and we accept it), and my servers are in my domain (us.local) and their accounts are in their domain (them.remote), do I have a way to set policies that would allow me to control the look and feel of the desktop, time-outs on RDS accounts, etc. from my end? If it was accounts in my domain using someone else's server, I would presume I would be able to control this functionality because I would have the AD accounts, but my understanding of ADFS when we host the services is that I have nothing in my AD for that person. We get a token that says "I am person 'A' and I am from domain 'them.remote', and you trust my domain to say I am who I am." As a result, I will now use this web application or authenticate to this RDS server and use what it offers.

I hope this makes my side clearer.

Accepted Solution

by: Cliff Galiher (earned 500 total points)
ID: 40567136
You simply won't get RDS to work the way you want. To log into an RDSH server, an account *must* exist. You can't simply accept an ADFS token and have RDS create some sort of anonymous login.

When you look at other commercial apps that support ADFS, you'll see that they still maintain a user account for each user. Such as O365 or Azure AD. *Only* the authentication portion happens over ADFS, and that is with a lot of glue. The account itself is still local (which is why O365, for example, supports ADFS w/ dirsync so new accounts get created as well.)

So, since there would be local accounts, yes, as I said GPOs would work. However it also sounds like you may not be prepared for the complexity of implementing ADFS on the hosting side, nor the very complex licensing implications that come along with it.
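One way to verify Cliff's point from the hosting side, as an added example that is not part of this thread: confirm that the account the federated user maps to actually exists in us.local, then list the user-side GPOs that resolve for that account on an RDSH host. The account name, host name and the presence of the RSAT ActiveDirectory and GroupPolicy modules are assumptions; nothing here comes from the original posts.

```powershell
# Added example (not from the thread). Assumes: the RDSH host is joined to us.local,
# the RSAT ActiveDirectory and GroupPolicy modules are installed, and the federated
# customer user maps to a hosting-side account with a placeholder name.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$shadowAccount = 'them-remote_usera'   # placeholder: hosting-side account the federated user maps to
$rdshHost      = 'rdsh01'              # placeholder: an RDSH server in us.local

# 1. An account must exist in the hosting forest for an RDSH logon. If this lookup fails,
#    no GPO can be targeted at the user, which is the question's original concern.
$user = Get-ADUser -Identity $shadowAccount -Properties DistinguishedName, Enabled -ErrorAction Stop
"Account {0} found at {1} (Enabled: {2})" -f $user.SamAccountName, $user.DistinguishedName, $user.Enabled

# 2. Because the account is an ordinary AD object, user-side GPOs resolve for it on the host.
#    Pull a logging-mode RSoP report for this user/computer pair and list the GPOs that applied.
$report = Join-Path $env:TEMP ("rsop_{0}_{1}.xml" -f $shadowAccount, $rdshHost)
Get-GPResultantSetOfPolicy -User $shadowAccount -Computer $rdshHost -ReportType Xml -Path $report | Out-Null

[xml]$rsop = Get-Content -Path $report
$userGpos = $rsop.Rsop.UserResults.GPO |
    Where-Object { $_.Enabled -eq 'true' -and $_.IsValid -eq 'true' }

"User-side GPOs applied to {0} on {1}:" -f $shadowAccount, $rdshHost
$userGpos |
    Select-Object Name, @{ Name = 'LinkedAt'; Expression = { $_.Link.SOMPath } } |
    Format-Table -AutoSize
```

Get-GPResultantSetOfPolicy reads logging-mode data, so the account has to have logged on to that RDSH host at least once before the report contains user results; run it from an elevated session with remote administration access to the host. A GPO that appears under UserResults but is missing a setting you expected (session time-outs, drive mappings) points at scoping or filtering on the hosting side, not at the ADFS trust.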

Author Closing Comment

by: mwDev
ID: 40569893
Hi Cliff,

Thanks for the assistance. The answer you provided is pretty close to what I had expected; I just needed to clarify since I have never used ADFS. Thanks for your answer and clarification.

Ron