RDS 2012 - "This is a public or shared computer" or "This is a private computer"

Hi, I would like a detailed understanding of the difference between these 2 options when using RDS 2012 R2 to log on.

I can get single sign-on to work OK if I choose "private" but not the public option. What actually occurs, or does not occur, for this to be happening? When I choose public, the published app prompts for another "Windows Security" logon (no domain is specified) - I only want the 1 logon in the 1st web form. What extra checks are done when choosing the public option, and can I disable them?


philb19 (Author) commented:
Thanks - but I have all of this knowledge. What I require is to be able to choose public computer (YES, log in each time) but not have to log in twice - once on the RDWeb form and again when I fire off a published app - 2 logins.

When I choose private I don't need to log in again when I fire off a published app - only on the web form.

What I am after is WHY??? - What does choosing public do behind the scenes (what extra checks!!)? I know how to default to private - that's not what I am trying to understand or achieve. Thanks
David Johnson, CD, MVP (Owner) commented:
On a 'private' computer a token is saved on that computer; on a 'public' computer that token is NOT saved. Also, RemoteApp and RDS use different sessions.

philb19 (Author) commented:
Thanks David - what is a token exactly? And what do you mean by RemoteApp and RDS use different sessions? Is RDS the front web form and RemoteApp the published app? A session is?

David Johnson, CD, MVP (Owner) commented:
A token is simply that, a token... a cookie is a token. One can add the URL of the RemoteApp into Control Panel / remote computers and remote applications. The first logon allows you to see what is available for your access level, but as I said the token is not saved/remembered, so when you open the program it again requires authorization, so you again get the logon prompt.
philb19 (Author) commented:
OK, thank you - so if you choose public there is no way to avoid the 2 x logins? 1 for RDWeb and again 1 with the same username and password for the published app you run (click)?
David Johnson, CD, MVP (Owner) commented:
Now you understand.
philb19 (Author) commented:
Actually I don't believe it to be the case - even if I choose public - why would the software be designed so that you need to log in twice with exactly the same details? The research online indicates SSO should work with 1 login regardless. It doesn't in our setup unless the computer is domain joined. There is a problem with our setup that I'm at a loss with. We have reviewed/tried everything!
philb19 (Author) commented:
We have an old 5.0 Citrix environment with a CAG - you log in once regardless of whether from a private/public PC (given that you don't get the option to choose).
I need to achieve the same for RDS 2012 as the Citrix needs replacing.
The way RDS works from the WAN is that the user first connects to the RDWeb server via 443 (first authentication). The user then clicks on and subsequently downloads an .rdp file. The .rdp file is launched automatically and a new session to the RDS gateway is established via 3389 over 443 (second authentication). The gateway connects to the brokers for the initial connection over 3389 and then redirects the session to the appropriate session host in the collection based on affinity (3rd authentication).

If your gateway is in the DMZ and not domain joined, you effectively have two user databases - the workgroup and then Active Directory. For this reason, place the gateway in the core and use a reverse proxy in your DMZ.

The way SSO works is through credential forwarding. RDWeb uses Kerberos and the rest is through CredSSP.

To enable it, do the following:

- issue valid SSL certificates for server authentication
- use GPO to enable trusted RDP signing
- enable SSO on the web server
- configure credential delegation via GPO
- push the RDWeb URL to the Local intranet zone (this allows IE to support SSO)

True SSO will not work with non-domain-joined resources.
One more thing. If you want to allow non-domain-joined machines to have an SSO-like experience, you need to manually go to the Advanced tab of the Remote Desktop Connection client, click Settings, then check the box "use RD gateway credentials for the remote computer".
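The client-side steps of the list above (trusted RDP signing, credential delegation, the Local intranet zone entry) and the "use RD gateway credentials" checkbox for non-domain-joined clients, as an added PowerShell example that is not from this thread or from Microsoft. It writes the same policy-backed registry values a domain GPO would set, so it can be used to check or reproduce the settings on a test client; the two server-side steps (issuing certificates, enabling SSO on the RDWeb server) are not part of it. The hostnames, the `TERMSRV/*.example.com` delegation target and the certificate thumbprint are placeholders to be replaced with the deployment's own values.

```powershell
# Added example, not from the thread: mirrors the client-side Group Policy
# settings the answer lists by writing the same policy registry values locally
# (a real deployment sets these via a domain GPO; values here are placeholders).
$ErrorActionPreference = 'Stop'

$RdWebUrl      = 'https://rdweb.example.com'               # assumed RDWeb FQDN
$DelegationSpn = 'TERMSRV/*.example.com'                   # assumed AD DNS suffix
$SigningThumb  = '0000000000000000000000000000000000000000' # placeholder SHA1 of the .rdp signing cert

# 1. Credential delegation: "Allow delegating default credentials" to the RD hosts.
#    Without this, CredSSP does not forward the credentials entered on the web
#    form and the RemoteApp prompts again, which is the second logon the question describes.
$cd = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
New-Item -Path "$cd\AllowDefaultCredentials" -Force | Out-Null
Set-ItemProperty -Path $cd -Name 'AllowDefaultCredentials' -Type DWord -Value 1
Set-ItemProperty -Path $cd -Name 'ConcatenateDefaults_AllowDefault' -Type DWord -Value 1
Set-ItemProperty -Path "$cd\AllowDefaultCredentials" -Name '1' -Type String -Value $DelegationSpn

# 2. Trusted .rdp publishers: files signed by this certificate run without the
#    "unknown publisher" warning, so sign the published apps with the same certificate.
$ts = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $ts -Force | Out-Null
Set-ItemProperty -Path $ts -Name 'TrustedCertThumbprints' -Type String -Value $SigningThumb

# 3. Site-to-zone assignment: put the RDWeb URL in the Local intranet zone (zone 1)
#    so Internet Explorer sends Windows credentials instead of showing the form.
$zm = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
New-Item -Path $zm -Force | Out-Null
Set-ItemProperty -Path $zm -Name $RdWebUrl -Type String -Value '1'

# 4. Non-domain-joined clients: the "use RD gateway credentials for the remote
#    computer" checkbox is the promptcredentialonce setting of an .rdp file, so a
#    pre-built connection file can carry it. Broker and gateway names are placeholders.
$rdp = @"
full address:s:broker.example.com
gatewayhostname:s:gateway.example.com
gatewayusagemethod:i:1
gatewaycredentialssource:i:0
promptcredentialonce:i:1
"@
Set-Content -Path "$env:TEMP\sso-example.rdp" -Value $rdp -Encoding ASCII

# 5. Read the policy values back so a helpdesk script can report which prerequisite is missing.
function Test-RdsSsoClientPolicy {
    $results = [ordered]@{}
    $results['CredentialDelegation'] = (Get-ItemProperty -Path $cd -ErrorAction SilentlyContinue).AllowDefaultCredentials -eq 1
    $results['DelegationTarget']     = (Get-ItemProperty -Path "$cd\AllowDefaultCredentials" -ErrorAction SilentlyContinue).'1' -eq $DelegationSpn
    $results['TrustedRdpPublisher']  = (Get-ItemProperty -Path $ts -ErrorAction SilentlyContinue).TrustedCertThumbprints -eq $SigningThumb
    $results['RdWebInIntranetZone']  = (Get-ItemProperty -Path $zm -ErrorAction SilentlyContinue).$RdWebUrl -eq '1'
    return $results
}

Test-RdsSsoClientPolicy | Format-Table -AutoSize
```

Run it elevated on a test client; each `$false` in the table is one of the listed prerequisites that is still missing. Step 1 is the one that decides whether the RemoteApp re-prompts: delegation is only granted to the SPNs listed under `AllowDefaultCredentials`, so the entry has to match the session hosts' DNS names, and the RDWeb and gateway certificates from the first list item must be trusted by the client or CredSSP will refuse to forward the credentials.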
David Johnson, CD, MVP (Owner) commented:
Citrix and RDS are apples and oranges; they do things differently.
philb19 (Author) commented:
I'm sure you are aware Citrix runs on Terminal Server. So is Citrix the only way to achieve true SSO?