nmmcfk asked:

Remote desktop services single sign on not working externally

Hi all, hope everyone is doing well.

I am having an issue with SSO on a domain-joined machine that is connecting in from outside the network.
This is the error message I receive:
[screenshot of the error message]
Is single sign-on supposed to work this way for external connections? When set up, it works internally, correctly passing through the credentials.

I have also noticed when testing that if I log in on the domain first, then disconnect, connect to an external network and try launching a published app, it will work. It also works if I just enter the username and password into Credential Manager.

It looks like it doesn't pass the Windows domain cached creds unless you authenticate with Active Directory first for that session, or manually specify them in Credential Manager.

Thanks for taking a look.
Philip Elder:

Users must use IE for SSO to carry through from RDWeb to RemoteApp.

The order is as follows:
IE --> RDWeb --> Change setting to Private Computer --> Sign on (DOMAIN\UserName) --> Open RemoteApp (no prompt).

All other browsers will prompt to download a .RDP file and prompt a second time for the initial RemoteApp. If they leave that RemoteApp open, all others opened will do so without a prompt.

We get users to open File Explorer as their first RemoteApp to allow them to open any subsequent applications and/or data they need.

Another option would be to set up a VPN on the edge, have them log on to the VPN, and SSO would work with any RSS-published RemoteApps.
nmmcfk (asker):

Hi Philip, thanks for the reply.

The error I am getting is from launching a published app through RemoteApp and Desktop Connections (configured via GPO "HKEY_CURRENT_USER\Software\Policies\Microsoft\Workspaces\DefaultConnectionURL").

Once I log in by Internet Explorer or Chrome through the portal I am able to run the Work Resources set up via the above. It doesn't make sense: the RDP files look correct when I open them, stating the correct info and that they will pass my creds through.

This is the guide I used for SSO, and then I just added in the GPO DefaultConnectionURL:
https://nedimmehic.org/2017/11/20/remote-desktop-services-2016-standard-deployment-part-4-rd-web-access-part4-sso-high-availability/

You should just be able to have the RemoteApp and Desktop Connections and use SSO, not have to open IE first and log in.

Update: if I have SSO enabled for RDWeb it works on logging me into the portal, but I get the error when launching an app.
Philip Elder:

The Default Connection URL should be the same internally and externally (split DNS).

Normally: https://remote.domain.com/rdweb/feed/webfeed.aspx

Internally, "remote.domain.com" resolves to the RDS Broker on the internal subnet: 192.168.55.5 (replace with yours).
Externally, "remote.domain.com" resolves to the WAN port IP that has HTTPS/443 port forwarded to the broker: 66.55.44.23 (replace with yours).

The feed can be renamed as well using the Set-RDWorkspace PowerShell cmdlet.
nmmcfk (asker):

Hi Philip,

I can confirm that this is how I have it set up: on LAN pointing to the internal address and externally pointing to the WAN address.
Port 443, and 3391 for UDP.

Some of the errors I have found:

This is what I have from the Windows machine; nothing on the server that I can find.

"Microsoft-Windows-TerminalServices-RDPClient/Operational"

Component name:CClientProxyTransport, :: 'Gateway Error' in CClientProxyTransport::SetErrorStatus at 2853 err=[0x80070005], Error code:0x80070005

"Remote application (User Data) is launched on RemoteApp and Desktop connection (<server name>.local) but no stored credentials are used for single sign on. (Reason - No credentials are stored on the RemoteApp and Desktop connection)"

Thanks
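Pulling Philip's split-DNS advice and the client-side events quoted above into one check, here is an added PowerShell diagnostic (my own, not from the thread or either participant) for the domain-joined client: it reads the policy DefaultConnectionURL, shows what the feed host resolves to and whether 443 is reachable, counts saved TERMSRV/ entries in Credential Manager, and pulls the matching entries from the RDPClient Operational log. The function name and the 24-hour lookback are my own assumptions.

```powershell
# Added diagnostic for the RemoteApp and Desktop Connections SSO problem in this thread.
# Run on the domain-joined client; HKCU and the Operational log do not need elevation.
function Test-RdsFeedSso {
    param([int]$Hours = 24)   # lookback window for the event log (assumed default)

    # 1. The policy value the asker set via GPO
    $policyKey = 'HKCU:\Software\Policies\Microsoft\Workspaces'
    $feedUrl = (Get-ItemProperty -Path $policyKey -Name DefaultConnectionURL -ErrorAction SilentlyContinue).DefaultConnectionURL
    if (-not $feedUrl) { Write-Warning "DefaultConnectionURL is not set under $policyKey"; return }
    $feedHost = ([uri]$feedUrl).Host
    Write-Host "Feed URL : $feedUrl"

    # 2. Split DNS: the same name must resolve to the internal broker on the LAN
    #    and to the WAN address (forwarded to the broker on 443) from outside.
    $answers = Resolve-DnsName -Name $feedHost -Type A -ErrorAction SilentlyContinue
    foreach ($a in $answers) { Write-Host "Resolves : $($a.Name) -> $($a.IPAddress)" }
    $tcp = Test-NetConnection -ComputerName $feedHost -Port 443 -WarningAction SilentlyContinue
    Write-Host "TCP 443  : $($tcp.TcpTestSucceeded) (remote $($tcp.RemoteAddress))"

    # 3. Credential Manager: the RDP client stores saved credentials under TERMSRV/<host>.
    #    The asker observed that SSO works once such an entry exists.
    $saved = cmdkey /list | Select-String -Pattern 'TERMSRV/' -SimpleMatch
    Write-Host "Saved RDP creds: $(if ($saved) { @($saved).Count } else { 0 })"

    # 4. The client log the asker quoted, filtered to the two messages seen in the thread.
    #    0x80070005 is E_ACCESSDENIED from the gateway hop; "no stored credentials" means
    #    the feed launched the app with nothing to pass, which matches the prompt behaviour
    #    Philip describes for non-IE external launches.
    $log = 'Microsoft-Windows-TerminalServices-RDPClient/Operational'
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '0x80070005|no stored credentials' })
    foreach ($e in $events) {
        $first = ($e.Message -split "`r?`n")[0]
        Write-Host "$($e.TimeCreated)  Id=$($e.Id)  $first"
    }

    [pscustomobject]@{
        FeedUrl        = $feedUrl
        FeedHost       = $feedHost
        Tcp443         = $tcp.TcpTestSucceeded
        SavedRdpCreds  = @($saved).Count
        MatchingEvents = $events.Count
    }
}

Test-RdsFeedSso
```

Run it once on the LAN and once from outside: the resolved address should change while the feed URL stays the same, and a non-zero MatchingEvents count with zero SavedRdpCreds reproduces the asker's situation.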
Philip Elder:

Does SSO work if the external user is using IE?
nmmcfk (asker):

Yes, it works if you log in with IE, and then because of the session all apps from the feed work.
Philip Elder:

Then it's working as expected.

All other browsers will force a prompt.

Starting a RemoteApp from the (Work Resources) list will cause a prompt for the first app or the only app for external users.
nmmcfk (asker):

Ah okay, thanks.
Seems silly really to have SSO set up then, as after you sign in you are fine for all the other apps during that session.
Philip Elder:

SSO is needed for a seamless internal user experience. With IE, the same holds for external users.

We always set it up for both standalone and farm RDS deployments along with RemoteApp RSS.
nmmcfk (asker):

So for external you cannot use the Work Resources for SSO and have to go through IE?
ASKER CERTIFIED SOLUTION
Philip Elder:
nmmcfk (asker):

Great, thanks for your explanation. I have moved the user over to using the web portal.