Thursday, October 31, 2013

Single Sign On for RD Web Access (WS2012)

By default, form-based authentication is enabled on the Web Access portal for VDI. I was googling around on how to do SSO authentication. Most sites advised editing the Web.config file of the RD Web host, which didn't work well. Finally, I found one post that works. Here's the extract:

OK, here are my results so far.
1) You should not edit the web.config file manually. Using comment symbols corrupts this file, so IIS cannot interpret it properly (this is the cause of the 'HTTP 500 Internal server error' message). Instead, you should use the IIS Management Console to do the task.
Start this console and go to Sites -> Default Web Site -> RDWeb -> Pages (left-click on 'Pages' in the left column). In the right part of the console, under the 'IIS' section, double-click the 'Authentication' icon. Disable both the Anonymous and Forms authentication methods. Enable 'Windows Authentication'.
If you try to access the web interface now, you'll get a popup window which asks for your login and password. This is expected behavior.
2) On the endpoint (user PC), set Internet Explorer options to allow pass-through authentication. It can be done via IE settings for each user personally, but if you have many users you should use group policy:
* Add your Desktop Broker server to the Trusted Sites zone: go to User/Computer Configuration -> Administrative Tools -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security. Open the 'Site to Zone assignment list' setting, enable it and map the Broker server FQDN to zone 2.
* Enable automatic logon: go to User/Computer Configuration -> Administrative Tools -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security -> Trusted Sites Zone. Open the 'Logon options' setting, enable it, and make sure that the following option is selected in the drop-down list: 'Automatic logon with current username and password'.
3) In addition, the actions mentioned above should be executed (I repeat the description here so readers of the thread have the full list):
* Enable SSO on the RDS clients.
  - In the group policy applied to the RDS client, edit Administrative Templates -> System -> Credentials Delegation -> enable the policies "Allow Delegating Default Credentials" and "Allow Delegating Default Credentials with NTLM-only Server Authentication".
  - Setting both with the value "termsrv/*" allows delegation to all terminal servers; you may also specify the server FQDN.
* Open the RDWeb page. Before clicking a pool name, make sure the check box 'I am using a private computer that complies with my organization's security policy' is checked.
After that, single sign-on works nicely if I access the client PC by entering my login and password manually. If I log in to the workstation using a smart card, I can still access the web interface seamlessly. However, after I click on a pool name, the RDP client asks for a login and password (or smart card PIN). I tried to enable the Kerberos authentication provider in Windows Authentication in IIS, but it did not change the situation.
I begin to wonder whether the task has a solution at all. I've found the following article: http://blogs.msdn.com/b/rds/archive/2007/04/19/how-to-enable-single-sign-on-for-my-terminal-server-connections.aspx It is said there that 'Single Sign-on only works with Passwords. Does not work with Smartcards'. The article was last modified four years ago. Is this statement still valid?
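The three steps of the extract above, expressed as a PowerShell script so they can be applied and checked consistently. This is an added example, not code from the original post or from Microsoft. It assumes it runs elevated on the RD Web Access host for step 1 (WebAdministration module) and that the GroupPolicy RSAT module is available for steps 2 and 3; the GPO name, broker FQDN and SPN list are placeholders to replace. The 'private computer' check box in step 3 stays a manual step in the browser.

```powershell
# Added example (not from the original post): the three configuration steps as PowerShell.
# Assumptions: elevated session on the RD Web Access host; GroupPolicy RSAT module installed;
# the GPO named below already exists and is linked to the users/clients it should cover.
#Requires -RunAsAdministrator
Import-Module WebAdministration    # IIS: Set-/Get-WebConfigurationProperty
Import-Module GroupPolicy          # RSAT: Set-GPRegistryValue

$RdWebPages  = 'Default Web Site/RDWeb/Pages'   # same node as in IIS Manager
$GpoName     = 'RDS-SSO'                        # placeholder: GPO applied to clients/users
$BrokerFqdn  = 'broker.example.internal'        # placeholder: Connection Broker FQDN
# Scoping delegation to named hosts (the post notes an FQDN may be used) is tighter than TERMSRV/*.
$TermSrvSpns = @("TERMSRV/$BrokerFqdn")

# Step 1: on RDWeb/Pages disable Anonymous and Forms, enable Windows Authentication.
function Set-RdWebWindowsAuth {
    param([string]$Location = $RdWebPages)
    $base = '/system.webServer/security/authentication'
    # These sections are locked at server level, so write a <location> override in
    # applicationHost.config (what IIS Manager does) instead of touching Pages\web.config.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location -Filter "$base/anonymousAuthentication" -Name enabled -Value $false
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location -Filter "$base/windowsAuthentication"  -Name enabled -Value $true
    # Forms authentication is the ASP.NET <authentication mode="Forms"> setting of the Pages app;
    # switching it to Windows lets ASP.NET use the identity IIS already authenticated (assumption).
    $sitePath = 'IIS:\Sites\' + ($Location -replace '/', '\')
    Set-WebConfigurationProperty -PSPath $sitePath -Filter '/system.web/authentication' -Name mode -Value 'Windows'
}

# Read the effective state back, so the change can be verified after a change-control run.
function Get-RdWebAuthState {
    param([string]$Location = $RdWebPages)
    $base = '/system.webServer/security/authentication'
    $sitePath = 'IIS:\Sites\' + ($Location -replace '/', '\')
    [pscustomobject]@{
        AnonymousEnabled = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location -Filter "$base/anonymousAuthentication" -Name enabled).Value
        WindowsEnabled   = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location -Filter "$base/windowsAuthentication"  -Name enabled).Value
        AspNetMode       = Get-WebConfigurationProperty -PSPath $sitePath -Filter '/system.web/authentication' -Name mode | Select-Object -ExpandProperty Value
    }
}

# Step 2: Internet Explorer zone mapping and automatic logon, written into the GPO
# (registry-backed policies behind 'Site to Zone assignment list' and 'Logon options').
function Set-IeTrustedSiteSso {
    param([string]$Gpo = $GpoName, [string]$Fqdn = $BrokerFqdn)
    $ieKey = 'HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    # ZoneMapKey: value name = host, data "2" = Trusted sites zone
    Set-GPRegistryValue -Name $Gpo -Key "$ieKey\ZoneMapKey" -ValueName $Fqdn -Type String -Value '2' | Out-Null
    # Zones\2, value 1A00 = 0 -> 'Automatic logon with current username and password'
    Set-GPRegistryValue -Name $Gpo -Key "$ieKey\Zones\2" -ValueName '1A00' -Type DWord -Value 0 | Out-Null
}

# Step 3: CredSSP delegation of default credentials, limited to the listed TERMSRV SPNs.
function Set-CredentialDelegation {
    param([string]$Gpo = $GpoName, [string[]]$Spns = $TermSrvSpns)
    $cdKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    foreach ($policy in 'AllowDefaultCredentials', 'AllowDefCredentialsWhenNTLMOnly') {
        Set-GPRegistryValue -Name $Gpo -Key $cdKey -ValueName $policy -Type DWord -Value 1 | Out-Null
        # Each policy keeps its server list in a subkey with values named 1, 2, 3, ...
        $i = 1
        foreach ($spn in $Spns) {
            Set-GPRegistryValue -Name $Gpo -Key "$cdKey\$policy" -ValueName ([string]$i) -Type String -Value $spn | Out-Null
            $i++
        }
    }
    # Merge the GPO list with any locally configured list (the ADMX sets these when enabled).
    Set-GPRegistryValue -Name $Gpo -Key $cdKey -ValueName 'ConcatenateDefaults_AllowDefault'     -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $Gpo -Key $cdKey -ValueName 'ConcatenateDefaults_AllowDefNTLMOnly' -Type DWord -Value 1 | Out-Null
}

Set-RdWebWindowsAuth
Set-IeTrustedSiteSso
Set-CredentialDelegation
Get-RdWebAuthState | Format-List   # expect AnonymousEnabled False, WindowsEnabled True, AspNetMode Windows
```

After `gpupdate /force` on a client, the IIS state printed by `Get-RdWebAuthState` is the quickest way to confirm that step 1 took effect without opening a browser. Keeping `$TermSrvSpns` to the broker and session host names rather than `TERMSRV/*` means a user's default credentials can only be delegated to those hosts, which is the narrower choice the post itself allows.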

12 comments:

  1. This is the only fix that enabled me to be able to get RDWEB SSO to work. I had researched for hours. Thanks very much.

  2. Same here. I searched for two days until I read this blog. THANKS!!!

  3. Great resource, got my SSO working after looking at lots of other pages on the web; this is the one that got me up and running. Thanks :)

  4. Thanks, it really helps! Is it possible to enable the checkbox "I am using a private computer that complies with my organization's security policy" automatically? Best regards!

  5. This worked for me after spinning for a few days with no results. THANK YOU!

  6. Hey,
    Great information I got here. I've been reading about this topic. I found it here in your blog. I had a great time reading this.

    Regards
    Citrix Web Interface

  7. How can I make SSO work when opening from Work Resources or the Remote Client app? From there it prompts for a password when opening an app.

  8. Everything works perfectly, but there is one last credential prompt at the login page of the virtual machine that resides on the RD server. :(

  9. For me I get a popup on RDWeb that demands the smart card. How can I remove this popup?

  10. I want to integrate RDWeb with ADFS for SSO. How can I achieve this?
