Showing posts with label Remote Desktop Services. Show all posts

Tuesday, December 3, 2013

Direct RDP login into Virtual Desktop Pool with Smart Card (Windows Server 2012)

In my earlier post, I explored Single Sign On for WS2012 Virtual Desktop. Normally, users have to log in through the RD Web Access server. Can we do a direct RDP connection with smart card logon, i.e. bypass the RDWeb server? Yes, it's possible.

Open MSTSC, enter the FQDN of your RD Connection Broker, configure whatever RDP settings you need and save them to a .rdp file. Open the .rdp file in Notepad.
Modify this line (change the value from 0 to 1): use redirection server name:i:1
Add this line: loadbalanceinfo:s:tsv://[TSV URL]
Substitute [TSV URL] with your RD collection name. To find the exact name, open Event Viewer on your Connection Broker server and look under TerminalServices-SessionBroker. Do a normal login via the usual RDWeb console, refresh the log and look for event 800. It contains the TSV URL.

Test this by double clicking on the new RDP file.
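As an added example (not code from the original post), the PowerShell script below writes the direct-to-broker .rdp file described above. It assumes placeholder names for the broker, collection and output path, and assumes that the event 800 message quotes the hint as a single tsv:// token; if no such event is found it falls back to the collection name as the post describes.

```powershell
# Added example, not from the original post. Placeholders: broker FQDN, collection
# name and output path. Assumption: the event 800 message carries the hint as one
# "tsv://..." token, so a regex can lift it out of the message text.
param(
    [string]$Broker     = 'rdcb01.corp.example',                 # placeholder RD Connection Broker FQDN
    [string]$Collection = 'VdiPool1',                            # placeholder collection name
    [string]$OutFile    = "$env:USERPROFILE\Desktop\DirectVDI.rdp"
)

function Get-TsvUrlFromBroker {
    # Reads the same event 800 the post tells you to locate in Event Viewer, remotely
    param([string]$ComputerName)
    $filter = @{ LogName = 'Microsoft-Windows-TerminalServices-SessionBroker/Operational'; Id = 800 }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        if ($e.Message -match '(tsv://[^\r\n"]+)') { return $Matches[1].Trim() }
    }
}

$tsv = Get-TsvUrlFromBroker -ComputerName $Broker
if (-not $tsv) { $tsv = "tsv://$Collection" }   # no event yet: fall back to the collection name

$lines = @(
    "full address:s:$Broker"
    'use redirection server name:i:1'   # the 0 -> 1 change from the post
    "loadbalanceinfo:s:$tsv"            # the line the post adds
    'enablecredsspsupport:i:1'          # keep CredSSP/NLA on
    'redirectsmartcards:i:1'            # expose the local reader to the VM for smart card logon
    'authentication level:i:2'          # warn on certificate problems rather than connecting silently
    'prompt for credentials:i:0'
)
Set-Content -Path $OutFile -Value $lines -Encoding Unicode   # mstsc writes .rdp files as UTF-16LE

# Show the two lines that matter so they can be checked before the file is double-clicked
Get-Content -Path $OutFile | Select-String -Pattern 'redirection server name|loadbalanceinfo'
```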

Thursday, October 31, 2013

Single Sign On for RD Web Access (WS2012)

By default, forms-based authentication is enabled on the Web Access portal for VDI. I googled how to do SSO authentication. Most sites advise editing the Web.config file of the RD Web host, which didn't work well. Finally, I found one post that works. Here's the extract:

OK, here are my results so far.
1) You should not edit web.config file manually. Using comment symbols corrupts this file, so IIS cannot interpret it properly (this is the cause of 'HTTP 500 Internal server error' message). Instead, you should use IIS Management Console to do the task.
Start this console and go to Sites -> Default Web Site -> RDWeb -> Pages (left-click on 'Pages' in the left column). In the right part of the console under 'IIS' section double-click 'Authentication' icon. Disable both the Anonymous and Forms authentication methods. Enable 'Windows Authentication'.
If you try to access the web interface now, you'll get a popup window which asks for your login and password. This is expected behavior.
2) On the endpoint (user PC) set Internet Explorer options to allow pass-through authentication. It could be done via IE settings for each user personally, but if you have many users you should use group policy:
* Add your Desktop Broker server to Trusted Sites zone: go to User/Computer Configuration -> Administrative Tools -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security. Open 'Site to Zone assignment list' setting, enable it and map Broker server FQDN to zone 2.
* Enable automatic logon: go to User/Computer Configuration -> Administrative Tools -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security -> Trusted Sites Zone. Open 'Logon options' setting, enable it, and make sure that the following option is selected in the drop-down list: 'Automatic logon with current username and password'.
3) In addition, the actions mentioned above should be executed (I repeat the description here for readers of the thread to have the full list):
* Enable SSO on the RDS clients.
 --- In the group policy applied to RDS clients, edit Administrative Templates -> System -> Credentials Delegation -> Enable the policies "Allow Delegating Default Credentials" and "Allow Delegating Default Credentials with NTLM-only Server Authentication"
 --- Setting both to "termsrv/*" allows delegation to all terminal servers; you may also specify the server FQDN.
* Open the RDWeb page. Before clicking a pool name make sure the below check box is checked: 'I am using a private computer that complies with my organization's security policy.'
After that, single sign-on works nicely if I access the client PC by entering my login and password manually. However, if I log in to the workstation using a smart card, I can still access the web interface seamlessly. However, after I click on a pool name, the RDP client asks for login and password (or smart card PIN). I tried to enable the Kerberos authentication provider in Windows Authentication in IIS, but it did not change the situation.
I begin to wonder whether the task has a solution at all. I've found the following article: http://blogs.msdn.com/b/rds/archive/2007/04/19/how-to-enable-single-sign-on-for-my-terminal-server-connections.aspx It's said there that 'Single Sign-on only works with Passwords. Does not work with Smartcards'. The article was last modified four years ago. Is this statement still valid?
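As an added example (not code from the quoted thread), the read-only PowerShell audit below reads back the client-side settings the extract lists: the two Credentials Delegation policies and their target lists, the Site to Zone assignment for the broker, and the Trusted Sites logon option. It assumes a placeholder broker FQDN, that the zone list entry is the bare FQDN as the extract says, and that the policies were applied in Computer Configuration (HKLM).

```powershell
# Added example, not from the quoted thread. Read-only: nothing is written.
# Assumptions: placeholder broker FQDN; policies applied under HKLM (Computer Configuration);
# the Site to Zone entry is the bare FQDN, as the extract describes.
param([string]$BrokerFqdn = 'rdcb01.corp.example')   # placeholder

$cred = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$ie   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-RegValue($Path, $Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-DelegationTargets($SubKey) {
    # The SPN targets are stored as string values "1", "2", ... under a subkey named like the policy
    $key = Get-Item -Path "$cred\$SubKey" -ErrorAction SilentlyContinue
    if ($key) { $key.GetValueNames() | ForEach-Object { $key.GetValue($_) } }
}

$report = [ordered]@{
    AllowDefaultCredentials         = Get-RegValue $cred 'AllowDefaultCredentials'
    AllowDefCredentialsWhenNTLMOnly = Get-RegValue $cred 'AllowDefCredentialsWhenNTLMOnly'
    DelegationTargets               = @(Get-DelegationTargets 'AllowDefaultCredentials')
    NtlmOnlyTargets                 = @(Get-DelegationTargets 'AllowDefCredentialsWhenNTLMOnly')
    BrokerZone                      = Get-RegValue "$ie\ZoneMapKey" $BrokerFqdn   # "2" = Trusted Sites
    TrustedSitesLogon1A00           = Get-RegValue "$ie\Zones\2" '1A00'          # 0 = automatic logon with current credentials
}
[pscustomobject]$report | Format-List

# Points a reviewer would raise on the result
if ($report.DelegationTargets -contains 'termsrv/*') {
    Write-Warning "Default credentials may be delegated to every terminal server (termsrv/*); consider scoping to termsrv/$BrokerFqdn"
}
if ($report.NtlmOnlyTargets.Count -gt 0) {
    Write-Warning 'NTLM-only delegation is enabled: credentials can go to hosts that were not authenticated with Kerberos'
}
if ($report.BrokerZone -ne '2') {
    Write-Warning "$BrokerFqdn is not mapped to the Trusted Sites zone (2) by policy"
}
if ($report.TrustedSitesLogon1A00 -ne 0) {
    Write-Warning 'Trusted Sites logon option is not "Automatic logon with current user name and password" (1A00 = 0)'
}
```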

Monday, September 2, 2013

How to enable Remote Desktop remotely using Powershell

In Windows Server 2012, remote management is enabled by default but Remote Desktop is not. To enable RDP on the server, add the target server to Server Manager and open a remote PowerShell console to it.

In the remote PowerShell console, enable Remote Desktop and the matching firewall rules using the following cmdlets:
1) Enable Remote Desktop
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0

2) Allow incoming RDP on firewall
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

3) Enable secure RDP authentication (Network Level Authentication)
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 1
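As an added example (not from the original post), the script below applies the same three settings over PowerShell remoting, reads them back from the target instead of assuming the writes succeeded, and confirms that TCP 3389 answers. The server name is a placeholder; the port check uses TcpClient because Windows Server 2012 does not ship Test-NetConnection.

```powershell
# Added example, not from the original post. Placeholder target server name.
param([string]$Server = 'srv01.corp.example')

$result = Invoke-Command -ComputerName $Server -ScriptBlock {
    $ts  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"

    Set-ItemProperty -Path $ts  -Name fDenyTSConnections -Value 0   # 1) allow RDP connections
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'           # 2) open the inbound rules
    Set-ItemProperty -Path $tcp -Name UserAuthentication -Value 1   # 3) require NLA before the logon screen

    # Read everything back rather than trusting the writes
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        fDenyTSConnections = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections).fDenyTSConnections
        UserAuthentication = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication
        FirewallRulesOn    = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Where-Object Enabled -eq 'True').Count
        FirewallRulesTotal = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop').Count
    }
}
$result | Format-List

# Port check from the management host (TcpClient works on WS2012, which lacks Test-NetConnection)
$client = New-Object System.Net.Sockets.TcpClient
try     { $client.Connect($Server, 3389); $rdpOpen = $client.Connected }
catch   { $rdpOpen = $false }
finally { $client.Close() }

$ok = $result.fDenyTSConnections -eq 0 -and $result.UserAuthentication -eq 1 -and
      $result.FirewallRulesOn -eq $result.FirewallRulesTotal -and $rdpOpen
if ($ok) { "RDP with NLA is enabled and reachable on $Server" }
else     { Write-Warning "RDP setup on $Server is incomplete (port 3389 open: $rdpOpen)" }
```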

Refer to "Windows 2012 Core Survival Guide – Remote Desktop" for more information.

Monday, January 16, 2012

Install Office 2007 on Terminal Server/Session Host

If you want to install Office 2007 on a Terminal Server, you have to perform the installation in the following sequence:
  1. Open an elevated command prompt
  2. Put the TS on install mode by running change user /install
  3. Run the program installer Setup.exe as usual
  4. Choose a custom install and ensure none of the components are set to "Install on First Use"; select either "Run from My Computer" or "Not Available".
  5. Upon successful installation, run change user /execute

Thursday, August 4, 2011

Display currently logged-on Terminal Services users

To display the currently logged-on users on a terminal server or session host on Windows Server 2008, use this command:

query session /counter [ /server:servername ]

For example, to count the number of active users:

query session /counter | find /c " Active "

find filters the output to lines containing " Active " and counts them with the /c option.
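As an added example (not from the original post), the PowerShell function below parses the fixed-width output of query session /counter into objects, deriving the column positions from the header line so that rows with no session name (disconnected users) and the trailing counter totals are handled correctly, and then counts the active user sessions. The sample output is constructed for illustration.

```powershell
# Added example, not from the original post. The sample output below is constructed.
function ConvertFrom-QuerySession {
    param([string[]]$Lines)
    $header = $Lines | Where-Object { $_ -match 'SESSIONNAME\s+USERNAME\s+ID\s+STATE' } | Select-Object -First 1
    if (-not $header) { throw 'query session header not found' }
    $uCol = $header.IndexOf('USERNAME')   # username column start
    $sCol = $header.IndexOf('STATE')      # state column start; the ID is right-aligned just before it
    $tCol = $header.IndexOf('TYPE')       # type column start
    foreach ($raw in $Lines) {
        if ($raw -eq $header -or -not $raw.Trim()) { continue }
        $line  = $raw.PadRight($tCol + 16)
        $mid   = $line.Substring($uCol, $sCol - $uCol)            # optional username + numeric ID
        $state = $line.Substring($sCol, $tCol - $sCol).Trim()
        if (-not $state) { continue }                             # skips the /counter totals
        if ($mid -match '^\s*(?<User>\S+)?\s*(?<Id>\d+)\s*$') {
            [pscustomobject]@{
                Current = $line.StartsWith('>')                   # ">" marks the session running the query
                Session = $line.Substring(0, $uCol).TrimStart('>').Trim()
                User    = $Matches['User']
                Id      = [int]$Matches['Id']
                State   = $state
                Type    = $line.Substring($tCol).Trim()
            }
        }
    }
}

# Constructed sample in the shape of "query session /counter" output
$sample = @'
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
>console           administrator             1  Active
 rdp-tcp#12        jsmith                    2  Active  rdpwd
                   jdoe                      3  Disc
 rdp-tcp                                 65536  Listen

Total sessions created: 4
'@ -split "`r?`n"

$sessions = ConvertFrom-QuerySession -Lines $sample
$sessions | Format-Table -AutoSize
$active = @($sessions | Where-Object { $_.State -eq 'Active' -and $_.User }).Count
"Active user sessions: $active"    # 2 for the sample above
# Live use on a session host: ConvertFrom-QuerySession -Lines (query session /counter)
```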

Sunday, August 15, 2010

RemoteFX coming in next SP of Win7 and Win2K8 R2

RemoteFX is an enhancement to RDP's graphics remoting capabilities. With Microsoft RemoteFX, users will be able to work remotely in a Windows Aero desktop environment, watch full-motion video, enjoy Silverlight animations, and run 3D applications – all with the fidelity of a local-like performance when connecting over the LAN. RemoteFX does this via a technique known as host-based rendering, which means the entire final composited screen image is rendered on the remote host and then compressed and sent down to the client.

It looks like Microsoft is beefing up its RDP-based virtualization offering, namely Remote Desktop Services (RDS). The goal of RemoteFX is to deliver the full modern Windows desktop experience to remote thin clients while their desktops are actually hosted in the data center as part of a virtual desktop infrastructure (VDI). These virtual desktops must be hosted on Hyper-V.

We have been using Microsoft RDS to allow our network administrators to access their desktops and network management & troubleshooting tools from our standard locked down corporate PCs. And certainly, I'm looking forward to the next SP release, which promises the incorporation of RemoteFX. Probably, I should try out the beta release.

Friday, March 19, 2010

Presentation Virtualization is back in Las Vegas

I thought the term "Presentation Virtualization" had been dropped since the launch of Windows Server 2008 R2, since it was hardly mentioned in any new Windows Server 2008 R2 literature. It was used almost synonymously with Remote Desktop Services (f.k.a. Terminal Services) RemoteApp.

Right now, I'm attending the Virtualization Pro Summit 2010 in Las Vegas. Presentation Virtualization is still mentioned by a few MVP speakers, including Sean Deuby, who defined it as the display being abstracted from the originating process.

Saturday, March 6, 2010

Hello Remote Desktop Services, Goodbye Terminal Services

With the launch of Windows Server 2008 R2, Terminal Services has been renamed Remote Desktop Services (RDS) to reflect its additional functionality. The major addition is support for Virtual Desktop Infrastructure (VDI).

Terminal Server is now called Session Host, and Session Broker (the built-in load balancer) is now called Connection Broker. Presentation Virtualization (Present-V) has apparently been dropped from Microsoft's vocabulary; RDS RemoteApp is used instead. Where you see Present-V in my earlier posts, read RDS RemoteApp.

Securing enterprise applications using RDS RemoteApp

Windows Server 2008 has a new feature in Remote Desktop Services (RDS, a.k.a. Terminal Services) that allows individual applications to be presented to users over RDP. Although the applications are installed and run on the Terminal Server (now known as the Session Host), users interact with the virtualised applications as if they were installed locally. This feature is known as RemoteApp.

There is a growing security demand for Internet traffic to be segregated from corporate applications because of recent high-profile APT incidents. We conducted a trial built primarily on RDS RemoteApp. Internet applications (e.g. Internet Explorer) are virtualised and executed over RDP, which effectively permits only screen updates, keystrokes and mouse clicks to be transmitted between client and server (this holds only while clipboard, drive and other device redirection is disabled for those sessions, since those channels carry data rather than screen updates). Even if the Internet applications were subverted by Trojans, there would be no impact on existing corporate applications. Corporate applications are protected and there is no drop in user experience. The setup is simple and fits well with existing infrastructure, and the trial was a huge success.

Saturday, September 12, 2009

Microsoft Virtual Desktop Infrastructure (VDI)

Besides RemoteApp, Microsoft Virtual Desktop Infrastructure (VDI) is introduced as part of Remote Desktop Services (RDS) in Windows Server 2008 R2. User sessions run on client VMs (Windows Vista or Windows 7) residing on backend infrastructure, i.e. Hyper-V hosts.

MS VDI comes in two variants: (1) a static one-user-to-one-VM assignment (Personal Virtual Desktop); or (2) many users sharing a pool of VMs built from a common image (Virtual Desktop Pool).

For the former (personal virtual desktop), each user is assigned a fixed client VM that the user can personalize and customize. These changes are available each time the user logs on to the personal virtual desktop. For the latter (virtual desktop pool), a single image is replicated across many virtual machines. As users connect to the shared virtual desktop pool, they are dynamically assigned any available client VM. Because users may not be assigned the same client VM each time they connect, any personalization and customization they make is not saved. If you choose a dynamic virtual desktop pool and users still need their personalization and customizations, you have to consider roaming profiles and folder redirection as well.

Present-V Smart Card & Printer Redirection

Present-V supports smart card and printer redirection, even though the application runs on the backend server and the smart card or printer is attached to the client desktop.

The same device middleware (or drivers) must be installed on both the server and the client. If you use ActivClient smart cards, the ActivIdentity software must be installed on both server and client so that the server can locate the matching device driver. Whenever the application requires smart card access, TS redirects the I/O to the client's local device. Also, ensure that Device and Resource Redirection is enabled, which it is by default.

Overall, this is how device redirection works:

Present-V Single Sign On (SSO)

Recently, I worked with the interns to set up a cross-domain Present-V POC, with the Exchange infrastructure in one domain and the Windows clients and terminal server in another. Initially, Windows XP users had to keep logging in with a password to launch RemoteApp, while Windows 7/Vista users could launch RemoteApp with Single Sign On (SSO). A deeper search revealed that SSO to Terminal Services 2008 uses the Credential Security Support Provider (CredSSP). CredSSP delegates credentials to defined target servers and is native to Windows Vista. Windows XP SP3 includes CredSSP, but it is not enabled by default.

To enable SSO, here is the solution. Note that SSO can only be used with password authentication (i.e. not smart card authentication).

Present-V Introduction

Windows Server 2008 Terminal Services offers a new feature. Instead of showing the entire server desktop to users, it can present just the application's GUI. (Showing multiple desktops can be confusing.) Hence, you can have individual virtualised applications running on the backend terminal server as if they were local applications on your PC. Microsoft calls this Presentation Virtualization (Present-V for short). The virtual application is known as a "RemoteApp".

Step-by-Step guides are available here.

Typical deployment scenario that allows remote access over the Internet: