Hello World,
We are again speaking about Remote Desktop Services in Windows Server 2012 R2. The journey is almost complete for this first series. In my current assignment, we had to develop a concept where applications would be centralized and offered as RemoteApp applications. This was an interesting project. During this project, a lot of users (and managers) were complaining about the fact that you needed to log in to the web page in order to access the applications offered.
So, the customer asked us if it was possible to have a Single Sign-On (SSO) experience by enabling the Windows Integrated Authentication (WIA) capability. We had to look into that a little bit, and we quickly found out that this scenario was foreseen by Microsoft. By modifying the IIS configuration and a web.config file, we could easily achieve our goal.
This post walks you through the process of enabling the Windows Integrated Authentication mechanism with RDS Web Access.
Step by Step Process
Assumptions
In this post, we assume that you have followed the steps described in the previous posts related to RDS:
- RDS – Remote Desktop Services Overview – PART I
- RDS – Remote Desktop Services Roles – Part II
- RDS – Quick Install Remote Desktop Service – Part III
- RDS – Accessing your RemoteApp – Part V
The scenario described hereafter makes sense when you have corporate users that need to access your RemoteApp service. We assume that the users have logged on to their corporate workstation (i.e. a member of the Active Directory domain) and that these users should be able to access their RemoteApp applications without being prompted for credentials or redirected to a login web page.
Step 1 – Configure IIS to support Windows Authentication method
We will first need to configure the IIS server to support the Windows Authentication method. To perform this configuration change, you will execute the following steps:
- Log on to the RD Web Access server (RDWeb)
- Open the Run or Search command and type inetmgr.msc
- The Internet Information Services console opens
- In the left pane, expand Sites and select the RDWeb site
- In the middle pane, double-click the Authentication icon
In the Authentication page, you will see the list of available authentication methods. Notice that the Windows Authentication option is set to Disabled.
In order to enable the Windows Authentication protocol, you have to disable Anonymous Authentication and enable Windows Authentication. Your configuration should then show Anonymous Authentication as Disabled and Windows Authentication as Enabled.
Step 2 – Modify the Web.config file for RDWeb
Now, we have to tell the web application that the Windows Authentication protocol can be used. In order to do that, log on to the RD Web Access server and modify the following web.config file, located at %SystemDrive%\Windows\Web\RDWeb\Pages\Web.config
Edit this file with Notepad and locate the authentication section.
You will need to uncomment the section
<authentication mode="Windows"/>
and comment out the section
<!--
<authentication mode="Forms">
<forms loginUrl="default.aspx" name="TSWAAuthHttpOnlyCookie" protection="All" requireSSL="true" />
</authentication>
-->
It is not finished yet. In this web.config file, you will still need to comment out another section. In the file, locate the <system.webServer> section. You will need to comment out the section located beneath the <system.webServer> tag.
If you do not comment out this section, the RemoteApp login page will not load and will display an error message instead.
Step 3 – Modify the login page
We need to perform an additional modification on the default login page in order to have a fully working Windows Integrated Authentication mechanism. When using form-based authentication, you can specify whether the computer is a public computer or a private computer. If we are using the WIA mechanism, the form is not visible and you cannot specify this option anymore. By modifying the code of the login page, we can set the private computer option as the default.
To perform this, edit the file located at %systemDrive%\Windows\Web\RDWeb\Pages\en-us\Default.aspx.
In the file, search for the word bPrivateMode.
The default value is set to false. You have to change the value to true. The line should then look like this:
public bool bShowPublicCheckBox = false, bPrivateMode = true, bRTL = false;
Step 4 – Configure Internet Explorer for WIA Protocol
There is a final step that should be performed at the browser level. If you try to access your RemoteApp web page and you are still prompted for credentials, this might mean that the web site you are trying to access is not listed in the Local Intranet zone.
You have to make sure that the URL of the RemoteApp server is configured to be part of the Local Intranet zone. You can configure this option manually, or you can use a GPO that sets this option automatically for you.
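As an added example that is not part of the original post, the following PowerShell script checks on the RD Web Access server that Steps 1 to 3 have been applied (IIS authentication methods, the active authentication mode in Web.config, and bPrivateMode in Default.aspx). It assumes the RDWeb application is hosted under "Default Web Site/RDWeb" and that the pages live in %SystemDrive%\Windows\Web\RDWeb\Pages.

```powershell
# Added example, not part of the original post: verifies that Steps 1 to 3 were
# applied on the RD Web Access server. Run in an elevated PowerShell session.
# Assumption: the RDWeb application lives under "Default Web Site/RDWeb".
Import-Module WebAdministration

$location   = 'Default Web Site/RDWeb'
$pagesDir   = Join-Path $env:SystemDrive 'Windows\Web\RDWeb\Pages'
$webConfig  = Join-Path $pagesDir 'Web.config'
$loginPage  = Join-Path $pagesDir 'en-us\Default.aspx'
$authFilter = '/system.webServer/security/authentication'

function Get-AuthEnabled([string]$Method) {
    # Reads the "enabled" attribute of one IIS authentication method for the RDWeb app
    $attr = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
                -Filter "$authFilter/$Method" -Name enabled
    return [bool]$attr.Value
}

$checks = @()

# Step 1: Anonymous Authentication must be off and Windows Authentication on
$checks += [pscustomobject]@{ Check = 'IIS: anonymousAuthentication disabled'
                              Ok    = -not (Get-AuthEnabled 'anonymousAuthentication') }
$checks += [pscustomobject]@{ Check = 'IIS: windowsAuthentication enabled'
                              Ok    = (Get-AuthEnabled 'windowsAuthentication') }

# Step 2: the active <authentication> element must be mode="Windows".
# Parsing the file as XML ignores the commented-out Forms block.
[xml]$cfg = Get-Content -Path $webConfig -Raw
$mode = $cfg.configuration.'system.web'.authentication.mode
$checks += [pscustomobject]@{ Check = "Web.config: authentication mode is Windows (found '$mode')"
                              Ok    = ($mode -eq 'Windows') }

# Step 3: the login page must default to private mode
$private = Select-String -Path $loginPage -Pattern 'bPrivateMode\s*=\s*true' -Quiet
$checks += [pscustomobject]@{ Check = 'Default.aspx: bPrivateMode = true'
                              Ok    = [bool]$private }

$checks | Format-Table -AutoSize
if ($checks.Ok -contains $false) { Write-Warning 'SSO prerequisites are incomplete'; exit 1 }
```

The Local Intranet zone setting from Step 4 lives on the client browsers, so it is not covered by this server-side check.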
Final Notes
Voila! We have accomplished our goal. Now, when a user connects to the RemoteApp URL, he has direct access to the applications that have been published to him. Moreover, the user can start the RemoteApp and no more credentials are requested. Isn't it cool?
Till Next Time
See ya
References: http://www.miru.ch/single-sign-on-in-rds-2012-demystified/
Congratulations, very, very good!
Hello Marcus;
Thanks for the feedback and your visit
Till next time
See ya
Hi, this is cool. But can you enable Windows Auth for internal users and, if that fails, go back to forms-based authentication?
Forms Authentication for external users! And Windows-based for internal?
Sorry should have been more clear…
Andy
Hello Andy,
The first thing that comes to my mind would be to try to create 2 virtual directories and configure one for internal access (Integrated Authentication) and one for external access (form-based authentication)
I do not know if this is feasible with RDS but I would give it a try
Hope this helps
till next time
See ya
Hello Griffon,
Thanks for the perfect solution. Tried and implemented it in my production environment of about 200 users. However, while opening any remote application which is published for a given user, a password prompt appears. Earlier, before implementing it, the password was prompted only for the web authentication and not while opening the remote app. Please suggest.
Thanks in advance.
Rupesh
Hello Rupesh,
Can you provide us some more insight? What's your infrastructure (1 server with all roles or multiple servers)? Have you followed the instructions and ensured that the private mode has been enabled? Can you also check that your browser is configured accordingly for the URL you are using (Intranet zone)?
Do you have some information in the event logs when trying to access one of the RemoteApps that could be helpful to debug and investigate that?
I will try to set up the infra again and see if we have the problem
Till next time
See ya
Hi Griffon,
Thanks for your immediate reply. 🙂
1. Our infrastructure comprises two servers: spls-ts01 and spls-ts02.
2. Of these, the following roles are installed on spls-ts01:
a. RD Licensing
b. RD Web Access.
c. RD Gateway.
d. RD Connection Broker and
e. RD Session Host.
3. The following roles on spls-ts02:
a. RD Session Host server.
4. This is how we have modified the "%systemDrive%\Windows\Web\RDWeb\Pages\en-us\Default.aspx" file: public bool bShowPublicCheckBox = false, bPrivateMode = true, bRTL = false;
5. Edited the group policy in a way that the URL http://spls.ts01.spl.com comes under Local Intranet Sites.
Let me make certain things clear:
In group policy, if we add the entry TERMSRV/spls-ts01.spl.com under Computer Configuration - Administrative Templates - System - Credentials Delegation - Allow delegating default credentials (state: enabled), the password is asked once the session is created on the server (just before "Applying Windows Settings, Please wait for local session manager"). However, if I do not configure the above setting, the password prompt appears immediately after clicking on the remote app. So when the password is entered, the session is opened with event ID 7001 (Winlogon) on the spls-ts01 server.
Please suggest.
Thanks
Rupesh
Hello Rupesh,
I have performed a (really, really) quick test and I have it working..
I have followed the instructions I have published and I have added a GPO under Credentials Delegation....
I have enabled Allow Delegating Credentials as you have, and I have also enabled Allow Delegating Credentials NTLM style (the first option in the list)
I have rebooted the servers to be sure that the GPO applies correctly (have done an RSOP)
and I was able to log in with SSO
Give it a try and let us know if this fixes your issue as well
Hope this helps
Till next time
See ya
Hi Griffon,
Tried the same on our DR site. Same issue over there. Maybe some group policies are conflicting. Will work on this and update with a solution.
Thanks
Rupesh
Hello Rupesh,
Have you rebooted your RDS server once after applying the GPO (it seems that gpupdate is not enough)?
I have done the test again, 1 web server and 1 session server.
Applied the GPOs for credentials delegation (2 GPOs in total) and then rebooted the servers
Before the reboot and after gpupdate, I was prompted for the credentials... after the reboot, no issues anymore
Sorry, I cannot reproduce your situation...
If you fix your situation, please let us know so we can share the info around
Till next time
See ya
Hello Griffon,
I made a new setup of Terminal Server on a fresh Windows Server. I found everything working properly on this newly configured server, as discussed earlier in this forum. Thanks for that 🙂 . The only difference between the old and new server is that the old server is fully updated (Windows updates) and there are no updates on the new server.
Anyone, please let me know if any KB is creating the problem here on the old server. We may proceed with uninstalling it. For now, updating the new server to confirm.
Thanks
Rupesh
Hello Rupesh,
Thank you very much for the feedback. This is really appreciated....
This is great news that this is working on the new server....
On our side, we will also check our configuration and see if updates or specific GPOs are needed (but I do not think so)
Please keep us in the loop if you find more stuff...
Till next time
See ya
Hello Griffon,
Tried re-installing all roles and features of Remote Desktop Services on our DR site terminal server and it worked superbly. Since this requires downtime, maybe we will plan it after our month-end activities on our production server. Will give an update once done on the production server.
Thanks
Rupesh
Hello Griffon,
In the Remote settings of System Properties on both terminal servers, we tried enabling "Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)". With this, single sign-on started working on all Windows 8, 7 and Vista machines. The problem occurred while opening RemoteApp on XP-based machines.
To overcome this issue, we ran the Fix it "MicrosoftFixit50588" on all of our XP-based computers. This writes the entry tspkg at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages in the registry and credssp.dll at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders.
Now single sign-on is working fine on all of the machines without any issues.
Thanks
Rupesh
Hello Rupesh,
Good to hear from you again... so I see that your issue has been solved and that your desired configuration is working.
Really, thank you for the feedback and for the info about the Windows XP machines..
Hope to see you around
Till next time
See ya
Hi Griffon,
Can we put an ADS password change link in the web page which is opened using SSO for a given user?
Thanks
Rupesh
Yes it is possible to do that.
You will need to change some of the code in the aspx pages….
I'm really busy right now... but if you have some patience, I will try to provide you with an example
Till next time
See you
Hello Rupesh,
Please find the basic instructions to make a link for the ADS Password Change appear.
In the folder c:\Windows\Web\RDWeb\Pages\En-us, edit (as administrator) the file Default.aspx (in Notepad or any other editor you like)
Insert the following code after line 276 or 277, or basically after this piece of code
<%
if (ConfigurationManager.AppSettings["ShowDesktops"].ToString() == "true")
{
%>
<Tab id="PORTAL_REMOTE_DESKTOPS" href="Desktops.aspx"><%=L_DesktopTab_Text%></Tab>
<%
}
%>
After this code, add the following information
<Tab id="Reset_Password" href="password.aspx">Reset Password</Tab>
Save your file and you should see a link called Reset Password on your web page
Hope this helps
Till next time
See ya
Hello Griffon,
Followed the procedure as discussed. We now see a "Reset password" link in the "http://rd.spl.com/RDWeb/Pages/en-US/default.aspx" page. The link then redirects us to the password.aspx page. After putting in the old password and confirming the new password twice, the submit button seems not to be working. The ADS password is not changed here. Please suggest if any IIS setting is missing or whether it is because we are using SSO.
Thanks
Rupesh
Hello Rupesh,
Have you checked this post to enable the reset password: http://c-nergy.be/blog/?p=5676
If you have done so, this should be working.... Again, I will need to check, if you still have the issue, what might be causing the situation
Keep us informed
Till next time
See ya
Hi Griffon,
Done all the necessary changes in IIS but still, not working. The password.aspx page comes up in a different window but I am not able to change the password.
Thanks
Rupesh
Hello Rupesh,
Sorry for the late answer but I'm really, really busy.
The fact that the change password page is not working is due to the fact that the page is expecting form-based authentication while you have configured web access using Windows Integrated Authentication. You cannot mix these two types of authentication...
As soon as I have some time, I will see if a workaround can be implemented quite quickly
Till next time
see ya
HI Griffon,
How will WIA behave if I want to log on as a different user to RDSweb?
Is that achievable?
thanks
Lukasz
Hello Lukasz,
If I understand your question, you would like to know if there is a way to have another user than the one currently logged on accessing their own RDS session via RemoteApp? Right?
Option 1 – Use form-based authentication (different users can log in, whatever the currently logged-in user)
Option 2 – Use WIA and, if you need to have another user accessing their own session, right-click Internet Explorer and select the option "Run as a different user"
Option 3 (My preferred one 🙂 – Custom coding... You could create custom code to display a link "Login As Another User" and pass the credentials to open the new session
Hope this helps
Till next time
See ya
Hi Griffon,
thanks for answering,
running the whole IE as a different user makes sense,
WIA sounds good and is probably fine for 99%, but as an example we have a conferencing PC that is always logged on, and presenters use RDS to log on with their account, or IT staff like us
I guess it would also be possible to use a different address for FBA?
thanks again!
Hello Lukasz,
Yes, that would be an option
Hope to see you back as we will post information about RDS FBA and WIA... (but not right away.... holidays are coming 🙂 )
till next time
See ya