In this article, we'll describe the peculiarities of configuring transparent SSO (Single Sign-On) authentication on RDS servers running Windows Server 2016 and 2012 R2. The requirements are:
- The Connection Broker server and all RDS servers must be running Windows Server 2012 or later;
- SSO works only in the domain environment: Active Directory user accounts must be used, the RDS servers and user’s workstations must be included in the AD domain;
- RDP client version 8.0 or later must be used on the RDP clients (this version of the RDP client cannot be installed on Windows XP);
- The following OS versions are supported on the rdp-client side: Windows 10, 8.1 or 7;
- SSO works only with password authentication (smart cards are not supported);
- The RDP Security Layer in the connection settings should be set to Negotiate or SSL (TLS 1.0), and encryption mode to High or FIPS Compliant.
The procedure of Single Sign-On configuration consists of the following steps:
- You need to issue and assign an SSL certificate on RD Gateway, RD Web, and RD Connection Broker servers;
- Web SSO has to be enabled on RDWeb server;
- The group policy for credentials delegation has to be configured;
- The certificate thumbprint has to be added to the trusted .rdp publishers using GPO.
First, you need to issue and assign an SSL certificate. The Server Authentication identifier must be present in the EKU (Enhanced Key Usage) property of the certificate. We won't describe how to obtain the SSL certificate, since that goes beyond the scope of this article (you can generate a self-signed SSL certificate yourself, but you will then have to deploy it to the trusted root certificate store on all clients using group policy).
The certificate is assigned in the Certificates section of the RDS Deployment properties.
Then you have to enable "Windows Authentication" and disable "Anonymous Authentication" for the IIS RDWeb directory on all servers with the Web Access role.
After you save the changes, restart IIS.
If you are using RD Gateway, make sure that it is not used for connections of internal clients (the "Bypass RD Gateway server for local addresses" option has to be checked).
The next step is the configuration of the credentials delegation policy. Create a new domain GPO and link it to the OU with the users (computers) who need SSO access to the RDS server. If you want to allow SSO for all domain users, it is acceptable to edit the Default Domain Policy.
This policy is located in the following GPO section: Computer Configuration -> Policies -> Administrative Templates -> System -> Credential Delegation -> Allow delegating default credentials. The policy allows certain servers to access the credentials of Windows users:
- The policy has to be enabled (Enabled);
- You have to add the names of RDS servers to the list of servers to which the client can automatically send user credentials to perform SSO authentication. The format of adding a server is as follows: TERMSRV/rd.contoso.com (note that all TERMSRV characters must be in upper case). If you have to give this permission to all terminal servers in the domain (less secure), you can use this construction: TERMSRV/*.contoso.com .
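The following PowerShell script is an added example (not part of the original article) for checking, on a domain-joined client after the GPO has applied, that the "Allow delegating default credentials" policy is enabled and that its TERMSRV/ list contains the expected server; `rd.contoso.com` is a placeholder, and the registry locations are the ones this policy writes to.

```powershell
# Added example: verify the credential delegation policy on a client.
# Run in an elevated PowerShell session after "gpupdate /force".
$base    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$rdsFqdn = 'rd.contoso.com'   # placeholder: the RDS server / broker you expect to be listed

# The policy itself is a DWORD; 1 means "Enabled".
$enabled = (Get-ItemProperty -Path $base -Name AllowDefaultCredentials -ErrorAction SilentlyContinue).AllowDefaultCredentials
if ($enabled -ne 1) {
    Write-Warning "Policy 'Allow delegating default credentials' is not enabled on this client"
    return
}

# The server list lives in a subkey with values named 1, 2, 3, ... holding strings like TERMSRV/rd.contoso.com
$listKey = Join-Path $base 'AllowDefaultCredentials'
$entries = Get-ItemProperty -Path $listKey -ErrorAction SilentlyContinue
if (-not $entries) { Write-Warning "No server list found under $listKey"; return }

$servers = $entries.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }

foreach ($s in $servers) {
    if ($s -cnotmatch '^TERMSRV/') {
        # The SPN prefix is compared case-sensitively by the client, so lower-case entries silently fail.
        Write-Warning "Entry '$s' does not start with upper-case TERMSRV/ and will not match RDP connections"
    } elseif ($s -match '\*') {
        # A wildcard hands the logged-on user's credentials to every host matching the pattern.
        Write-Warning "Wildcard entry '$s' delegates credentials to every matching host (less secure)"
    } else {
        Write-Output "OK: $s"
    }
}

$expected = "TERMSRV/$rdsFqdn"
if ($servers -contains $expected) { Write-Output "Expected entry $expected is present" }
else { Write-Warning "Expected entry $expected is missing" }
```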
Then, to prevent a warning window about the untrusted remote application publisher from appearing, add the address of the server with the Connection Broker role to the trusted zone on the client computers using the "Site to Zone Assignment List" policy (similar to the article How to disable Open File security warning on Windows 10): User/Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page.
Specify the FQDN of the RD Connection Broker server and Zone 2 (Trusted sites).
Then enable the Logon options policy in User/Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security -> Trusted Sites Zone and select "Automatic logon with current username and password" in the dropdown list.
After updating the group policies on the client, if you try to start the RemoteApp, a password prompt won't appear, but a warning window will:
Do you trust the publisher of this RemoteApp program?
To prevent this message from being displayed each time at user logon, you need to get the SSL certificate thumbprint on the RD Connection Broker and add it to the list of trusted .rdp publishers. To do this, run the PowerShell command on the RDS Connection Broker server:
Copy the value of the certificate thumbprint and add it to the list of thumbprints in the policy Specify SHA1 thumbprints of certificates representing RDP publishers (Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Connection Client).
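The following PowerShell script is an added example (not from the original article) of retrieving, on the RD Connection Broker, the thumbprint of the certificate bound to the RDPublishing role (the one that signs published .rdp files), checking that it carries the Server Authentication EKU, and printing it in the form the policy expects; `rdcb.contoso.com` is a placeholder and the RemoteDesktop module (RDS management tools) is assumed to be installed.

```powershell
# Added example: obtain and sanity-check the RDP publisher certificate thumbprint.
Import-Module RemoteDesktop

$broker = 'rdcb.contoso.com'   # placeholder: your RD Connection Broker FQDN

# Get-RDCertificate reports the certificate assigned to each RDS role; RDPublishing signs .rdp files.
$pubCert = Get-RDCertificate -Role RDPublishing -ConnectionBroker $broker
if (-not $pubCert.Thumbprint) { throw "No certificate is assigned to the RDPublishing role on $broker" }

# Look the certificate up in the local machine store to inspect EKU and validity.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $pubCert.Thumbprint }
if (-not $cert) { throw "Thumbprint $($pubCert.Thumbprint) not found in Cert:\LocalMachine\My" }

# Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) is required, as stated in the prerequisites.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$ekuExt = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$hasServerAuth = $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
if (-not $hasServerAuth) { Write-Warning "Certificate lacks the Server Authentication EKU; SSO will not work" }
if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate expired on $($cert.NotAfter)" }

# The GPO expects the SHA1 thumbprint as upper-case hex without spaces.
$thumb = ($cert.Thumbprint -replace '\s', '').ToUpper()
Write-Output "Subject : $($cert.Subject)"
Write-Output "Expires : $($cert.NotAfter)"
Write-Output "Add this value to 'Specify SHA1 thumbprints of certificates representing RDP publishers':"
Write-Output $thumb

# Optional: on a client where the GPO has applied, the policy is stored as a comma-separated REG_SZ.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$current = (Get-ItemProperty -Path $policyKey -Name TrustedCertThumbprints -ErrorAction SilentlyContinue).TrustedCertThumbprints
if ($current -and (($current -split ',' | ForEach-Object { $_.Trim().ToUpper() }) -contains $thumb)) {
    Write-Output "Thumbprint is already present in the local TrustedCertThumbprints policy value."
} else {
    Write-Output "Thumbprint is not present in the local policy yet (expected until the GPO applies on clients)."
}
```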
Now the SSO configuration is complete, and after the policies have been applied, the user can connect to the Windows Server RDS farm over RDP without re-entering the password.
Now, when you start mstsc.exe (the Remote Desktop Connection client) and specify the name of the RDS server, the User name field will automatically display the user name in the format user@domain.com with the caption:
Your Windows logon credentials will be used to connect.
To use RD Gateway with SSO, you need to enable the policy "Set RD Gateway Authentication Method" (User Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> RD Gateway) and set its value to "Use Locally Logged-On Credentials".
To use Web SSO on RD Web Access, please note that it is recommended to use Internet Explorer with the ActiveX component named Microsoft Remote Desktop Services Web Access Control (MsRdpClientShell) enabled.