Single Sign-On (SSO) is the technology that allows an authenticated (signed-on) user to access other domain services without re-authenticating. Applied to the Remote Desktop Service, SSO lets a user who is logged on to a domain computer connect to the RDS servers or launch published RemoteApps without re-entering account credentials (username and password).
In this article, we describe the specifics of configuring transparent SSO (Single Sign-On) authentication on RDS servers running Windows Server 2016 and 2012 R2.
- The Connection Broker server and all RDS servers must be running Windows Server 2012 or later;
- SSO works only in a domain environment: Active Directory user accounts must be used, and the RDS servers and the users' workstations must be joined to the AD domain;
- RDP 8.0 or later must be used on the RDP clients (it is not possible to install this version of the RDP client in );
- The following OS versions are supported on the RDP client side: Windows 10, 8.1 or 7;
- SSO works only with password authentication (smart cards are not supported);
- The RDP Security Layer in the connection settings must be set to Negotiate or SSL (TLS 1.0), and the encryption mode to High or FIPS Compliant.
The Single Sign-On configuration procedure consists of the following steps:
- You must issue and assign an SSL certificate on the RD Gateway, RD Web and RD Connection Broker servers;
- Web SSO must be enabled on the RDWeb server;
- The group policy for credential delegation must be configured;
- The certificate thumbprint must be added to the .rdp trusted publishers using GPO.
First, you must issue and assign an SSL certificate. The Server Authentication identifier must be present in the EKU (Enhanced Key Usage) property of the certificate. We won't describe the procedure for obtaining the SSL certificate, since it is beyond the scope of this article (you can yourself, but you will have to ).
The certificate is assigned in the Certificates section of the RDS Deployment properties.
Then you have to enable “Windows Authentication” for the IIS RDWeb directory on all servers with the Web Access role and disable “Anonymous Authentication”.
After you save the changes, restart IIS:
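The same IIS change can be made from an elevated PowerShell session on each RD Web Access server instead of through the IIS Manager GUI. This is an added example, not code from the original article; it assumes the RDS role published RDWeb under the “Default Web Site”, which is the default location.

```powershell
# Added example (not from the original article): switch the RDWeb application to
# Windows Authentication and turn off Anonymous Authentication, then restart IIS.
# Assumption: RDWeb lives under "Default Web Site" (the RD Web Access role default).
Import-Module WebAdministration

$site     = 'Default Web Site'
$rdwebApp = "$site/RDWeb"
$authBase = 'system.webServer/security/authentication'

# Enable Windows (Kerberos/NTLM) authentication for the RDWeb application.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $rdwebApp `
    -Filter "$authBase/windowsAuthentication" -Name enabled -Value $true

# Disable anonymous access; while it is on, IIS never challenges the browser,
# so the logged-on user's credentials are never offered and Web SSO cannot happen.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $rdwebApp `
    -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false

# Read the settings back before restarting, so a typo in the location is caught now.
foreach ($mode in 'windowsAuthentication', 'anonymousAuthentication') {
    $state = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $rdwebApp `
        -Filter "$authBase/$mode" -Name enabled
    '{0,-24} enabled = {1}' -f $mode, $state.Value
}

# Apply the change by restarting IIS.
iisreset
```

The read-back loop should print `windowsAuthentication enabled = True` and `anonymousAuthentication enabled = False` before the restart; if either line shows the old value, the `-Location` path does not match where RDWeb is actually published.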
If you are using RD Gateway, make sure that it is not used for connections from internal clients (the Bypass RD Gateway server for local addresses option must be checked).
The next step is the configuration of the credential delegation policy. Create a new domain GPO and link it to the OU with the users (computers) that should be allowed SSO access to the RDS server. If you want to allow SSO for all domain users, it is acceptable to edit the Default Domain Policy.
This policy is located in the following GPO section: Computer Configuration -> Policies -> Administrative Templates -> System -> Credentials Delegation -> Allow delegating default credentials. The policy allows certain servers to receive the credentials of Windows users:
- The policy must be enabled (Enabled);
- You have to add the names of the RDS servers to the list of servers to which the client may automatically send the user's credentials to perform SSO authentication. The format of a server entry is as follows: TERMSRV/rd.contoso.com (note that all TERMSRV characters must be in upper case). If you have to grant this permission to all terminal servers in the domain (less secure), you can use this construction: TERMSRV/*.contoso.com.
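Because this policy decides which hosts a client will silently hand the user's password to, it is worth auditing on a client after the GPO has applied. The following PowerShell audit is an added example, not code from the original article; it reads the registry keys this policy is stored in (the CredentialsDelegation key under the HKLM Policies hive, which is where the Credentials Delegation administrative template writes) and flags entries that are wildcards, have the wrong case, or are not TERMSRV SPNs at all.

```powershell
# Added example (not from the original article): audit the "Allow delegating default
# credentials" policy on a client and classify each server entry.
# Assumption: the policy is stored under HKLM\SOFTWARE\Policies\...\CredentialsDelegation,
# with the server list as numbered string values in the AllowDefaultCredentials subkey.

function Get-DelegationEntryStatus([string]$Entry) {
    # -CaseSensitive so that "termsrv/" (wrong case, ignored by the client) is caught.
    switch -Regex -CaseSensitive ($Entry) {
        '^TERMSRV/\*'    { return 'WILDCARD: every host matching the pattern may receive credentials' }
        '^TERMSRV/'      { return 'ok' }
        '^(?i)termsrv/'  { return 'WRONG CASE: prefix must be upper-case TERMSRV/' }
        default          { return 'NOT TERMSRV: entry has no effect for RDS SSO' }
    }
}

function Test-CredentialDelegationPolicy {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    $list = Join-Path $base 'AllowDefaultCredentials'

    if (-not (Test-Path $base)) {
        Write-Warning 'Credentials Delegation policy is not applied on this host'
        return
    }

    $enabled = (Get-ItemProperty -Path $base).AllowDefaultCredentials -eq 1
    'Allow delegating default credentials enabled: {0}' -f $enabled

    if (-not (Test-Path $list)) {
        Write-Warning 'Policy is present but the server list is empty; SSO will not work'
        return
    }

    # The list is stored as values named "1", "2", ... whose data is the SPN.
    (Get-ItemProperty -Path $list).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object {
            [pscustomobject]@{
                Index  = [int]$_.Name
                Entry  = $_.Value
                Status = Get-DelegationEntryStatus $_.Value
            }
        } | Sort-Object Index
}

Test-CredentialDelegationPolicy | Format-Table -AutoSize
```

Any row whose Status starts with WILDCARD is the “less secure” case the article mentions: every machine whose name matches the pattern, including one an attacker manages to register in that DNS suffix, becomes a valid destination for the user's delegated password. Prefer listing the Connection Broker and session hosts explicitly.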
Then, to prevent a window warning that the remote application publisher is untrusted from appearing, add the address of the server with the Connection Broker role to the trusted zone on the client computers using the “Site to Zone Assignment List” policy (similar to the article ): User/Computer Configuration -> Administrative Tools -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page.
Specify the FQDN of the RDCB server and Zone 2 (Trusted sites).
Then enable the Logon options policy in User/Computer Configuration -> Administrative Tools -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security -> Trusted Sites Zone and select “Automatic logon with current username and password” in the dropdown list.
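Both Internet Explorer settings can be verified on a client once the GPO has applied. The check below is an added example, not code from the original article. It assumes `rdcb.contoso.com` as a placeholder for the Connection Broker FQDN and assumes the registry locations these two policies write to: the Site to Zone Assignment List stores one value per site (site name as the value name, zone number as the data) under `Internet Settings\ZoneMapKey`, and the Trusted Sites Zone logon option is the `1A00` value under `Internet Settings\Zones\2`, where `0` means automatic logon with the current username and password. Both the Computer and User scopes are checked because the policy exists under both.

```powershell
# Added example (not from the original article): confirm that the RD Connection Broker is
# assigned to the Trusted sites zone (2) and that the zone allows automatic logon.
# Assumptions: rdcb.contoso.com is a placeholder FQDN; ZoneMapKey and Zones\2\1A00 under
# the Policies hive are where the two IE policies store their settings.
function Test-TrustedZoneSso {
    param([Parameter(Mandatory)][string]$BrokerFqdn)

    $result = [ordered]@{
        Fqdn       = $BrokerFqdn
        ZoneMapped = $false   # site appears in the policy list with zone 2
        AutoLogon  = $false   # 1A00 = 0 in zone 2
        Scope      = @()      # which hives (HKLM = Computer, HKCU = User) carried the settings
    }

    foreach ($hive in 'HKLM:', 'HKCU:') {
        $ie = "$hive\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"

        $zoneMap = Join-Path $ie 'ZoneMapKey'
        if (Test-Path $zoneMap) {
            # Entries may be written with or without a scheme (https://rdcb.contoso.com).
            $hit = (Get-ItemProperty -Path $zoneMap).PSObject.Properties |
                Where-Object { ($_.Name -ireplace '^\w+://', '') -ieq $BrokerFqdn -and $_.Value -eq '2' }
            if ($hit) { $result.ZoneMapped = $true; $result.Scope += $hive }
        }

        $zone2 = Join-Path $ie 'Zones\2'
        if (Test-Path $zone2) {
            $logon = (Get-ItemProperty -Path $zone2).'1A00'
            # 0 = automatic logon with current username and password (the option the article selects)
            if ($null -ne $logon -and $logon -eq 0) { $result.AutoLogon = $true }
        }
    }

    [pscustomobject]$result
}

Test-TrustedZoneSso -BrokerFqdn 'rdcb.contoso.com'
```

If `ZoneMapped` is true but `AutoLogon` is false, the browser will still prompt for credentials on the RDWeb page even though the publisher warning is gone; if neither is true, run `gpupdate /force` and check the GPO link and security filtering before looking anywhere else.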
After updating the group policies on the client, a password prompt no longer appears when you try to start the RemoteApp, but a warning window does:
Do you trust the publisher of this RemoteApp program?
To prevent this message from being displayed at every user logon, you have to get the thumbprint of the SSL certificate on the RD Connection Broker and add it to the list of trusted .rdp publishers. To do this, run the PowerShell command on the RDS Connection Broker server:
Copy the value of the certificate thumbprint and add it to the list of thumbprints in the policy Specify SHA1 thumbprints of certificates representing RDP publishers (Computer Configuration -> Administrative Templates -> Windows Desktop Services -> Remote Desktop Connection Client).
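The following PowerShell is an added example, not the command from the original article or any RDS cmdlet. It lists the Server Authentication certificates in the Connection Broker's machine store so the right thumbprint can be copied, and it checks on a client whether that thumbprint is already in the trusted publishers policy. It assumes that policy stores its comma-separated thumbprint list in the `TrustedCertThumbprints` value under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services`. The expiry check is there because the thumbprint is a hash of the certificate: as soon as the certificate is renewed, the value in the GPO is stale and the publisher warning returns.

```powershell
# Added example (not from the original article): find the RD Connection Broker's
# Server Authentication certificate and test whether its thumbprint is trusted by the
# "Specify SHA1 thumbprints of certificates representing RDP publishers" policy.
# Assumption: the policy writes a comma-separated TrustedCertThumbprints string under
# HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services.

function Get-RdpPublisherCandidate {
    # 1.3.6.1.5.5.7.3.1 is the Server Authentication EKU the article requires.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'
        } |
        Sort-Object NotAfter -Descending |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter,
            @{ n = 'DaysLeft'; e = { [int]($_.NotAfter - (Get-Date)).TotalDays } }
}

function Test-RdpPublisherTrusted([string]$Thumbprint) {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    if (-not (Test-Path $key)) { return $false }
    $raw = (Get-ItemProperty -Path $key).TrustedCertThumbprints
    if (-not $raw) { return $false }
    # Normalise: the GPO expects upper-case hex with no spaces, but admins paste all sorts.
    $trusted = $raw -split ',' | ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() }
    return $trusted -contains ($Thumbprint -replace '\s', '').ToUpperInvariant()
}

$cert = Get-RdpPublisherCandidate | Select-Object -First 1
if (-not $cert) { Write-Warning 'No Server Authentication certificate with a private key found'; return }

$cert | Format-List
if ($cert.DaysLeft -lt 30) {
    Write-Warning ('Certificate expires in {0} days; update the thumbprint in the GPO after renewal' -f $cert.DaysLeft)
}
'Thumbprint already in trusted RDP publishers policy: {0}' -f (Test-RdpPublisherTrusted $cert.Thumbprint)
```

Run the first part on the Connection Broker and the `Test-RdpPublisherTrusted` call on a client after `gpupdate`; if it returns `False` while the GPO shows the thumbprint, the usual causes are a stray space or a lower-case value pasted into the policy, or the policy linked to an OU the client is not in.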
Now the SSO configuration is complete, and once the policies have been applied, the user can connect to the Windows Server RDS farm using RDP without re-entering the password.
Now, when you start mstsc.exe (Remote Desktop Connection client) and specify the name of the RDS server, the User name field automatically shows the user name in the format ([email protected]) with the caption:
Your Windows logon credentials will be used to connect.
To use RD Gateway with SSO, you must enable the “Set RD Gateway Authentication Method” policy (User Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> RD Gateway) and set its value to “Use Locally Logged-On Credentials”.
To use Web SSO on RD Web Access, note that it is recommended to use Internet Explorer with the ActiveX component named Microsoft Remote Desktop Services Web Access Control (MsRdpClientShell) enabled.