Single Sign on for RDWeb on Server 2016

This guide shows how to streamline the sign-in experience so that users are not stopped by certificate, add-on or publisher prompts on the way to their desktop.

By default you might see the warning below every time you try to connect to a collection:

The Final Result


  1. Users enter their password into RD Web
    1. We will not be passing Windows credentials to the website automatically since it will not work from external computers, and it might cause some confusion.
  2. Users select their collection
  3. Users are now on their remote desktop (no other prompts)
You will also get a lock on your RDP bar confirming that the identity of the server was verified.

Requirements

  1. Server 2016 (Most of this should work on 2012)
  2. A publicly trusted SSL certificate for the external RDWeb name (a single-name certificate is enough; a wildcard is not required)
  3. Remote Desktop Gateway Role Deployed
  4. Windows workstations using Internet Explorer

My Test Environment

  • Server 2016
  • Single server handling RD Web, RD Gateway, RD Connection broker
  • 3 RD Session Host servers
  • Internal AD Domain name of example.LOCAL
  • External domain name example.COM
  • RDWeb URL: remote.example.com 

Assigning SSL certificate

Purchase an SSL certificate whose subject name (or a SAN entry) matches your external RDWeb URL, in my case remote.example.com, from a CA that your clients already trust. In Server Manager, under the deployment's Certificates properties, assign this one certificate to all four roles: RD Connection Broker - Enable Single Sign On, RD Connection Broker - Publishing, RD Web Access and RD Gateway. Make sure every role shows Trusted; anything else means the certificate chain does not validate on the broker and the prompts will not go away.
Go to https://remote.example.com and make sure that you do not get any SSL warnings.
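The same assignment done from PowerShell with the RemoteDesktop module, plus the "every role says Trusted" check, as an added example that is not part of the original post. The broker name, the PFX path and the expiry margin are my assumptions; the URL is the one used throughout this guide.

```powershell
# Added example: assign one certificate to all four RDS roles and verify it is trusted.
# Run on the connection broker as an administrator. Broker name and PFX path are assumed.
Import-Module RemoteDesktop

$Broker  = 'rdg01.example.local'                 # assumed: FQDN of the broker/gateway server
$PfxPath = 'C:\certs\remote.example.com.pfx'     # assumed: exported certificate with private key
$PfxPass = Read-Host -AsSecureString -Prompt 'PFX password'

# These four roles are the four entries on the Certificates tab in Server Manager.
$Roles = 'RDGateway', 'RDWebAccess', 'RDRedirector', 'RDPublishing'

function Set-RdsDeploymentCertificate {
    foreach ($Role in $Roles) {
        Set-RDCertificate -Role $Role -ImportPath $PfxPath -Password $PfxPass `
                          -ConnectionBroker $Broker -Force
    }
}

function Test-RdsDeploymentCertificate {
    # True only when every role reports Level = Trusted and nothing expires within 30 days
    # (the 30-day margin is my choice; the thumbprint policy later in the guide has to be
    # updated at every renewal, so it pays to know early).
    $Status = Get-RDCertificate -ConnectionBroker $Broker
    $Status | Format-Table Role, Level, IssuedTo, ExpiresOn -AutoSize | Out-Host
    $Bad = $Status | Where-Object {
        $_.Level -ne 'Trusted' -or $_.ExpiresOn -lt (Get-Date).AddDays(30)
    }
    if ($Bad) {
        Write-Warning ('Roles needing attention: ' + ($Bad.Role -join ', '))
        return $false
    }
    return $true
}

Set-RdsDeploymentCertificate
if (Test-RdsDeploymentCertificate) {
    # Same check as opening the site in a browser: a name or chain problem surfaces as an exception.
    (Invoke-WebRequest -Uri 'https://remote.example.com/RDWeb' -UseBasicParsing).StatusCode
}
```

Invoke-WebRequest validates the chain with the machine's own trust store, so running it from a workstation rather than the server is the more honest test of what users will see.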

Create DNS records and Test Connection

Create an internal (Active Directory) DNS record and an external (public) DNS record for remote.example.com. Both point at the server holding the RD Gateway role: the internal record at its LAN address, the external record at the public address that reaches it.

Test to make sure that you can connect to your RD Session Host Servers from inside and outside your network. You might get the error below, but we will get rid of it soon.

Removing the IE Add-in warning

We will be using IE because its Remote Desktop Services Web Access Control add-on (an ActiveX control) lets RD Web start the connection with the credentials the user just typed, which removes one of the sign-in prompts. Out of the box IE asks each user for permission to run the add-on, so first we enable it for everyone through policy.

GPO

For computers on the domain, create a GPO with the following registry preference item (this is the value the Internet Explorer "Add-on List" policy under Security Features/Add-on Management writes; data 1 means the add-on is allowed, 0 would deny it):
  • User Configuration/Preferences/Windows Settings/Registry
  • Hive: HKCU
  • Key: Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID
  • Value name: {6A5B0C7C-5CCB-4F10-A043-B8DE007E1952}
  • Type: REG_SZ
  • Data: 1

Non Domain computers

For all other computers, run this command from an elevated prompt. It writes to HKLM, so it covers every user who signs in to that machine:

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID" /t REG_SZ  /v "{6A5B0C7C-5CCB-4F10-A043-B8DE007E1952}" /d 1

Remove Publisher warning


By default clients do not trust your deployment as an RDP publisher: every .rdp file RD Web hands out is signed with the RD Connection Broker - Publishing certificate, and until the client is told to trust that certificate's thumbprint it warns that the publisher of the remote connection cannot be verified.

Get the SHA1 thumbprint of the certificate you assigned above. When you copy it from the certificate properties dialog, the first character is often an invisible Unicode mark (typically U+200E, LEFT-TO-RIGHT MARK), so delete the first visible character and type it in again, or read the thumbprint with PowerShell's certificate provider so nothing hidden is copied.

You will need to update this any time you renew your certificate, because the thumbprint changes with every new certificate.

GPO

  • User Configuration/Policies/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Connection Client/Specify SHA1 thumbprints of certificates representing trusted .rdp publishers
  • Enabled
  • Your thumbprint from earlier (comma-separated if you need to trust more than one, for example during a renewal)

Non Domain Computers

For all other computers, run this command from an elevated prompt, replacing THUMBPRINTgoesHERE with the thumbprint (separate several with commas):

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /t REG_SZ  /v "TrustedCertThumbprints" /d "THUMBPRINTgoesHERE"
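Both non-domain steps (the add-on policy above and the trusted publisher thumbprint here) done from PowerShell, as an added example that is not part of the original post. Get-RdPublisherThumbprint runs on the server and reads the thumbprint from the certificate store, which sidesteps the hidden-character problem; Set-RdWebClientPolicy runs elevated on the workstation and refuses anything that is not exactly 40 hex digits. The function names and the default subject name remote.example.com are my own; the registry paths and values are the ones the two reg add commands use.

```powershell
# Added example, not code from the original post.
# Server side: read the publisher thumbprint from the store instead of the GUI.
function Get-RdPublisherThumbprint {
    param([string]$SubjectName = 'remote.example.com')   # assumed external RDWeb name
    $Cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$SubjectName*" -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
    if (-not $Cert) { throw "No unexpired certificate for $SubjectName in LocalMachine\My" }
    # Reading the property directly avoids the hidden character the certificate dialog copies.
    return $Cert.Thumbprint
}

# Client side: apply both policies for every user of a non-domain workstation (run elevated).
function Set-RdWebClientPolicy {
    param([Parameter(Mandatory)][string[]]$Thumbprint)

    # Drop whitespace and anything that is not a hex digit (this also removes the hidden
    # left-to-right mark), then insist on exactly 40 hex characters, i.e. a SHA1 thumbprint.
    $Clean = foreach ($t in $Thumbprint) {
        $h = ($t -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        if ($h -notmatch '^[0-9A-F]{40}$') { throw "Not a SHA1 thumbprint: '$t'" }
        $h
    }

    # 1. Force-enable the RDS Web Access Control add-on for every IE user on this machine
    #    (data 1 = allowed, 0 = denied, the same values the Add-on List GPO writes).
    $AddonKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID'
    $Clsid    = '{6A5B0C7C-5CCB-4F10-A043-B8DE007E1952}'
    if (-not (Test-Path $AddonKey)) { New-Item -Path $AddonKey -Force | Out-Null }
    New-ItemProperty -Path $AddonKey -Name $Clsid -PropertyType String -Value '1' -Force | Out-Null

    # 2. Trust .rdp files signed with this certificate; the policy expects a comma-separated list.
    $TsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    if (-not (Test-Path $TsKey)) { New-Item -Path $TsKey -Force | Out-Null }
    New-ItemProperty -Path $TsKey -Name 'TrustedCertThumbprints' -PropertyType String `
                     -Value ($Clean -join ',') -Force | Out-Null

    # Read both values back so the caller sees what was actually written.
    [pscustomobject]@{
        AddonAllowed       = (Get-ItemProperty -Path $AddonKey).$Clsid -eq '1'
        TrustedThumbprints = (Get-ItemProperty -Path $TsKey).TrustedCertThumbprints
    }
}

# Usage:
#   on the server:      $tp = Get-RdPublisherThumbprint
#   on the workstation: Set-RdWebClientPolicy -Thumbprint $tp
```

Carry the thumbprint to the workstation yourself (ticket, script parameter, MDM); do not have the client pull it from whatever certificate remote.example.com happens to present, or the policy would trust any publisher that can answer on that name.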

Remove Certificate Name Mismatch Error

The error shown earlier appears because the name on the certificate (remote.example.com) does not match the internal name of the server the client is actually sent to. The same mismatch is what keeps the lock off the connection bar. Fix it by publishing the deployment under the external name:

  1. Open the Remote Desktop Gateway Manager MMC
  2. Go to %ServerName%/Policies/Resource Authorization Policies
  3. Right click RDG_AllDomainComputers and open its properties
  4. Click on the Network Resources tab
  5. Select "Allow users to connect to any network resource". The new published name is not a member of Domain Computers, so the default RAP would refuse it. This is the loosest option; if you would rather not let the gateway relay to every internal host, create an RD Gateway-managed computer group containing remote.example.com and your session hosts and select that instead.
  6. Using the script found here, change the RD published name so that every .rdp file the deployment generates uses remote.example.com. The new name must resolve to the connection broker; the DNS records created above already do that in a single-server deployment like mine.
  7. Try connecting to the RDS again. If it works you can move forward. If you get an error like the one below, review all the steps; worst case you can revert by setting the old RD published name again.
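A way to check the result of the published-name change, as an added example that is neither the post's code nor the linked script: parse a .rdp file saved from RD Web and flag anything that would still trigger a prompt, and optionally compare the certificate the gateway presents on 443 with the name and thumbprint you trust. The sample .rdp text is constructed (signature shortened), the expected name is remote.example.com, and the function names are my own.

```powershell
# Added example, not the post's or the linked script's code.

function ConvertFrom-RdpFile {
    # .rdp files are "name:type:value" lines; type s = string, i = integer, b = binary.
    param([Parameter(Mandatory)][string]$Text)
    $Settings = @{}
    foreach ($Line in ($Text -split "`r?`n")) {
        if ($Line -match '^(?<name>[^:]+):(?<type>[sib]):(?<value>.*)$') {
            $Settings[$Matches['name'].ToLowerInvariant()] = $Matches['value']
        }
    }
    return $Settings
}

function Test-RdpPublishedName {
    # Returns the list of things that would still cause a prompt; empty means all good.
    param([Parameter(Mandatory)][hashtable]$Rdp, [Parameter(Mandatory)][string]$ExpectedName)
    $Problems = @()
    if ($Rdp['full address'] -ne $ExpectedName) {
        $Problems += "full address is '$($Rdp['full address'])', expected $ExpectedName (published name not changed?)"
    }
    if ($Rdp['gatewayhostname'] -ne $ExpectedName) {
        $Problems += "gatewayhostname is '$($Rdp['gatewayhostname'])', expected $ExpectedName"
    }
    if (-not $Rdp.ContainsKey('signature')) {
        $Problems += 'file is not signed, so the trusted-publisher policy cannot apply'
    }
    elseif ($Rdp['signscope'] -notmatch 'Full Address') {
        $Problems += 'signature does not cover Full Address'
    }
    return $Problems
}

function Get-TlsCertificate {
    # Fetches the certificate a host presents on 443. Validation is bypassed on purpose:
    # we want to inspect whatever the server offers, not reject it early.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $Tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $Accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $Ssl = New-Object System.Net.Security.SslStream($Tcp.GetStream(), $false, $Accept)
        $Ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Ssl.RemoteCertificate)
    }
    finally { $Tcp.Close() }
}

# Constructed sample of what RD Web generates after the change (signature shortened).
$Sample = @'
full address:s:remote.example.com
gatewayhostname:s:remote.example.com
gatewayusagemethod:i:2
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.Desktops
signscope:s:Full Address,Alternate Full Address,Server Port,GatewayHostname,LoadBalanceInfo
signature:s:AQABAAEAAAD...
'@

$Issues = Test-RdpPublishedName -Rdp (ConvertFrom-RdpFile $Sample) -ExpectedName 'remote.example.com'
if ($Issues) { $Issues | ForEach-Object { Write-Warning $_ } } else { 'RDP file matches the published name' }

# Live check (uncomment on a machine that can reach the gateway):
# $Cert = Get-TlsCertificate -HostName 'remote.example.com'
# $Cert.GetNameInfo('DnsName', $false) -eq 'remote.example.com'   # the name that must match
# $Cert.Thumbprint -eq 'THUMBPRINTgoesHERE'                         # the value pushed to clients
```

If full address still shows the internal broker name, the script did not take; if the live thumbprint differs from the one in the publisher policy, the certificate was renewed and the policy needs the new value.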

Set Private Computer mode (optional)

To further reduce the number of clicks we will force every RD Web login to behave as "This is a private computer". Note that this disables the public setting entirely: private mode keeps an idle RD Web session alive far longer than public mode does (roughly four hours versus twenty minutes by default, the PublicModeSessionTimeoutInMinutes and PrivateModeSessionTimeoutInMinutes values in the RDWeb web.config), so only do this if users are not signing in from shared or kiosk machines.
  1. On your Gateway go to C:\Windows\Web\RDWeb\Pages\en-US
  2. Make a backup of Default.aspx
  3. Change bPrivateMode = false (Line 35 for me) to bPrivateMode = true
It might look like nothing changed on the website, but all new logins will be treated as private and the radio button no longer does anything. Keep the backup: an update that replaces the RDWeb pages will undo this edit.


Remove "Connect to a remote PC"

Since we set the gateway's network resources to unrestricted, I will remove the option for users to connect to arbitrary network PCs from the website, so the only targets offered are the published collections.

  1. Open IIS
  2. Go to %ServerName%/Sites/Default Web Site/RDWeb/Pages
  3. Click on Application Settings
  4. Set ShowDesktops to false

This only hides the tab; the RAP you edited earlier is what actually decides which hosts the gateway will relay to.
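Both RD Web tweaks (private mode in Default.aspx and ShowDesktops in IIS) applied in one pass with a timestamped backup and a read-back of each setting, as an added example that is not part of the original post. The paths are the ones the post uses; the backup naming and the function names are mine. Run it on the RD Web Access server as an administrator.

```powershell
# Added example, not from the original post: private mode + ShowDesktops with a backup.
Import-Module WebAdministration

$Aspx     = 'C:\Windows\Web\RDWeb\Pages\en-US\Default.aspx'
$SitePath = 'IIS:\Sites\Default Web Site\RDWeb\Pages'

function Set-RdWebPrivateMode {
    # Copies Default.aspx aside, flips bPrivateMode to true, returns $true if the file now says so.
    param([string]$Path = $Aspx)
    $Backup = "$Path.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -Path $Path -Destination $Backup
    $Content = Get-Content -Path $Path -Raw
    if ($Content -notmatch 'bPrivateMode\s*=\s*false') {
        Write-Warning "bPrivateMode = false not found in $Path (already changed, or the page layout differs)"
        return ($Content -match 'bPrivateMode\s*=\s*true')
    }
    # -replace is regex based; $1 keeps whatever spacing the file uses around '='.
    $Content = $Content -replace 'bPrivateMode(\s*=\s*)false', 'bPrivateMode$1true'
    Set-Content -Path $Path -Value $Content -Encoding UTF8 -NoNewline
    Write-Host "Backup written to $Backup"
    return ((Get-Content -Path $Path -Raw) -match 'bPrivateMode\s*=\s*true')
}

function Set-RdWebShowDesktops {
    # ShowDesktops is an appSettings entry in RDWeb\Pages\web.config; false hides "Connect to a remote PC".
    param([bool]$Enabled = $false)
    $Filter = "appSettings/add[@key='ShowDesktops']"
    Set-WebConfigurationProperty -PSPath $SitePath -Filter $Filter -Name 'value' `
                                 -Value ($Enabled.ToString().ToLower())
    $Current = Get-WebConfigurationProperty -PSPath $SitePath -Filter $Filter -Name 'value'
    # The provider returns either a plain string or an attribute object with a Value property.
    if ($Current -is [string]) { return $Current } else { return $Current.Value }
}

"Private mode forced: $(Set-RdWebPrivateMode)"
"ShowDesktops now:    $(Set-RdWebShowDesktops -Enabled $false)"
```

Changing web.config recycles the RDWeb application, so do this outside peak hours; the Default.aspx edit only triggers a page recompile.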

All Done

We have now completed our SSO configuration. Users no longer have to click through any warnings, and they get to their RD resources faster than before.
