Single Sign-On (SSO) is the technology that allows an authenticated (signed on) user to access other domain services without re-authentication. Applied to the Remote Desktop Service, SSO allows a user logged on to the domain computer not to re-enter account credentials (username and password) when connecting to the RDS servers or launching published RemoteApps.
In this article, we’ll describe the peculiarities of configuring the transparent SSO (Single Sign-On) authentication on RDS servers running Windows Server 2016 and 2012 R2.
System requirements:
- The Connection Broker server and all RDS servers must be running Windows Server 2012 or later;
- SSO works only in the domain environment: Active Directory user accounts must be used, the RDS servers and user’s workstations must be included in the AD domain;
- The RDP 8.0 or later must be used on the rdp clients (it won’t be possible to install this version of the RDP client in Windows XP);
- The following OS versions are supported on the rdp-client side: Windows 10, 8.1 or 7;
- SSO works only with password authentication (smart cards are not supported);
- The RDP Security Layer in the connection settings should be set to Negotiate or SSL (TLS 1.0), and encryption mode to High or FIPS Compliant.
The procedure of Single Sign-On configuration consists of the following steps:
- You need to issue and assign an SSL certificate on RD Gateway, RD Web, and RD Connection Broker servers;
- Web SSO has to be enabled on RDWeb server;
- The group policy for credentials delegation has to be configured;
- The certificate thumbprint has to be added to the trusted .rdp publishers using GPO.
Firstly, you need to issue and assign an SSL certificate. In the EKU (Enhanced Key Usage) certificate property, the Server Authentication identifier must be present. We won’t describe the procedure of obtaining the SSL certificate since it goes beyond the scope of this article (you can generate a self-signed SSL certificate yourself, but you will have to deploy it to the trusted cert on all clients using the group policy).
The certificate is assigned in the Certificates section of RDS Deployment properties.
Then you have to enable “Windows Authentication” on all servers with Web Access role for IIS RDWeb directory and disable “Anonymous Authentication”.
After you save the changes, restart IIS:
iisreset /noforce
If you are using RD Gateway, make sure that it is not used for connection of the internal clients (Bypass RD Gateway server for local address option has to be checked).
The next step is the configuration of the credentials delegation policy. Create a new domain GPO and link it to the OU with users (computers) who need to allow SSO access to the RDS server. If you want to allow SSO for all domain users, it is acceptable to edit the Default Domain Policy.
This policy is located in the following GPO section: Computer Configuration -> Policies -> Administrative Templates -> System -> Credential Delegation -> Allow delegation defaults credential. The policy allows certain servers to access the credentials of Windows users:
- The policy has to be enabled (Enabled);
- You have to add the names of RDS servers to the list of servers to which the client can automatically send user credentials to perform SSO authentication. The format of adding a server is as follows: TERMSRV/rd.contoso.com (note that all TERMSRV characters must be in upper case). If you have to give this permission to all terminal servers in the domain (less secure), you can use this construction: TERMSRV/*.contoso.com .
Then, to prevent a window warning of the remote application publisher being untrusted to appear, add the address of the server with the Connection Broker role to the trusted zone on the client computers using the policy “Site to Zone Assignment List” (similar to the article How to disable Open File security warning on Windows 10): User/Computer Configuration -> Administrative Tools -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page.
Specify FQDN server name RDCB and Zone 2 (Trusted sites).
Then enable Logon options policy in User/Computer Configuration -> Administrative Tools -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security -> Trusted Sites Zone and in the dropdown list select “Automatic logon with current username and password”.
After updating the group policies on the client, if you try to start the RemoteApp, a password prompt won’t appear, but a warning window will appear:
Do you trust the publisher of this RemoteApp program?
To prevent this message from being displayed each time at user logon, you need to get the SSL certificate thumbprint on the RD Connection Broker and add it to the list of trusted rdp publishers. To do this, run the PowerShell command on the RDS Connection Broker server:
Get-Childitem CERT:\LocalMachine\My
Copy the value of the certificate thumbprint and add it to the list of thumbprints in the policy Specify SHA1 thumbprints of certificates representing RDP publishers (Computer Configuration -> Administrative Templates -> Windows Desktop Services -> Remote Desktop Connection Client).
Now the SSO configuration is over, and after the policies have been applied, the user can connect to the Windows Server RDS farm using RDP without re-entering password.
Now, when you start mstsc.exe (Remote Desktop Connection client) and specify the name of the RDS server, the UserName field will automatically display the user name in the format (user@domain.com) with the caption:
Your Windows logon credentials will be used to connect.
To use RD Gateway with SSO, you need to enable the policy “Set RD Gateway Authentication Method” (User Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> RD Gateway) and set its value to “Use Locally Logged-On Credentials”.
To use Web SSO on RD Web Access, please note that it is recommended to use Internet Explorer with enabled Active X component named Microsoft Remote Desktop Services Web Access Control (MsRdpClientShell).
10 comments
Hi,
Thanks for the post. So these GPO setting is done on the Server 2012 Hyper-V server? not on thin clients or virtual machine?
Thanks
Hi,
These GPO settings should be applied on users’ computers
Hi.
In our setup we are using a Load balancer with RSA two factor authentication as front end to our RDS Farm.
Do these settings still apply?
The front end of the BigIP is located on the same subnet and domain as the user computers (Win7) but the RDS Farm (Win2016) is in another subnet and domain.
I think SSO in this case will not work if there is no trust relationship between these domains.
S.KLEVEN, does the BIGIP device allow for session collections. We have 8 RSH and have 4 session collections 2 in each session, we have the issue where the client is offered connection to RSH not in their collection.
Fajne moze byc ale nwm oco hodzi
Could I make 1 suggestion, with your IE security settings GPO, added Logon options as the final path? It was a bit confusing. See below.
then enable Logon options policy in User/Computer Configuration -> Administrative Tools -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security -> Trusted Sites Zone -> Logon Options and in the dropdown list select “Automatic logon with current username and password”.
Anybody got issues after KB5018410 is installed on Windows 10 device? It makes a connection to the remote desktop and then it receives a message that the username or password is not correct. When entered manually, it logs in successfully.
When the update is removed, SSO is working like it should again.
Yes, same issue.
Edit the RDP file and change:
use redirection server name:i:0 to use redirection server name:i:1
It works after that.