January 29, 2019 | Windows Server 2012 R2, Windows Server 2016

Configuring SSO (Single Sign-On) Authentication on Windows Server RDS

Single Sign-On (SSO) is a technology that lets an already authenticated (signed-on) user access other domain services without authenticating again. Applied to Remote Desktop Services, SSO lets a user who is logged on to a domain-joined computer connect to the RDS servers or launch published RemoteApps without re-entering their account credentials (username and password).

In this article, we describe the specifics of configuring transparent SSO (Single Sign-On) authentication on RDS servers running Windows Server 2016 and 2012 R2.

System requirements:

  • The RD Connection Broker server and all RDS servers must be running Windows Server 2012 or later;
  • SSO works only in a domain environment: users must sign in with Active Directory accounts, and both the RDS servers and the users’ workstations must be joined to the AD domain;
  • The clients must use RDP 8.0 or a later version of the Remote Desktop client (this version of the client cannot be installed on Windows XP);
  • Supported client operating systems: Windows 10, 8.1 or 7;
  • SSO works only with password authentication (smart cards are not supported);
  • In the RD Session Host connection settings, the RDP Security Layer must be set to Negotiate or SSL (TLS 1.0), and the encryption level to High or FIPS Compliant.

The Single Sign-On configuration procedure consists of the following steps:

  • Issue an SSL certificate and assign it to the RD Gateway, RD Web Access and RD Connection Broker roles;
  • Enable Web SSO (Windows authentication) on the RD Web Access server;
  • Configure the credential delegation group policy on the client computers;
  • Add the certificate thumbprint to the list of trusted .rdp publishers using a GPO.

First, issue and assign an SSL certificate. The certificate’s EKU (Enhanced Key Usage) must contain the Server Authentication purpose (OID 1.3.6.1.5.5.7.3.1). Obtaining the certificate is outside the scope of this article. You can use a self-signed certificate, but then you must deploy it to the Trusted Root Certification Authorities store on all clients using Group Policy: a client only delegates its credentials to a server it can authenticate, and it cannot authenticate a server presenting a certificate it does not trust.

The certificate is assigned in the Certificates section of RDS Deployment properties.


Then, on every server with the RD Web Access role, enable “Windows Authentication” and disable “Anonymous Authentication” for the RDWeb virtual directory in IIS.


After you save the changes, restart IIS:

iisreset /noforce

If you are using RD Gateway, make sure that internal clients do not connect through it: the option Bypass RD Gateway server for local addresses must be checked in the deployment properties.
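The certificate and IIS steps above, scripted end to end. This is an added example and not code from the original article: it runs on the RD Connection Broker with the RemoteDesktop module installed, and the broker FQDN, the PFX path and the IIS site/application name are placeholders you must adjust. It also adds a check the article only implies: the certificate is rejected before it is assigned if it lacks the Server Authentication EKU.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell on the
# RD Connection Broker. Assumptions: broker FQDN, PFX path and IIS application name below.
Import-Module RemoteDesktop

$Broker  = 'rdcb.contoso.com'             # assumption: RD Connection Broker FQDN
$PfxPath = 'C:\certs\rds.contoso.com.pfx' # assumption: exported certificate with private key
$PfxPwd  = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Refuse a certificate without the Server Authentication EKU (1.3.6.1.5.5.7.3.1):
#    clients will not delegate credentials to a server they cannot authenticate.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPwd)
$eku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
    throw "Certificate $($cert.Subject) has no Server Authentication EKU; SSO will not work with it."
}

# 2. Assign the certificate to every deployed role (RDGateway only if a gateway is deployed).
$roles = 'RDPublishing', 'RDRedirector', 'RDWebAccess'
if (Get-RDServer -Role RDS-GATEWAY -ConnectionBroker $Broker -ErrorAction SilentlyContinue) {
    $roles += 'RDGateway'
}
foreach ($role in $roles) {
    Set-RDCertificate -Role $role -ImportPath $PfxPath -Password $PfxPwd -ConnectionBroker $Broker -Force
}
Get-RDCertificate -ConnectionBroker $Broker | Format-Table Role, Level, ExpiresOn -AutoSize

# 3. On every RD Web Access server: Windows auth on, anonymous off for /RDWeb, restart IIS,
#    then report the effective values so the change can be verified from the broker.
$webServers = (Get-RDServer -Role RDS-WEB-ACCESS -ConnectionBroker $Broker).Server
Invoke-Command -ComputerName $webServers -ScriptBlock {
    Import-Module WebAdministration
    $app  = 'Default Web Site/RDWeb'      # assumption: default RD Web Access site layout
    $auth = 'system.webServer/security/authentication'
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $app -Filter "$auth/windowsAuthentication"   -Name enabled -Value $true
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $app -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
    iisreset /noforce | Out-Null
    [pscustomobject]@{
        Server    = $env:COMPUTERNAME
        Windows   = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $app -Filter "$auth/windowsAuthentication"   -Name enabled).Value
        Anonymous = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $app -Filter "$auth/anonymousAuthentication" -Name enabled).Value
    }
}
```

Expect Level to read Trusted for every role in the Get-RDCertificate output; Untrusted means the clients will not accept the certificate either, and the SSO steps that follow will end in a credential prompt or a warning.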


The next step is the credential delegation policy. Create a new domain GPO and link it to the OU that contains the computers of the users who need SSO access to the RDS servers (this is a Computer Configuration policy, so it must be applied to the client computers, not to the RDS hosts). If you want to allow SSO for all domain users, you can edit the Default Domain Policy, although a dedicated GPO is easier to scope and audit.

The policy is located in the following GPO section: Computer Configuration -> Policies -> Administrative Templates -> System -> Credentials Delegation -> Allow delegating default credentials. It lets the client send the credentials of the logged-on Windows user (its “default credentials”) to the listed servers:

  • The policy has to be Enabled;
  • Add the names of the RDS servers to the list of servers to which the client may automatically send the user’s credentials for SSO authentication. The entry format is TERMSRV/rd.contoso.com (the TERMSRV prefix must be in upper case). If you want to grant this permission to all terminal servers in the domain, you can use the wildcard form TERMSRV/*.contoso.com, but this is less secure: the user’s password is then handed to any host in the domain that can authenticate itself as a TERMSRV service, not just to your RDS farm.

Note that this policy only delegates credentials after the client has authenticated the server (by Kerberos or by a trusted certificate), which is why the certificate must be trusted on the clients. There is a separate, weaker policy in the same section, Allow delegating default credentials with NTLM-only server authentication; do not enable it unless you have a specific need, because it drops the server authentication requirement.
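The credential delegation GPO above, created with the GroupPolicy module instead of the GPO editor, followed by a client-side check of what actually arrived. This is an added example and not code from the original article; the GPO name, target OU and host names are placeholders, and the registry layout is the one the Allow delegating default credentials policy writes.

```powershell
# Added example (not from the original article). Run on a DC or an admin workstation with RSAT.
# Assumptions: GPO name, OU, RDS host names. Registry layout matches the ADMX policy.
Import-Module GroupPolicy

$GpoName  = 'RDS SSO - Credential Delegation'                             # assumption
$TargetOU = 'OU=Workstations,DC=contoso,DC=com'                           # assumption: OU of client computers
$RdsHosts = 'rdcb.contoso.com', 'rdsh01.contoso.com', 'rdsh02.contoso.com' # assumption: explicit list
$Key      = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

# Refuse wildcards: TERMSRV/*.contoso.com hands the user's password to any host in the
# domain that can present a matching SPN or certificate, not only to the RDS farm.
if ($RdsHosts -match '\*') {
    throw 'Wildcard entries widen delegation to the whole domain; list the RDS hosts explicitly.'
}

if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $GpoName | Out-Null }

# Enable the policy; ConcatenateDefaults_AllowDefault=1 merges this list with any local list.
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'AllowDefaultCredentials'         -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'ConcatenateDefaults_AllowDefault' -Type DWord -Value 1 | Out-Null

# The server list is a subkey of numbered REG_SZ values: "1"="TERMSRV/host", "2"=...
# TERMSRV must be upper case; the client matches the SPN prefix literally.
$i = 1
foreach ($h in $RdsHosts) {
    Set-GPRegistryValue -Name $GpoName -Key "$Key\AllowDefaultCredentials" -ValueName "$i" -Type String -Value "TERMSRV/$h" | Out-Null
    $i++
}

New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# --- On a client, after gpupdate /force: list the delegation targets that were applied ---
$clientKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
if (Test-Path "$clientKey\AllowDefaultCredentials") {
    (Get-ItemProperty "$clientKey\AllowDefaultCredentials").PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { '{0} -> {1}' -f $_.Name, $_.Value }
} else {
    Write-Warning 'Credential delegation policy has not reached this client yet.'
}
```

Only the entries you see in the client-side listing are delegation targets; a host that is missing there gets a password prompt, and an entry that differs from the name the user types (short name versus FQDN) is not matched.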

Next, add the address of the server with the RD Connection Broker (RD Web Access) role to the Trusted Sites zone on the client computers, so that the browser can log on to RD Web Access with the current Windows credentials instead of prompting for them. Use the policy “Site to Zone Assignment List” (similar to the article How to disable Open File security warning on Windows 10): User/Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page.

Specify the FQDN of the RD Connection Broker server and the zone value 2 (Trusted sites).


Then enable the Logon options policy in User/Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Trusted Sites Zone -> Logon options and select “Automatic logon with current username and password” in the drop-down list.

After the group policies have been updated on the client, starting a RemoteApp no longer shows a password prompt, but a warning window still appears:

Do you trust the publisher of this RemoteApp program?


To stop this message appearing at every logon, get the thumbprint of the SSL certificate assigned to the RD Connection Broker (the RDPublishing role, i.e. the certificate that signs the published .rdp files) and add it to the list of trusted .rdp publishers. To list the certificates in the machine store, run the following PowerShell command on the RD Connection Broker server:

Get-ChildItem Cert:\LocalMachine\My | Select-Object Subject, Thumbprint, NotAfter

Copy the thumbprint (40 hexadecimal characters, without spaces) and add it to the policy Specify SHA1 thumbprints of certificates representing trusted .rdp publishers (Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Connection Client). Several thumbprints are separated by commas.
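The three client-trust settings just described (Trusted Sites zone assignment, Logon options for that zone, and the trusted .rdp publisher thumbprint) written into one GPO from the RD Connection Broker. This is an added example and not code from the original article; the GPO name, broker FQDN and certificate subject are placeholders, and the registry paths are those the corresponding ADMX policies write. Unlike the manual step, it picks the thumbprint by certificate subject and validity rather than by whatever is listed first in the store.

```powershell
# Added example (not from the original article). Run on the RD Connection Broker with the
# GroupPolicy module (RSAT) present. Assumptions: GPO name, broker FQDN, certificate subject.
Import-Module GroupPolicy

$GpoName     = 'RDS SSO - Client Trust' # assumption
$Broker      = 'rdcb.contoso.com'       # assumption: RD Connection Broker / RD Web FQDN
$CertSubject = 'CN=rds.contoso.com'     # assumption: subject of the cert assigned to RDPublishing

# 1. Pick the newest valid certificate with that subject; a stale or expired one would
#    leave the "Do you trust the publisher" prompt in place.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $CertSubject -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate with subject $CertSubject in LocalMachine\My" }
$thumb = $cert.Thumbprint.ToUpper()     # 40 hex characters, no spaces

if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $GpoName | Out-Null }

# 2. Trusted .rdp publishers: comma-separated SHA1 thumbprints.
$ts = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
Set-GPRegistryValue -Name $GpoName -Key $ts -ValueName 'TrustedCertThumbprints' -Type String -Value $thumb | Out-Null

# 3. Site to Zone Assignment List: broker FQDN -> zone 2 (Trusted sites).
$ie = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-GPRegistryValue -Name $GpoName -Key $ie -ValueName 'ListBox_Support_ZoneMapKey' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key "$ie\ZoneMapKey" -ValueName $Broker -Type String -Value '2' | Out-Null

# 4. Trusted Sites zone, Logon options (setting 1A00): 0 = automatic logon with current
#    user name and password. Scope this to the zone only; never relax it for the Internet zone.
Set-GPRegistryValue -Name $GpoName -Key "$ie\Zones\2" -ValueName '1A00' -Type DWord -Value 0 | Out-Null

# --- On a client, after gpupdate /force: confirm the thumbprint is actually trusted ---
$applied = (Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -ErrorAction SilentlyContinue).TrustedCertThumbprints
if ($applied -and (($applied -split ',') -contains $thumb)) {
    "Publisher thumbprint $thumb is trusted on this client."
} else {
    Write-Warning "Thumbprint $thumb not present in TrustedCertThumbprints (found: '$applied')."
}
```

Link the GPO to the same OU of client computers as the credential delegation policy. When the RD Connection Broker certificate is renewed, the thumbprint changes and the publisher prompt returns until this value is updated, so tie the script to your renewal procedure.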


The SSO configuration is now complete. Once the policies have been applied, users can connect to the Windows Server RDS farm over RDP without re-entering their password.

Now, when you start mstsc.exe (the Remote Desktop Connection client) and enter the name of an RDS server, the User name field is filled in automatically (in the user@domain.com format) with the caption:

Your Windows logon credentials will be used to connect.


To use RD Gateway with SSO, enable the policy “Set RD Gateway authentication method” (User Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> RD Gateway) and set it to “Use locally logged-on credentials”.


For Web SSO on RD Web Access, note that Internet Explorer with the ActiveX control Microsoft Remote Desktop Services Web Access Control (MsRdpClientShell) enabled is the recommended browser.

10 comments

Tuan January 26, 2016 - 6:59 pm

Hi,
Thanks for the post. So are these GPO settings done on the Server 2012 Hyper-V server, not on the thin clients or virtual machines?
Thanks

Reply
admin February 3, 2016 - 6:49 am

Hi,
These GPO settings should be applied on users’ computers

Reply
S.Kleven March 15, 2018 - 5:59 am

Hi.

In our setup we are using a Load balancer with RSA two factor authentication as front end to our RDS Farm.
Do these settings still apply?

The front end of the BigIP is located on the same subnet and domain as the user computers (Win7) but the RDS Farm (Win2016) is in another subnet and domain.

Reply
Max March 15, 2018 - 1:35 pm

I think SSO in this case will not work if there is no trust relationship between these domains.

Reply
Rick April 8, 2019 - 10:17 pm

S.KLEVEN, does the BIGIP device allow for session collections? We have 8 RSH and 4 session collections, 2 in each; we have the issue where the client is offered a connection to an RSH not in their collection.

Reply
Viktoria January 11, 2021 - 7:41 pm

Could be nice, but I don’t know what it’s about.

Reply
Tim Baten March 20, 2021 - 2:00 am

Could I make one suggestion: in your IE security settings GPO, add Logon options as the final path element? It was a bit confusing. See below.

then enable Logon options policy in User/Computer Configuration -> Administrative Tools -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security -> Trusted Sites Zone -> Logon Options and in the dropdown list select “Automatic logon with current username and password”.

Reply
Selles October 13, 2022 - 9:22 am

Has anybody had issues after KB5018410 was installed on a Windows 10 device? It makes a connection to the remote desktop and then receives a message that the username or password is not correct. When entered manually, it logs in successfully.

When the update is removed, SSO is working like it should again.

Reply
Martin October 17, 2022 - 9:55 am

Yes, same issue.

Reply
Selles November 18, 2022 - 7:27 am

Edit the RDP file and change:

use redirection server name:i:0 to use redirection server name:i:1

It works after that.

Reply