{"id":65,"date":"2022-04-04T15:06:27","date_gmt":"2022-04-04T15:06:27","guid":{"rendered":"http:\/\/www.netx-pro.nl\/?page_id=65"},"modified":"2022-04-04T15:06:27","modified_gmt":"2022-04-04T15:06:27","slug":"sso-single-sign-on-to-your-onpremise-rds-remote-desktop-services-2016-2019-environment","status":"publish","type":"page","link":"http:\/\/www.netx-pro.nl\/?page_id=65","title":{"rendered":"SSO Single-Sign-On to your onPremise RDS Remote Desktop Services 2016\/2019 Environment"},"content":{"rendered":"\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"277\" height=\"56\" src=\"http:\/\/www.netx-pro.nl\/wp-content\/uploads\/sites\/4\/2022\/04\/image.png\" alt=\"\" class=\"wp-image-66\"\/><\/figure>\n\n\n\n<p>Normally, if you want to access a\u00a0<strong>remote desktop services environement<\/strong>, first you have to logon to the\u00a0<strong>RD Web Access Page<\/strong>, therefore you will be prompted with a logon dialog where you have to enter your username and password.<\/p>\n\n\n\n<p>After that logon, you will see depending on the deployment, more or less remoteapp programms. 
These are the programs published on the&nbsp;<strong>RD Session Host<\/strong>.<\/p>\n\n\n\n<p>If you want to access and open these programs, you will be prompted a second time with an annoying logon dialog to enter your username and password.<\/p>\n\n\n\n<p>Today I want to go step by step through the points needed to enable&nbsp;<strong>SSO Single-Sign-ON<\/strong>&nbsp;and pass your local&nbsp;<strong>windows credentials<\/strong>&nbsp;through the&nbsp;<strong>Remote Desktop Services RDS<\/strong>.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>Now let\u2019s start with the setup for SSO to RDS!<\/p><\/blockquote>\n\n\n\n<p>First check that you use a trusted certificate for the Role Services:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>RD Connection Broker<\/li><li>RD Web Access<\/li><li>RD Gateway<\/li><\/ul>\n\n\n\n<p>In my case I use a wildcard certificate from the internal company CA (PKI\/ADCS), therefore the certificates are trusted on all clients from the company, as the CA certificate is enrolled automatically to all domain members.<br><br>If you are not using a wildcard certificate, make sure to include the DNS names of your RD Web Access FQDN and your RD Connection Broker FQDN.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/03\/sso_rds001-1.png\"><img decoding=\"async\" src=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/03\/sso_rds001-1-1024x609.png\" alt=\"\" class=\"wp-image-2468\"\/><\/a><\/figure>\n\n\n\n<p>Then you must change the default authentication from<strong>&nbsp;Anonymous Authentication<\/strong>&nbsp;to&nbsp;<strong>Windows Authentication<\/strong>. 
So disable&nbsp;<strong>Anonymous Authentication<\/strong>&nbsp;and enable&nbsp;<strong>Windows Authentication<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/03\/sso_rds004-1.png\"><img decoding=\"async\" src=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/03\/sso_rds004-1.png\" alt=\"\" class=\"wp-image-2482\"\/><\/a><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/03\/sso_rds005-1.png\"><img decoding=\"async\" src=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/03\/sso_rds005-1.png\" alt=\"\" class=\"wp-image-2484\"\/><\/a><\/figure>\n\n\n\n<p>Also you must enable Windows Authentication in the&nbsp;<strong>web.config<\/strong>&nbsp;file under&nbsp;<strong>C:\\Windows\\Web\\RDWeb\\Pages<\/strong><\/p>\n\n\n\n<p>You have to comment out&nbsp;<strong>Form Authentication<\/strong>&nbsp;+ the &lt;modules&gt; and &lt;security&gt; sections in &lt;system.webServer&gt; and uncomment&nbsp;<strong>Windows Authentication<\/strong>&nbsp;as described itself in the web.config file.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/03\/sso_rds006-1.png\"><img decoding=\"async\" src=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/03\/sso_rds006-1-1024x521.png\" alt=\"\" class=\"wp-image-2490\"\/><\/a><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/03\/sso_rds007-1.png\"><img decoding=\"async\" src=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/03\/sso_rds007-1-1024x518.png\" alt=\"\" class=\"wp-image-2492\"\/><\/a><\/figure>\n\n\n\n<p>For&nbsp;<strong>SSO<\/strong>&nbsp;we also do not want to be asked whether we use a public or private computer as per default in<strong>&nbsp;C:\\Windows\\Web\\RDWeb\\Pages\\en-US\\Default.aspx<\/strong>&nbsp;is 
set.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/sso_rds008.png\"><img decoding=\"async\" src=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/sso_rds008.png\" alt=\"\" class=\"wp-image-2496\"\/><\/a><\/figure>\n\n\n\n<p>So we have to change this fix into&nbsp;<strong>This is a private computer<\/strong>.<\/p>\n\n\n\n<p>Set the&nbsp;<strong>bPrivateMode<\/strong>&nbsp;variable into&nbsp;<strong>true<\/strong>&nbsp;inside the&nbsp;<strong>C:\\Windows\\Web\\RDWeb\\Pages\\en-US\\Default.aspx<\/strong>&nbsp;file.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/sso_rds009.png\"><img decoding=\"async\" src=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/sso_rds009-1024x352.png\" alt=\"\" class=\"wp-image-2498\"\/><\/a><\/figure>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>In order to get&nbsp;<strong>Single-Sign-On<\/strong>&nbsp;kick in, we also needs to configure a bunch of<strong>&nbsp;Group Policy (GPO)<\/strong>&nbsp;settings.<\/p><\/blockquote>\n\n\n\n<p>We need to configure both,&nbsp;<strong>Computer-&nbsp;<\/strong>and&nbsp;<strong>User Configuration<\/strong>&nbsp;settings at the GPO. 
So I use<strong>&nbsp;one GPO<\/strong>&nbsp;and linked it to my users OU who wants to single-sign-on into RDS and also linked this GPO to an OU which includes my RDS servers.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>So first we editing the&nbsp;<strong>Computer Configuration<\/strong>&nbsp;settings of this&nbsp;<strong>GPO<\/strong>!<\/p><\/blockquote>\n\n\n\n<p>Open<strong>&nbsp;Computer Configuratio<\/strong>n \u2013&nbsp;<strong>Policies<\/strong>&nbsp;\u2013&nbsp;<strong>Administrative Templates<\/strong>&nbsp;\u2013&nbsp;<strong>System<\/strong>&nbsp;\u2013&nbsp;<strong>Credentials Delegation<\/strong><\/p>\n\n\n\n<p>Enable&nbsp;<strong>Allow delegation default credentials with NTLM-only server authentication<\/strong>&nbsp;and add the names (FQDNs) of your RDS servers (RD Web Access, RD Gateway, RD Connection Broker and RD Session Host).<\/p>\n\n\n\n<p>Add the servers with the format of a&nbsp;<strong>Service Principal Name (SPN)<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>TERMSRV\/rdweb.contoso.com<\/strong><\/li><\/ul>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>TERMSRV must be in uppercase!<\/p><\/blockquote>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>Instead listing all your RDS servers separate, you can also use a wildcard FQDN like<br><br>TERMSRV\/*.contoso.com<br><br>or<\/p><p>TERMSRV\/*<br><br>Be aware that these wilcards can be a security risk!<\/p><\/blockquote>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/sso_rds010.png\"><img decoding=\"async\" src=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/sso_rds010-1024x584.png\" alt=\"\" class=\"wp-image-2524\"\/><\/a><\/figure>\n\n\n\n<p>This setting applies when the server authentication was achieved via NTLM, which is the case when you access your RDS 
environment from external outside of your companies network and without client certificates.<\/p>\n\n\n\n<p>Do the same for&nbsp;<strong>Allow delegating default credentials<\/strong>. This policy setting applies when server authentication was achieved by using a trusted X509 client certificate or Kerberos.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/sso_rds011.png\"><img decoding=\"async\" src=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/sso_rds011-1024x629.png\" alt=\"\" class=\"wp-image-2534\"\/><\/a><\/figure>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>Those&nbsp;<strong>Credentials Delegation GPOs<\/strong>&nbsp;will set the following registry settings under the hood.<br><br><strong>CredSSP<\/strong>&nbsp;is enabled by default since Vista and Windows 7.<br>You will find this under&nbsp;<strong>HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders<\/strong><br>REG_SZ value&nbsp;<strong>credssp.dll<\/strong><\/p><\/blockquote>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/credssp_001.png\"><img decoding=\"async\" src=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/credssp_001-1024x548.png\" alt=\"\" class=\"wp-image-2928\"\/><\/a><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/credssp_002.png\"><img decoding=\"async\" src=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/credssp_002-1024x517.png\" alt=\"\" class=\"wp-image-2929\"\/><\/a><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/credssp_003.png\"><img decoding=\"async\" src=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/credssp_003-1024x499.png\" alt=\"\" 
class=\"wp-image-2930\"\/><\/a><\/figure>\n\n\n\n<p>To allow Internet Explorer, to pass our credentials through the rdp connection in order to open the remote apps, we must add the addresses (FQDNs) of the&nbsp;<strong>RD Connection Broker<\/strong>,&nbsp;<strong>RD Web Access<\/strong>&nbsp;and&nbsp;<strong>RD Gatway<\/strong>&nbsp;servers under<\/p>\n\n\n\n<p><strong>Computer Configuration<\/strong>&nbsp;\u2013&nbsp;<strong>Policies<\/strong>&nbsp;\u2013&nbsp;<strong>Administrative Templates<\/strong>&nbsp;\u2013&nbsp;<strong>Windows Components<\/strong>&nbsp;\u2013&nbsp;<strong>Internet Explorer<\/strong>&nbsp;\u2013&nbsp;<strong>Internet Control Panel<\/strong>&nbsp;\u2013&nbsp;<strong>Security Page<\/strong><\/p>\n\n\n\n<p>Enable here&nbsp;<strong>Site to Zone Assignment List<\/strong>&nbsp;and add your addresses with an value of&nbsp;<strong>2<\/strong>&nbsp;for&nbsp;<strong>Trusted Sites zone<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/sso_rds014.png\"><img decoding=\"async\" src=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/sso_rds014-1024x523.png\" alt=\"\" class=\"wp-image-2566\"\/><\/a><\/figure>\n\n\n\n<p>Further you will find here the folder&nbsp;<strong>Trusted Sites Zones<\/strong>&nbsp;in which we enable&nbsp;<strong>Logon options<\/strong>&nbsp;and set them to&nbsp;<strong>Automatic logon with current username and password<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/sso_rds015.png\"><img decoding=\"async\" src=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/sso_rds015-1024x567.png\" alt=\"\" class=\"wp-image-2568\"\/><\/a><\/figure>\n\n\n\n<p>The last setting under&nbsp;<strong>Computer Configuration<\/strong>&nbsp;we must set you will find under:<\/p>\n\n\n\n<p><strong>Computer 
Configuration<\/strong>&nbsp;\u2013&nbsp;<strong>Policies<\/strong>&nbsp;\u2013&nbsp;<strong>Administrative Templates<\/strong>&nbsp;\u2013&nbsp;<strong>Windows Components<\/strong>&nbsp;\u2013&nbsp;<strong>Remote Desktop Services<\/strong>&nbsp;\u2013&nbsp;<strong>Remote Desktop Connection Client<\/strong><\/p>\n\n\n\n<p>Disable&nbsp;<strong>Prompt for credentials on the client computer<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/sso_rds016.png\"><img decoding=\"async\" src=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/sso_rds016-1024x412.png\" alt=\"\" class=\"wp-image-2571\"\/><\/a><\/figure>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>So far we finished the&nbsp;<strong>Computer Configuration<\/strong>&nbsp;GPO settings and now have to configure some&nbsp;<strong>User Configuration<\/strong>&nbsp;settings!<\/p><\/blockquote>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>As I link this&nbsp;<strong>GPO<\/strong>&nbsp;to both,&nbsp;<strong>computers<\/strong>&nbsp;and&nbsp;<strong>users<\/strong>&nbsp;and their<strong>&nbsp;OUs<\/strong>, I can make these settings in the same GPO.<\/p><\/blockquote>\n\n\n\n<p>We also have to add the addresses (FQDNs) of the&nbsp;<strong>RD Connection Broker<\/strong>,&nbsp;<strong>RD Web Access<\/strong>&nbsp;and&nbsp;<strong>RD Gatway<\/strong>&nbsp;servers as done before for the Computer Configuration, under<\/p>\n\n\n\n<p><strong>User Configuration<\/strong>&nbsp;\u2013&nbsp;<strong>Policies<\/strong>&nbsp;\u2013&nbsp;<strong>Administrative Templates<\/strong>&nbsp;\u2013&nbsp;<strong>Windows Components<\/strong>&nbsp;\u2013&nbsp;<strong>Internet Explorer<\/strong>&nbsp;\u2013&nbsp;<strong>Internet Control Panel<\/strong>&nbsp;\u2013&nbsp;<strong>Security Page<\/strong><\/p>\n\n\n\n<p>Enable here&nbsp;<strong>Site to Zone Assignment 
List<\/strong>&nbsp;and add your addresses with an value of&nbsp;<strong>2<\/strong>&nbsp;for&nbsp;<strong>Trusted Sites zone<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/sso_rds014-1.png\"><img decoding=\"async\" src=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/sso_rds014-1-1024x523.png\" alt=\"\" class=\"wp-image-2589\"\/><\/a><\/figure>\n\n\n\n<p>Further as also configured before in Computer Configuration, you will find here also the folder&nbsp;<strong>Trusted Sites Zones<\/strong>&nbsp;in which we enable&nbsp;<strong>Logon options<\/strong>&nbsp;and set them to&nbsp;<strong>Automatic logon with current username and password<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/sso_rds015-1.png\"><img decoding=\"async\" src=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/sso_rds015-1-1024x567.png\" alt=\"\" class=\"wp-image-2591\"\/><\/a><\/figure>\n\n\n\n<p>Next point is to configure the RD Gateway authentication method. 
So go to:<\/p>\n\n\n\n<p><strong>User Configuration<\/strong>&nbsp;\u2013&nbsp;<strong>Policies<\/strong>&nbsp;\u2013&nbsp;<strong>Administrative Templates<\/strong>&nbsp;\u2013&nbsp;<strong>Windows Components<\/strong>&nbsp;\u2013&nbsp;<strong>Remote Desktop Services \u2013 RD Gateway<\/strong><\/p>\n\n\n\n<p>Enable&nbsp;<strong>Set RD Gateway authentication method<\/strong>&nbsp;and select&nbsp;<strong>Use locally logged-on credentials<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/sso_rds017.png\"><img decoding=\"async\" src=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/sso_rds017-1024x615.png\" alt=\"\" class=\"wp-image-2593\"\/><\/a><\/figure>\n\n\n\n<p><br>And now the last and final GPO setting still in User Configuration, is to specify the SHA1 thumbprints from the certificates of our RDS Servers in order to avoid warning prompts regarding untrusted publishers.<br><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/03\/sso_rds003-1.png\" alt=\"\" class=\"wp-image-2478\"\/><\/figure>\n\n\n\n<p><strong>User Configuration<\/strong>&nbsp;\u2013&nbsp;<strong>Policies<\/strong>&nbsp;\u2013&nbsp;<strong>Administrative Templates<\/strong>&nbsp;\u2013&nbsp;<strong>Windows Components<\/strong>&nbsp;\u2013&nbsp;<strong>Remote Desktop Services \u2013 Remote Desktop Connection Client<\/strong><\/p>\n\n\n\n<p>Enable&nbsp;<strong>Specify SHA1 thumbprints of certificates representing trusted .rdp publishers<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/sso_rds21.png\"><img decoding=\"async\" src=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/sso_rds21-1024x608.png\" alt=\"\" class=\"wp-image-2620\"\/><\/a><\/figure>\n\n\n\n<p>To get the GPO settings kick in, restart your RDS Servers or 
execute&nbsp;<strong>gpupdate \/force<\/strong>&nbsp;in the command line.<br><br>Also for your user to update the user policy, enforce an&nbsp;<strong>gpupdate \/force<\/strong>&nbsp;on a computer inside your local network (internal or over vpn connected).<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>Also check finally your<strong>&nbsp;CustomRdpProperty<\/strong>&nbsp;settings<br><br>Get-RDSessionCollectionConfiguration -CollectionName &lt;Collection&gt; | fl<br><br>Should look like the following, if not<br><br>Set-RDSessionCollectionConfiguration -CollectionName &lt;Collection Name&gt; -CustomRdpProperty \u201cuse redirection server name:i:1\u201d<\/p><\/blockquote>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/sso_rds22.png\"><img decoding=\"async\" src=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/sso_rds22-1024x328.png\" alt=\"\" class=\"wp-image-2629\"\/><\/a><\/figure>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>From now on, if everything was configured correct, you won\u2019t be prompted for your credentials, neither to access the RDWeb page nor at opening the remote apps inside RDWeb.<\/p><\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">Troubleshooting<\/h2>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>An authentication error has occured (Code: 0x607).<br>Remote computer:<\/p><\/blockquote>\n\n\n\n<p>This error message will come up if an incorrect terminalservices certificate is assigned.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/rds_troubleshooting001.png\"><img decoding=\"async\" src=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/rds_troubleshooting001.png\" alt=\"\" class=\"wp-image-2639\"\/><\/a><\/figure>\n\n\n\n<p>So check out 
what certificate is assigned and replace it with a correct one. For the session host it is quite ok to use a self-signed certificate; you only need trusted certificates for the RD Connection Broker, RD Gateway and RD Web Access Server. In my case the problem was that I renamed the session host and the terminal services still used the old certificate with the old name.<\/p>\n\n\n\n<p>How to replace this certificate you can see here: https:\/\/blog.matrixpost.net\/replace-self-signed-remote-destkop-certificate-with-an-e-g-pki-certficiate-from-your-internal-ca\/embed\/#?secret=3CJ6EEwqti<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Some interesting stuff about RDS and SSO<br><\/h2>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p><strong>Network Level Authentication<\/strong>&nbsp;(<strong>NLA<\/strong>)<\/p><p><a href=\"https:\/\/en.wikipedia.org\/wiki\/Network_Level_Authentication\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/en.wikipedia.org\/wiki\/Network_Level_Authentication<\/a><\/p><\/blockquote>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p><strong>Credential Security Support Provider<\/strong><\/p><p><a rel=\"noreferrer noopener\" href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/secauthn\/credential-security-support-provider\" target=\"_blank\">https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/secauthn\/credential-security-support-provider<\/a><\/p><p><a rel=\"noreferrer noopener\" href=\"https:\/\/en.wikipedia.org\/wiki\/Security_Support_Provider_Interface\" target=\"_blank\">https:\/\/en.wikipedia.org\/wiki\/Security_Support_Provider_Interface<\/a><br><br><a href=\"https:\/\/docs.ansible.com\/ansible\/latest\/user_guide\/windows_winrm.html\">https:\/\/docs.ansible.com\/ansible\/latest\/user_guide\/windows_winrm.html<\/a><\/p><p>CredSSP authentication is a newer authentication protocol that allows credential delegation. 
This is achieved by encrypting the username and password after authentication has succeeded and sending that to the server using the CredSSP protocol.&nbsp;<strong>Because the username and password are sent to the server to be used for double hop authentication<\/strong>, ensure that the hosts that the Windows host communicates with are not compromised and are trusted. CredSSP can be used for both local and domain accounts and also supports message encryption over HTTP.<\/p><p><strong>SSPI<\/strong><br><br><a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/secauthn\/sspi\">https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/secauthn\/sspi<\/a><\/p><\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Bypassing RDP Authentication<\/h3>\n\n\n\n<p><a href=\"https:\/\/ryanmangansitblog.com\/2013\/03\/10\/configuring-rds-2012-certificates-and-sso\/\">Configuring RDS 2012 Certificates and&nbsp;SSO<\/a><\/p>\n\n\n\n<p>Older versions of windows connected to the computer before checking credentials, RDS now checks credentials before connecting. The following custom RDP Property is not&nbsp;to be used without security considerations,&nbsp;but if you want to turn off warning or&nbsp;alerts for use in a POC\/LAB\/UAT Environment then its perfectly fine to get round warnings and connection issues. 
I do not recommend that you use this in a production environment.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>Set-RDSessionCollectionConfiguration \u2013CollectionName QuickSessionCollection -CustomRdpProperty \u201cauthentication level:i:0\u201d<\/p><\/blockquote>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p><strong>RD&nbsp;Web Access<\/strong>&nbsp;role service can be used to present applications on a website that is accessed by the user with a browser.&nbsp;<\/p><\/blockquote>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p><em><strong>Relation between<\/strong><\/em>&nbsp;RD Session Host, RD Web Access, RD Gateway and RD Connection Broker<br><br><a href=\"https:\/\/books.google.de\/books?id=FTmlanYtJhUC&amp;pg=PA416&amp;lpg=PA416&amp;dq=rds+rd+gateway+relation+to+rd+connection+broker&amp;source=bl&amp;ots=pbKNBiPBu_&amp;sig=ACfU3U3yXOK7w6WmQpatrR1eTSNewwezHg&amp;hl=en&amp;sa=X&amp;ved=2ahUKEwjNoqOtrsfoAhXmTxUIHUnsBn0Q6AEwD3oECAwQKQ#v=onepage&amp;q=rds%20rd%20gateway%20relation%20to%20rd%20connection%20broker&amp;f=false\" target=\"_blank\" rel=\"noreferrer noopener\">Virtualizing Microsoft Tier 1 Applications with VMware vSphere 4<\/a><br><br>A remote desktop (RD) client gets connection information from the&nbsp;<strong>RD Web Access<\/strong>&nbsp;server in an RDS solution. If an RD Client is outside a corporate network, the client connects through an&nbsp;<strong>RD Gateway.<\/strong>&nbsp;If an RD client is internal, the client can then directly connect to an intended&nbsp;<strong>RD Session<\/strong>&nbsp;Host or&nbsp;<strong>RD Viritualization Host<\/strong>&nbsp;once&nbsp;<strong>RD Connection Broker<\/strong>&nbsp;provides the connection information. 
In both cases,&nbsp;<strong>RD Connection Broker&nbsp;<em>plays a central role<\/em><\/strong>&nbsp;to make sure a client gets connected to correct resource.<\/p><\/blockquote>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/sso_rds012.png\"><img decoding=\"async\" src=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/sso_rds012.png\" alt=\"\" class=\"wp-image-2557\"\/><\/a><\/figure>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p><strong>RD Gateway<\/strong>&nbsp;functions as an RDP proxy. It proxies incoming RDP traffic (on port 443) to the Remote Desktop Session Host (RD Session Host) servers on port 3389.<br><br>Authentication of the user\/computer if he is authorized to connect to the RD Gateway<br>Checks if the client is allowed to connect to the requested ressource<br>Secure connections via HTTPS (Port 443 Default) without the use of a VPN<br>Enables connections through firewalls without opening additional ports IE:3389<\/p><p><a href=\"https:\/\/statemigration.com\/windows-server-remote-desktop-services\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/statemigration.com\/windows-server-remote-desktop-services\/<\/a><br><br>When an external client connects to the Remote Desktop Services environment through RD Gateway, RD Gateway acts as a security broker, performing client authentication by calling back-end services. It accepts the connection and authenticates the client through Remote Desktop connection authorization policies (RD CAPs) and Remote Desktop resource authorization policies (RD RAPs) that are called from AD DS. It may also call NAP to test the client\u2019s health. Figure 3 illustrates these connections.<br><br>Once authorization is complete, the RD Gateway role service connects the client to the requested server or the RD Session Host server farm through the firewall. 
The RD Session Host server then performs a Windows authentication challenge with the user. If the user passes authentication, the Remote Desktop Services session can begin.<\/p><\/blockquote>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p><strong>RD Connection Broker<\/strong>&nbsp;perform a variety of tasks, including:<br><br>Checking user credentials.<br>Assigning users to remote desktops.<br>Turning remote desktops on and off as needed.<br>Load balancing the servers that host the desktops.<br>Managing desktop images.<br>Redirecting multimedia processing to the client.<\/p><p>Design and Place the RD&nbsp;Connection Broker Role Service<br><a href=\"https:\/\/statemigration.com\/windows-server-remote-desktop-services\/\">https:\/\/statemigration.com\/windows-server-remote-desktop-services\/<\/a><\/p><\/blockquote>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p><strong>UDP Support<\/strong><br><a href=\"https:\/\/redmondmag.com\/Articles\/2013\/12\/24\/RD-Gateway-in-Windows-Server.aspx?Page=1\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/redmondmag.com\/Articles\/2013\/12\/24\/RD-Gateway-in-Windows-Server.aspx?Page=1<\/a><br>RD Gateway supports UDP since Windows Server 2012 to optimize transport of data over the internet.<br><br>The UDP tunnel uses DTLS to secure its communications so will also utilize the SSL certificate in place on the RD Gateway server.<br><br><a rel=\"noreferrer noopener\" href=\"https:\/\/en.wikipedia.org\/wiki\/Datagram_Transport_Layer_Security\" target=\"_blank\">https:\/\/en.wikipedia.org\/wiki\/Datagram_Transport_Layer_Security<\/a><\/p><p>By default RD Gateway uses port 443 for HTTP and port 3391 for UDP.<\/p><\/blockquote>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/sso_rds23.png\"><img decoding=\"async\" 
src=\"https:\/\/blog.matrixpost.net\/wp-content\/uploads\/2020\/04\/sso_rds23-1024x544.png\" alt=\"\" class=\"wp-image-2758\"\/><\/a><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Links<br><\/h2>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>Remote Desktop Services roles<br><a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/remote\/remote-desktop-services\/rds-roles\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/docs.microsoft.com\/en-us\/windows-server\/remote\/remote-desktop-services\/rds-roles<\/a><br><br>How To Work with RD Gateway in Windows Server 2012<br><a href=\"https:\/\/redmondmag.com\/Articles\/2013\/12\/24\/RD-Gateway-in-Windows-Server.aspx?Page=1\">https:\/\/redmondmag.com\/Articles\/2013\/12\/24\/RD-Gateway-in-Windows-Server.aspx?Page=1<\/a><\/p><p><br>RD Connection Broker<br><a href=\"https:\/\/www.petri.com\/remote-desktop-services-deployment-options-windows-server-2012-r2\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.petri.com\/remote-desktop-services-deployment-options-windows-server-2012-r2<br><\/a><br>Windows Server 2012 R2: Get a list of active Remote Desktop Users<br><a href=\"https:\/\/www.petri.com\/windows-server-2012-r2-get-list-active-remote-desktop-users\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.petri.com\/windows-server-2012-r2-get-list-active-remote-desktop-users<\/a><br><br>Remote Desktop Services 2016, Standard Deployment \u2013 Part 4 \u2013 RD Web Access (Part4) \u2013 SSO &amp; High&nbsp;Availability<br><a href=\"https:\/\/nedimmehic.org\/2017\/11\/20\/remote-desktop-services-2016-standard-deployment-part-4-rd-web-access-part4-sso-high-availability\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/nedimmehic.org\/2017\/11\/20\/remote-desktop-services-2016-standard-deployment-part-4-rd-web-access-part4-sso-high-availability<\/a><a 
href=\"https:\/\/nedimmehic.org\/2017\/11\/20\/remote-desktop-services-2016-standard-deployment-part-4-rd-web-access-part4-sso-high-availability\/\">\/<\/a><\/p><p><br>Windows 2012 R2 \u2013 How to Create a (Mostly) Seamless Logon Experience For Your Remote Desktop Services Environment<br><a href=\"https:\/\/www.rdsgurus.com\/windows-2012-r2-how-to-create-a-mostly-seamless-logon-experience-for-your-remote-desktop-services-environment\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.rdsgurus.com\/windows-2012-r2-how-to-create-a-mostly-seamless-logon-experience-for-your-remote-desktop-services-environment\/<\/a><\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>Normally, if you want to access a\u00a0remote desktop services environement, first you have to logon to the\u00a0RD Web Access Page, therefore you will be prompted with a logon dialog where you have to enter your username and password. After that logon, you will see depending on the deployment, more or less remoteapp programms. 
These are &hellip; <\/p>\n<p class=\"link-more\"><a href=\"http:\/\/www.netx-pro.nl\/?page_id=65\" class=\"more-link\">Lees verder <span class=\"screen-reader-text\">&#8220;SSO Single-Sign-On to your onPremise RDS Remote Desktop Services 2016\/2019 Environment&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-65","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"http:\/\/www.netx-pro.nl\/index.php?rest_route=\/wp\/v2\/pages\/65","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.netx-pro.nl\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"http:\/\/www.netx-pro.nl\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"http:\/\/www.netx-pro.nl\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.netx-pro.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=65"}],"version-history":[{"count":1,"href":"http:\/\/www.netx-pro.nl\/index.php?rest_route=\/wp\/v2\/pages\/65\/revisions"}],"predecessor-version":[{"id":67,"href":"http:\/\/www.netx-pro.nl\/index.php?rest_route=\/wp\/v2\/pages\/65\/revisions\/67"}],"wp:attachment":[{"href":"http:\/\/www.netx-pro.nl\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=65"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}