WebSSO is great and it works beautifully if configured correctly. If you go to https://rdwebserver.company.com/RDWeb, you will be presented with a form-based authentication page.
What if we present the published apps/icons without showing the form-based authentication page, meaning we use Kerberos or NTLM authentication with the logged-on user? This makes sense for internal corporate users: they are already logged in with their domain credentials, so why do they have to log on again?
This blog post shows how to achieve Windows Authentication for the RDWeb logon. It's really easy to do in Windows Server 2012 R2.
- Logon to Remote Desktop Web Access server.
- Open Explorer and go to C:\Windows\Web\RDWeb\Pages
- Make a backup copy of web.config file.
- Open Notepad as Administrator
- Open C:\Windows\Web\RDWeb\Pages\web.config
- Uncomment the Windows Authentication section and comment out the Forms-based authentication section. The end result would look like this:
<!--
To turn on Windows Authentication:
- uncomment <authentication mode="Windows"/> section
- and comment out:
1) <authentication mode="Forms"> section.
2) <modules> and <security> sections in <system.webServer> section at the end of the file.
3) Optional: Windows Authentication will work in https. However, to turn off https, disable 'Require SSL' for both RDWeb and RDWeb/Pages VDIR.
Launch IIS Manager UI, click on RDWeb VDIR, double click on SSL Settings in the middle pane, uncheck 'Require SSL' and
click Apply in the top right in the right pane. Repeat the steps for RDWeb/Pages VDIR.
-->
<authentication mode="Windows"/>
<!--
<authentication mode="Forms">
<forms loginUrl="default.aspx" name="TSWAAuthHttpOnlyCookie" protection="All" requireSSL="true" />
</authentication>
-->
<webParts>
  <personalization defaultProvider="TSPortalProvider">
    <providers>
      <add name="TSPortalProvider" type="Microsoft.TerminalServices.Publishing.Portal.TSPortalProvider"/>
    </providers>
    <authorization>
      <allow users="*" verbs="enterSharedScope">
      </allow>
    </authorization>
  </personalization>
</webParts>
</system.web>
Enable Windows Authentication in IIS settings
1. Open IIS Console on the RD Web Access Server
2. Expand to RDWeb folder.
3. Double click on Authentication.
4. Disable Basic Authentication and Enable Windows Authentication
That's all, BUT there is one more thing. Since we don't use form-based authentication, how do you specify whether the session is Public or Private? On the RDWeb page there is a check box to make the RDWeb session private. It shows up at the bottom as below.
I made this Private check box checked by default since all my users are internal (and I have a different Remote Desktop Web Access server for external users with form-based authentication). To make that happen, follow the steps below.
- Logon to Remote Desktop Web Access server.
- Open Explorer and go to C:\Windows\Web\RDWeb\Pages\en-US
- Make a backup copy of Default.aspx file.
- Open Notepad as Administrator
- Open C:\Windows\Web\RDWeb\Pages\en-US\Default.aspx
- Change the variable bPrivateMode from false to true. The modified line looks like this:
public bool bShowPublicCheckBox = false, bPrivateMode = true, bRTL = false;
Now it looks like this, since Private mode is checked by default.
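As an added example (not code from the original post), here is a scripted form of both procedures above: the web.config/IIS change and the bPrivateMode change. It assumes the RDWeb virtual directory sits under "Default Web Site" and that the WebAdministration module is installed on the RD Web Access server.

```powershell
# Added example, not code from the original post: scripted form of the two manual
# procedures (web.config/IIS, then Default.aspx). Assumes the RDWeb virtual directory
# sits under "Default Web Site" and that the WebAdministration module is installed.
Import-Module WebAdministration

$site      = 'IIS:\Sites\Default Web Site\RDWeb'
$pagesDir  = 'C:\Windows\Web\RDWeb\Pages'
$webConfig = Join-Path $pagesDir 'web.config'
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Back up web.config before touching it.
Copy-Item $webConfig "$webConfig.$stamp.bak"

# 2. Switch <authentication> to Windows and remove the <forms> element plus the
#    <modules>/<security> sections the file's own comment says to comment out.
#    Done through the XML API instead of hand-editing comments; same end state.
[xml]$cfg = Get-Content $webConfig -Raw
$auth = $cfg.configuration.'system.web'.authentication
$auth.SetAttribute('mode', 'Windows')
$forms = $auth.SelectSingleNode('forms')
if ($forms) { [void]$auth.RemoveChild($forms) }
$ws = $cfg.configuration.'system.webServer'
foreach ($name in 'modules', 'security') {
    $node = $ws.SelectSingleNode($name)
    if ($node) { [void]$ws.RemoveChild($node) }
}
$cfg.Save($webConfig)

# 3. IIS: Windows auth on, Basic off, on RDWeb, Pages and every language folder
#    (a commenter's 401 came from ru-RU not inheriting the RDWeb settings).
#    Anonymous is switched off as well so the browser is actually challenged;
#    that step is an addition to the post's own list.
$paths = @($site, "$site\Pages") +
         (Get-ChildItem $pagesDir -Directory | ForEach-Object { "$site\Pages\$($_.Name)" })
$authFilter = 'system.webServer/security/authentication'
foreach ($p in $paths) {
    Set-WebConfigurationProperty -PSPath $p -Filter "$authFilter/windowsAuthentication"   -Name enabled -Value $true
    Set-WebConfigurationProperty -PSPath $p -Filter "$authFilter/basicAuthentication"     -Name enabled -Value $false
    Set-WebConfigurationProperty -PSPath $p -Filter "$authFilter/anonymousAuthentication" -Name enabled -Value $false
}
# 'Require SSL' is left as it is: Windows auth works over HTTPS, and the SSO
# path carries delegated credentials, so there is no reason to drop TLS.

# 4. Private mode by default: flip bPrivateMode in Default.aspx (backup first).
$defaultAspx = Join-Path $pagesDir 'en-US\Default.aspx'
Copy-Item $defaultAspx "$defaultAspx.$stamp.bak"
(Get-Content $defaultAspx -Raw) -replace 'bPrivateMode\s*=\s*false', 'bPrivateMode = true' |
    Set-Content $defaultAspx -Encoding UTF8
```

Run it in an elevated PowerShell session on the RD Web Access server; the timestamped .bak files are the rollback path if the site stops working.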
Hope this helps you. Enjoy!!
In the section about changing the bPrivateMode variable, it should be Default.aspx that is changed.
Excellent blog mate, I have a hybrid 2012/2008 setup due to compatibility issues and was looking for something like this for a few days now. Top Man!
Hi,
I made all those settings (via IIS directly)
BUT WHERE TO DO:
Disable Basic Authentication and Enable Windows Authentication
And also, I have read on the net, that you have to enable on the client the:
CREDENTIALS DELEGATION + CREDENTIALS DELEGATION NTLM policy.
Thanks for answering me.
Cheers
David
Yes, I have the Credentials Delegation policy for the clients. I don't have the NTLM policy and am not sure it's a requirement.
Hello, and thanks for the manual, but after doing this I get a 401 error: access denied due to invalid credentials.
Thanks for answering me.
With best regards, Ilya.
Ilya: Try copying C:\Windows\Web\RDWeb\Pages\en-US\Login.aspx to C:\Windows\Web\RDWeb\Pages and see if you are still having issues.
Anand
Hello, and thank you for the reply. I resolved the problem today.
The problem was in the IIS Authentication settings for the folder sites\rdweb\pages\ru-RU (because I have the Russian language). I don't know whether it is by default or not, but when I set the Authentication settings for the RDWeb folder, the subfolders don't apply these settings.
Can you run FBA and Kerberos on the same server in different folders or websites?
These changes worked great, but now once I'm in RDWeb and click on an app I get a box asking for a username and password. I can enter a username and password and it opens up the app. For some reason it's not passing the credentials to the app.
Any idea why this may be?
Hi. I'm having the same problem. Did you manage to fix it?
No, ended up going a different route for my customer.
They just use a shortcut to access the RDS servers and all apps are installed there.
This works nicely. What I did notice is that when you go to:
https:///RDWeb you authenticate via Kerberos
Whereas if you close/open your browser and follow the autocomplete link (if you already visited the site before):
https:///RDWeb/Pages/en-US/Default.aspx it does SSO but actually authenticates you via NTLM instead of Kerberos.
Any ideas why that is?
@Nathan It sounds like what you missed was to apply the necessary Group Policies for the users.
[Computer configuration\Administrative Templates\System\Credentials Delegation]. Choose:
-Allow delegating default credentials – Enable
-Add servers to the list: (Here you add the name of the external dns name being used + the FQDN of the RDS servers)
On top of that there are 3 more Group Policies that you would need to apply for optimal use.
An RDP signing GPO. Google it for more information. (Use the thumbprint of your SSL certificate to approve the RemoteApps.)
USER Configuration–>Administrative Templates–>Windows Components–>Internet Explorer–>Internet control panel–>Security Page –> Trusted site zone –> Logon options
= Automatic logon with current username and password
USER Configuration–>Administrative Templates–>Windows Components–>Internet Explorer–>Internet control panel–>Security Page –> Site To Zone Assignment list.
external dns name for rdweb Value=2
RDSHostservername Value=2
RDShostserverFQDN Value=2
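The comment above lists client-side policies by their Group Policy Editor paths. As an added example (not from the post or any commenter), the script below reads back the registry values those policies write on a workstation, so an admin can verify a client before looking at the server. The host names are constructed placeholders; the registry locations are the standard ones for these policies.

```powershell
# Added example (not from the post or any commenter): read back the client-side
# policy registry values the comment above refers to. Host names are constructed
# placeholders; adjust them for the environment being checked.
function Test-RdWebSsoClientPolicy {
    param(
        [string]$RdWebHost = 'rdwebserver.company.com',   # host name used in the post
        [string[]]$RdsHost = @('rdsh01.company.com')      # constructed placeholder
    )
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'
    $ie  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    $r = [ordered]@{}

    # Computer Config > System > Credentials Delegation > Allow delegating default credentials
    $cd = Get-ItemProperty "$pol\CredentialsDelegation" -ErrorAction SilentlyContinue
    $r['AllowDefaultCredentials'] = ($cd.AllowDefaultCredentials -eq 1)
    $list = Get-ItemProperty "$pol\CredentialsDelegation\AllowDefaultCredentials" -ErrorAction SilentlyContinue
    $spns = if ($list) { $list.PSObject.Properties | Where-Object Name -match '^\d+$' | ForEach-Object Value }
    foreach ($h in $RdsHost) {
        # Accept an exact SPN or a wildcard entry such as TERMSRV/*.company.com
        $r["Delegation:$h"] = [bool]($spns | Where-Object { "TERMSRV/$h" -like $_ })
    }

    # IE > Security Page > Site to Zone Assignment list (data "2" = Trusted sites)
    $zm = Get-ItemProperty "$ie\ZoneMapKey" -ErrorAction SilentlyContinue
    foreach ($h in @($RdWebHost) + $RdsHost) {
        $r["TrustedZone:$h"] = ($zm.$h -eq '2')
    }

    # IE > Trusted sites zone > Logon options: 1A00 = 0 is "Automatic logon with
    # current username and password"
    $zone2 = Get-ItemProperty "$ie\Zones\2" -ErrorAction SilentlyContinue
    $r['TrustedZoneAutoLogon'] = ($zone2.'1A00' -eq 0)

    # RDP signing: trusted .rdp publisher thumbprints (comma-separated SHA1 list)
    $ts = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -ErrorAction SilentlyContinue
    $r['TrustedRdpPublishers'] = -not [string]::IsNullOrEmpty($ts.TrustedCertThumbprints)

    [pscustomobject]$r
}

Test-RdWebSsoClientPolicy | Format-List
```

Any False row points at the policy that has not reached the client yet; a False Delegation row with a True AllowDefaultCredentials row is the usual cause of the credential prompt described in the earlier comments.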
Great! I just made these changes and it fucked the whole thing. Brilliant. Thanks heaps.
Not only that, after reinstating the backed-up files and setting IIS back, it was still throwing errors.
Again, great stuff mate. Thanks for ruining my day. Hope u enjoy yours.