RDS 2012 R2–Single sign on using Windows Authentication for RDWeb page

WebSSO is great and it works beautifully if configured correctly. If you go to https://rdwebserver.company.com/RDWeb, you will be presented with a form-based authentication page.

What if we could present the published apps/icons without showing the form-based authentication page, that is, use Kerberos or NTLM authentication with the logged-on user's credentials? This makes sense for internal corporate users: they are already logged in with their domain credentials, so why should they have to log on again?

This post shows how to enable Windows Authentication for the RDWeb logon. It's really easy to do in Windows Server 2012 R2.

  1. Log on to the Remote Desktop Web Access server.
  2. Open Explorer and go to C:\Windows\Web\RDWeb\Pages
  3. Make a backup copy of the web.config file.
  4. Open Notepad as Administrator
  5. Open C:\Windows\Web\RDWeb\Pages\web.config
  6. Uncomment the Windows Authentication section and comment out the form-based authentication section. The instructions in the file and the end result look like this:

To turn on Windows Authentication:
- uncomment <authentication mode="Windows"/> section
- and comment out:
  1) <authentication mode="Forms"> section.
  2) <modules> and <security> sections in <system.webServer> section at the end of the file.
  3) Optional: Windows Authentication will work in https. However, to turn off https, disable 'Require SSL' for both RDWeb and RDWeb/Pages VDIR.
     Launch IIS Manager UI, click on RDWeb VDIR, double click on SSL Settings in the middle pane, uncheck 'Require SSL' and
     click Apply in the top right in the right pane. Repeat the steps for RDWeb/Pages VDIR.

    <authentication mode="Windows"/>
    <!--
    <authentication mode="Forms">
      <forms loginUrl="default.aspx" name="TSWAAuthHttpOnlyCookie" protection="All" requireSSL="true" />
    </authentication>
    -->
    <personalization defaultProvider="TSPortalProvider">
      <providers>
        <add name="TSPortalProvider" type="Microsoft.TerminalServices.Publishing.Portal.TSPortalProvider"/>
      </providers>
      <authorization>
        <allow users="*" verbs="enterSharedScope"/>
      </authorization>
    </personalization>
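
A read-only PowerShell check for the edited file, added here as an example (it is not part of the original post or of the RDWeb files): it confirms that web.config is still well-formed XML after hand-commenting and that the active sections match the instructions quoted above. The function name Test-RdWebAuthConfig is made up for this example.

```powershell
# Added example: reads the file only, changes nothing.
$Config = 'C:\Windows\Web\RDWeb\Pages\web.config'   # path from step 5

function Test-RdWebAuthConfig([string]$Path) {
    # Commenting out a section that already contains a comment, or leaving
    # a comment unbalanced, makes the file invalid XML. The [xml] cast
    # throws in that case, which is caught and reported here.
    try {
        $xml = [xml](Get-Content -LiteralPath $Path -Raw)
    }
    catch {
        return [pscustomobject]@{ WellFormed = $false; Error = $_.Exception.Message }
    }

    # Commented-out elements are not part of the parsed tree, so these
    # queries only see sections that are still active.
    $auth     = @($xml.SelectNodes('//system.web/authentication'))
    $modules  = @($xml.SelectNodes('//system.webServer/modules'))
    $security = @($xml.SelectNodes('//system.webServer/security'))

    # End state described by the file's own instructions: exactly one active
    # <authentication> element with mode="Windows", and no active <modules>
    # or <security> section under <system.webServer>.
    $ok = ($auth.Count -eq 1) -and
          ($auth[0].GetAttribute('mode') -eq 'Windows') -and
          ($modules.Count -eq 0) -and
          ($security.Count -eq 0)

    [pscustomobject]@{
        WellFormed       = $true
        ActiveAuthModes  = ($auth | ForEach-Object { $_.GetAttribute('mode') }) -join ','
        ActiveModules    = $modules.Count
        ActiveSecurity   = $security.Count
        MatchesProcedure = $ok
    }
}

Test-RdWebAuthConfig $Config | Format-List
```

Running the same function against the backup copy from step 3 shows the pre-change state for comparison.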

Enable Windows Authentication in IIS settings

1. Open IIS Console on the RD Web Access Server
2. Expand to RDWeb folder.
3. Double click on Authentication.
4. Disable Basic Authentication and Enable Windows Authentication
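
A read-only audit of the result, added here as an example rather than taken from the original post: it lists the effective authentication and Require SSL settings for RDWeb, RDWeb/Pages and each folder under Pages, since child paths can carry their own settings. It assumes RDWeb is hosted under "Default Web Site"; Get-IisValue is a helper defined only for this example.

```powershell
# Added example: read-only audit, changes nothing.
# Assumption: RDWeb is hosted under "Default Web Site"; adjust $Site if not.
Import-Module WebAdministration

$Site     = 'Default Web Site'
$PagesDir = 'C:\Windows\Web\RDWeb\Pages'   # path from the steps above
$AuthBase = 'system.webServer/security/authentication'

# Get-WebConfigurationProperty can return a raw value or an attribute object
# with a Value property; normalise both to the plain value.
function Get-IisValue($PsPath, $Filter, $Name) {
    $v = Get-WebConfigurationProperty -PSPath $PsPath -Filter $Filter -Name $Name
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { $v.Value } else { $v }
}

# RDWeb, RDWeb/Pages and every folder under Pages (en-US and so on).
$paths  = @('RDWeb', 'RDWeb/Pages')
$paths += Get-ChildItem -Path $PagesDir -Directory |
          ForEach-Object { "RDWeb/Pages/$($_.Name)" }

$report = foreach ($p in $paths) {
    $ps = "IIS:\Sites\$Site\$($p -replace '/', '\')"
    [pscustomobject]@{
        Path      = $p
        Windows   = Get-IisValue $ps "$AuthBase/windowsAuthentication"   'enabled'
        Basic     = Get-IisValue $ps "$AuthBase/basicAuthentication"     'enabled'
        Anonymous = Get-IisValue $ps "$AuthBase/anonymousAuthentication" 'enabled'
        SslFlags  = Get-IisValue $ps 'system.webServer/security/access'  'sslFlags'
    }
}

$report | Format-Table -AutoSize

# Flag paths that differ from the intended end state: Windows Authentication
# on, Basic Authentication off, Require SSL still set.
$report |
    Where-Object { -not $_.Windows -or $_.Basic -or "$($_.SslFlags)" -notmatch 'Ssl' } |
    ForEach-Object {
        Write-Warning ("Review {0}: Windows={1} Basic={2} SslFlags={3}" -f `
            $_.Path, $_.Windows, $_.Basic, $_.SslFlags)
    }
```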

That's all, BUT there is one more thing. Since we don't use form-based authentication, how do you specify whether the session is Public or Private? On the RDWeb page there is a check box to make the RDWeb sessions private. It shows up at the bottom of the page.


I made Private checked by default, since all my users are internal (and I have a different Remote Desktop Web Access server for external users with form-based authentication). To make that happen, follow the steps below.

  1. Log on to the Remote Desktop Web Access server.
  2. Open Explorer and go to C:\Windows\Web\RDWeb\Pages\en-US
  3. Make a backup copy of the Default.aspx file.
  4. Open Notepad as Administrator
  5. Open C:\Windows\Web\RDWeb\Pages\en-US\Default.aspx
  6. Change the variable bPrivateMode from false to true. The modified variable line looks like this:

    public bool bShowPublicCheckBox = false, bPrivateMode = true, bRTL = false;

Now it looks like this, since Private mode is checked by default.


Hope this helps you. Enjoy!!



  1. Excellent blog mate, I have a hybrid 2012/2008 setup due to compatibility issues and was looking for something like this for a few days now. Top Man!


  2. Hi,
    I made all those settings (via IIS directly)
    Disable Basic Authentication and Enable Windows Authentication

    And also, I have read on the net, that you have to enable on the client the:

    Thanks for answering me.



  3. Hello, and thanks for the manual, but after doing this, I have a 401 error – access denied due to invalid credentials.

    Thanks for answering me.
    With best regards, Ilya.


      1. Hello, and thank you for the reply. I have resolved the problem today.
        The problem was in the IIS Authentication settings for the folder sites\rdweb\pages\ru-RU (because I have the Russian language). I don't know whether it is by default or not, but when I set the Authentication settings for the RDWeb folder, the subfolders won't apply these settings.

  4. These changes worked great, but now once I’m in the RDweb and click on an app I get a box asking for a username and password. I can enter a username and password and it opens up the app. For some reason it’s not passing the credentials to the app.

    Any idea why this may be?


      1. No, ended up going a different route for my customer.
        They just use a shortcut to access the RDS servers and all apps are installed there.

  5. @Nathan It sounds like what you missed was to apply the necessary Group Policies for the users.
    [Computer configuration\Administrative Templates\System\Credentials Delegation]. Choose:
    -Allow delegating default credentials – Enable
    -Add servers to the list: (Here you add the name of the external dns name being used + the FQDN of the RDS servers)

    On top of that there are 3 more Group Policies that you would need to apply for optimal use.

    An RDP signing GPO. Google it for more information. (Use the thumbprint of your ssl certificate to approve the remoteapps)

    USER Configuration–>Administrative Templates–>Windows Components–>Internet Explorer–>Internet control panel–>Security Page –> Trusted site zone –> Logon options
    = Automatic logon with current username and password

    USER Configuration–>Administrative Templates–>Windows Components–>Internet Explorer–>Internet control panel–>Security Page –> Site To Zone Assignment list.
    external dns name for rdweb Value=2
    RDSHostservername Value=2
    RDShostserverFQDN Value=2

