SSO (Single Sign-On) Authentication on RDS
Single Sign-On (SSO) is the technology that allows an authenticated (signed on) user to access other services without re-authentication. Applied to the Remote Desktop Service, SSO allows a user logged on to the domain computer not to reenter account name and password when connecting to RDS servers or launch published RemoteApp applications.
In this article, we ll describe the peculiarities of configuring the transparent SSO (Single Sign-On) authentication on RDS servers running Windows Server 2012 R2.
- The Connection Broker server and all RDS servers must be running Windows Server 2012
- SSO works only in the domain environment: Active Directory user accounts must be used, and servers together with the workstations must be included in the domain
- RDP 8.0 or later has to be used
- Windows 7/8/8.1 on the client side
- SSO works with password authentication (smart cards are not supported)
The procedure of Single Sign-On configuration consists of the following steps:
- SSL certificate has to be issued and assigned on RD Gateway, RD Web and RD Connection Broker servers
- Web SSO has to be enabled on RDWeb server
- The group policy for credentials delegation has to be configured
- The certificate thumbprint has to be added to .rdp trusted publishers using GPO
Firstly, you have to issue and assign an SSL certificate (the EKU of the certificate must contain Server Authentication). We won t describe the procedure of getting the certificate since it goes beyond the scope of this article.
The certificate is assigned in the Certificates section of RDS Deployment properties.
Then you have to enable “Windows Authentication” on all servers with Web Access role for IIS RDWeb directory and disable Anonymous Authentication.
After you save the changes, restart IIS:
If you are using RD Gateway, make sure that it is not used for connection of the internal clients. (Bypass RD Gateway server for local address has to be checked.)
The next step is the configuration of the credentials delegation policy. This policy is located in Computer Configuration – Policies – Administrative Templates – System – Credential Delegation – Allow delegation defaults credential. The policy allows certain servers to access the credentials of Windows users.
- The policy has to be enabled (Enabled)
- You have to add the names of RDS servers to the list of servers, on which the authentication takes place. The format of adding a server is as follows: TERMSRV/rd.contoso.com. If you have to give this permission to all terminal systems in the domain (it is less safe, though), you can use this construction: TERMSRV/*.contoso.com
Then, to prevent a window warning of the remote application publisher being untrusted to appear, add the address of the server with the Connection Broker role to the trusted zone on the client computers using GPO:
User/Computer Configuration – Administrative Tools – Windows Components – Internet Explorer – Internet Control Panel – Security Page- Site to Zone assignment list
Specify FQDN server name RDCB and Zone 2 (Trusted sites)
Then enable Logon options policy in User/Computer Configuration – Administrative Tools – Windows Components – Internet Explorer – Internet Control Panel – Security – Trusted Sites Zone and in the dropdown list select Automatic logon with current username and password.
At last, you have to get the certificate thumbprint and add it to the list of trusted rdp publishers. To do it, run the following PowerShell command on your RDS Connection Broker server:
Copy the value of the certificate thumbprint and add it to the list of thumbprints in the policy Specify SHA1 thumbprints of certificates representing RDP publishers (Computer Configuration – Administrative Templates – Windows Desktop Services – Remote Desktop Connection Client).
Now the SSO configuration is over, and after the policies have been applied, the user can connect to the RDS farm using RDP without re-entering password.