SSO (Single Sign-On) Authentication on RDS, Windows OS Hub


SSO (Single Sign-On) Authentication on RDS

Single Sign-On (SSO) is the technology that allows an authenticated (signed-on) user to access other services without re-authenticating. Applied to Remote Desktop Services, SSO means that a user who is already logged on to a domain computer does not have to re-enter the account name and password when connecting to RDS servers or launching published RemoteApp applications.

In this article, we'll describe the peculiarities of configuring transparent SSO (Single Sign-On) authentication on RDS servers running Windows Server 2012 R2.

  • The Connection Broker server and all RDS servers must be running Windows Server 2012
  • SSO works only in the domain environment: Active Directory user accounts must be used, and servers together with the workstations must be included in the domain
  • RDP 8.0 or later has to be used
  • Windows 7/8/8.1 on the client side
  • SSO works with password authentication (smart cards are not supported)

The procedure of Single Sign-On configuration consists of the following steps:

  • An SSL certificate has to be issued and assigned to the RD Gateway, RD Web Access and RD Connection Broker servers
  • Web SSO has to be enabled on the RD Web Access server
  • The group policy for credentials delegation has to be configured
  • The certificate thumbprint has to be added to the list of trusted RDP publishers using GPO

Firstly, you have to issue and assign an SSL certificate (the EKU of the certificate must contain Server Authentication). We won't describe the procedure of getting the certificate, since it goes beyond the scope of this article.

The certificate is assigned in the Certificates section of RDS Deployment properties.


Then you have to enable “Windows Authentication” for the IIS RDWeb directory on all servers holding the Web Access role, and disable Anonymous Authentication.


After you save the changes, restart IIS.

If you are using RD Gateway, make sure that it is not used for connections from internal clients (the option “Bypass RD Gateway server for local addresses” has to be checked).


The next step is the configuration of the credentials delegation policy. This policy is located in Computer Configuration – Policies – Administrative Templates – System – Credentials Delegation – Allow delegating default credentials. The policy allows the specified servers to receive the Windows credentials of the logged-on user.

  • The policy has to be enabled (Enabled)
  • You have to add the names of the RDS servers on which authentication takes place to the list of servers. Each server is added in the form TERMSRV/ followed by the server name. If you have to grant this permission to all terminal servers in the domain (it is less safe, though), you can use the construction TERMSRV/*

Then, to prevent the warning that the publisher of the remote application is untrusted from appearing, add the address of the server with the Connection Broker role to the trusted zone on the client computers using GPO:

User/Computer Configuration – Administrative Templates – Windows Components – Internet Explorer – Internet Control Panel – Security Page – Site to Zone Assignment List

Specify the FQDN of the RD Connection Broker server as the site name and 2 (Trusted sites) as the zone.


Then enable the Logon options policy in User/Computer Configuration – Administrative Templates – Windows Components – Internet Explorer – Internet Control Panel – Security Page – Trusted Sites Zone, and in the dropdown list select Automatic logon with current username and password.

At last, you have to get the certificate thumbprint and add it to the list of trusted RDP publishers. To do it, run the following PowerShell command on your RDS Connection Broker server:


Copy the value of the certificate thumbprint and add it to the list of thumbprints in the policy Specify SHA1 thumbprints of certificates representing RDP publishers (Computer Configuration – Administrative Templates – Windows Components – Remote Desktop Services – Remote Desktop Connection Client).


Now the SSO configuration is complete. Once the policies have been applied, the user can connect to the RDS farm over RDP without re-entering the password.
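As an added example (not from the Windows OS Hub article), the following PowerShell function audits, on a domain-joined client, the registry values that the four policy steps above write: the credentials delegation list, the trusted RDP publisher thumbprints, the Site to Zone assignment and the Trusted Sites logon option. It also flags the TERMSRV/* wildcard the article calls less safe. The broker name rdcb01.corp.example.com and the thumbprint value are constructed placeholders; the thumbprint itself is the one you copy from the broker (the RemoteDesktop module's Get-RDCertificate -Role RDPublishing returns it).

```powershell
#Requires -Version 5.1
# Added example, not the article's own code: checks the policy-backed registry values
# produced by the GPO steps for RDS SSO. Server name and thumbprint are constructed.
function Test-RdsSsoPolicy {
    param(
        [Parameter(Mandatory)][string]$BrokerFqdn,  # e.g. rdcb01.corp.example.com (constructed)
        [Parameter(Mandatory)][string]$Thumbprint   # SHA1 thumbprint of the RD publishing certificate
    )
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Ok; Detail = $Detail })
    }
    # 1. Allow delegating default credentials (Computer Configuration, so HKLM only)
    $cdPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    $cd = Get-ItemProperty $cdPath -ErrorAction SilentlyContinue
    $listKey = Get-Item "$cdPath\AllowDefaultCredentials" -ErrorAction SilentlyContinue
    $servers = @()
    if ($listKey) { $servers = @($listKey.GetValueNames() | ForEach-Object { $listKey.GetValue($_) }) }
    $scoped = $servers -contains "TERMSRV/$BrokerFqdn"
    $wild = $servers -contains 'TERMSRV/*'
    Add-Result 'Credentials delegation enabled for broker' ($cd.AllowDefaultCredentials -eq 1 -and ($scoped -or $wild)) ('servers: ' + ($servers -join ', '))
    # TERMSRV/* hands the user's credentials to any host that presents itself as a terminal server
    if ($wild) { Add-Result 'Delegation scoped to named RDS servers' $false 'TERMSRV/* present; list the RDS servers explicitly' }
    # 2. Specify SHA1 thumbprints of certificates representing RDP publishers (comma-separated REG_SZ)
    $ts = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -ErrorAction SilentlyContinue
    $thumbs = @()
    if ($ts.TrustedCertThumbprints) { $thumbs = @($ts.TrustedCertThumbprints -split ',' | ForEach-Object { $_.Trim() }) }
    Add-Result 'RD publishing thumbprint trusted' ($thumbs -contains $Thumbprint) ('thumbprints: ' + ($thumbs -join ', '))
    # 3./4. Site to Zone Assignment List and Trusted Sites logon option (user or computer policy)
    foreach ($hive in 'HKLM', 'HKCU') {
        $ie = "$($hive):\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
        $zm = Get-Item "$ie\ZoneMapKey" -ErrorAction SilentlyContinue
        $zone = if ($zm) { $zm.GetValue($BrokerFqdn) } else { $null }
        Add-Result "[$hive] broker in Trusted sites (zone 2)" ($zone -eq '2') "value: $zone"
        # 1A00 = 0 is "Automatic logon with current username and password"
        $logon = (Get-ItemProperty "$ie\Zones\2" -ErrorAction SilentlyContinue).'1A00'
        Add-Result "[$hive] automatic logon in Trusted sites" ($logon -eq 0) "1A00 = $logon"
    }
    return $results
}

# Usage on a client after gpupdate (constructed values):
# Test-RdsSsoPolicy -BrokerFqdn 'rdcb01.corp.example.com' -Thumbprint 'PLACEHOLDER_THUMBPRINT' | Format-Table -AutoSize
```

A Pass of False on either of the two HKCU/HKLM rows is expected for the hive in which the Internet Explorer policies were not configured.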

What is Kerberos? Definition from TechTarget



Kerberos is a protocol for authenticating service requests between trusted hosts across an untrusted network, such as the internet. Kerberos is built into all major operating systems, including Microsoft Windows, Apple OS X, FreeBSD and Linux.


Since Windows 2000, Microsoft has incorporated the Kerberos protocol as the default authentication method in Windows, and it is an integral component of the Windows Active Directory service. Broadband service providers also use Kerberos to authenticate DOCSIS cable modems and set-top boxes accessing their networks.

Kerberos was originally developed for Project Athena at the Massachusetts Institute of Technology (MIT). The name Kerberos was taken from Greek mythology; Kerberos (Cerberus) was a three-headed dog who guarded the gates of Hades. The three heads of the Kerberos protocol represent a client, a server and a Key Distribution Center (KDC), which acts as Kerberos’ trusted third-party authentication service.

Users, machines and services using Kerberos need only trust the KDC, which runs as a single process and provides two services: an authentication service and a ticket granting service. KDC tickets provide mutual authentication, allowing nodes to prove their identity to one another in a secure manner. Kerberos authentication uses conventional shared-secret cryptography to prevent packets traveling across the network from being read or changed and to protect messages from eavesdropping and replay attacks.

Kerberos protocol overview

A simplified description of how Kerberos works follows; the actual process is more complicated and may vary from one implementation to another. For the purposes of this discussion, the initiating client in the scenario below is a corporate laptop running Windows, and an end user is trying to log into the corporate network.

To start the Kerberos authentication process, the initiating client sends a request to an authentication server for access to a service. The initial request is sent as plaintext because no sensitive information is included in the request.

The authentication server retrieves the initiating client’s private key, assuming the initiating client’s username is in the KDC database. If the initiating client’s username cannot be found in the KDC database, the client cannot be authenticated and the authentication process stops. If the client’s username can be found in the KDC database, the authentication server generates a session key and a ticket granting ticket. The ticket granting ticket is timestamped and encrypted by the authentication server with the initiating client’s password.


The initiating client is then prompted for a password; if what is entered matches the password in the KDC database, the encrypted ticket granting ticket sent from the authentication server is decrypted and used to request a credential from the ticket granting server for the desired service. The client sends the ticket granting ticket to the ticket granting server, which may be physically running on the same hardware as the authentication server, but performing a different role.

The ticket granting service carries out an authentication check similar to that performed by the authentication server, but this time sends credentials and a ticket to access the requested service. This transmission is encrypted with a session key specific to the user and service being accessed. This proof of identity can be used to access the requested kerberized service, which, once having validated the original request, will confirm its identity to the requesting system.

The timestamped ticket sent by the ticket granting service allows the requesting system to access the service using a single ticket for a specific time period without having to be re-authenticated. Making the ticket valid for a limited time period makes it less likely that someone else will be able to use it later; it is also possible to set the maximum lifetime to 0, in which case service tickets will not expire. Microsoft recommends a maximum lifetime of 600 minutes for service tickets; this is the default value in Windows Server implementations of Kerberos.

The MIT Kerberos Consortium was founded in September 2007 to further the development of Kerberos. In 2013, the consortium was expanded and renamed the MIT Kerberos and Internet Trust Consortium.

This was last updated in August 2016


What is authentication, authorization, and accounting (AAA)? Definition from TechTarget


authentication, authorization, and accounting (AAA)

Authentication, authorization, and accounting (AAA) is a term for a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These combined processes are considered important for effective network management and security.


As the first process, authentication provides a way of identifying a user, typically by having the user enter a valid user name and valid password before access is granted. The process of authentication is based on each user having a unique set of criteria for gaining access. The AAA server compares a user’s authentication credentials with other user credentials stored in a database. If the credentials match, the user is granted access to the network. If the credentials are at variance, authentication fails and network access is denied.

Following authentication, a user must gain authorization for doing certain tasks. After logging into a system, for instance, the user may try to issue commands. The authorization process determines whether the user has the authority to issue such commands. Simply put, authorization is the process of enforcing policies: determining what types or qualities of activities, resources, or services a user is permitted. Usually, authorization occurs within the context of authentication. Once you have authenticated a user, they may be authorized for different types of access or activity.

The final plank in the AAA framework is accounting, which measures the resources a user consumes during access. This can include the amount of system time or the amount of data a user has sent and/or received during a session. Accounting is carried out by logging of session statistics and usage information and is used for authorization control, billing, trend analysis, resource utilization, and capacity planning activities.

Authentication, authorization, and accounting services are often provided by a dedicated AAA server, a program that performs these functions. A current standard by which network access servers interface with the AAA server is the Remote Authentication Dial-In User Service (RADIUS).

This was last updated in November 2010
