SSO with Remote Desktop Services 2008 R2

In this article I will explain how to set up SSO (Single Sign-On) for RemoteApp programs published through RDS 2008 R2.

For the purposes of this explanation, I will assume the following infrastructure:

– 1 domain: core.lab

– A farm of 2 RD Session Host (RDSH) servers:

o RDSH1.core.lab

o RDSH2.core.lab

The name of the farm is RDFARM.core.lab

– 1 RD Connection Broker: RDCB.core.lab

– 1 RD Web Access: RDWA.core.lab

– 1 RD Gateway: RDGW.core.lab

The implementation of SSO can be divided into several phases:

1) Choice of certificates

2) Generation of certificates

3) Installation of certificates on the different machines

4) Configuring the RD Session Hosts

5) Configuring the RD Connection Broker

6) Configuring the RD Web Access

7) Configuring the RD Gateway

8) Creation of GPOs

1. Choice of certificates

One or more certificates will be generated.

A certificate is needed for:

– each RD Session Host server

– the RD Connection Broker server

– the RD Web Access server

– the RD Gateway server.

The RD Session Host servers and the RD Connection Broker server will share the same certificate.

The RD Web Access server and the RD Gateway server may each have their own certificate.

In conclusion, we need at most 3 different certificates.

The certificate for the RD Session Host servers and the RD Connection Broker must contain:

CN = RDFARM.core.lab

The RD Web Access server certificate must contain:

CN = RDWA.core.lab

The RD Gateway server certificate must contain:

CN = RDGW.core.lab

It is also possible to use a single certificate for all of these servers.

In that case, either use a wildcard certificate (*.core.lab) as the Subject Name, or list the different names in the certificate's SAN (Subject Alternative Name) field.

Note, however, that only Remote Desktop Connection (RDC) clients version 6.1 and later can make use of these options.

To use a Subject Alternative Name in our example, the certificate would contain:

Subject Name:

CN = RDFARM.core.lab

Subject Alternative Name:

DNS = RDFARM.core.lab

DNS = RDWA.core.lab

DNS = RDGW.core.lab

The name RDFARM.core.lab appears both in the Subject Name and in the Subject Alternative Name.

This repetition is intentional.

For the rest of this article, I will assume that we use three different certificates.

2. Generation of certificates

To generate our certificates, there are two possibilities:

– Use a CA in the Active Directory domain

– Buy your certificates from companies such as VeriSign™, Thawte™ and others…

If all the workstations that access this infrastructure are under the control of your IT department, you can simply use your own CA.

Indeed, if the workstations are in the same forest as the CA, they will trust it automatically.

Otherwise, they must be configured to trust the certification authority, and they must have access to its CRL (Certificate Revocation List).

To create your own certificates, I refer you to this section.

3. Installing certificates on different machines

Once the certificates have been created, they must be installed on the different servers.

In our example, these are the servers and their respective certificates:

Server            Certificate
RDSH1.core.lab    RDFARM.core.lab
RDSH2.core.lab    RDFARM.core.lab
RDCB.core.lab     RDFARM.core.lab
RDWA.core.lab     RDWA.core.lab
RDGW.core.lab     RDGW.core.lab

This is done as follows:

On each of the servers in question, launch an elevated MMC, then choose “Add or Remove Snap-ins”.

Select the “Certificates” snap-in.

Select “Computer Account”, then “Local Computer”.

Right-click the “Personal” store, then “All Tasks”, then “Import…”.

Select the .pfx file created earlier, and enter the password given when the private key was exported.

Select the “Personal” store as the certificate location and complete the import.

At the end of the operation, the certificate should appear in the console.

This operation must be repeated on each of the servers listed above, with their respective certificates.
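As an added check (example code, not part of the original article), the following PowerShell verifies on a server that a certificate in the local computer's Personal store actually covers the name expected for that role (RDFARM.core.lab on RDSH1, RDSH2 and RDCB, RDWA.core.lab on RD Web Access, RDGW.core.lab on the RD Gateway), whether through the Subject CN, a SAN DNS entry or a *.core.lab wildcard as described in section 1, and that it has its private key and a valid chain. The function name and its parameter are assumptions of this example.

```powershell
# Added example (not from the article): check that a certificate in the local
# computer's Personal store covers the name expected for this server's role.
# Function name and parameter are assumptions of this example.
function Test-RdsCertificate {
    param([Parameter(Mandatory = $true)][string]$ExpectedName)

    # Does one certificate name cover the wanted name? A wildcard such as
    # "*.core.lab" covers exactly one label (RDFARM.core.lab, not a.b.core.lab).
    function Covers([string]$certName, [string]$wanted) {
        if ($certName -ieq $wanted) { return $true }
        if ($certName.StartsWith("*.")) {
            $suffix = $certName.Substring(1)                      # ".core.lab"
            if (-not $wanted.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
            $label = $wanted.Substring(0, $wanted.Length - $suffix.Length)
            return ($label.Length -gt 0) -and ($label -notmatch "\.")
        }
        return $false
    }

    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        # Names the certificate carries: the Subject CN plus any SAN DNS entries (OID 2.5.29.17)
        $names = @($cert.GetNameInfo("SimpleName", $false))
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
        if ($san) {
            # Format() gives e.g. "DNS Name=RDFARM.core.lab, DNS Name=RDWA.core.lab"
            # (the "DNS Name" label is the English one; it is localized on other builds)
            foreach ($m in [regex]::Matches($san.Format($false), "DNS Name=([^,]+)")) {
                $names += $m.Groups[1].Value.Trim()
            }
        }
        $covered = $false
        foreach ($n in $names) { if (Covers $n $ExpectedName) { $covered = $true } }
        New-Object PSObject -Property @{
            Thumbprint    = $cert.Thumbprint
            Names         = ($names -join ", ")
            CoversName    = $covered
            HasPrivateKey = $cert.HasPrivateKey   # needed to serve TLS and to sign .rdp files
            ChainValid    = $cert.Verify()        # builds to a trusted root, not expired or revoked
            NotAfter      = $cert.NotAfter
        }
    }
}

# RDSH1, RDSH2 and RDCB must cover the farm name; RDWA and RDGW their own names.
Test-RdsCertificate -ExpectedName "RDFARM.core.lab" | Format-Table -AutoSize
```

Run it on RDWA with -ExpectedName "RDWA.core.lab" and on RDGW with "RDGW.core.lab"; a row with CoversName, HasPrivateKey and ChainValid all True is the certificate the later sections should select.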

4. Configuring the RD Session Hosts

On the RD Session Host servers, there are 2 things to configure:

– RDP

– RemoteApp

For RDP, this is done in the MMC “Remote Desktop Session Host Configuration”.

Open the properties of the RDP-Tcp connection and, in the General tab, click “Select” to choose the certificate.

Highlight the chosen certificate and click “OK”.

The selected certificate is then displayed.

Click OK to apply the changes.

For RemoteApp, open the MMC “RemoteApp Manager”.

Click the “Change” link next to “Digital Signature Settings”.

Check “Sign with a digital certificate” and click “Change”.

Choose the certificate and confirm with “OK”.

The chosen certificate should then appear in the interface.

Do the same on the other RD Session Host server of the farm.

5. Configuring the RD Connection Broker

On the RD Connection Broker server, there are two things to configure:

– RDP

– The certificate used by the RD Connection Broker itself.

For RDP, proceed in exactly the same way as for the RD Session Host servers, using the MMC “Remote Desktop Session Host Configuration”.

For the RD Connection Broker, launch the MMC “Remote Desktop Connection Manager”.

Then select the option to update the certificate.

Check “Sign with a digital certificate” and click “Select”.

Choose the certificate and confirm with “OK”.

The chosen certificate should then appear in the interface.

6. Configuring the RD Web Access

On the RD Web Access server, there are two things to configure:

– RDP

– The certificate used for HTTPS.

For RDP, proceed in exactly the same way as for the RD Session Host servers, using the MMC “Remote Desktop Session Host Configuration”.

For HTTPS, launch the MMC “Internet Information Services (IIS) Manager”.

Select the “Default Web Site”, then choose “Bindings…”.

Select the https binding, then click “Edit…”.

It only remains to select the certificate to use and confirm.

A restart of the website should be planned.

7. Configuring the RD Gateway

On the RD Gateway server, there are two things to configure:

– RDP

– The certificate used for HTTPS.

For RDP, proceed in exactly the same way as for the RD Session Host servers, using the MMC “Remote Desktop Session Host Configuration”.

For HTTPS, this time we go through a different console: start the MMC “RD Gateway Manager”.

Then select the option to update the certificate.

Then select “Import Certificate”.

Select the correct certificate, click “Import”, then confirm with “OK”.

8. Creation of GPOs

GPOs must be created for all the clients that will run RemoteApp programs through SSO.

In our example, I created an OU “Desktop” into which I moved all the user workstations.

Then, from the MMC “Group Policy Management”, select the OU in question and choose “Create a GPO in this domain, and Link it here…”.

In our example, I named it “SSO for RDS”.

Then click Edit.

The MMC “Group Policy Management Editor” opens.

Go to “Computer Configuration \ Policies \ Administrative Templates \ System \ Credentials Delegation”.

Edit the setting “Allow Delegating Default Credentials”.

Select “Enabled”, then click “Show…”.

Then enter the SPNs of the servers involved.

In our example, this is the name of our farm.

Then confirm twice with “OK”.

Then go to “Computer Configuration \ Policies \ Administrative Templates \ Windows Components \ Remote Desktop Connection Client”.

The setting to change is “Specify SHA1 thumbprints of certificates representing trusted .rdp publishers”.

The “thumbprint” (or “footprint”) is retrieved from the farm certificate.

To do this, from the Certificates console, select the RDFARM.core.lab certificate, open the “Details” tab, and retrieve the contents of the “Thumbprint” field.

Copy this value, preferably without the spaces, to avoid an unfortunate copy/paste.

Depending on what is selected, non-printable characters can end up in the clipboard and corrupt the value.

Once this is done and validated, the SSO configuration is complete.

For the GPO to take effect, remember to close the MMC “Group Policy Management Editor”.
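As an added example (not from the article), the thumbprint can be read straight from the certificate store instead of the clipboard, which avoids the stray characters just described, and after a gpupdate on a workstation the two settings above can be verified in the registry. The registry locations below are the ones these two policies write to on Windows 7 / 2008 R2 as I know them, not taken from the article, and the SPN is assumed to use the TERMSRV/ form; the function names are my own.

```powershell
# Added example (not from the article). Registry locations below are the ones the
# two policy settings write to as I know them (an assumption, not stated in the
# article); the SPN is assumed to use the TERMSRV/ form.
function Get-CleanThumbprint([string]$Thumbprint) {
    # Keep only hex digits: drops spaces and invisible marks picked up from the clipboard
    return ($Thumbprint -replace "[^0-9A-Fa-f]", "").ToUpperInvariant()
}

function Test-RdsSsoPolicy {
    param([string]$FarmName = "RDFARM.core.lab",
          [Parameter(Mandatory = $true)][string]$FarmThumbprint)

    $credKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation"
    $tsKey   = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"

    # "Allow Delegating Default Credentials": an enable flag plus a subkey listing the SPNs
    $enabled = (Get-ItemProperty -Path $credKey -ErrorAction SilentlyContinue).AllowDefaultCredentials -eq 1
    $spns = @()
    if (Test-Path "$credKey\AllowDefaultCredentials") {
        $sub  = Get-Item "$credKey\AllowDefaultCredentials"
        $spns = $sub.GetValueNames() | ForEach-Object { $sub.GetValue($_) }
    }
    $spnOk = @($spns | Where-Object { $_ -ieq "TERMSRV/$FarmName" }).Count -gt 0

    # "Specify SHA1 thumbprints of certificates representing trusted .rdp publishers":
    # one comma-separated REG_SZ; normalize each entry the same way as the farm value
    $raw = (Get-ItemProperty -Path $tsKey -ErrorAction SilentlyContinue).TrustedCertThumbprints
    $trusted = @()
    if ($raw) { $trusted = @($raw -split "," | ForEach-Object { Get-CleanThumbprint $_ }) }
    $thumbOk = $trusted -contains (Get-CleanThumbprint $FarmThumbprint)

    New-Object PSObject -Property @{
        DelegationEnabled     = $enabled
        FarmSpnListed         = $spnOk
        FarmThumbprintTrusted = $thumbOk
        TrustedThumbprints    = ($trusted -join ", ")
    }
}

# On a server holding the farm certificate, read the thumbprint without the clipboard:
$farmCert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -match "CN=RDFARM\.core\.lab" } | Select-Object -First 1
$tp = Get-CleanThumbprint $farmCert.Thumbprint
# Then, on a workstation in the "Desktop" OU after "gpupdate /force":
Test-RdsSsoPolicy -FarmName "RDFARM.core.lab" -FarmThumbprint $tp
```

All three booleans must be True on the client; a False FarmThumbprintTrusted with a non-empty TrustedThumbprints list usually means the pasted value still contained a stray character.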
