• Force the use of the RDS gateway
• Enable SSO for the RDS web access

When you deploy a RDS infrastructure to publish RemoteApp programs, your users can access it in different ways :

• via web access
• via the "RemoteApp and Desktop Connections" feature of Windows

However, when you configure Windows remote connections for transparent access to RemoteApp programs, your users will need to log in twice to use them.

Indeed, even when a user connects with his Active Directory account on a client PC, this user must also identify himself when first launching a RemoteApp program.

Launch a RemoteApp program from the Windows Start menu (or modern interface).

An identification window is displayed for connection to RDS resources.

To avoid this double authentication, go on your Active Directory server and open the Group Policy Management Editor.
Then go to : Computer Configuration -> Policies -> Administrative Templates -> System -> Credential Delegation.

Enable the "Allow delegating default credentials" policy, and then click the "Show" button.

Add the list of session host servers that you have by prefixing them with "TERMSRV/" (as described in the description of this policy).

In our case, this gives : TERMSRV/rds.informatiweb.lan

Finally, click OK.

Force the update of the policy on your client computers :

Batch

gpupdate /force

When the policy update is complete, launch a RemoteApp program from the Start menu or the modern Windows interface.

Now, the RemoteApp window appears while the desired RemoteApp program is starting.

And the RemoteApp program appears without asking the user to login a second time.
Note that this is only possible if your user logs on to the client PC with his Active Directory account.