Windows Server 2012 / 2012 R2 - RDS - Enable single sign-on (SSO) for the RDS web access


In business environments, users commonly log on to their computers with an Active Directory account.
This centralized authentication, together with centrally managed policies, also makes it possible to enable SSO (Single Sign-On).

As you already know, by default, your users need to log in twice if you offer them desktops and/or RemoteApp programs through the RDS (Remote Desktop Services) web access.

To improve the user experience and spare them from authenticating twice, you can use Windows remote connections or enable SSO for RDS web access.

In this tutorial, we will show you how to configure SSO for the RDS web access.

Note: for RemoteApp programs started from the client machine (via Windows remote connections or via web access) to launch without a second authentication, you must first enable SSO for your RDS session hosts by following our previous tutorial: Enable single sign-on (SSO) for access to RemoteApp programs and published desktops

  1. Enable Windows authentication on RDS web access
  2. Enable Windows authentication on IIS web server
  3. Testing RDS web access using Windows authentication
  4. Configure the Single Sign-On (SSO)
  5. Enable the private mode by default

1. Enable Windows authentication on RDS web access

To get started, you must enable Windows authentication on the RDS web access.
To do this, start Notepad as an administrator and open this file: C:\Windows\Web\RDWeb\Pages\Web.config

Note: make a copy of this file before modifying it so that you can restore it if something goes wrong.

In this file, you will find a section explaining how to enable Windows Authentication on RD Web Access.

First, uncomment the "<authentication mode="Windows"/>" tag by removing the "<!--" and "-->" around it (these are the comment delimiters).

A little further down, you will find a "<system.webServer>" section.

In this section, comment out the "<modules ...>...</modules>" and "<security>...</security>" elements by wrapping each of them in "<!--" and "-->".

2. Enable Windows authentication on IIS web server

For Windows authentication to work, you must also enable it in Internet Information Services (IIS) Manager.
To enable it for the Remote Desktop Services (RDS) web access, go to "Sites -> Default Web Site -> RDWeb" and click "Authentication" (in the IIS section).

Disable anonymous authentication (the web access no longer uses its login form).

Then, enable Windows authentication.

Once it is enabled, IIS will prompt you to configure Extended Protection.
To do this, select Windows Authentication from the list, then click "Advanced Settings" in the right column.

Choose "Extended Protection: Accept".

Then, click "Providers" (in the right column).

Verify that the "Negotiate" and "NTLM" providers are enabled and listed in that order.

Finally, select the default website (which includes RDWeb) and click "Restart" in the right column.

Note: to do this from the command line instead, use this command (it restarts all IIS services on the server, not only the default website): iisreset /restart
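
The IIS Manager steps of this section can also be scripted and then verified. The following PowerShell is an added example, not part of the original tutorial; it assumes an elevated session on the RD Web Access server, the WebAdministration module installed with the IIS management tools, and the "Default Web Site" / "RDWeb" names used above.

```powershell
# Added example: scripted equivalent of the IIS Manager steps in section 2.
Import-Module WebAdministration

$site     = 'Default Web Site'            # site name as used in this tutorial
$location = "$site/RDWeb"                 # node selected in IIS Manager
$readPath = "IIS:\Sites\$site\RDWeb"      # same node, used to read effective settings
$authRoot = 'system.webServer/security/authentication'

# Disable anonymous authentication (the login form is no longer used).
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authRoot/anonymousAuthentication" -Name enabled -Value $false

# Enable Windows authentication.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authRoot/windowsAuthentication" -Name enabled -Value $true

# "Extended Protection: Accept" in IIS Manager is stored as tokenChecking = Allow.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authRoot/windowsAuthentication/extendedProtection" `
    -Name tokenChecking -Value 'Allow'

# Read the effective settings back so the result can be reviewed.
$anon = Get-WebConfiguration -PSPath $readPath -Filter "$authRoot/anonymousAuthentication"
$win  = Get-WebConfiguration -PSPath $readPath -Filter "$authRoot/windowsAuthentication"
$ep   = Get-WebConfiguration -PSPath $readPath `
            -Filter "$authRoot/windowsAuthentication/extendedProtection"
$providers = @((Get-WebConfiguration -PSPath $readPath `
            -Filter "$authRoot/windowsAuthentication/providers").Collection |
            ForEach-Object { $_.value })

[pscustomobject]@{
    AnonymousEnabled   = $anon.enabled
    WindowsEnabled     = $win.enabled
    ExtendedProtection = $ep.tokenChecking
    Providers          = $providers -join ', '
}

# The tutorial expects Negotiate first, then NTLM.
if (($providers -join ',') -ne 'Negotiate,NTLM') {
    Write-Warning "Unexpected provider order: $($providers -join ', ')"
}

# Apply the changes (same command as in the note above).
iisreset /restart
```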

3. Testing RDS web access using Windows authentication

Because Windows authentication is now enabled, your web browser will first ask you to log in when you try to access the Remote Desktop Services web access.
Use an Active Directory user who is authorized to use RemoteApp programs and/or desktops on your RDS server and click OK.

If the user is allowed to access it, they will see the RemoteApp programs and/or desktops available to them.

If you close the authentication window, you will not be able to access the web access.