Force the use of the RDS gateway for local users on Windows Server 2012 / 2012 R2 / 2016
- Windows Server
- 19 May 2019 at 12:09 UTC
-
- 2/2
4. Manage permissions on the RDS gateway
Since the user now goes through the gateway to access your RDS infrastructure, your users will need to be authorized by the gateway AND by the remote RDS server to access the desktops and/or RemoteApp programs that you want them to access.
This means that if you allow only administrators on the gateway, your users will no longer be able to connect to your RDS infrastructure.
As you can see, all users of the domain are supposed to be able to access our RemoteApp program collection.
But, this will not work because standard users are no longer allowed on the RDS gateway.
If the user attempts to launch a RemoteApp program or a RDS desktop, Windows will request that it authenticate for the RDS gateway.
And your standard users will receive an error message stating clearly that they are not allowed to access the RDS gateway (because their user account and/or their computer are not allowed).
In a nutshell, this demo shows you that you'll need to pay attention to your gateway permissions, because if your users are not allowed on the target RDS server AND on the RDS gateway, your users will not be able to access your RDS infrastructure.
Note that this is true only because we have forced the use of the gateway for everyone (including access to resources from the local network).
You could of course block access to some resources only for users wishing to access them from outside.
5. Enable single sign-on (SSO) for the gateway
As you can see, by default, the user had to specify his credentials even if he was already connected to the web access.
To prevent it from reconnecting a second time, you will need to configure settings in the "RD Gateway" section of your RDS deployment.
For single sign-on (SSO) to be possible :
- choose the logon method : Password Authentication
- make sure the "Use RD Gateway credentials for remote computers" box is checked
Now, the user can launch a RemoteApp program or access a desktop without having to authenticate a second time.
Note : if Windows still asks you to authenticate on your RDS server (and not the gateway), also configure the SSO for your RDS server by following this tutorial : RDS - Enable single sign-on (SSO) for access to RemoteApp programs and published desktops
And as you can see, we always go through the gateway.
Share this tutorial
To see also
-
Windows Server 6/7/2019
WS 2012 / 2012 R2 - RDS - Set up HA on your RDS infrastructure
-
Windows Server 3/8/2019
WS 2012 / 2012 R2 / 2016 - RDS - Access RemoteApp via a modern application
-
Windows Server 4/28/2019
WS 2012 / 2012 R2 / 2016 - RDS - Attempt to unblock the session as a user
-
Windows Server 3/16/2019
WS 2012 / 2012 R2 / 2016 - RDS - Change the properties of RemoteApps
No comment