Those Credentials Delegation GPOs will set the following registry settings under the hood.ĬredSSP is enabled by default since Vista and Windows 7. This policy setting applies when server authentication was achieved by using a trusted X509 client certificate or Kerberos. This setting applies when the server authentication was achieved via NTLM, which is the case when you access your RDS environment from external outside of your companies network and without client certificates.ĭo the same for Allow delegating default credentials. Instead listing all your RDS servers separate, you can also use a wildcard FQDN likeīe aware that these wilcards can be a security risk!
Open Computer Configuration – Policies – Administrative Templates – System – Credentials DelegationĮnable Allow delegation default credentials with NTLM-only server authentication and add the names (FQDNs) of your RDS servers (RD Web Access, RD Gateway, RD Connection Broker and RD Session Host).Īdd the servers with the format of a Service Principal Name (SPN) So first we editing the Computer Configuration settings of this GPO! So I use one GPO and linked it to my users OU who wants to single-sign-on into RDS and also linked this GPO to an OU which includes my RDS servers. We need to configure both, Computer- and User Configuration settings at the GPO. In order to get Single-Sign-On kick in, we also needs to configure a bunch of Group Policy (GPO) settings. Set the bPrivateMode variable into true inside the C:\Windows\Web\RDWeb\Pages\en-US\Default.aspx file. So we have to change this fix into This is a private computer. You have to comment out Form Authentication + the and sections in and uncomment Windows Authentication as described itself in the web.config file.įor SSO we also do not want to be asked whether we use a public or private computer as per default in C:\Windows\Web\RDWeb\Pages\en-US\Default.aspx is set. So disable Anonymous Authentication and enable Windows Authentication.Īlso you must enable Windows Authentication in the web.config file under C:\Windows\Web\RDWeb\Pages Then you must change the default authentication from Anonymous Authentication to Windows Authentication. If you are not using a wildcard certificate, make sure to include the DNS names from your RD Web Access FQDN and your RD Connection Broker FQDN.
In my case I use a wildcard certificate from the internal company CA (PKI/ADCS), therefore the certificates are trusted on all clients from the company as they will enrolled automatically to all domain members. Now let’s start with the setup for SSO to RDS!įirst check that you use a trusted certificate for the Role Services: Today I wanna go step by step through the points, to enable SSO Single-Sign-ON and passing your local windows credentials through the Remote Desktop Services RDS. If you want to access and open these programms, you will be prompted a second time with an annoying logon dialog to enter your username and password. These are the programms, published on the RD Session Host. Normally, if you want to access a remote desktop services environement, first you have to logon to the RD Web Access Page, therefore you will be prompted with a logon dialog where you have to enter your username and password.Īfter that logon, you will see depending on the deployment, more or less remoteapp programms.