Enable Single Sign-On (SSO) Authentication on RDS Windows Server Ranjan.info

Single Sign-On (SSO) allows an already authenticated (signed-on) user to access other domain services, including RDP, without re-entering a password and without relying on saved credentials. SSO can be used when connecting to Remote Desktop Services (Terminal Server) hosts. This prevents a user logged on to a domain computer from having to enter their account name and password repeatedly in the RDP client window when connecting to different RDS hosts or running published RemoteApps.

This article shows how to configure transparent SSO (single sign-on) for users of an RDS server running Windows Server 2022/2019/2016.

System Requirements:

  • The Connection Broker server and all RDS hosts must be running Windows Server 2012 or newer;
  • You can use Windows 11, 10, or 8.1 Pro/Enterprise editions as client workstations;
  • SSO only works in a domain environment: Active Directory user accounts must be used, the RDS server and the user’s workstations must be joined to the same AD domain;
  • RDP 8.0 or later must be used on the RDP client;
  • SSO only works with password authentication (smart cards are not supported);
  • The RDP security layer in the connection settings must be set to Negotiate or SSL (TLS 1.0), and the encryption level to High or FIPS Compliant.

The single sign-on setup process consists of the following steps:

  • You need to issue and assign SSL certificates to the RD Gateway, RD Web, and RD Connection Broker servers;
  • Web SSO has to be enabled on the RDWeb server;
  • Configure Credential Delegation Group Policy;
  • Add RDS certificate thumbprint to trusted .rdp publishers using GPO.

Enable SSO Authentication on RDS Host with Windows Server 2022/2019/2016

First, you need to issue and assign an SSL certificate to your RDS deployment. The certificate must carry the Server Authentication identifier in its Enhanced Key Usage (EKU) extension. Obtaining an SSL certificate for an RDS deployment is beyond the scope of this article (you can create a self-signed SSL certificate yourself, but you must then deploy it to the trusted certificate store on all clients using Group Policy).

The certificate is assigned in the Certificates section of the RDS deployment properties.

rds certificate

Then, on all servers with the RD Web Access role, enable Windows Authentication and disable Anonymous Authentication for the RDWeb directory in IIS.

IIS Windows Authentication

After you save the changes, restart IIS:

iisreset /noforce

If Remote Desktop Gateway is used, make sure it is not used for internal clients (the Bypass RD Gateway server for local addresses option must be checked).

RD Gateway Deployment

Now you need to get the SSL certificate thumbprint of the RD Connection Broker and add it to the list of trusted RDP publishers. To do so, run the following PowerShell command on the RD Connection Broker host:

Get-Childitem CERT:\LocalMachine\My

Copy the thumbprint value of the certificate and add it to the Specify SHA1 thumbprints of certificates representing RDP publishers policy (Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Connection Client).

Specify SHA1 thumbprints of certificates representing RDP publishers
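The following PowerShell script is an added example (not part of the original article) for the Connection Broker step above: it picks the broker's Server Authentication certificate from the machine store, cross-checks it against the deployment's publishing certificate, and prints the thumbprint in the form the trusted publishers policy expects. rdcb.contoso.com is a placeholder for the broker's FQDN.

```powershell
# Added example, not from the original article: run on the RD Connection Broker to
# select its Server Authentication certificate, cross-check it against the
# deployment's publishing certificate, and print the thumbprint string for the
# "Specify SHA1 thumbprints of certificates representing RDP publishers" policy.
# rdcb.contoso.com is a placeholder for the broker's FQDN.
$BrokerFqdn    = 'rdcb.contoso.com'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, the EKU the article requires

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.DnsNameList.Unicode -contains $BrokerFqdn) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No unexpired Server Authentication certificate for $BrokerFqdn in Cert:\LocalMachine\My"
}

# Cross-check with what the RDS deployment actually uses for RemoteApp publishing
# (Get-RDCertificate comes with the RemoteDesktop module on the broker).
if (Get-Command Get-RDCertificate -ErrorAction SilentlyContinue) {
    $deployed = Get-RDCertificate -Role RDPublishing -ErrorAction SilentlyContinue
    if ($deployed.Thumbprint -and $deployed.Thumbprint -ne $cert.Thumbprint) {
        Write-Warning "RDPublishing certificate in the deployment ($($deployed.Thumbprint)) differs from the selected one"
    }
}

# The policy wants upper-case SHA1 hex with no spaces; several thumbprints are comma-separated.
$thumbprint = ($cert.Thumbprint -replace '\s', '').ToUpperInvariant()
"Subject    : $($cert.Subject)"
"Expires    : $($cert.NotAfter)"
"Thumbprint : $thumbprint"
```

If the warning fires, the certificate selected by name is not the one the deployment publishes RemoteApps with; use the deployment's thumbprint in the policy, since that is the one clients see on signed .rdp files.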

Configure Remote Desktop Single Sign-On on Windows clients

The next step is to configure the credential delegation policy for the user computers.

  1. Open the Domain Group Policy Management Console (gpmc.msc);
  2. Create a new domain GPO and link it to an OU with the users (computers) that need permission to use SSO to access the RDS server;
  3. Enable the Allow delegating default credentials policy under Computer Configuration -> Administrative Templates -> System -> Credentials Delegation;
  4. Add the names of the RDS hosts to which clients may automatically send user credentials for SSO authentication. Use the following format for each RDS host: TERMSRV/rd.contoso.com (all TERMSRV characters must be in upper case). If you need to allow credentials to be sent to all terminal servers in the domain (less secure), you can use the construct TERMSRV/*.contoso.com.

Then, to prevent a warning window stating that the remote application publisher is untrusted, add the address of the server running the RD Connection Broker role to the Trusted Sites zone on the client computer using the Site to Zone Assignment List policy (similar to the article How to disable Open File Security Warning on Windows 10):

  1. Go to the GPO section User/Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page;
  2. Enable the Site to Zone Assignment List policy;
  3. Specify the FQDN of the RD Connection Broker host and set its zone value to 2 (Trusted Sites).

Site to Zone Assignment: Trusted Zone

Next, enable the Logon options policy under User/Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Trusted Sites Zone and choose ‘Automatic logon with current username and password’ from the dropdown list.

Then navigate to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Connection Client and disable the Prompt for credentials on the client computer policy.

GPO: Do not prompt for credentials on client computer
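As an added example (not from the original article), the following PowerShell audit checks a client workstation for the policy values configured in the steps above once Group Policy has been applied. The registry locations are assumed from the corresponding ADMX templates, and rd.contoso.com is a placeholder for your RDS host.

```powershell
# Added example, not from the original article: audit a domain-joined client for the
# SSO policy values this article configures, after "gpupdate /force" has run.
# Registry locations are assumed from the corresponding ADMX templates; verify them
# against "gpresult /h" in your environment. rd.contoso.com is a placeholder name.
$ExpectedHosts = @('TERMSRV/rd.contoso.com')
$cd = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$ts = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$findings = New-Object System.Collections.Generic.List[string]

# 1. "Allow delegating default credentials" must be enabled (value 1).
$allow = (Get-ItemProperty -Path $cd -ErrorAction SilentlyContinue).AllowDefaultCredentials
if ($allow -ne 1) { $findings.Add('AllowDefaultCredentials is not enabled') }

# 2. The server list is stored as numbered values ("1", "2", ...) under a subkey.
#    Entries need the upper-case TERMSRV/ prefix; wildcards hand the user's
#    credentials to every matching host, so they are reported as a risk.
$entries = @()
if (Test-Path "$cd\AllowDefaultCredentials") {
    $entries = (Get-ItemProperty "$cd\AllowDefaultCredentials").PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { [string]$_.Value }
}
if (-not $entries) { $findings.Add('No server list under AllowDefaultCredentials') }
foreach ($e in $entries) {
    if ($e -cnotmatch '^TERMSRV/') { $findings.Add("Entry '$e' lacks the upper-case TERMSRV/ prefix") }
    if ($e -match '\*')            { $findings.Add("Entry '$e' is a wildcard: credentials go to any matching host") }
}
foreach ($h in $ExpectedHosts) {
    if ($entries -cnotcontains $h) { $findings.Add("Expected entry '$h' is missing") }
}

# 3. Trusted .rdp publisher thumbprints: comma-separated SHA1 values (40 hex characters each).
$tp = (Get-ItemProperty -Path $ts -ErrorAction SilentlyContinue).TrustedCertThumbprints
if (-not $tp) { $findings.Add('TrustedCertThumbprints is not set') }
else {
    foreach ($t in ($tp -split ',')) {
        if ($t.Trim() -notmatch '^[0-9A-Fa-f]{40}$') { $findings.Add("Thumbprint '$t' is not a 40-hex-digit SHA1 value") }
    }
}

if ($findings.Count -eq 0) { 'SSO client policy check: OK' }
else { $findings | ForEach-Object { "SSO client policy check: $_" } }
```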

After updating the Group Policy settings on the client, open the mstsc.exe (Remote Desktop Connection) client and specify the FQDN of the RDS host. The Username field automatically shows your name in user@domain format.

Your Windows logon credentials will be used to connect.

Now, when you start a RemoteApp or connect directly to a Remote Desktop Services host, you will not be prompted for your password.

To use the RD Gateway with SSO, enable the Set RD Gateway authentication method policy (User Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> RD Gateway) and set its value to Use locally logged-on credentials.

ActiveX Component Microsoft Remote Desktop Services Web Access Control (MsRdpClientShell)

Note that for Web SSO on RD Web Access it is recommended to use Internet Explorer with the ActiveX component Microsoft Remote Desktop Services Web Access Control (MsRdpClientShell, MsRdpWebAccess.dll).

In modern versions of Windows, Internet Explorer is disabled by default and you will need to use Microsoft Edge instead. To use RD Web with SSO you must open its URL in Microsoft Edge in compatibility mode (Edge will not run ActiveX components without compatibility mode).

For all client computers to be able to open RDWeb in compatibility mode, you need to install the Microsoft Edge Administrative Templates (ADMX) for Group Policy and configure the policy settings under Computer Configuration -> Administrative Templates -> Microsoft:

Possible errors:
