Remote Desktop Web Access single sign-on now easier to enable in Windows Server 2012
First published on CloudBlogs on Jun 25, 2012
This is an old post. To learn about Remote Desktop Web Access, please visit the RDS documentation page.
Hi, I’m Sergey, one of the developers on the team that produces Remote Desktop Services. In Windows Server 2008 R2, we introduced Web Single Sign-On (web SSO), which reduced the number of times a user was asked for credentials when accessing RemoteApp programs published through Remote Desktop Web Access (RD Web Access). Enabling this was complex and difficult for users. In this post, I'll explain how easy it is to set this up in Windows Server 2012. It basically works "out of the box."
To set up single sign-on when connecting through RD Web Access
If your deployment is based solely on Windows Server 2012 and/or Windows 8 virtual machine VDI, and all the clients support Remote Desktop Protocol (RDP) 8.0, no special configuration is required.
To set up single sign-on when connecting by using the RemoteApp and Desktop Connections feed subscription
It is now easier to configure SSO by using logged-on user credentials for the intranet users who are subscribed to a RemoteApp and Desktop Connections feed. To enable SSO, the administrator only needs to add the fully qualified domain name (FQDN) of the RD Connection Broker server (with a “TERMSRV/” prefix) to the server list of the corresponding Credentials Delegation Group Policy setting.
For more information about how to configure the Credentials Delegation policy setting for single sign-on, see How to enable single sign-on for my Terminal Server connections.
Note: Any other Credentials Delegation policy setting can be applied to the deployment the same way. Also, credentials saved when connecting to any resource in the deployment will work for the entire deployment.
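To check what the delegation server list on a client actually contains, the following PowerShell (an added example, not part of the original post) audits the entries and flags anything broader than the single RD Connection Broker entry described above. It assumes the setting in use is "Allow delegating default credentials", which Group Policy stores as string values under the registry key shown; the broker name `rdcb.contoso.com` and the function names are placeholders chosen for illustration.

```powershell
# Added example: audit the server list behind "Allow delegating default credentials".
# Assumption: the list was applied through Group Policy, which stores each entry
# as a string value under this key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials'

function Get-DelegationList {
    # Returns the configured entries, or an empty list if the policy is not set.
    if (-not (Test-Path $PolicyKey)) { return @() }
    $key = Get-Item $PolicyKey
    $key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) }
}

function Test-DelegationList {
    param(
        [string[]]$Entries,      # entries from the policy's server list
        [string]$BrokerFqdn      # FQDN of the RD Connection Broker (placeholder)
    )
    $expected = "TERMSRV/$BrokerFqdn"
    $findings = foreach ($e in $Entries) {
        $status = if ($e -eq $expected)            { 'OK: broker entry' }
                  elseif ($e -match '\*')          { 'RISK: wildcard, credentials delegated to many hosts' }
                  elseif ($e -notmatch '^TERMSRV/') { 'CHECK: missing TERMSRV/ prefix' }
                  else                             { 'CHECK: additional host' }
        [pscustomobject]@{ Entry = $e; Status = $status }
    }
    # The post's requirement: the broker FQDN with the TERMSRV/ prefix must be listed.
    if ($Entries -notcontains $expected) {
        $findings = @($findings) + [pscustomobject]@{ Entry = $expected; Status = 'MISSING: broker not in list' }
    }
    $findings
}

# Constructed sample list (not taken from a real deployment).
$sample = 'TERMSRV/rdcb.contoso.com', 'TERMSRV/*.contoso.com', 'rdcb.contoso.com', 'TERMSRV/*'
Test-DelegationList -Entries $sample -BrokerFqdn 'rdcb.contoso.com' | Format-Table -AutoSize

# On a client, audit the applied policy instead of the sample:
# Test-DelegationList -Entries (Get-DelegationList) -BrokerFqdn 'rdcb.contoso.com'
```

Because the user's logged-on credentials are delegated to every server the list matches, a wildcard entry widens that exposure well beyond the one broker entry the post calls for.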
Web SSO with Remote Desktop Gateway
When you add the Remote Desktop Gateway (RD Gateway) role service to your deployment, it is configured to support web SSO by default. The deployment RD Gateway property responsible for this is “Use RD Gateway credentials for remote computers.”
To view or change this property, open Server Manager, navigate to Server Manager > Remote Desktop Services > Overview, and in the section, on the Edit Deployment Properties (see the following screen shot).
In the Properties dialog box, select the tab. For web SSO to work with RD Gateway, select the Use RD Gateway credentials for remote computers check box, and set the
Limitations of the new web SSO
For the new web SSO to work, the RD Connection Broker server and the RD Session Host servers in the deployment must run Windows Server 2012, and all virtual desktops must run Windows 8. The accessing clients must support RDP 8.0. In mixed environments, you’ll have to configure web SSO the old way. As before, web SSO with smart cards is not supported.
I hope I’ve clearly shown how we have made web single sign-on much easier to set up so that you can more easily reduce credential prompts, which helps make the end user more productive. If you have any questions or comments, please comment on this blog post.