Grant B2B users access to on-premise RDS servers (apps)

%3CLINGO-SUB%20id%3D%22lingo-sub-362501%22%20slang%3D%22en-US%22%3ERe%3A%20Grant%20B2B%20users%20access%20to%20on-premise%20RDS%20servers%20(apps)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-362501%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20JM_Tech%2C%20no%20but%20it%20has%20been%20a%20while%20that%20we%20tested%20this.%20For%20now%20we%20just%20have%20to%20live%20with%20it%20that%20we%20manage%20seperate%20accounts.%20But%20this%20gives%20lots%20of%20extra%20support%20calls.%20So%20like%20you%20said%20it%20would%20be%20great%20if%20a%20full%20SSO%20solution%20is%20possible.%20Partners%2C%20etc%20can%20then%20just%20manage%20their%20own%20accounts.%20When%20i%20have%20some%20time%20i%20will%20try%20to%20test%20this%20again.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-362498%22%20slang%3D%22en-US%22%3ERe%3A%20Grant%20B2B%20users%20access%20to%20on-premise%20RDS%20servers%20(apps)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-362498%22%20slang%3D%22en-US%22%3E%3CP%3EThx%20for%20the%20reply!%20Nice%20to%20hear%20that%20it%20could%20work%20for%20on-premise%20applications.%20It%20has%20been%20almost%20a%20year%20ago%20that%20we%20tried%20this%20solution%20with%20RDS%2C%20maybe%20things%20have%20been%20improved.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-361318%22%20slang%3D%22en-US%22%3ERe%3A%20Grant%20B2B%20users%20access%20to%20on-premise%20RDS%20servers%20(apps)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-361318%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F293474%22%20target%3D%22_blank%22%3E%40Axians_CSS%3C%2FA%3E%26nbsp%3B%20did%20you%20get%20this%20to%20work%3F%20still%20trying%3F%20or%20not%20possible%3F%20as%20you%20pointed%20out%20would%20be%20great%20to%20be%20able%20to%20use%20something%20like%20AD%20B2B%20to%20provide%20RDS%20based%20desktops%20and%20apps%20to%20external%20partners%20and%20let%20them%20manage%20their%20own%20password%20resets%20etc.%20Cheers!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-359458%22%20slang%3D%22en-US%22%3ERe%3A%20Grant%20B2B%20users%20access%20to%20on-premise%20RDS%20servers%20(apps)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-359458%22%20slang%3D%22en-US%22%3EI%20can't%20tell%20you%20if%20and%20how%20well%20it%20works%20with%20RDS%20but%20for%20other%20apps%20I%20got%20this%20working.%20You%20can%20create%20shadow%20accounts%20in%20your%20AD%20with%20matching%20UPNs%20and%20use%20KCD%20at%20the%20AppProxy.%3CBR%20%2F%3EThe%20trick%20is%20to%20use%20the%20UPN%20of%20the%20guest%20account%20in%20the%20format%20name_domain%23EXT%40tenant.onmicrosoft.com%3CBR%20%2F%3E%3CBR%20%2F%3EIn%20my%20case%20the%20users%20don't%20need%20to%20know%20the%20passwords%20of%20their%20OnPrem%20AD%20user%20and%20we%20can%20deny%20interactive%20logons.%20In%20combination%20with%20the%20restrictions%20for%20guest%20users%20in%20the%20tenant%20the%20design%20is%20increasing%20security.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-358782%22%20slang%3D%22en-US%22%3EGrant%20B2B%20users%20access%20to%20on-premise%20RDS%20servers%20(apps)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-358782%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20there%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI've%20been%20looking%20for%20this%20issue%20on%20the%20internet%2C%20but%20can't%20really%20find%20a%20good%20answer%20or%20solution.%20We%20have%20a%20on-premise%20(iaas)%202016%20RDS%20(mainly%20remoteapp)%20solution%20that%20we%20would%20like%20to%20share%20with%20other%20companies.%20Basicly%20through%20RDWeb.%20This%20is%20no%20problem%20when%20we%20give%20them%20user%20accounts%20from%20our%20RDS%20domain.%20But%20more%20and%20more%20often%20they%20want%20SSO%20with%20there%20own%20user%20accounts%20(AzureAD%2C%20ADFS%2C%20etc).%20I%20know%20we%20can%20make%20it%20work%20with%20a%20domain%20trust%2C%20but%20that%20is%20something%20usually%20out%20of%20the%20question.%20Begin%202018%20we%20have%20been%20looking%20at%20the%20Azure%20B2B%20connector%20and%20publishd%20the%20RDWeb%20with%20the%20AD%20application%20proxy.%20(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fnl-nl%2Fazure%2Factive-directory%2Fb2b%2Fhybrid-cloud-to-on-premises%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fnl-nl%2Fazure%2Factive-directory%2Fb2b%2Fhybrid-cloud-to-on-premises%3C%2FA%3E).%20With%20a%20shadow%20account%20we%20could%20make%20it%20possible%20to%20access%20SSO%20to%20the%20RDWeb%2C%20but%20from%20there%2C%20starting%20remote%20apps%2C%20desktop%20wasn't%20possible.%20So%20...%20the%20question%20is%3F%20Is%20this%20possible%3F%20SSO%20for%20external%20(other%20domains)%20access%20to%20our%20RDS%20solution%3F%20Anyone%20got%20a%20simular%20situation%20or%20some%20kind%20of%20direction%3F%20I%20know%20Citrix%20has%20a%20simular%20solution%20with%20FAS%20and%20b2b%2C%20but%20we%20would%20rather%20stick%20with%20a%20Microsoft%20only%20solution.%20Thx!%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-358782%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EB2B%20collaboration%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
New Contributor

Hi there,

 

I've been looking for this issue on the internet, but can't really find a good answer or solution. We have a on-premise (iaas) 2016 RDS (mainly remoteapp) solution that we would like to share with other companies. Basicly through RDWeb. This is no problem when we give them user accounts from our RDS domain. But more and more often they want SSO with there own user accounts (AzureAD, ADFS, etc). I know we can make it work with a domain trust, but that is something usually out of the question. Begin 2018 we have been looking at the Azure B2B connector and publishd the RDWeb with the AD application proxy. (https://docs.microsoft.com/nl-nl/azure/active-directory/b2b/hybrid-cloud-to-on-premises). With a shadow account we could make it possible to access SSO to the RDWeb, but from there, starting remote apps, desktop wasn't possible. So ... the question is? Is this possible? SSO for external (other domains) access to our RDS solution? Anyone got a simular situation or some kind of direction? I know Citrix has a simular solution with FAS and b2b, but we would rather stick with a Microsoft only solution. Thx! 

4 Replies
I can't tell you if and how well it works with RDS but for other apps I got this working. You can create shadow accounts in your AD with matching UPNs and use KCD at the AppProxy.
The trick is to use the UPN of the guest account in the format name_domain#EXT@tenant.onmicrosoft.com

In my case the users don't need to know the passwords of their OnPrem AD user and we can deny interactive logons. In combination with the restrictions for guest users in the tenant the design is increasing security.

@Axians_CSS  did you get this to work? still trying? or not possible? as you pointed out would be great to be able to use something like AD B2B to provide RDS based desktops and apps to external partners and let them manage their own password resets etc. Cheers!

Thx for the reply! Nice to hear that it could work for on-premise applications. It has been almost a year ago that we tried this solution with RDS, maybe things have been improved. 

Hi JM_Tech, no but it has been a while that we tested this. For now we just have to live with it that we manage seperate accounts. But this gives lots of extra support calls. So like you said it would be great if a full SSO solution is possible. Partners, etc can then just manage their own accounts. When i have some time i will try to test this again.