Aug 28 2019 09:00 AM
Just set up a new RDS 2019 deployment, and am having an issue with getting prompted twice for credentials. Once when they sign into the web page, and once when they launch the remote desktop.
I've tried making this policy change, but it didn't seem to help -
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security
Set the “Always prompt for password upon connection” setting to Disabled
We have a pretty simple set up, broker and licensing running on one server, gateway and web running on another, and two session hosts.
This happens if I try internally or externally. Also, the certificate is showing trusted.
Any help would be appreciated.
Aug 28 2019 11:37 PM - edited Aug 28 2019 11:39 PM
Not all browsers support Single-Sign-On to an RDSH-Session from Web-Access. To test this make sure that you put your RD-WebAccess URI into the intranet site zone and use Internet Explorer instead of an alternative browser. If SSO works there, your configuration is correct.
Our RDSH-Farms work fine with SSO. We have https://*.ourdomain.com in the trusted sites list, defined as intranet site, and put a link to RD-Webaccess on the users' desktop, which opens with Internet Explorer.
Alternatively, if you just need a full Session for your end-users, and not other features of WebAccess, you could skip RD-WebAccess and just use a direct RDP-Connection. Download the .rdp file from Web Access and deploy it to your end users.
Aug 29 2019 04:37 AM
@dretzer Ok, so based on your response, is there no way to avoid the double logon for remote users for whom I may have no control over the system (or a device such as an iPad or Android tablet)?
We won't have a lot of internal use, and are trying to get people away from using IE.
We require two factor authentication (using DUO, which I've set up), so don't think the .rdp file would be a solution.
If there is no way to avoid it, that's fine, I just have to be prepared to explain that to our end users. This would be a change for them since they don't currently have to do this with Citrix.
Aug 29 2019 05:41 AM
You could try deploying RD-Webclient which should be included in Server 2019 RDSH-Deployments. This will allow you to have the RD-Session directly inside the browser (HTML5-capable browser only). It should work with all modern browsers, on PC, Mac, Tablets and Phones. Also this does not need a double-authentication so it would solve your particular problem as well.
Personally I hadn't the time to test RD-Webclient with Server 2019 yet, but you should definitely take a look at it: https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-deskto...
Apr 08 2020 07:44 AM
@dretzer Replying kind of late but installed the web client per the instructions, but must have done something wrong, I see no resources presented after I log in (currently only publishing a desktop).
Aug 04 2020 05:12 AM
@gillyx0101 Nope, sure haven't. It's probably the biggest factor holding us back from using RDS more widely.
Oct 09 2020 12:30 PM
Oct 09 2020 02:19 PM
@gillyx0101 Web Application Proxy supports the HTML5 client as of newer versions of the App Proxy agent (August 2020). Works pretty well with WHFB for a native AD joined client and gives SSO to the HTML5 web logon form whereupon it's time to enter those on-prem AD creds. It's nice to put RDS behind proper MFA with Conditional Access, but until true SSO can be integrated into the MFA/Remote Desktop, it's multiple prompts for logon.