RDS 2019 Getting Prompted for Credentials Twice

%3CLINGO-SUB%20id%3D%22lingo-sub-827160%22%20slang%3D%22en-US%22%3ERDS%202019%20Getting%20Prompted%20for%20Credentials%20Twice%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-827160%22%20slang%3D%22en-US%22%3E%3CP%3E%3CFONT%20size%3D%223%22%3EJust%20set%20up%20a%20new%20RDS%202019%20deployment%2C%20and%20am%20having%20an%20issue%20with%20getting%20prompted%20twice%20for%20credentials.%26nbsp%3B%20Once%20when%20they%20sign%20into%20the%20web%20page%2C%20and%20once%20when%20they%20launch%20the%20remote%20desktop.%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%223%22%3EI've%20tried%20making%20this%20policy%20change%2C%20but%20it%20didn't%20seem%20to%20help%20-%26nbsp%3B%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%222%22%3E%3CSTRONG%3EComputer%20Configuration%5CAdministrative%20Templates%5CWindows%20Components%5CRemote%20Desktop%20Services%5CRemote%20Desktop%20Session%20Host%5CSecurity%3C%2FSTRONG%3E%E2%80%9D%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%222%22%3ESet%20the%20%E2%80%9C%3CSTRONG%3EAlways%20prompt%20for%20password%20upon%20connection%3C%2FSTRONG%3E%E2%80%9D%20setting%20to%20%3CSTRONG%3EDisabled%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%20size%3D%223%22%3EWe%20have%20a%20pretty%20simple%20set%20up%2C%20broker%20and%20licensing%20running%20on%20one%20server%2C%20gateway%20and%20web%20running%20on%20another%2C%20and%20two%20session%26nbsp%3B%3C%2FFONT%3E%3CFONT%20size%3D%222%22%3E%3CFONT%20size%3D%223%22%3Ehosts.%26nbsp%3B%3C%2FFONT%3E%20%26nbsp%3B%3C%2FFONT%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20happens%20if%20I%20try%20internally%20or%20externally.%26nbsp%3B%20Also%2C%20the%20certificate%20is%20showing%20trusted.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20help%20would%20be%20appreciated.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-827160%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EWindows%20Server%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-828558%22%20slang%3D%22en-US%22%3ERe%3A%20RDS%202019%20Getting%20Prompted%20for%20Credentials%20Twice%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-828558%22%20slang%3D%22en-US%22%3E%3CP%3ENot%20all%20browsers%20support%20Single-Sign-On%20to%20a%20RDSH-Session%20from%20Web-Access.%20To%20test%20this%20make%20sure%20that%20you%20put%20your%20RD-WebAccess%20URI%20into%20the%20intranet%20site%20zone%20and%20use%20Internet%20Explorer%20instead%20of%20an%20alternative%20browser.%20If%20SSO%20works%20there%2C%20your%20configuration%20is%20correct.%3C%2FP%3E%3CP%3EOur%20RDSH-Farms%20works%20fine%20with%20SSO.%20We%20have%20https%3A%2F%2F*.ourdomain.com%20in%20the%20trusted%20sites%20list%2C%20defined%20as%20intranet%20site%2C%20and%20put%20a%20link%20to%20RD-Webaccess%20on%20the%20users%20desktop%2C%20which%20opens%20with%20Internet%20Explorer.%3C%2FP%3E%3CP%3EAlternatively%2C%20if%20you%20just%20need%20a%20full%20Session%20for%20your%20end-users%2C%20and%20not%20other%20features%20of%20WebAccess%2C%20you%20could%20skip%20RD-WebAccess%20and%20just%20use%20a%20direct%20RDP-Connection.%20Download%20the%20.rdp%20file%20from%20Web%20Access%20and%20deploy%20it%20to%20your%20endusers.%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F141531%22%20target%3D%22_blank%22%3E%40Faye%20Jasman%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-828855%22%20slang%3D%22en-US%22%3ERe%3A%20RDS%202019%20Getting%20Prompted%20for%20Credentials%20Twice%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-828855%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F261242%22%20target%3D%22_blank%22%3E%40dretzer%3C%2FA%3E%26nbsp%3BOk%2C%20so%20based%20on%20your%20response%2C%20is%20there%20no%20way%20to%20avoid%20the%20double%20logon%20for%20remote%20users%20for%20whom%20I%20may%20have%20no%20control%20over%20the%20system%20(or%20a%20device%20such%20as%20an%20iPad%20or%20Android%20tablet)%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20won't%20have%20a%20lot%20of%20internal%20use%2C%20and%20are%20trying%20to%20get%20people%20away%20from%20using%20IE.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20require%20two%20factor%20authentication%20(using%20DUO%2C%20which%20I've%20set%20up)%2C%20so%20don't%20think%20the%20.rdp%20file%20would%20be%20a%20solution.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20there%20is%20no%20way%20to%20avoid%20it%2C%20thats%20fine%2C%20I%20just%20have%20to%20be%20prepared%20to%20explain%20that%20to%20our%20end%20users.%26nbsp%3B%20This%20would%20be%20a%20change%20for%20them%20since%20they%20don't%20currently%20have%20to%20do%20this%20with%20Citrix.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-828999%22%20slang%3D%22en-US%22%3ERe%3A%20RDS%202019%20Getting%20Prompted%20for%20Credentials%20Twice%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-828999%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20could%20try%20deploying%20RD-Webclient%20which%20should%20be%20included%20in%20Server%202019%20RDSH-Deployments.%20This%20will%20allow%20you%20to%20have%20the%20RD-Session%20directly%20inside%20the%20browser%20(HTML5-capable%20browser%20only).%20It%20should%20work%20with%20all%20modern%20browsers%2C%20on%20PC%2C%20Mac%2C%20Tablets%20and%20Phones.%20Also%20this%20does%20not%20need%20a%20double-authentication%20so%20it%20would%20solve%20your%20particular%20problem%20as%20well.%3C%2FP%3E%3CP%3EPersonally%20I%20hand't%20the%20time%20to%20test%20RD-Webclient%20with%20Server%202019%20yet%2C%20but%20you%20should%20definitely%20take%20a%20look%20at%20it%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fremote%2Fremote-desktop-services%2Fclients%2Fremote-desktop-web-client-admin%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fremote%2Fremote-desktop-services%2Fclients%2Fremote-desktop-web-client-admin%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F141531%22%20target%3D%22_blank%22%3E%40Faye%20Jasman%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-829000%22%20slang%3D%22en-US%22%3ERe%3A%20RDS%202019%20Getting%20Prompted%20for%20Credentials%20Twice%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-829000%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F261242%22%20target%3D%22_blank%22%3E%40dretzer%3C%2FA%3E%26nbsp%3BThanks%2C%20I'll%20give%20that%20a%20try%20and%20let%20you%20know%20how%20it%20goes.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1292141%22%20slang%3D%22en-US%22%3ERe%3A%20RDS%202019%20Getting%20Prompted%20for%20Credentials%20Twice%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1292141%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F261242%22%20target%3D%22_blank%22%3E%40dretzer%3C%2FA%3E%26nbsp%3BReplying%20kind%20of%20late%20but%20installed%20the%20web%20client%20per%20the%20instructions%2C%20but%20must%20have%20done%20something%20wrong%2C%20I%20see%20no%20resources%20presented%20after%20I%20log%20in%20(currently%20only%20publishing%20a%20desktop).%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1562777%22%20slang%3D%22en-US%22%3ERe%3A%20RDS%202019%20Getting%20Prompted%20for%20Credentials%20Twice%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1562777%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F141531%22%20target%3D%22_blank%22%3E%40Faye%20Jasman%3C%2FA%3E%26nbsp%3Bdid%20you%20ever%20get%20this%20working%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1565017%22%20slang%3D%22en-US%22%3ERe%3A%20RDS%202019%20Getting%20Prompted%20for%20Credentials%20Twice%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1565017%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F747951%22%20target%3D%22_blank%22%3E%40gillyx0101%3C%2FA%3E%26nbsp%3BNope%2C%20sure%20haven't.%26nbsp%3B%20Its%20probably%20the%20biggest%20factor%20holding%20us%20back%20from%20using%20RDS%20more%20widely.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1765884%22%20slang%3D%22en-US%22%3ERe%3A%20RDS%202019%20Getting%20Prompted%20for%20Credentials%20Twice%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1765884%22%20slang%3D%22en-US%22%3EIts%20a%20shame%20theres%20no%20easy%20fix%20for%20this.%20I%20don't%20think%20this%20would%20be%20acceptable%20for%20our%20user%20base%20also.%20In%20our%20test%20environment%20I%20ended%20up%20deploying%20the%20web%20client%20(HTML%205)%20version%2C%20which%20has%20a%20nicer%20look%20and%20feel%20and%20doesn't%20have%20the%20issue%20of%20logging%20in%20twice.%20Maybe%20this%20might%20be%20an%20option%20for%20your%20environment%3F%20Having%20said%20this%20I%20did%20run%20into%20issues%20when%20publishing%20through%20a%20web%20application%20proxy%20as%20it%20does%20not%20support%20web%20sockets%20(as%20long%20as%20you%20have%20a%20supporting%20firewall%2Fload%20balancer%20this%20shouldn't%20be%20an%20issue).%20The%20other%20point%20to%20note%20is%20not%20all%20MFA%20providers%20support%20HTML%205%20web%20version.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1766284%22%20slang%3D%22en-US%22%3ERe%3A%20RDS%202019%20Getting%20Prompted%20for%20Credentials%20Twice%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1766284%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F747951%22%20target%3D%22_blank%22%3E%40gillyx0101%3C%2FA%3E%26nbsp%3BWeb%20Application%20Proxy%20supports%20the%20HTML5%20client%20as%20of%20newer%20versions%20of%20the%20App%20Proxy%20agent%20(August%202020).%26nbsp%3B%20Works%20pretty%20well%20with%20WHFB%20for%20a%20native%20AD%20joined%20client%20and%20gives%20SSO%20to%20the%20HTML5%20web%20logon%20form%20whereupon%20it's%20time%20to%20enter%20those%20on-prem%20AD%20creds.%26nbsp%3B%20It's%20nice%20to%20put%20RDS%20behind%20proper%20MFA%20with%20Conditional%20Access%2C%20but%20until%20true%20SSO%20can%20be%20integrated%20into%20the%20MFA%2FRemote%20Desktop%2C%20it's%20multiple%20prompts%20for%20logon.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

Just set up a new RDS 2019 deployment, and am having an issue with getting prompted twice for credentials.  Once when they sign into the web page, and once when they launch the remote desktop.

 

I've tried making this policy change, but it didn't seem to help - 

Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security

Set the “Always prompt for password upon connection” setting to Disabled

 

We have a pretty simple set up, broker and licensing running on one server, gateway and web running on another, and two session hosts.   

 

This happens if I try internally or externally.  Also, the certificate is showing trusted.

 

Any help would be appreciated.

 

9 Replies
Highlighted

Not all browsers support Single-Sign-On to a RDSH-Session from Web-Access. To test this make sure that you put your RD-WebAccess URI into the intranet site zone and use Internet Explorer instead of an alternative browser. If SSO works there, your configuration is correct.

Our RDSH-Farms works fine with SSO. We have https://*.ourdomain.com in the trusted sites list, defined as intranet site, and put a link to RD-Webaccess on the users desktop, which opens with Internet Explorer.

Alternatively, if you just need a full Session for your end-users, and not other features of WebAccess, you could skip RD-WebAccess and just use a direct RDP-Connection. Download the .rdp file from Web Access and deploy it to your endusers.

@Faye Jasman 

Highlighted

@dretzer Ok, so based on your response, is there no way to avoid the double logon for remote users for whom I may have no control over the system (or a device such as an iPad or Android tablet)?

 

We won't have a lot of internal use, and are trying to get people away from using IE.  

 

We require two factor authentication (using DUO, which I've set up), so don't think the .rdp file would be a solution.

 

If there is no way to avoid it, thats fine, I just have to be prepared to explain that to our end users.  This would be a change for them since they don't currently have to do this with Citrix.

 

Thanks

Highlighted

You could try deploying RD-Webclient which should be included in Server 2019 RDSH-Deployments. This will allow you to have the RD-Session directly inside the browser (HTML5-capable browser only). It should work with all modern browsers, on PC, Mac, Tablets and Phones. Also this does not need a double-authentication so it would solve your particular problem as well.

Personally I hand't the time to test RD-Webclient with Server 2019 yet, but you should definitely take a look at it: https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-deskto...

 

@Faye Jasman 

Highlighted

@dretzer Thanks, I'll give that a try and let you know how it goes.

Highlighted

@dretzer Replying kind of late but installed the web client per the instructions, but must have done something wrong, I see no resources presented after I log in (currently only publishing a desktop).

Highlighted

@Faye Jasman did you ever get this working ?

Highlighted

@gillyx0101 Nope, sure haven't.  Its probably the biggest factor holding us back from using RDS more widely.

Highlighted
Its a shame theres no easy fix for this. I don't think this would be acceptable for our user base also. In our test environment I ended up deploying the web client (HTML 5) version, which has a nicer look and feel and doesn't have the issue of logging in twice. Maybe this might be an option for your environment? Having said this I did run into issues when publishing through a web application proxy as it does not support web sockets (as long as you have a supporting firewall/load balancer this shouldn't be an issue). The other point to note is not all MFA providers support HTML 5 web version.
Highlighted

@gillyx0101 Web Application Proxy supports the HTML5 client as of newer versions of the App Proxy agent (August 2020).  Works pretty well with WHFB for a native AD joined client and gives SSO to the HTML5 web logon form whereupon it's time to enter those on-prem AD creds.  It's nice to put RDS behind proper MFA with Conditional Access, but until true SSO can be integrated into the MFA/Remote Desktop, it's multiple prompts for logon.