Hi, I’m Sergey, one of the developers on the team that produces Remote Desktop Services. In Windows Server 2008 R2, we introduced Web Single Sign-On (web SSO), which reduced the number of times a user was asked for credentials when accessing RemoteApp programs published through Remote Desktop Web Access (RD Web Access). Enabling this was complex and difficult for users. In this post, I’ll explain how easy it is to set this up in Windows Server 2012. It basically works “out of the box.”
To set up single sign-on when connecting through RD Web Access
If your deployment is based solely on Windows Server 2012 and/or Windows 8 virtual machine VDI, and all the clients support Remote Desktop Protocol (RDP) 8.0, no special configuration is required.
To set up single sign-on when connecting by using the RemoteApp and Desktop Connections feed subscription
It is now easier to configure SSO by using logged-on user credentials for the intranet users who are subscribed to a RemoteApp and Desktop Connections feed. To enable SSO, the administrator only needs to add the fully qualified domain name (FQDN) of the RD Connection Broker server (with a “TERMSRV/” prefix) to the server list of the corresponding Credentials Delegation Group Policy setting.
For more information about how to configure the Credentials Delegation policy setting for single sign-on, see How to enable single sign-on for my Terminal Server connections.
Note: Any other Credentials Delegation policy setting can be applied to the deployment the same way. Also, credentials saved when connecting to any resource in the deployment will work for the entire deployment.
Web SSO with Remote Desktop Gateway
When you add the Remote Desktop Gateway (RD Gateway) role service to your deployment, it is configured to support web SSO by default. The deployment RD Gateway property responsible for this is “Use RD Gateway credentials for remote computers.”
To view or change this property, open Server Manager, navigate to Server Manager > Remote Desktop Services > Overview, and in the DEPLOYMENT OVERVIEW section, on the TASKS menu, click Edit Deployment Properties (see the following screen shot).
In the Properties dialog box, select the RD Gateway tab. For web SSO to work with RD Gateway, select the Use RD Gateway credentials for remote computers check box, and set the Logon method to Password Authentication.
Limitations of the new web SSO
For the new web SSO to work, the RD Connection Broker server and the RD Session Host servers in the deployment must run Windows Server 2012, and all virtual desktops must run Windows 8. The accessing clients must support RDP 8.0. In mixed environments, you’ll have to configure web SSO the old way. As before, web SSO with smart cards is not supported.
I hope I’ve clearly shown how we have made web single sign-on much easier to set up so that you can more easily reduce credential prompts, which helps make the end user more productive. If you have any questions or comments, please comment on this blog post.