Hi James

Thanks for your response

I cannot get the SSO to work externally as well.

The current user experience is: log on to the webpage from home & they see
all the correct icons; as soon as they click on any apps they get prompts
for credentials

When I click on a Remote App I get prompted for authentication details. I
(think) have made all the recommended changes to GPOs for SSO & the current
state of the RD Host servers is that they have Self Signed certs on them
(I know this is one of the reasons for SSO not working)

Thanks

Bill



On 22 May 2012 00:09, James Hill <[email protected]> wrote:

> Just to clarify, SSO via RD Gateway is working correctly when accessed
> externally?  You are just after how to make it work on the internal network?
>
> *From:* helpdesk UK [mailto:[email protected]]
> *Sent:* Tuesday, 22 May 2012 3:42 AM
> *To:* NT System Admin Issues
> *Subject:* Web Single Sign on for Remote Web Access & Remote Desktop
> Services
>
> Hi All
>
> I am in need of some help please with Remote Desktop Services & Single
> Sign On - Both Web Access & Remote Desktop - Certificates
>
> My knowledge of certificate services is very poor
>
> This is my setup
>
> Environment is as follows
>
> Active Directory
>
> Root Domain - xyz.local - No client devices present in the root; all
> client devices are in child domains across multiple sites
>
> Child Domains - child.xyz.local
>
> I have my Enterprise CA on - DC03.xyz.local which is in the root
>
> All Servers are Server 2008 R2
>
> All Remote Desktop Services Servers are on the same VLAN & behind a Kemp
> LoadMaster
>
> The Session Host Servers are using a VIP
>
> The Remote Desktop Gateway Servers are using a VIP
>
> Session Broker is not using VIP (but might do in the future - I have not
> worked this out yet & would like to keep things simple for now & not use
> MNLB)
>
> Servers are
>
> a. 4 Remote Desktop Session Host Servers hosting all apps - in a FARM
> configuration Farm Name = xyzFARM.xyz.com
>
> b. 1 Session Broker Server
>
> c. 2 Remote Desktop Gateway Servers
>
> So coming to my problem
>
> 1. I would like my users to have the following user experience - When
> they log on using https://gateway.xyx.com/rdweb I would like them to
> sign on with their child domain credentials (using either a domain device
> or home device) and then once they sign on click on a Remote app
> (i.e. Excel which is hosted on Remote Desktop Host server) which should not
> prompt for any further authentication
>
> 2. When a user logs on using MSTSC, assuming the MSTSC client is configured
> for the correct gateway address, I would like them to log on to the Farm
> without any further prompts or warning.
>
> I have one certificate purchased from Verisign for my Gateway servers &
> this seems to be working fine without any issues across both Gateway
> servers which will be using TMG once the solution is stable after testing
>
> I am not sure what to do internally & how the whole single sign on process
> should work - currently my Host servers are using Self Signed Certs - which
> we know causes issues
>
> http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx
> &
> http://blogs.msdn.com/b/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx
>
> I am attempting to follow these but not sure how this will impact my child
> domains devices. The first article talks about user policies & I am not hot
> with certificates by any means but maybe client devices might be a better
> option.
>
> Can someone please assist me, I am going a bit bananas with all of this &
> can't seem to find any "Idiots" guide to this scenario
>
> Thanks all
>
> Bill
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
>
