Hi James

The issue with this suggestion is that the external cert from Verisign is issued for Gateway.xyz.com & my farm is xyzFARM.xyz.com (where the apps are hosted).

I am not sure if this will work (maybe I am missing the point here totally). As I have said, I am very "poor" with certs; if I am missing the point, can you please clarify this for me?

I have been using the domain\username format to logon all along. The account I am using to test is on the root & not a child domain account, so I am not sure what impact this logon method will have when a user from a child domain logs on.

Thanks
Bill

On 22 May 2012 10:25, James Hill <[email protected]> wrote:

> It's been a while since I've set this up, but a cert from an external CA should be installed on the Gateways and the same cert set in RemoteApp as the cert to use. I don't recall the need for a cert for the RD hosts themselves.
>
> One thing that may be catching you is that when logging on to RD Web Access, ensure that just the username is entered. Domain\username can cause it to prompt when attempting to launch a RemoteApp. This is contrary to what the help text says to put in, but that one caught me out for quite a while.
>
> James.
>
> From: helpdesk UK [mailto:[email protected]]
> Sent: Tuesday, 22 May 2012 6:42 PM
> To: NT System Admin Issues
> Subject: Re: Web Single Sign on for Remote Web Access & Remote Desktop Services
>
> Hi James
>
> Thanks for your response.
>
> I cannot get the SSO to work externally as well.
>
> The current user experience is: logon to the webpage from home & they see all the correct icons; as soon as they click on any apps they get prompts for credentials.
>
> When I click on a Remote App I get prompted for authentication details. I (think) have made all the recommended changes to GPOs for SSO & the current state of the RD Host servers is that they have Self Signed certs on them (I know this is one of the reasons for SSO not working).
>
> Thanks
>
> Bill
>
> On 22 May 2012 00:09, James Hill <[email protected]> wrote:
>
> Just to clarify, SSO via RD Gateway is working correctly when accessed externally? You are just after how to make it work on the internal network?
>
> From: helpdesk UK [mailto:[email protected]]
> Sent: Tuesday, 22 May 2012 3:42 AM
> To: NT System Admin Issues
> Subject: Web Single Sign on for Remote Web Access & Remote Desktop Services
>
> Hi All
>
> I am in need of some help please with Remote Desktop Services & Single Sign On - both Web Access & Remote Desktop - certificates.
>
> My knowledge of certificate services is very poor.
>
> This is my setup. Environment is as follows:
>
> Active Directory
>
> Root Domain - xyz.local - no client devices present in the root; all client devices are in child domains across multiple sites.
> Child Domains - child.xyz.local
> I have my Enterprise CA on DC03.xyz.local, which is in the root.
>
> All Servers are Server 2008 R2.
>
> All Remote Desktop Services Servers are on the same VLAN & behind a Kemp LoadMaster.
>
> The Session Host Servers are using a VIP.
> The Remote Desktop Gateway Servers are using a VIP.
> Session Broker is not using a VIP (but might do in the future - I have not worked this out yet & would like to keep things simple for now & not use MNLB).
>
> Servers are:
> a. 4 Remote Desktop Session Host Servers hosting all apps - in a FARM configuration, Farm Name = xyzFARM.xyz.com
> b. 1 Session Broker Server
> c. 2 Remote Desktop Gateway Servers
>
> So coming to my problem:
>
> 1. I would like my users to have the following user experience - when they logon using https://gateway.xyx.com/rdweb I would like them to sign on with their child domain credentials (using either a domain device or home device) and then, once they sign on, click on a Remote app (i.e. Excel, which is hosted on a Remote Desktop Host server), which should not prompt for any further authentication.
>
> 2. When a user logs on using MSTSC, assuming the MSTSC client is configured for the correct gateway address, I would like them to logon to the Farm without any further prompts or warnings.
>
> I have one certificate purchased from Verisign for my Gateway servers & this seems to be working fine without any issues across both Gateway servers, which will be using TMG once the solution is stable after testing.
>
> I am not sure what to do internally & how the whole single sign on process should work - currently my Host servers are using Self Signed Certs, which we know causes issues.
>
> http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx
> &
> http://blogs.msdn.com/b/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx
>
> I am attempting to follow these but not sure how this will impact my child domains' devices. The first article talks about user policies & I am not hot with certificates by any means, but maybe client devices might be a better option.
>
> Can someone please assist me? I am going a bit bananas with all of this & can't seem to find any "Idiots" guide to this scenario.
>
> Thanks all
>
> Bill
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
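The mismatch Bill describes (a Verisign cert for Gateway.xyz.com but a farm named xyzFARM.xyz.com, plus self-signed certs on the RD hosts) is the kind of thing that is easier to see from the certificate store than from the error prompts. The following is an added example, not part of the thread or of any Microsoft tooling: a PowerShell check that lists, for each name the thread mentions, whether the computer's Personal store holds a CA-issued, currently valid certificate with a private key that covers that name via its Subject CN or a DNS SAN entry. It assumes PowerShell 2.0 or later with the Cert: provider and an English locale (the SAN parsing relies on the "DNS Name=" label that Format() emits).

```powershell
# Added example (not from the thread): report which RDS names are covered by a
# usable certificate in the local computer's Personal store. Run elevated on each
# RD Gateway / Session Host. Names below come from the thread; substitute yours.
$RequiredNames = @('gateway.xyz.com', 'xyzfarm.xyz.com')

function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    # Subject CN (what a single-name cert such as the Verisign one would carry)
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    # Subject Alternative Name extension, OID 2.5.29.17. Format() output is
    # locale-dependent; 'DNS Name=' is the English label (assumption).
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($m in [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    return $names | ForEach-Object { $_.ToLowerInvariant() } | Select-Object -Unique
}

function Test-NameCovered {
    param([string]$Name, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -eq $Name) { return $true }
        # A wildcard covers exactly one label: *.xyz.com matches gateway.xyz.com
        # but not host.child.xyz.com, so compare label counts as well.
        if ($n.StartsWith('*.') -and ($Name -like $n) -and
            ($Name.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}

$now   = Get-Date
$certs = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    New-Object PSObject -Property @{
        Thumbprint = $_.Thumbprint
        Names      = @(Get-CertDnsNames $_)
        SelfSigned = ($_.Subject -eq $_.Issuer)   # the thread's self-signed RD Host certs
        Valid      = ($_.NotBefore -le $now -and $_.NotAfter -ge $now)
        HasKey     = $_.HasPrivateKey
    }
}

foreach ($name in $RequiredNames) {
    $n = $name.ToLowerInvariant()
    $usable = $certs | Where-Object { -not $_.SelfSigned -and $_.Valid -and $_.HasKey -and (Test-NameCovered $n $_.Names) }
    if ($usable) { "$n : covered by " + (($usable | ForEach-Object { $_.Thumbprint }) -join ', ') }
    else         { "$n : NOT covered by a CA-issued, valid certificate with a private key" }
}
```

A name reported as NOT covered on a Session Host is exactly the state the thread describes for the farm name, and the fix is a certificate (from the enterprise CA or the external CA) whose CN or SAN includes that name, not a self-signed one.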
