
We are essentially trying to provide a single sign-on scenario with a few of our products.

We would prefer to allow customers on their own machines (which are not in our control and cannot have the machine on our own active directory) to be able to log into a web application using a set of username/password credentials (authenticated against our domain), and from within there launch a link to an RDP session (either locally by using a URI handler we will install or using RD Web Access).

We of course then have the problem that the user is asked for their domain credentials (on our domain) again, and there seems to be no way for us to be able to pass a token of some kind from our web app (which has already authenticated against our AD) to allow SSO.

http://blogs.msdn.com/b/rds/archive/2007/04/19/how-to-enable-single-sign-on-for-my-terminal-server-connections.aspx seems to indicate that this is just not possible at the moment. Is that correct?

I've looked at a few options:

- RD Web Access SSO (only gets halfway there and only works if the client is on the domain too) - http://blogs.msdn.com/b/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx
- Storing and forwarding the originally captured username/password - which is just shocking from a security point of view.

Any ideas?

Kieran Benton
  • Have you checked MS's Federation Service? – pfo Apr 18 '12 at 17:26
  • That sounds like it might be applicable, but there is no mention I can see of any integration with remote desktop or terminal services. Do you know of something specific? – Kieran Benton Apr 18 '12 at 17:35
  • 1
    Even if AD Federation Services worked with TS/RDS (which I don't believe it does) you'd have to set it up between your AD domain and all of your customers AD domains (assuming all of your customers are in their own AD domain) which is no mean feat. – joeqwerty Apr 19 '12 at 03:13
  • Links are now broken, anyone have a replacement? – duct_tape_coder Feb 15 '19 at 22:48

1 Answer

I believe the answer would be "not with the Microsoft RD client" - it supports either username/password combinations or forwarding the NTLM logon credentials (which are not what you want in a non-domain environment). A possible option would be to use a virtual smart card which would pull a short-lived certificate off your web server, but this not only would require software installation on your clients' computers, but also an extensive (i.e. lengthy and probably expensive) certification process for the drivers it would need.

You might consider using third party products (like Citrix XenDesktop) where your scenario (authentication passthrough after a web portal logon) is supported.

the-wabbit
  • Thanks, that's confirmed my suspicions. Don't suppose you can point me to any Citrix documentation on the area? It'd be good to know how pluggable this is before we engage them. Thanks! – Kieran Benton Apr 19 '12 at 07:12