SSO (Single Sign On) thoughts on RDS (Remote Desktop Services) 2012

December 14, 2012

Recently, for one of my enterprise banking customers, I configured SSO for a Windows Server 2012 Remote Desktop Services solution.

But while I was searching for possible solutions, I realised that the very first thing you need to settle is: for which part of RDS do you want to enable SSO? This is a critical question, because if you search for an SSO solution for RDS you will most probably come up with the following article:

http://blogs.msdn.com/b/rds/archive/2012/06/25/remote-desktop-web-access-single-sign-on-now-easier-to-enable-in-windows-server-2012.aspx

Yes, this is the right article for configuring SSO in the new version of RDS. Let's discuss it a little.

If you want to enable SSO for your RemoteApp programs, you need to modify the "Allow delegating default credentials" setting under Credentials Delegation in Group Policy and add your servers to its list in the form TERMSRV/<server name>. You can reference the following article to configure this specific policy:

http://blogs.msdn.com/b/rds/archive/2007/04/19/how-to-enable-single-sign-on-for-my-terminal-server-connections.aspx

If you configure the settings above you will have SSO for RemoteApp sessions. For instance, if your domain users log on to their computers with domain credentials, they will not need to re-enter them for RemoteApp programs.
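The policy above is usually pushed with a GPO, but when you need to test it on one client, or check what a GPO actually delivered, it helps to see its registry footprint. The script below is an added example and not part of the original post or of Microsoft's guidance; it writes the same policy-backed keys that the Credentials Delegation GPO writes, and then reads them back. The host names are assumptions; replace them with your own RD Session Host and RD Connection Broker names, and run it elevated.

```powershell
# Added example: configure "Allow delegating default credentials" locally via the
# policy registry keys that the Credentials Delegation GPO manages, then verify.
# Host names below are assumptions for illustration only.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$spnKey    = Join-Path $policyKey 'AllowDefaultCredentials'

# Prefer explicit servers over TERMSRV/*: a wildcard sends the user's logon
# credentials to ANY RDP server they connect to, which turns every rogue RDP
# host into a credential-harvesting point.
$rdsSpns = @(
    'TERMSRV/rdsh01.contoso.com',   # assumed RD Session Host
    'TERMSRV/rdsh02.contoso.com',   # assumed RD Session Host
    'TERMSRV/rdcb.contoso.com'      # assumed RD Connection Broker
)

function Set-CredentialDelegation {
    param([Parameter(Mandatory)][string[]]$Spns)

    New-Item -Path $policyKey -Force | Out-Null
    New-Item -Path $spnKey    -Force | Out-Null

    # Enable the policy and merge the list with the OS default list
    # (the "Concatenate OS defaults with input above" checkbox in the GPO).
    Set-ItemProperty -Path $policyKey -Name 'AllowDefaultCredentials'          -Type DWord -Value 1
    Set-ItemProperty -Path $policyKey -Name 'ConcatenateDefaults_AllowDefault' -Type DWord -Value 1

    # The server list lives as REG_SZ values named "1", "2", ... under the subkey.
    # Remove stale entries first so decommissioned hosts do not linger.
    Get-Item -Path $spnKey | Select-Object -ExpandProperty Property |
        ForEach-Object { Remove-ItemProperty -Path $spnKey -Name $_ }

    $index = 1
    foreach ($spn in $Spns) {
        Set-ItemProperty -Path $spnKey -Name ([string]$index) -Type String -Value $spn
        $index++
    }
}

function Get-CredentialDelegation {
    # Returns the SPNs currently allowed, or $null if the policy is not enabled.
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    if (-not $policy -or $policy.AllowDefaultCredentials -ne 1) { return $null }

    $key = Get-Item -Path $spnKey -ErrorAction SilentlyContinue
    if (-not $key) { return @() }
    $key.Property | ForEach-Object { (Get-ItemProperty -Path $spnKey -Name $_).$_ }
}

Set-CredentialDelegation -Spns $rdsSpns
Get-CredentialDelegation      # should list the three TERMSRV/... entries
```

Two things to check if SSO still prompts after this: the name the client connects to must match a TERMSRV/ entry, and the server must be authenticated with Kerberos (connecting by IP address, or to a host without a matching SPN, falls back to NTLM, which this policy does not cover unless you also enable the "NTLM-only server authentication" variant). In a domain, deploy the list through the GPO rather than with this script, so it cannot be tampered with locally.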

But you may also want to enable SSO for another component of your RDS design: the RD Web Access web page.

If your users browse the RD Web Access page to start RemoteApps, you may want to get rid of the additional credential form on the RDWeb page. Even if you configure the SSO settings above, users will still have to authenticate through IIS forms-based authentication, as in the screenshot below.

[image: RD Web Access forms-based logon page]

If you want SSO instead of the forms-based authentication page above, you need to edit the web.config file of your RDWeb site. To achieve this:

  • Navigate to C:\Windows\Web\RDWeb\Pages\web.config (take a backup first; updates can overwrite this file).
  • To turn on Windows Authentication:
                  – uncomment the <authentication mode="Windows"/> section
                  – and comment out:
                  1) the <authentication mode="Forms"> section;
                  2) the <modules> and <security> sections inside <system.webServer> at the end of the file.

After that, in IIS Manager, enable Windows Authentication and disable Anonymous Authentication for the RDWeb directory, then restart the IISADMIN service.

Now when your users browse the RDWeb page, their logged-on credentials are used to authenticate to IIS. Keep in mind that this replaces the logon form for everyone: a browser on a device that is not logged on to the domain (a home PC on the internet, for example) gets an HTTP 401 credential prompt instead of the form.
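The same switch from forms to Windows authentication can be scripted, which is handy because the web.config edit has to be redone whenever an update restores the file. The script below is an added example and not the post's or Microsoft's own code: it edits web.config as XML (the equivalent of the commenting described above), flips the two IIS authentication settings as IIS Manager would, restarts IIS and reports the resulting state. The file path and the IIS site/application name are assumptions for a default installation; run it elevated on the RD Web Access server.

```powershell
# Added example: switch RD Web Access from forms-based to Windows authentication.
# Path and IIS location are assumptions for a default install.

Import-Module WebAdministration

$webConfig = 'C:\Windows\Web\RDWeb\Pages\web.config'   # assumed default path
$location  = 'Default Web Site/RDWeb/Pages'            # assumed IIS site/application
$authBase  = 'system.webServer/security/authentication'

function Set-RDWebWindowsAuthConfig {
    param([Parameter(Mandatory)][string]$ConfigPath)

    # Timestamped backup, so the change can be diffed or rolled back.
    Copy-Item -Path $ConfigPath -Destination ('{0}.{1:yyyyMMdd-HHmmss}.bak' -f $ConfigPath, (Get-Date))

    $cfg = New-Object System.Xml.XmlDocument
    $cfg.PreserveWhitespace = $true      # keep the file readable and diffable
    $cfg.Load($ConfigPath)

    $auth = $cfg.SelectSingleNode('/configuration/system.web/authentication')
    if (-not $auth) { throw "No <system.web>/<authentication> element found in $ConfigPath" }

    # Equivalent of commenting out <authentication mode="Forms">...</authentication>
    # and uncommenting <authentication mode="Windows"/>: the <forms> child (login
    # URL, cookie name, timeout) has no meaning under Windows authentication.
    $auth.RemoveAll()
    $auth.SetAttribute('mode', 'Windows')

    # The post also comments out <modules> and <security> under <system.webServer>.
    foreach ($xpath in '/configuration/system.webServer/modules',
                       '/configuration/system.webServer/security') {
        $node = $cfg.SelectSingleNode($xpath)
        if ($node) { [void]$node.ParentNode.RemoveChild($node) }
    }

    $cfg.Save($ConfigPath)
}

function Set-RDWebIisAuth {
    # Same effect as IIS Manager: Windows Authentication on, Anonymous off.
    # These sections are locked at server level, so they are written into
    # applicationHost.config under a <location> for the application.
    param([Parameter(Mandatory)][string]$Location)

    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
        -Filter "$authBase/windowsAuthentication"   -Name enabled -Value $true
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
        -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false
}

function Get-RDWebAuthState {
    # Read back what is actually configured, to verify both halves agree.
    param([Parameter(Mandatory)][string]$ConfigPath, [Parameter(Mandatory)][string]$Location)

    $cfg = [xml](Get-Content -Path $ConfigPath -Raw)
    [pscustomobject]@{
        WebConfigMode  = $cfg.configuration.'system.web'.authentication.mode
        IisWindowsAuth = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
                            -Filter "$authBase/windowsAuthentication"   -Name enabled).Value
        IisAnonymous   = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
                            -Filter "$authBase/anonymousAuthentication" -Name enabled).Value
    }
}

Set-RDWebWindowsAuthConfig -ConfigPath $webConfig
Set-RDWebIisAuth -Location $location
iisreset | Out-Null                      # restarts IISADMIN and W3SVC
Get-RDWebAuthState -ConfigPath $webConfig -Location $location
# Expected: WebConfigMode=Windows, IisWindowsAuth=True, IisAnonymous=False
```

For the browser to send the logged-on credentials silently, the RDWeb URL must be in the Intranet (or Trusted) zone on the client, and for Kerberos the host name in the URL needs an HTTP service principal name on the RD Web Access server's account. Otherwise users get the 401 prompt described above even on domain-joined PCs.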

But I ran into another problem with this scenario. If I configure SSO for both components (RemoteApp and the logon page), RemoteApp SSO does not work as expected: users have to tick the following checkbox to get SSO for RemoteApp.

[image: the private computer checkbox (PublicCheckbox) on the RD Web Access page]

You can also configure default.aspx located in the RDWeb\Pages\en-US directory.

Change the line below

public bool fUserAdmin = false, fConfigPage = false, bShowPublicCheckBox = false, bPrivateMode = false;

to

public bool fUserAdmin = false, fConfigPage = false, bShowPublicCheckBox = false, bPrivateMode = true;

or, in the body tag, add the document.getElementById(...).checked=true; call to the onload attribute, as below:

<body onload="onPageload(event); document.getElementById('WebPartManager1_TSPortalWebPart1PublicCheckbox').checked=true;" onunload="onPageUnload(event)">

The checkbox will now be ticked by default.

posted in Windows Server 2012 by Anıl ERDURAN


5 Comments to "SSO (Single Sign On) thoughts on RDS (Remote Desktop Services) 2012"

  1. Steve wrote:

    Excellent! I have one question.. any idea how enabling integrated authentication will affect users that will try to use rdweb from outside? I.e. from the internet and devices that are not logging into the domain (i.e. personal, RT etc..)?

  2. Steve wrote:

    Another question as well.. there seems to be quite a few folks, myself included, that are trying to get WinTPC to start RDP/VDI directly … This cannot happen since the web authentication must take place first.. In other words .. WinTPC is domain joined… user logs in with AD credentials.. Then they must open a web browser to get to a pooled VDI desktop. Is there a way to craft an RDP file that passes currently logged on users credentials? I can steal the .rdp file but without first authenticating through the browser the user gets prompted for credentials.

  3. Steve wrote:

    Nevermind.. I found a solution… Credential Delegation must be setup in GPO on the WinTPC machines. Then the .rdp stolen from RDWEB .. Then set GPO for the WinTPCs to use a custom interface that runs a powershell script with a wait statement loop that runs the .rdp file…

    When the mstsc process is killed it runs logoff…

    Voila ! WinTPC that goes straight to 2012 VDI session from login.. We still get the spat about the connection not being trusted but I think that just requires either a signed .rdp or certificate on the rdcb..

  4. livewriter wrote:

    Great info Steve. Thanks for sharing!

  5. Jess wrote:

    Hi Steve,

    Could you kindly share how you managed to run your solution?
