Remote Desktop (RD) Web Access Server (2012 R2) Integration Guide

Introduction

Use this guide to enable secure, Single Sign-on (SSO) access via WS-Federation to Remote Desktop (RD) Web Access Server (2012 R2).

Prerequisites

  • Have RD Web Access Server (2012 R2) installed and operational

  • Create a New Realm in the SecureAuth IdP Web Admin for the RD Web Access Server integration

  • Configure the following tabs in the Web Admin before configuring the Post Authentication tab:

    • Overview – the description of the realm and SMTP connections must be defined

    • Data – an enterprise directory must be integrated with SecureAuth IdP

    • Workflow – the way in which users will access this application must be defined

    • Multi-Factor Methods – the Multi-Factor Authentication methods that will be used to access this page (if any) must be defined

  • Configure the SecureAuth IdP realm Data Tab to pass a UPN Claim to RD Web Access Server as the identity

Windows Identity Federation (WIF) Configuration Steps

Windows Identity Federation (WIF) is a Microsoft framework used to build identity-aware applications. It is a core component that must be installed on the RD Web Access server before the configuration below is started.

  • To install WIF on the RD Web Access server, download WIF from Microsoft's Download Center

    For Windows Server 2012 R2 and later, install it with the Add Roles and Features wizard in Server Manager instead

Modify C2WTShost.exe.config File

  1. To modify the C2WTShost.exe.config file, run Notepad as administrator, and open C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config

  2. Add the RDWebAccess application pool identity to the allowedCallers element, so that the RD Web Access site (and, because of the clear element, only that site) is permitted to call the service:

    <allowedCallers>
    <clear />
    <add value="IIS APPPOOL\RDWebAccess" />
    </allowedCallers>
  3. Save the file

Enable Claims to Windows Token Service (C2WTS)

  1. To enable the Claims to Windows Token Service (C2WTS), open services.msc on the RD Web Access server

  2. In the list of services, right-click Claims to Windows Token Service and select Properties

  3. Select Automatic from the Startup type dropdown

  4. Click Start to begin the service

Set Claims to Windows Token Service (C2WTS)

Notice

Per Microsoft, ensure that the Cryptographic Services service is guaranteed to start before C2WTS by explicitly adding the following dependency to the service definition

  1. Open an elevated command prompt window

  2. Enter sc config c2wts depend= CryptSvc (the space after depend= is required by sc)

  3. Select Start > Run > services.msc to open the Services console, and locate the Claims to Windows Token Service

  4. Open the Properties of the service

  5. In the Dependencies tab, ensure that Cryptographic Services is listed

  6. Click OK
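The three WIF procedures above (the allowedCallers entry, enabling C2WTS, and the CryptSvc dependency) can be applied and verified from one elevated PowerShell session. The script below is an added example and is not part of the SecureAuth guide; it assumes the c2wtshost.exe.config path and the IIS APPPOOL\RDWebAccess identity named in the steps above, and the dependency is applied before the service is (re)started because sc config only takes effect on the next start.

```powershell
# Added example, not part of the SecureAuth guide: performs the WIF steps above
# (allowedCallers entry, automatic start-up, CryptSvc dependency, start, verify)
# on the RD Web Access server. Run in an elevated PowerShell session.
# Assumptions: the config path and the app pool identity are the ones the guide
# names; change $Caller if your application pool has a different name.
$C2wtsConfig = 'C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config'
$Caller      = 'IIS APPPOOL\RDWebAccess'

# "Modify C2WTShost.exe.config File": allow the RD Web Access application pool
# to call C2WTS. A backup copy of the file is kept first.
Copy-Item -Path $C2wtsConfig -Destination "$C2wtsConfig.bak" -Force
[xml]$cfg = Get-Content -Path $C2wtsConfig -Raw
$allowed = $cfg.SelectSingleNode('//allowedCallers')
if (-not $allowed) { throw "No <allowedCallers> element found in $C2wtsConfig" }

$already = $allowed.SelectNodes('add') |
           Where-Object { $_.GetAttribute('value') -eq $Caller }
if (-not $already) {
    $add = $cfg.CreateElement('add')
    $add.SetAttribute('value', $Caller)
    [void]$allowed.AppendChild($add)
    $cfg.Save($C2wtsConfig)
    Write-Output "Added '$Caller' to allowedCallers"
}

# "Enable Claims to Windows Token Service": start automatically at boot.
Set-Service -Name c2wts -StartupType Automatic

# "Set Claims to Windows Token Service": make C2WTS depend on Cryptographic
# Services. sc.exe requires the space after 'depend=', and the dependency only
# takes effect on the next start, so the service is (re)started afterwards.
# Restart-Service simply starts the service if it was not yet running.
sc.exe config c2wts depend= CryptSvc | Out-Null
Restart-Service -Name c2wts

# Verify the outcome rather than trusting the commands' exit codes.
$svc     = Get-Service -Name c2wts
$mode    = (Get-CimInstance -ClassName Win32_Service -Filter "Name='c2wts'").StartMode
$deps    = @($svc.ServicesDependedOn | ForEach-Object { $_.Name })
$callers = @($cfg.SelectNodes('//allowedCallers/add') | ForEach-Object { $_.GetAttribute('value') })

if ($mode -ne 'Auto')               { Write-Warning "c2wts start mode is $mode, expected Auto" }
if ($svc.Status -ne 'Running')      { Write-Warning "c2wts is $($svc.Status), expected Running" }
if ($deps -notcontains 'CryptSvc')  { Write-Warning 'CryptSvc dependency is not recorded on c2wts' }
if ($callers -notcontains $Caller)  { Write-Warning "$Caller is not listed under allowedCallers" }
if (-not (Get-Error 2>$null))       { Write-Output 'C2WTS configuration checks completed' }
```

The verification at the end reads the dependency list back from the Service Control Manager (Get-Service's ServicesDependedOn) and the caller list back from the XML document, which is the same check the Dependencies tab in services.msc gives you in step 5, without opening the console.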

SecureAuth IdP Configuration Steps

Post Authentication

  1. Select WS-Federation Assertion from the Authenticated User Redirect dropdown in the Post Authentication section

  2. The Redirect To field is auto-populated with a fixed URL (Authorized/WSFedProvider.aspx) that is appended to the domain name and realm number shown in the address bar; the field cannot be edited

    Note

    See the Troubleshooting / Common Issues section below for an alternative configuration of this setting

User ID Mapping

  1. Select Authenticated User ID from the User ID Mapping dropdown

  2. Select urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified from the Name ID Format dropdown (default)

    Select a different option only if RD Web Access, the Service Provider (SP), requires it

SAML Assertion / WS-Federation

  1. Set the WSFed Reply To/SAML Target URL to https://<RDWeb-FQDN>/RDWeb/Pages/

  2. Set the WSFed/SAML Issuer to the Fully Qualified Domain Name (FQDN) of the SecureAuth IdP appliance, followed by the current RD Web Access integration realm, e.g. https://company.secureauth.com/secureauth2

  3. Set the SAML Audience to urn:microsoft:rdweb

  4. Set the WS-Fed Version to 1.3

    Notice

    No configuration is required for the SAML Consumer URL, SAML Recipient, or SP Start URL fields

  5. Leave the Signing Cert Serial Number and Assertion Signing Certificate as default, unless using a third-party certificate

    Click Select Certificate to choose a different certificate

  6. Download the Assertion Signing Certificate, which is used in the RD Web Access Configuration Steps

SAML Attributes / WS-Federation

  1. Set the Name of Attribute 1 to UPN

  2. Set the Namespace (1.1) to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn

  3. Select Basic from the Format dropdown (default)

  4. Select Aux ID 9 from the Value dropdown (default)

    Aux ID 9 is used here because, in this example, it is the field that was mapped to the UPN on the Data tab; select whichever field carries the UPN in your realm

Warning

Click Save once the configurations have been completed and before leaving the Post Authentication tab to avoid losing changes

RD Web Access Configuration Steps

Update RD Web Access Application Pool

  1. To update the RD Web Access Application Pool, open the IIS Manager, and select Application Pools

  2. Right-click the RDWebAccess pool, and select Advanced Settings

  3. Set Load User Profile to True

Update RD Web Access web.config File

Notice

Be sure to make a backup of the existing web.config file before making any modifications

  1. To update the RD Web Access web.config file, on the RD Web Access server run Notepad as administrator and open C:\Windows\Web\RDWeb\Pages\web.config

  2. At the top of the file, immediately after the opening <configuration> tag, add the following lines:

    <!-- SecureAuth -->
    <configSections>
    <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </configSections>
    <!-- /SecureAuth -->
  3. Under the <system.web> tag, add the following lines:

    <!-- SecureAuth -->
    <httpRuntime requestValidationMode="2.0" />
    <pages validateRequest="false" />
    <!-- /SecureAuth -->

    These two settings relax ASP.NET request validation so that the signed token SecureAuth IdP posts back in the wresult form field, which contains XML markup, is not rejected before the WS-Federation module can process it
  4. Under the <system.web> tag, modify or add the <authorization> and <authentication> tags so that they read as follows:

    <!-- SecureAuth -->
    <authorization><deny users="?" /></authorization>
    <authentication mode="None" />
    <!-- /SecureAuth -->
  5. Change the <modules> tag to <modules runAllManagedModulesForAllRequests="true">

  6. Within the <modules> section, add the lines shown in the code block beneath the Notice below:

    Notice

    NOTE: The lines added in this step must be placed above any existing lines that start with <add name=

    <!-- SecureAuth -->
    <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
    <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
    <!-- /SecureAuth -->
  7. In the RD Web Access application, provide the certificate Thumbprint from the Assertion Signing Certificate downloaded from the SecureAuth IdP Web Admin

    Note

    To obtain the certificate thumbprint:

    1. Open the Assertion Signing Certificate, and select the Details tab

    2. Copy the Thumbprint value and paste it into Notepad (see the example on line 28 in the code below)

    IMPORTANT: In Notepad, be sure to remove all spaces and change all letters to UPPERCASE

  8. Under </runtime>, add the following lines (1-34) shown in the code block beneath the Note below:

    Note

    NOTE: Replace the values between the @@@ on lines 7, 20 and 28 with the actual FQDN of the SecureAuth IdP appliance and RD Web Access Server-integrated realm, e.g. secureauth.company.com/secureauth2

    Replace RDWeb-FQDN with the actual FQDN of the RD Web Access Server

    The issuer value in the code must match the WSFed/SAML Issuer value set in the SecureAuth IdP Web Admin (SecureAuth IdP Configuration step 6)

    Delete the @@@ symbols from the code after entering the proper values

    Because certificateValidationMode is set to None, WIF performs no X.509 chain validation of the token signing certificate; trust in incoming tokens rests entirely on the thumbprint listed under trustedIssuers, so update that entry whenever the Assertion Signing Certificate on the SecureAuth IdP appliance is replaced

    <!--SecureAuth-->
    <microsoft.identityModel>
    <service>
    <audienceUris>
    <add value="urn:microsoft:rdweb" />

    <add value="@@@https://RDWeb-FQDN/RDWeb/Pages/@@@" />

    </audienceUris>
    <securityTokenHandlers>
    <remove type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <add type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
    <sessionTokenRequirement useWindowsTokenService="true" />
    </add>
    <add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
    <samlSecurityTokenRequirement mapToWindows="true" useWindowsTokenService="true" />
    </add>
    </securityTokenHandlers>
    <federatedAuthentication>
    <wsFederation passiveRedirectEnabled="true" issuer="@@@https://SecureAuthIdPFQDN/RDWebAccessIntegratedRealm/@@@" realm="@@@https://RDWeb-FQDN/RDWeb/Pages/@@@" requireHttps="true" />

    <cookieHandler requireSsl="false" />
    </federatedAuthentication>
    <applicationService>
    </applicationService>
    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
    <trustedIssuers>
    <add thumbprint="@@@A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6ABCD@@@" name="@@@https://SecureAuthIdPFQDN/RDWebAccessIntegratedRealm@@@" />
    </trustedIssuers>
    </issuerNameRegistry>
    <certificateValidation certificateValidationMode="None" />
    </service>
    </microsoft.identityModel>
    <!--/SecureAuth-->
  9. Save the web.config file
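After the hand edits in steps 1 to 9, it is worth confirming that web.config still parses and that each required setting is present before testing the sign-in flow. The script below is an added example, not part of the SecureAuth guide or of RD Web Access: it takes the timestamped backup the Notice asks for, loads the file as XML, and checks the configSections entry, the authentication and authorization tags, the module registrations and their ordering, the audience URI, the issuer, and the trustedIssuers thumbprint. It assumes the web.config path from step 1, that the file has no default XML namespace on the configuration element (as shipped with RD Web Access), and an $ExpectedIssuer value that you set to your own WSFed/SAML Issuer.

```powershell
# Added example, not part of the SecureAuth guide: backs up the RD Web Access
# web.config and checks the edits from steps 2-8 above. Run on the RD Web
# Access server in an elevated PowerShell session.
# Assumptions: the web.config path from step 1; $ExpectedIssuer is the
# WSFed/SAML Issuer configured in the SecureAuth IdP Web Admin (example value);
# the <configuration> element carries no default xmlns, so plain XPath works.
$WebConfig      = 'C:\Windows\Web\RDWeb\Pages\web.config'
$ExpectedIssuer = 'https://secureauth.company.com/secureauth2'   # assumed value

# Timestamped backup, as the Notice above requires.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Copy-Item -Path $WebConfig -Destination "$WebConfig.$stamp.bak"

# Loading as XML catches an unbalanced tag or bad quoting before IIS does.
$rawText = Get-Content -Path $WebConfig -Raw
[xml]$cfg = $rawText
$problems = New-Object 'System.Collections.Generic.List[string]'

function Test-ConfigPath {
    param([System.Xml.XmlDocument]$Doc, [string]$XPath)
    return $Doc.SelectNodes($XPath).Count -gt 0
}

# One XPath per required setting from steps 2 to 8.
$required = [ordered]@{
    'step 2: microsoft.identityModel section declared' = "//configSections/section[@name='microsoft.identityModel']"
    'step 3: requestValidationMode 2.0'                = "//system.web/httpRuntime[@requestValidationMode='2.0']"
    'step 4: authentication mode None'                 = "//system.web/authentication[@mode='None']"
    'step 4: anonymous users denied'                   = "//system.web/authorization/deny[@users='?']"
    'step 5: runAllManagedModulesForAllRequests'       = "//system.webServer/modules[@runAllManagedModulesForAllRequests='true']"
    'step 6: WSFederationAuthenticationModule'         = "//system.webServer/modules/add[@name='WSFederationAuthenticationModule']"
    'step 6: SessionAuthenticationModule'              = "//system.webServer/modules/add[@name='SessionAuthenticationModule']"
    'step 8: audience urn:microsoft:rdweb'             = "//microsoft.identityModel/service/audienceUris/add[@value='urn:microsoft:rdweb']"
}
foreach ($entry in $required.GetEnumerator()) {
    if (-not (Test-ConfigPath -Doc $cfg -XPath $entry.Value)) { $problems.Add("missing: $($entry.Key)") }
}

# Step 6 Notice: the two WIF modules must sit above any pre-existing <add name=...>.
$wifModules = 'WSFederationAuthenticationModule', 'SessionAuthenticationModule'
$seenOther  = $false
foreach ($add in $cfg.SelectNodes('//system.webServer/modules/add')) {
    $n = $add.GetAttribute('name')
    if ($wifModules -contains $n) {
        if ($seenOther) { $problems.Add("step 6: $n is listed below a pre-existing module entry") }
    } else {
        $seenOther = $true
    }
}

# Step 8: issuer must match the IdP, thumbprint must be 40 uppercase hex chars.
$wsfed  = $cfg.SelectSingleNode('//microsoft.identityModel/service/federatedAuthentication/wsFederation')
$issuer = if ($wsfed) { $wsfed.GetAttribute('issuer') } else { '' }
if ($issuer.TrimEnd('/') -ne $ExpectedIssuer.TrimEnd('/')) {
    $problems.Add("step 8: wsFederation issuer '$issuer' does not match '$ExpectedIssuer'")
}
foreach ($ti in $cfg.SelectNodes('//issuerNameRegistry/trustedIssuers/add')) {
    $tp = $ti.GetAttribute('thumbprint')
    # Case-sensitive match: lowercase letters, spaces or a hidden character
    # pasted from the certificate dialog all fail here.
    if ($tp -cnotmatch '^[0-9A-F]{40}$') {
        $problems.Add("step 8: thumbprint '$tp' is not 40 uppercase hexadecimal characters")
    }
}
if ($rawText -match '@@@') { $problems.Add('step 8: @@@ placeholder markers are still present') }

if ($problems.Count -eq 0) {
    Write-Output 'web.config checks passed'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

The thumbprint test is deliberately case-sensitive (-cnotmatch) because the ConfigurationBasedIssuerNameRegistry compares the configured value against the certificate's thumbprint, and the IMPORTANT note in step 7 exists precisely because a lowercase or space-containing value will not match.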

Notice

To test the configuration, access the RD Web Access Server page URL directly or from the SecureAuth IdP realm. If a page showing application icons appears, then access into the RD Web Access application was successful.

Troubleshooting / Common Issues

If parameters are not passed to the WSFedProvider.aspx page correctly during execution, select Use Custom Redirect from the Authenticated User Redirect dropdown (in lieu of step 1 in the SecureAuth IdP Configuration Steps above)

Set the Redirect To field to include the parameters as part of the URL, for example:

Authorized/WSFedProvider.aspx?wa=wsignin1.0&wtrealm=https%3a%2f%2f<RDWebAccessServerURL>%2fRDWeb%2fPages%2f&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fRDWeb%252fPages%252f

Here wtrealm is the URL-encoded RD Web Access realm, and wctx carries the return URL (ru), which is encoded a second time because it sits inside the wctx value.
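Building this value by hand for a different server is error-prone because of the nested encoding in wctx. The functions below are an added example, not part of the SecureAuth guide: New-RdWebRedirect produces the custom redirect string above for any RD Web Access FQDN (the value rdweb.company.com is an assumed placeholder), and Show-RdWebRedirect decodes it layer by layer so you can see that wtrealm and ru unwrap to the RD Web Access pages URL.

```powershell
# Added example, not part of the SecureAuth guide: build the "Use Custom Redirect"
# value for a given RD Web Access FQDN and decode it again for inspection.
# Assumption: $RdWebFqdn is a placeholder; replace it with your own server name.
$RdWebFqdn = 'rdweb.company.com'

function New-RdWebRedirect {
    param([Parameter(Mandatory)][string]$Fqdn)
    $wtrealm = "https://$Fqdn/RDWeb/Pages/"
    # wctx is itself a query string: its ru value is encoded once (/ -> %2F),
    # then the whole wctx string is encoded again (% -> %25, & -> %26, = -> %3D).
    $ru   = [uri]::EscapeDataString('/RDWeb/Pages/')
    $wctx = "rm=0&id=passive&ru=$ru"
    return 'Authorized/WSFedProvider.aspx?wa=wsignin1.0' +
           '&wtrealm=' + [uri]::EscapeDataString($wtrealm) +
           '&wctx='    + [uri]::EscapeDataString($wctx)
}

function Show-RdWebRedirect {
    param([Parameter(Mandatory)][string]$Url)
    $query = $Url.Split('?', 2)[1]
    foreach ($pair in $query.Split('&')) {
        $k, $v   = $pair.Split('=', 2)
        $decoded = [uri]::UnescapeDataString($v)
        Write-Output ('{0,-8} = {1}' -f $k, $decoded)
        if ($k -eq 'wctx') {
            # Second layer: the return URL carried inside wctx.
            $ru = ($decoded.Split('&') | Where-Object { $_ -like 'ru=*' }).Substring(3)
            Write-Output ('{0,-8} = {1}' -f '  ru', [uri]::UnescapeDataString($ru))
        }
    }
}

$url = New-RdWebRedirect -Fqdn $RdWebFqdn
Write-Output $url
Show-RdWebRedirect -Url $url
```

EscapeDataString emits uppercase hex (%2F rather than %2f); both spellings decode identically, so the generated string is equivalent to the example in the guide.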

Note

Workaround to use if the exception message ID4175 appears

If the ID4175 message appears, stating:

"Exception message: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer."

then use this solution:

In the RD Web Access web.config, in the trustedIssuers entry (step 8 of the RD Web Access Configuration Steps) that is consulted when SecureAuth IdP redirects back to the RD Web Access server after authentication, hand-type the certificate thumbprint and trusted issuer name instead of copying and pasting them.

NOTE: The thumbprint must still be in ALL CAPS with spaces removed.
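The reason retyping helps is that a thumbprint copied from the certificate dialog can carry a non-printing character that survives the paste and then never matches. The script below is an added example, not part of the SecureAuth guide: it serves both step 7 of the RD Web Access Configuration Steps (obtaining the thumbprint) and this ID4175 workaround, by computing the thumbprint directly from the downloaded Assertion Signing Certificate file, normalising it to 40 uppercase hexadecimal characters, and comparing it with the value already present in web.config while reporting any hidden characters found there. The certificate path is an assumed placeholder; the web.config path is the one from step 1.

```powershell
# Added example, not part of the SecureAuth guide: derive the trusted-issuer
# thumbprint from the Assertion Signing Certificate file and compare it with the
# trustedIssuers entry in web.config. Run on the RD Web Access server.
# Assumptions: $CertFile is a placeholder path for the downloaded certificate;
# $WebConfig is the path from step 1 of the RD Web Access Configuration Steps.
$CertFile  = 'C:\Temp\SecureAuth-AssertionSigning.cer'   # assumed path
$WebConfig = 'C:\Windows\Web\RDWeb\Pages\web.config'

# Normalise a thumbprint from any source: drop spaces, colons and every
# non-hex character (including invisible ones), then uppercase. Fails loudly
# if what is left is not a SHA-1 thumbprint.
function ConvertTo-NormalizedThumbprint {
    param([Parameter(Mandatory)][string]$Text)
    $clean = ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean -cnotmatch '^[0-9A-F]{40}$') {
        throw "Not a SHA-1 thumbprint after cleanup: '$clean' ($($clean.Length) hex characters)"
    }
    return $clean
}

# Report any character outside printable ASCII in a configured value, by code
# point, so a pasted hidden character can be identified rather than guessed at.
function Get-HiddenCharacters {
    param([Parameter(Mandatory)][string]$Text)
    return @([regex]::Matches($Text, '[^\x20-\x7E]') |
             ForEach-Object { 'U+{0:X4}' -f [int][char]$_.Value })
}

# .NET computes the SHA-1 thumbprint from the certificate bytes, so nothing is
# copied from a dialog. Subject and expiry are shown for a sanity check.
$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertFile
$expected = ConvertTo-NormalizedThumbprint -Text $cert.Thumbprint
Write-Output "Subject    : $($cert.Subject)"
Write-Output "Not after  : $($cert.NotAfter)"
Write-Output "Thumbprint : $expected"

# Compare with what web.config currently holds.
[xml]$cfg = Get-Content -Path $WebConfig -Raw
$entry = $cfg.SelectSingleNode('//issuerNameRegistry/trustedIssuers/add')
if (-not $entry) {
    Write-Warning 'No trustedIssuers/add entry found in web.config (step 8 not applied?)'
} else {
    $configured = $entry.GetAttribute('thumbprint')
    $hidden = Get-HiddenCharacters -Text $configured
    if ($hidden.Count -gt 0) {
        Write-Warning "Configured thumbprint contains non-printable characters: $($hidden -join ', ')"
    }
    if ($configured -ceq $expected) {
        Write-Output 'web.config trustedIssuers thumbprint matches the certificate exactly'
    } elseif ((ConvertTo-NormalizedThumbprint -Text $configured) -eq $expected) {
        Write-Warning "Same thumbprint, but the configured value is not in the required form; use: $expected"
    } else {
        Write-Warning 'web.config trustedIssuers thumbprint does not belong to this certificate'
    }
    Write-Output "Trusted issuer name : $($entry.GetAttribute('name'))"
}
```

If the script reports a hidden code point or a value that only matches after normalisation, replace the thumbprint attribute with the printed $expected value; if it reports no match at all, the certificate in web.config is not the one SecureAuth IdP is signing with, which is the other common cause of ID4175.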