Microsoft Remote Desktop Web Access (Microsoft RD Web Access) is a Remote Desktop Services role in Windows Server 2016 (and later) that lets users reach, from a web browser, the desktops to which they have Remote Desktop Protocol (RDP) access.

Use this guide to integrate SecureAuth® Identity Platform (formerly SecureAuth IdP) with RD Web Access and enable secure single sign-on (SSO) access via WS-Federation.

Prerequisites

  • Active RD Web Access Server 2016 (or later)
  • Have a realm ready in the Identity Platform Web Admin for the RD Web Access Server integration
  • Configure the following tabs in the Web Admin before configuring the Post Authentication tab:
    • Overview – define the realm description and SMTP connections 
    • Data – an enterprise directory must be integrated with the Identity Platform
    • Workflow – define how users will access this resource
    • Multi-Factor Methods – define the multi-factor authentication methods (MFA), if any, to access this resource
  • Configure the realm (on the Data tab) to pass a UPN claim to the RD Web Access Server as the user's identity

Windows Identity Foundation (WIF) configuration

Windows Identity Foundation (WIF) is a Microsoft software framework used to build identity-aware applications, and is a core component that must be installed on both the RD Web Access and the Identity Platform servers before configuration. 

  1. Install Windows Identity Foundation on the RD Web Access Server.
    1. From the Microsoft Download Center, download and install Windows Identity Foundation. 
      Use the Roles and Features Installer.
  2. Configure Claims to Windows Token Service (C2WTS).
    1. In a text editor (run as an administrator), open the c2wtshost.exe.config file located in C:\Program Files\Windows Identity Foundation\v3.5.
    2. In the <windowsTokenService> section, set the <allowedCallers> element to the following, so that only the RD Web Access application pool can request Windows tokens:

      <allowedCallers>
        <clear />
        <!-- only the RD Web Access IIS application pool identity may call C2WTS -->
        <add value="IIS APPPOOL\RDWebAccess" />
      </allowedCallers>
    3. Save the file.
  3. Enable Claims to Windows Token Service (C2WTS).
    1. On the RDWeb Server, open services.msc.
    2. From the list of services, right-click Claims to Windows Token Service and select Properties
    3. Set the Startup type to Automatic
    4. Click Start to begin the service. 
  4. Add a service dependency for Claims to Windows Token Service (C2WTS).

    According to Microsoft, ensure that the Cryptographic Services service (CryptSvc) starts before Claims to Windows Token Service by explicitly adding the following dependency to the service definition.

    1. From an elevated command prompt, type sc config c2wts depend= CryptSvc (the service name is c2wts).
    2. Open the Services console by selecting Start > Run > services.msc and locate Claims to Windows Token Service.
    3. Open the Properties of the service.
    4. On the Dependencies tab, verify that Cryptographic Services is listed.
    5. Click OK.
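The following PowerShell script is an added example and is not part of the SecureAuth documentation. It verifies steps 2 to 4 on the RD Web Access server in one pass: that the only allowed C2WTS caller is the RD Web Access application pool, that the service is set to Automatic and running, and that CryptSvc is an explicit dependency. The config path is the WIF 3.5 default and the application pool identity is the one this guide uses; adjust both if your installation differs. Run it in an elevated PowerShell session.

```powershell
# Added example: verify the C2WTS configuration from steps 2-4 (not from the SecureAuth docs).
$configPath     = Join-Path $env:ProgramFiles 'Windows Identity Foundation\v3.5\c2wtshost.exe.config'
$expectedCaller = 'IIS APPPOOL\RDWebAccess'   # the RD Web Access application pool identity from step 2
$problems = @()

# Step 2: only the RD Web Access application pool may ask C2WTS to mint Windows tokens.
if (-not (Test-Path $configPath)) {
    $problems += "c2wtshost.exe.config not found at $configPath (is WIF 3.5 installed?)"
} else {
    [xml]$cfg = Get-Content -Path $configPath -Raw
    $callers = @($cfg.configuration.windowsTokenService.allowedCallers.add | ForEach-Object { $_.value })
    if ($callers -notcontains $expectedCaller) {
        $problems += "allowedCallers does not list '$expectedCaller' (found: $($callers -join ', '))"
    }
    # Every extra caller is another identity that can obtain a Windows token for any UPN.
    $extra = @($callers | Where-Object { $_ -ne $expectedCaller })
    if ($extra.Count -gt 0) { $problems += "allowedCallers also grants C2WTS to: $($extra -join ', ')" }
}

# Step 3: the service must start automatically and be running.
$svc = Get-Service -Name c2wts -ErrorAction SilentlyContinue
if (-not $svc) {
    $problems += 'Claims to Windows Token Service (c2wts) is not installed'
} else {
    $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='c2wts'").StartMode
    if ($startMode -ne 'Auto')     { $problems += "c2wts startup type is '$startMode', expected Automatic" }
    if ($svc.Status -ne 'Running') { $problems += "c2wts is $($svc.Status), expected Running" }

    # Step 4: CryptSvc must be an explicit dependency so that it is started first.
    $deps = @($svc.ServicesDependedOn | ForEach-Object { $_.Name })
    if ($deps -notcontains 'CryptSvc') {
        $problems += 'c2wts does not depend on CryptSvc (fix: sc config c2wts depend= CryptSvc)'
    }
}

if ($problems.Count -eq 0) { Write-Output 'C2WTS configuration matches the guide.' }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

The allowed-caller check is the one worth keeping in a periodic audit: any identity listed in <allowedCallers> can obtain a Windows token for an arbitrary UPN, so the list should never grow beyond the RD Web Access pool.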

Identity Platform configuration 

  1. Go to the Post Authentication tab. 
  2. In the Post Authentication section, set Authenticated User Redirect to WS-Federation Assertion.
    The Redirect To field is auto-populated with a fixed value, Authorized/WSFedProvider.aspx, which is appended to the domain name and realm number shown in the address bar.

    For an alternate configuration, see the Troubleshooting and common issues section at the end of this topic.

  3. In the User ID Mapping section, set the following:

    User ID Mapping – Set to Authenticated User ID.
    Name ID Format – Leave the default value, urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified. If the service provider (SP) requires a different format for RD Web Access, select that option instead.


  4. In the SAML Assertion / WS-Federation section, set the following:

    WSFed Reply To/SAML Target URL – Set to https://<RDWeb-FQDN>/RDWeb/Pages/.
    WSFed/SAML Issuer – Set to the fully qualified domain name (FQDN) of the Identity Platform appliance followed by the current RD Web Access integration realm, for example, https://company.secureauth.com/secureauth2.
    SAML Audience – Set to urn:microsoft:rdweb.
    WS-Fed Version – Set to 1.3.
    Signing Cert Serial Number – Leave this field as default unless you use a third-party certificate. To choose a different certificate, click the Select Certificate link.
    Assertion Signing Certificate – Download the Assertion Signing Certificate; its thumbprint is used in the RD Web Access Server configuration procedure.


  5. In the SAML Attributes / WS-Federation section, set the following for Attribute 1:

    Name – Set to UPN.
    Namespace (1.1) – Set to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn.
    Format – Set to Basic (default).
    Value – Set to Aux ID 9 (default). This assumes Aux ID 9 was mapped to the UPN on the Data tab (see Prerequisites).

  6. Save your changes. 

RD Web Access Server configuration

Configure the RD Web Access Server to integrate with the Identity Platform. 

Update the RD Web Access Application Pool

  1. Open the IIS Manager and select Application Pools.
  2. Right-click the RDWebAccess pool and select Advanced Settings.
  3. Set Load User Profile to True.

Update the RD Web Access web.config file

Make a backup of the existing web.config file before making any modifications. 

  1. In a text editor (run as an administrator), open the web.config file located in C:\Windows\Web\RDWeb\Pages\.
  2. Search for and delete the line <httpRuntime targetFramework="4.5" />.
  3. At the top of the file, after the <configuration> tag, add the following lines:

    <!-- SecureAuth -->
    <configSections>
      <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </configSections>
    <!-- /SecureAuth -->
  4. After the <system.web> tag, add the following lines:

    <!-- SecureAuth -->
    <!-- request validation is relaxed so that the signed token the Identity Platform posts back is not rejected as dangerous input -->
    <httpRuntime targetFramework="4.5" requestValidationMode="2.0" />
    <pages validateRequest="false" />
    <!-- /SecureAuth -->
  5. After the <system.web> tag, modify or add the <authorization> and <authentication> elements so that they read as follows (denying anonymous users is what triggers the redirect to the Identity Platform):

    <!-- SecureAuth -->
    <authorization><deny users="?" /></authorization>
    <authentication mode="Windows" />
    <!-- /SecureAuth -->
  6. Edit the <modules> tag to <modules runAllManagedModulesForAllRequests="true">.

  7. In the <modules> section, add the following lines. You must place them before any existing lines that begin with <add name=.

    <!-- SecureAuth -->
    <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
    <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
    <!-- /SecureAuth -->
  8. In the RD Web Access application, provide the certificate Thumbprint from the Assertion Signing Certificate downloaded from the Identity Platform Web Admin (Identity Platform configuration step 4).
    1. Open the Assertion Signing Certificate and select the Details tab.
    2. Copy and paste the Thumbprint value into a text editor; it goes into the <trustedIssuers> entry of the code block in step 9.

      Important: Remove all spaces and change all letters to uppercase.

  9. After the </runtime> closing tag, add the following lines (the complete <microsoft.identityModel> element), then do the following:

    1. In the <audienceUris> entry, the <wsFederation> element, and the <trustedIssuers> entry, replace the values between the @@@ markers: SecureAuthIdPFQDN/RDWebAccessIntegratedRealm stands for the actual FQDN of the Identity Platform appliance followed by the realm integrated with the RD Web Access Server, for example, https://company.secureauth.com/secureauth2.

    2. Replace RDWeb-FQDN with the actual FQDN of the RD Web Access Server.

    3. The issuer name in the <trustedIssuers> entry must match the WSFed/SAML Issuer value set in the Identity Platform Web Admin (Identity Platform configuration step 4), and its thumbprint is the value prepared in step 8.

      <!--SecureAuth-->
      <microsoft.identityModel>
        <service>
          <audienceUris>
            <add value="urn:microsoft:rdweb" />
            <add value="@@@https://RDWeb-FQDN/RDWeb/Pages/@@@" />
          </audienceUris>
          <securityTokenHandlers>
            <remove type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
            <add type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
              <sessionTokenRequirement useWindowsTokenService="true" />
            </add>
            <!-- mapToWindows: the UPN claim in the token is converted to a Windows token through C2WTS -->
            <add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
              <samlSecurityTokenRequirement mapToWindows="true" useWindowsTokenService="true" />
            </add>
          </securityTokenHandlers>
          <federatedAuthentication>
            <wsFederation passiveRedirectEnabled="true" issuer="@@@https://SecureAuthIdPFQDN/RDWebAccessIntegratedRealm/@@@" realm="@@@https://RDWeb-FQDN/RDWeb/Pages/@@@" requireHttps="true" />
            <!-- requireSsl="false" issues the WIF session cookie without the Secure flag -->
            <cookieHandler requireSsl="false" />
          </federatedAuthentication>
          <applicationService>
          </applicationService>
          <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
            <trustedIssuers>
              <!-- thumbprint: uppercase, no spaces (step 8); name: the WSFed/SAML Issuer from the Web Admin -->
              <add thumbprint="@@@A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6ABCD@@@" name="@@@https://SecureAuthIdPFQDN/RDWebAccessIntegratedRealm@@@" />
            </trustedIssuers>
          </issuerNameRegistry>
          <!-- chain validation is disabled; the trusted issuer thumbprint above is the only check on the signing certificate -->
          <certificateValidation certificateValidationMode="None" />
        </service>
      </microsoft.identityModel>
      <!--/SecureAuth-->
    4. Save the web.config file. 
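The following PowerShell script is an added example and is not part of the SecureAuth documentation. It reads the edited web.config and checks it against the settings prescribed in steps 3 to 9, reporting the settings that break sign-on (missing section declaration, missing modules, wrong audience or realm, malformed thumbprint, issuer name mismatch) and flagging the ones that deliberately weaken validation so they are consciously accepted. $expectedIssuer and $rdwebRealm are assumptions; set them to your WSFed/SAML Issuer and RD Web Access URL.

```powershell
# Added example: validate the RD Web Access web.config after step 9 (not from the SecureAuth docs).
$webConfig      = 'C:\Windows\Web\RDWeb\Pages\web.config'
$expectedIssuer = 'https://company.secureauth.com/secureauth2'   # assumption: your WSFed/SAML Issuer from the Web Admin
$rdwebRealm     = 'https://rdweb.example.com/RDWeb/Pages/'        # assumption: your RD Web Access URL (step 9.2)
$findings = New-Object 'System.Collections.Generic.List[string]'
function Add-Finding([string]$Level, [string]$Text) { $findings.Add("[$Level] $Text") }

[xml]$cfg = Get-Content -Path $webConfig -Raw

# Step 3: without the section declaration, .NET rejects <microsoft.identityModel> at startup.
if (-not $cfg.SelectSingleNode("/configuration/configSections/section[@name='microsoft.identityModel']")) {
    Add-Finding 'FAIL' '<configSections> does not declare the microsoft.identityModel section'
}

# Step 4: request validation is relaxed for the token POST; it applies to every page, so record it.
$pages = $cfg.SelectSingleNode('/configuration/system.web/pages')
if ($pages -and $pages.GetAttribute('validateRequest') -eq 'false') {
    Add-Finding 'INFO' 'ASP.NET request validation is disabled application-wide (pages validateRequest="false")'
}

# Step 5: anonymous users must be denied, otherwise WIF never redirects to the Identity Platform.
if (-not $cfg.SelectSingleNode("/configuration/system.web/authorization/deny[@users='?']")) {
    Add-Finding 'FAIL' '<authorization> does not contain <deny users="?" />'
}

# Steps 6-7: both WIF modules must be registered, ahead of the existing RD Web modules.
$modules = $cfg.SelectSingleNode('/configuration/system.webServer/modules')
if (-not $modules) {
    Add-Finding 'FAIL' '<system.webServer><modules> not found'
} else {
    if ($modules.GetAttribute('runAllManagedModulesForAllRequests') -ne 'true') {
        Add-Finding 'FAIL' '<modules> lacks runAllManagedModulesForAllRequests="true"'
    }
    $names = @($modules.SelectNodes('add') | ForEach-Object { $_.GetAttribute('name') })
    foreach ($m in 'WSFederationAuthenticationModule', 'SessionAuthenticationModule') {
        if ($names -notcontains $m) { Add-Finding 'FAIL' "module $m is not registered in <modules>" }
        elseif ([array]::IndexOf($names, $m) -gt 1) { Add-Finding 'WARN' "module $m is not among the first two <add name=...> entries" }
    }
}

# Step 9: the <microsoft.identityModel><service> element.
$svc = $cfg.SelectSingleNode('/configuration/microsoft.identityModel/service')
if (-not $svc) {
    Add-Finding 'FAIL' '<microsoft.identityModel><service> not found (expected after </runtime>)'
} else {
    $audiences = @($svc.SelectNodes('audienceUris/add') | ForEach-Object { $_.GetAttribute('value') })
    foreach ($a in 'urn:microsoft:rdweb', $rdwebRealm) {
        if ($audiences -notcontains $a) { Add-Finding 'FAIL' "audienceUris lacks '$a'" }
    }
    $wsfed = $svc.SelectSingleNode('federatedAuthentication/wsFederation')
    if (-not $wsfed) {
        Add-Finding 'FAIL' '<wsFederation> element not found'
    } else {
        if ($wsfed.GetAttribute('requireHttps') -ne 'true') { Add-Finding 'FAIL' 'wsFederation requireHttps is not "true"' }
        if ($wsfed.GetAttribute('realm') -ne $rdwebRealm)    { Add-Finding 'FAIL' "wsFederation realm is '$($wsfed.GetAttribute('realm'))', expected '$rdwebRealm'" }
        if ($wsfed.GetAttribute('issuer') -match '@@@|<')   { Add-Finding 'FAIL' 'wsFederation issuer still contains a placeholder' }
    }
    $cookie = $svc.SelectSingleNode('federatedAuthentication/cookieHandler')
    if ($cookie -and $cookie.GetAttribute('requireSsl') -eq 'false') {
        Add-Finding 'WARN' 'cookieHandler requireSsl="false": the WIF session cookie is not marked Secure'
    }
    $trusted = @($svc.SelectNodes('issuerNameRegistry/trustedIssuers/add'))
    if ($trusted.Count -eq 0) { Add-Finding 'FAIL' 'no <trustedIssuers> entry: every token fails with ID4175' }
    foreach ($t in $trusted) {
        $tp = $t.GetAttribute('thumbprint'); $issuerName = $t.GetAttribute('name')
        # 40 uppercase hex digits and nothing else: a stray space or hidden character also produces ID4175.
        if ($tp -cnotmatch '^[0-9A-F]{40}$') { Add-Finding 'FAIL' "trustedIssuers thumbprint '$tp' is not 40 uppercase hex characters" }
        if ($issuerName -ne $expectedIssuer) { Add-Finding 'FAIL' "trustedIssuers name '$issuerName' differs from the WSFed/SAML Issuer '$expectedIssuer'" }
    }
    # Chain validation is off, so the thumbprint above is the only thing binding tokens to the Identity Platform.
    $cv = $svc.SelectSingleNode('certificateValidation')
    if ($cv -and $cv.GetAttribute('certificateValidationMode') -eq 'None') {
        Add-Finding 'INFO' 'certificateValidationMode="None": the signing certificate chain is not checked; trust rests on the thumbprint'
    }
}

if ($findings.Count -eq 0) { Write-Output "$webConfig matches the guide." } else { $findings }
```

FAIL entries are settings the sign-on flow cannot work without; WARN and INFO entries are the guide's own deliberate relaxations (request validation, cookie Secure flag, certificate chain validation) that should be recorded in the change ticket rather than silently accepted.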

Test the configuration

To test the configuration, open the RD Web Access Server page URL directly or from the Identity Platform realm. If the page displays the application icons, sign-on to the RD Web Access application succeeded.

Troubleshooting and common issues

Parameters not passing to the WSFedProvider.aspx page

Issue

Parameters are not passed correctly to the WSFedProvider.aspx page during execution.

Workaround

Do the following instead of Identity Platform configuration step 2:

  1. Set Authenticated User Redirect to Use Custom Redirect.
  2. Set Redirect To to include the WS-Federation parameters as part of the URL (wtrealm is the URL-encoded RD Web Access realm and wctx carries the double-encoded return path), for example:

    Authorized/WSFedProvider.aspx?wa=wsignin1.0&wtrealm=https%3a%2f%2f<RDWebAccessServerURL>%2fRDWeb%2fPages%2f&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fRDWeb%252fPages%252f

ID4175 exception message

Issue

An exception message occurs: "Exception message: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer."

Workaround

In the RD Web Access web.config file, in the <trustedIssuers> entry that is checked when the Identity Platform redirects back to the RD Web Access server after authentication, type the certificate thumbprint and trusted issuer name by hand instead of copying and pasting them. A pasted thumbprint can carry an invisible character (for example, the left-to-right mark copied along with the value from the certificate Details dialog) that prevents the IssuerNameRegistry from matching it.

The thumbprint must still be in ALL CAPS with spaces removed.
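The following PowerShell script is an added example and is not part of the SecureAuth documentation. It covers the thumbprint preparation in RD Web Access configuration step 8 and the ID4175 workaround above: it derives the thumbprint from the downloaded Assertion Signing Certificate, compares it with the value in web.config, and, on a mismatch, lists every non-hex character by code point so a hidden character from a paste becomes visible. Both file paths are assumptions.

```powershell
# Added example: check the trustedIssuers thumbprint against the certificate (not from the SecureAuth docs).
$certPath  = 'C:\Temp\AssertionSigningCertificate.cer'   # assumption: the certificate downloaded in Identity Platform step 4
$webConfig = 'C:\Windows\Web\RDWeb\Pages\web.config'

function Get-NormalizedThumbprint {
    # Keeps hex digits only (drops spaces and hidden marks such as U+200E that the
    # certificate dialog copies) and upper-cases the result, as the guide requires.
    param([string]$Raw)
    (($Raw -replace '[^0-9A-Fa-f]', '')).ToUpperInvariant()
}

function Show-NonHex {
    # Lists every character that is not a hex digit, by code point and Unicode category,
    # so an invisible character that survived the paste can be seen.
    param([string]$Raw)
    foreach ($c in $Raw.ToCharArray()) {
        if ($c -notmatch '[0-9A-Fa-f]') { 'U+{0:X4} ({1})' -f [int]$c, [char]::GetUnicodeCategory($c) }
    }
}

# .NET returns the SHA-1 thumbprint as uppercase hex with no spaces, which is exactly the form WIF expects.
$cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certPath
$expected = $cert.Thumbprint

[xml]$cfg   = Get-Content -Path $webConfig -Raw
$entry      = $cfg.SelectSingleNode('/configuration/microsoft.identityModel/service/issuerNameRegistry/trustedIssuers/add')
$configured = $entry.GetAttribute('thumbprint')

if ($configured -ceq $expected) {
    Write-Output "web.config thumbprint matches $($cert.Subject) ($expected)"
} else {
    Write-Warning "web.config thumbprint '$configured' does not match the certificate ($expected)"
    $bad = Show-NonHex $configured
    if ($bad) { Write-Warning "non-hex characters present: $($bad -join ', ')" }
    if ((Get-NormalizedThumbprint $configured) -ceq $expected) {
        Write-Output 'After normalization the values agree; re-enter the entry as:'
        Write-Output "  <add thumbprint=`"$expected`" name=`"$($entry.GetAttribute('name'))`" />"
    }
}
```

If the normalized value still differs from the certificate's thumbprint, the web.config entry was taken from a different certificate than the one the Identity Platform signs with; re-download the Assertion Signing Certificate from the realm's Post Authentication tab and repeat the comparison.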
