Publish your RDS environment with Azure AD Application Proxy – Part 2


This blog post is the second part in the series about publishing your RDS environment with Azure AD Application Proxy. In the first part I described the improvements made in RDS 2016 and the basic configuration of Azure AD Application Proxy for publishing both the RD Web and RD Gateway roles. That part configured pass-through authentication; this post covers all the changes needed to configure pre-authentication with Azure AD. Once configured, users are redirected to the Azure AD login form and, after a successful logon, land directly in their logged-in RD Web feed.

Let’s first compare Azure AD pre-authentication with pass-through authentication. With both types of authentication the RD Web/Gateway role can stay in your internal network (LAN), so in that respect there is no difference in security. The difference is in who authenticates the user: with pre-authentication you authenticate against Azure AD, or against your local AD through ADFS. If you have a federated domain configured in Azure AD, your ADFS environment is used for authentication; if federation is not configured, Azure AD itself is. In both cases your local Active Directory needs to be synchronized to Azure AD with Azure AD Connect, and the UPN of your users must be the same on-premises and in Azure AD.

The last thing to discuss before we dive into the configuration is Single Sign-On. With pass-through authentication you have Single Sign-On from the moment the user logs in to the RD Web page. With pre-authentication based on Azure AD/ADFS you lose the web SSO you had when using Internet Explorer: each user gets a second login prompt when starting a RemoteApp or session desktop. The reason is that with pass-through authentication the SSO ActiveX component used by RD Web is still in play, whereas with pre-authentication that ActiveX component is not used. Instead, the Application Proxy connector logs the user into the RD Web feed using delegation, so users land in their feed immediately after pre-authentication. If you want more information about this, please let me know. Let’s now dive into the configuration of pre-authentication. I advise you to first follow the steps of part 1 and then continue with the steps below:

  1. First we need to configure an SPN on the computer account of the VM where you installed the Azure AD Application Proxy connector. Open the computer object in the Active Directory Users and Computers tool, go to the Attribute Editor tab and add the SPN:
  2. Now go to the Delegation tab of that computer object and add the SPN to the list of services:
  3. The next step is to configure the SPN and activate pre-authentication in Azure AD Application Proxy. Go to https://manage.windowsazure.com, open your Azure Active Directory and go to the Applications tab. Open the properties of the RD Web application you created in the first part of this series.
  4. Select ‘Azure Active Directory’ as the preauthentication method:
  5. Now select and fill in the information needed for Azure Active Directory authentication:
  6. Save your application by clicking Save in the bar at the bottom.
  7. If you now browse to the URL of your RD Web page, the redirection to the Azure AD login should be active.
  8. The next and last step is to activate Windows Authentication on RD Web. Open the IIS console on your RD Web server.
  9. Activate Windows Authentication in the IIS console:

  10. Edit the file %SYSTEMROOT%\Web\RDWeb\Pages\web.config. Change the following sections:

    Enable:

    <authentication mode="Windows" />
    

    Disable:

    <!--
    <authentication mode="Forms">
    <forms loginUrl="default.aspx" name="TSWAAuthHttpOnlyCookie" protection="All" requireSSL="true" />
    </authentication>
    -->
    

    Disable:

    <!--
    <modules runAllManagedModulesForAllRequests="true">
    <remove name="FormsAuthentication" />
    <add name="RDWAFormsAuthenticationModule" type="Microsoft.TerminalServices.Publishing.Portal.FormAuthentication.TSDomainFormsAuthentication" />
    </modules>
    -->
    

    Change:

    <security>
     <authentication>
     <windowsAuthentication enabled="true" />
     <anonymousAuthentication enabled="false" />
     </authentication>
    </security>
    

  11. Save and close the file and now edit the file %SYSTEMROOT%\Web\RDWeb\Pages\en-us\Default.aspx
    Change:

    public bool bShowPublicCheckBox = false, bPrivateMode = true, bRTL = false;
    

    Save and close this file.
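The SPN, delegation and IIS authentication steps above (1, 2, 8 and 9) can also be scripted. The following PowerShell is an added example, not code from the original post; CONNECTOR01, RDWEB01 and the two host names are placeholders, and it assumes the RD Web site runs under the RD Web server's computer account, so that is where the SPNs are registered (the same approach Tim describes in the comments), with the connector's computer account allowed to delegate to them.

```powershell
# Added example (not from the original post). Placeholders, not values from the post:
#   CONNECTOR01       = computer account of the Azure AD Application Proxy connector VM
#   RDWEB01           = computer account of the RD Web server (holds the HTTP SPNs)
#   rdweb.corp.local  = internal FQDN of the RD Web site (the internal URL in App Proxy)
#   rdweb.contoso.com = external name published through App Proxy
# Requires the ActiveDirectory module (run as a domain admin) for steps 1 and 2,
# and the WebAdministration module on the RD Web server for steps 8 and 9.
Import-Module ActiveDirectory

$connector   = 'CONNECTOR01'
$rdwebServer = 'RDWEB01'
# Register both the internal and the external name, so the delegation works
# whichever host header the connector forwards.
$spns = @('HTTP/rdweb.corp.local', 'HTTP/rdweb.contoso.com')

# Step 1: register the HTTP SPNs on the account that runs the RD Web site.
# setspn -S checks for duplicates in the forest before adding.
foreach ($spn in $spns) {
    setspn.exe -S $spn $rdwebServer | Out-Null
}

# Step 2: constrained delegation with protocol transition on the connector
# computer account: the connector may obtain tickets for the listed SPNs on
# behalf of the pre-authenticated user (this is what the Delegation tab does).
$connectorAccount = Get-ADComputer -Identity $connector
Set-ADComputer -Identity $connectorAccount -Add @{ 'msDS-AllowedToDelegateTo' = $spns }
$connectorAccount | Set-ADAccountControl -TrustedToAuthForDelegation $true

# Verify before continuing: both SPNs listed, protocol transition enabled.
Get-ADComputer -Identity $connector -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation, msDS-AllowedToDelegateTo

# Steps 8 and 9 (run on the RD Web server): switch /RDWeb/Pages from anonymous
# to Windows authentication, the same change the IIS console makes.
Import-Module WebAdministration
$location = 'Default Web Site/RDWeb/Pages'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name enabled -Value $false
```

The web.config and Default.aspx edits of steps 10 and 11 still have to be made as described above.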

Everything should now be in place so let’s test the scenario:

When I enter the URL of my RD Web page I’m sent to the Azure AD login page:

When I enter my username I’m sent to my ADFS environment:

When I enter my credentials and click Login I’m logged in to my RD Web feed:

When I now click on my Desktop I need to enter my credentials:

When my credentials are entered a connection to my desktop is made:

Personally I think pre-authentication with Azure AD/ADFS is the preferred way, because it gives you all the powerful functionality available to Azure AD applications, such as Conditional Access and Multi-Factor Authentication (for RD Web). The following functionality still needs to be fixed to make it the ultimate solution:

  • Support for this authentication in the client apps (iOS and Android). Currently this ADAL login doesn’t work in the Remote Desktop client applications, but works well when using desktop browsers.
  • Single Sign-On still needs to be solved. When that’s fixed, this is the ultimate solution for publishing your RD Web and RD Gateway.

In the next part of the series I want to look into making this solution highly available and share some excellent content published by Microsoft about setting up Azure AD Application Proxy.

14 thoughts on “Publish your RDS environment with Azure AD Application Proxy – Part 2”

  1. Biri

    Hi,

    Thank you for this amazing blogpost.
    Just one question. Is it possible to get more information on why each user gets a second login prompt when starting a RemoteApp or Session Desktop? Why with AAD pre-authentication does the SSO ActiveX component not get used?

    • Arjan Vroege

      Hi Biri,

      Thanks for your comment. The reason that each user gets a second login prompt when using pre-authentication is that the ActiveX component is not able to provide the SSO. The reason why this ActiveX component is not used is that Azure AD pre-authentication is doing SSO based on Windows Authentication (Kerberos Constrained Delegation) and not using the form-based authentication of RDS Web Access. This is the same when using on-premises ADFS to publish your RDS environment.

      Hope this answers your questions.

      Regards, Arjan

  2. Tim

    Thanks for the post, it really helps a lot! Access via Passthrough is working fine, but when I enable pre-authentication, I get an access denied error directly after login in Azure. I confirmed that my login has rights in Azure to access the app, what else should I check? Does the RPC app in Azure also need to be changed to pre-authentication too? Thanks again for your help!

    • Tim

      I think I’ve solved the issue; I created SPNs for both the internal and external names of the RDS server, and made sure both were on the delegation tab of the Proxy Server. Now it’s working! Thanks again!

  3. Josh

    Hi, this has been a great help; however, I seem to be having an issue when the internal RDWeb site loads, as it fails to display all the images. Any ideas on what may be causing this?

  4. Jason

    I’ve been working on setting this up but I noticed something that was not apparent at first glance. This setup is only using Azure AD pre-authentication for the RD Web Access website and using passthrough authentication for the remote desktop application. If someone were to open up Remote Desktop and manually type in the gateway server all Azure authentication (including 2 factor) is bypassed.

  5. Great guide, just used it to set up RDS via Azure AD Application Proxy at my workplace. The only issue is the lack of support for the ADAL login on the Remote Desktop mobile apps, which is really disappointing.

    Is it the Gateway credentials it’s not passing through? Seems odd it doesn’t work as the .rdp file prompts for credentials before connecting (as you’d expect without the RDWeb ActiveX control).

    • Arjan Vroege

      I haven’t tested that but it should work. Do you receive any errors when logging out?

      Regards, Arjan
