This blog post is the second part in the series about publishing your RDS environment with Azure AD Application Proxy. In the first part I described the improvements made to RDS 2016 and the basic configuration of Azure AD Application Proxy for publishing both the RD Web and RD Gateway roles. In the first part we configured pass-through authentication; this post covers all the changes needed to configure pre-authentication with Azure AD. Once configured, users are redirected to the Azure AD login form and, after a successful logon, land directly on their logged-in RD Web feed.
Let’s first compare Azure AD pre-authentication with pass-through authentication. With both types the RD Web/Gateway role can be placed in your internal network (LAN), so the network placement is the same; the difference is that with pre-authentication Azure AD authenticates the user before the connector forwards any request to RD Web, whereas with pass-through authentication every request, including unauthenticated ones, reaches RD Web. For the authentication itself, with pre-authentication you can authenticate against Azure AD or against your on-premises AD through AD FS: if a federated domain is configured in Azure AD, your AD FS environment is used; if federation is not configured, Azure AD is used. In both cases your on-premises Active Directory must be synchronized to Azure AD with Azure AD Connect, and the UPN of each user must be the same on-premises and in Azure AD, because the connector uses that UPN to obtain the Kerberos ticket for the user on the RD Web server.
The last thing to discuss before we dive into the configuration is Single Sign-On. With pass-through authentication you get SSO from the moment the user logs in on the RD Web page. With pre-authentication based on Azure AD/AD FS you lose that Web SSO, even in Internet Explorer: each user gets a second credential prompt when starting a RemoteApp or session desktop. The reason is that with pass-through authentication the SSO ActiveX component used by RD Web hands the password typed into the RD Web form to the Remote Desktop client, and with pre-authentication that ActiveX component is not used. Instead, the Application Proxy connector logs the user in to the RD Web feed by Kerberos constrained delegation, so users land directly on their feed after pre-authentication, but the user never typed a password into RD Web and there is nothing to hand to the Remote Desktop client. If you want more information about this, please let me know. Let’s now dive into the configuration of pre-authentication. I advise you to first follow the steps of part 1 and then continue with the steps below:
- First we need to configure an SPN on the VM where you installed the Azure AD Application Proxy connector. Open the computer object in the Active Directory Users and Computers tool and go to the Attribute Editor tab. Add the SPN (the host name in the SPN must match the internal URL you configured for the application in Application Proxy, and the same SPN string is entered in the Application Proxy settings below):
- Now go to the Delegation tab, choose ‘Trust this computer for delegation to specified services only’ with ‘Use any authentication protocol’ (the connector never receives a Kerberos ticket from the user, so it needs protocol transition), and add the SPN to the list of services:
- The next step is to configure the SPN and activate pre-authentication in Azure AD Application Proxy. Go to https://manage.windowsazure.com, open your Azure Active Directory and go to the Applications tab. Open the properties of the RD Web application you created in the first part of this series.
- Now select ‘Azure Active Directory’ as the preauthentication method:
- Fill in the information needed for Azure Active Directory authentication; the internal application SPN is the one you registered above:
- Save the application by clicking Save in the bar at the bottom.
- If you now browse to the URL of your RD Web page, the redirect to the Azure AD login should be active.
- The next and last step is to activate Windows Authentication on RD Web. Open the IIS console on your RD Web server and enable Windows Authentication (and disable Anonymous Authentication) for the RDWeb/Pages application:
- Edit the file %SYSTEMROOT%\Web\RDWeb\Pages\web.config. Comment out the Forms authentication section and the RDWA forms module, and enable Windows authentication in the security section:

```xml
<!--
<authentication mode="Forms">
  <forms loginUrl="default.aspx" name="TSWAAuthHttpOnlyCookie" protection="All" requireSSL="true" />
</authentication>
-->

<!--
<modules runAllManagedModulesForAllRequests="true">
  <remove name="FormsAuthentication" />
  <add name="RDWAFormsAuthenticationModule" type="Microsoft.TerminalServices.Publishing.Portal.FormAuthentication.TSDomainFormsAuthentication" />
</modules>
-->

<security>
  <authentication>
    <windowsAuthentication enabled="true" />
    <anonymousAuthentication enabled="false" />
  </authentication>
</security>
```
- Save and close the file, then edit the file %SYSTEMROOT%\Web\RDWeb\Pages\en-us\Default.aspx and set bPrivateMode to true, so the line reads:

```csharp
public bool bShowPublicCheckBox = false, bPrivateMode = true, bRTL = false;
```
Save and close this file.
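The on-premises part of the procedure above (SPN, constrained delegation, IIS authentication, web.config and Default.aspx) as one PowerShell script, added here as an example and not taken from the original post; the portal steps for the Application Proxy application remain manual. Host names (rdweb.contoso.local), computer account names (RDWEB01, CONNECTOR01) and the IIS site path are assumptions to replace with your own. One deliberate difference from the manual edit: instead of adding the `<security>` block to web.config, step 3 writes the Windows/Anonymous authentication settings as a location override in applicationHost.config, which has the same effect and also works where IIS keeps those sections locked for web.config.

```powershell
# Added example, not from the original post. Requires RSAT-AD-PowerShell for the
# AD part (run anywhere in the domain with rights on the computer objects) and the
# WebAdministration module for the IIS part (run on the RD Web server itself).

# ---- assumptions: adjust to your environment ----
$RdWebHost       = 'rdweb.contoso.local'   # internal FQDN of RD Web; must equal the Internal URL host in Application Proxy
$RdWebServer     = 'RDWEB01'               # computer account of the RD Web server
$ConnectorServer = 'CONNECTOR01'           # computer account running the Application Proxy connector
$SitePath        = 'Default Web Site/RDWeb/Pages'
$Spn             = "HTTP/$RdWebHost"       # exactly this string goes into the Application Proxy "Internal Application SPN" field

Import-Module ActiveDirectory

# 1. Register the SPN on the account that answers for RD Web (the server's computer
#    account when the app pool runs as ApplicationPoolIdentity or NetworkService).
#    -S refuses to create a duplicate SPN; a duplicate breaks Kerberos for both hosts.
setspn -S $Spn $RdWebServer

# 2. Constrained delegation on the connector machine: "specified services only" plus
#    "use any authentication protocol" (TrustedToAuthForDelegation = protocol transition),
#    because the connector has to request a ticket on behalf of a user who never
#    presented one to it.
Set-ADComputer -Identity $ConnectorServer -Add @{ 'msDS-AllowedToDelegateTo' = $Spn }
Set-ADAccountControl -Identity (Get-ADComputer -Identity $ConnectorServer) -TrustedToAuthForDelegation $true

# Check: the delegation list must contain the SPN entered in Application Proxy, and
# TrustedToAuthForDelegation must be True; unconstrained delegation is NOT what we want.
Get-ADComputer -Identity $ConnectorServer -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation, TrustedForDelegation |
    Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }

# ---- from here on: run on the RD Web server ----
Import-Module WebAdministration

# 3. Windows Authentication on, Anonymous off for /RDWeb/Pages, written as a
#    <location> override in applicationHost.config (equivalent to the <security>
#    block of the manual web.config edit).
$AuthFilter = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SitePath -Filter "$AuthFilter/windowsAuthentication"   -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SitePath -Filter "$AuthFilter/anonymousAuthentication" -Name enabled -Value $false

# 4. web.config: comment out Forms authentication and the RDWA forms module, keeping
#    a backup so the change can be reverted.
$WebConfig = Join-Path $env:SystemRoot 'Web\RDWeb\Pages\web.config'
Copy-Item -Path $WebConfig -Destination "$WebConfig.bak" -Force
$cfg = New-Object System.Xml.XmlDocument
$cfg.PreserveWhitespace = $true
$cfg.Load($WebConfig)
foreach ($xpath in '/configuration/system.web/authentication', '/configuration/system.webServer/modules') {
    $node = $cfg.SelectSingleNode($xpath)
    if ($node) {
        # Replace the element with an XML comment holding its original text.
        $comment = $cfg.CreateComment(" $($node.OuterXml) ")
        [void]$node.ParentNode.ReplaceChild($comment, $node)
    }
}
$cfg.Save($WebConfig)

# 5. Default.aspx: bPrivateMode = true (the shipped file is assumed to read bPrivateMode = false).
$Aspx = Join-Path $env:SystemRoot 'Web\RDWeb\Pages\en-us\Default.aspx'
Copy-Item -Path $Aspx -Destination "$Aspx.bak" -Force
(Get-Content -Path $Aspx) -replace 'bPrivateMode\s*=\s*false', 'bPrivateMode = true' | Set-Content -Path $Aspx

# Final check: both authentication settings as IIS now sees them for the RD Web pages.
Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SitePath -Filter "$AuthFilter/*" -Name enabled |
    Select-Object ItemXPath, Value
```

Run the AD part first and let replication finish before testing; the connector caches the result of its delegation lookups, so a restart of the Microsoft AAD Application Proxy Connector service after changing the computer object saves a confusing round of "it still fails" debugging.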
Everything should now be in place, so let’s test the scenario:
When I enter the URL of my RD Web page I’m sent to the Azure AD login page:
When I enter my username I’m sent to my AD FS environment:
When I enter my credentials and click Login I’m logged in to my RD Web feed:
When I now click on my desktop I need to enter my credentials again (this is the second prompt discussed above):
Once my credentials are entered, a connection to my desktop is made:
Personally I think pre-authentication with Azure AD/AD FS is the preferred way, because it gives you all the functionality available to Azure AD applications, such as Conditional Access and Multi-Factor Authentication, for RD Web. The following needs to be fixed to make it the ultimate solution:
- Support for this authentication in the client apps (iOS and Android). Currently this ADAL login does not work in the Remote Desktop client applications, while it works well from desktops/web browsers.
- Single Sign-On needs to be solved; once that is fixed, this is the ultimate solution to publish your RD Web and RD Gateway.
In the next part of the series I want to look into making this solution highly available and share some excellent content published by Microsoft about setting up Azure AD Application Proxy.