Sunday, January 19, 2014

RDS 2012 R2–Single sign on using Windows Authentication for RDWeb page

WebSSO is great and works beautifully if configured correctly. If you go to https://rdwebserver.company.com/RDWeb, you will be presented with a form-based authentication page.

What if we present the published apps/icons without presenting the form-based authentication page, that is, use Kerberos or NTLM authentication with the logged-on user? This makes sense for internal corporate users: they are already logged in with their domain credentials, so why should they have to log on again?

This post shows how to enable Windows Authentication for RDWeb logon. It’s really easy to do in Windows Server 2012 R2.

  1. Log on to the Remote Desktop Web Access server.
  2. Open Explorer and go to C:\Windows\Web\RDWeb\Pages
  3. Make a backup copy of the web.config file.
  4. Open Notepad as Administrator.
  5. Open C:\Windows\Web\RDWeb\Pages\web.config
  6. Uncomment the Windows Authentication section and comment out the form-based authentication section. The end result looks like this:

    <!--
        To turn on Windows Authentication:
            - uncomment <authentication mode="Windows"/> section
            - and comment out:
            1) <authentication mode="Forms"> section.
            2) <modules> and <security> sections in <system.webServer> section at the end of the file.
            3) Optional: Windows Authentication will work in https.  However, to turn off https, disable 'Require SSL' for both RDWeb and RDWeb/Pages VDIR.
               Launch IIS Manager UI, click on RDWeb VDIR, double click on SSL Settings in the middle pane, uncheck 'Require SSL' and
               click Apply in the top right in the right pane.  Repeat the steps for RDWeb/Pages VDIR.
    -->

    <authentication mode="Windows"/>
   
    <!--
    <authentication mode="Forms">
        <forms loginUrl="default.aspx" name="TSWAAuthHttpOnlyCookie" protection="All" requireSSL="true" />
    </authentication>
    -->
    <webParts>
        <personalization defaultProvider="TSPortalProvider">
            <providers>
                <add name="TSPortalProvider" type="Microsoft.TerminalServices.Publishing.Portal.TSPortalProvider"/>
            </providers>
            <authorization>
                <allow users="*" verbs="enterSharedScope">
                </allow>
            </authorization>
        </personalization>
    </webParts>
    </system.web>
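
The comment at the top of that excerpt also asks for the `<modules>` and `<security>` sections in `<system.webServer>` to be commented out, which is easy to miss. The PowerShell below is an added example, not part of the original post: it parses web.config text and reports which of those sections are still active. The function name `Test-RDWebAuthConfig` and the sample XML are constructed for illustration.

```powershell
# Added example: read-only check of the web.config edit described above.
# Test-RDWebAuthConfig is a hypothetical helper name, not a built-in cmdlet.
function Test-RDWebAuthConfig {
    param([Parameter(Mandatory)][string]$ConfigXml)

    # Parse as XML: sections that are commented out become comment nodes,
    # so the XPath queries below only match sections that are still active.
    $xml = New-Object System.Xml.XmlDocument
    $xml.LoadXml($ConfigXml)

    $modes = @($xml.SelectNodes('//system.web/authentication') |
               ForEach-Object { $_.GetAttribute('mode') })
    $modulesActive  = $null -ne $xml.SelectSingleNode('//system.webServer/modules')
    $securityActive = $null -ne $xml.SelectSingleNode('//system.webServer/security')

    [pscustomobject]@{
        AuthenticationModes   = $modes
        ModulesSectionActive  = $modulesActive
        SecuritySectionActive = $securityActive
        # True only when the file follows its own instructions: exactly one
        # active <authentication>, set to Windows, and both <modules> and
        # <security> commented out.
        ConsistentWindowsAuth = ($modes.Count -eq 1 -and
                                 $modes[0] -eq 'Windows' -and
                                 -not $modulesActive -and
                                 -not $securityActive)
    }
}

# Constructed sample (not the real RDWeb file): Forms is commented out and
# Windows is enabled, but <modules> in <system.webServer> was left active.
$sample = @'
<configuration>
  <system.web>
    <authentication mode="Windows"/>
    <!-- <authentication mode="Forms"><forms loginUrl="default.aspx"/></authentication> -->
  </system.web>
  <system.webServer>
    <modules />
    <!-- <security>...</security> -->
  </system.webServer>
</configuration>
'@
Test-RDWebAuthConfig -ConfigXml $sample

# Against the real file (path from the post):
# Test-RDWebAuthConfig -ConfigXml (Get-Content -Raw 'C:\Windows\Web\RDWeb\Pages\web.config')
```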

That’s all, BUT there is one more thing. Since we don’t use form-based authentication, how would you specify whether the session is Public or Private? On the RDWeb page there is a check box to make the RDWeb sessions private. It shows up at the bottom of the page.

I made Private checked by default, since all my users are internal (and I have a different Remote Desktop Web Access server for external users with form-based authentication). To make that happen, follow the steps below.

  1. Log on to the Remote Desktop Web Access server.
  2. Open Explorer and go to C:\Windows\Web\RDWeb\Pages\en-US
  3. Make a backup copy of the Desktops.aspx file.
  4. Open Notepad as Administrator.
  5. Open C:\Windows\Web\RDWeb\Pages\en-US\Desktops.aspx
  6. Change the variable bPrivateMode to true (from false). The modified variable line looks like this:

    public bool bShowPublicCheckBox = false, bPrivateMode = true, bRTL = false;

Private mode is now checked by default.

Hope this helps you. Enjoy!!
