Remote Desktop (RD) Web Access Server (2012 R2) Integration Guide

Introduction

Use this guide to enable secure, single sign-on (SSO) access via WS-Federation to Remote Desktop (RD) Web Access Server (2012 R2).

Prerequisites

1. Have RD Web Access Server (2012 R2) installed and operational
2. Create a new realm in the SecureAuth IdP Web Admin for the RD Web Access Server integration
3. Configure the SecureAuth IdP realm to pass a UPN claim to RD Web Access Server as the identity (Data Store tab)
Windows Identity Foundation (WIF) Configuration Steps

Windows Identity Foundation (WIF) is a Microsoft framework used to build identity-aware applications. It is a core component that must be installed on both the RD Web Access and SecureAuth IdP servers before configuration.

1. To install WIF on the RD Web Access server, download WIF from Microsoft's Download Center. On Windows Server 2012 R2 and later, install the Windows Identity Foundation 3.5 feature through the Roles and Features installer instead.

Modify the c2wtshost.exe.config File

2. Run Notepad as Administrator and open C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config
3. Add the following lines to the existing <windowsTokenService> configuration (the default file already contains an empty <allowedCallers> block with a <clear /> element; add the <add> line inside it rather than creating a second block). The <clear /> keeps the caller list restricted to what is listed explicitly, so only the RD Web Access application pool identity can ask C2WTS for a Windows token:

   <allowedCallers>
     <clear />
     <add value="IIS APPPOOL\RDWebAccess" />
   </allowedCallers>

4. Save the file

Enable the Claims to Windows Token Service (C2WTS)

5. On the RD Web Access server, open services.msc
6. In the list of services, right-click Claims to Windows Token Service and select Properties
7. Set the Startup type to Automatic
8. Click Start to begin the service

Set the Claims to Windows Token Service (C2WTS) to start after the Cryptographic Services service

Per Microsoft, make sure that the Cryptographic Services service is guaranteed to start before C2WTS by explicitly adding the following dependency to the service definition:

9. Open a command prompt as Administrator
10. Type sc config c2wts depend= CryptSvc (the space after depend= is required by sc)
11. Select Start > Run > services.msc to open the Services console
12. Find the Claims to Windows Token Service
13. Open the Properties for the service
14. On the Dependencies tab, verify that Cryptographic Services is listed
15. Click OK
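The WIF and C2WTS steps above, collected into one script. This is an added example and not part of the SecureAuth guide; it assumes an elevated PowerShell session on the RD Web Access server, the application pool identity IIS APPPOOL\RDWebAccess used by the guide, and the default layout of c2wtshost.exe.config (<configuration><windowsTokenService><allowedCallers>).

```powershell
# Added example (not from the SecureAuth guide): automates the WIF / C2WTS steps above.
# Run in an elevated PowerShell session on the RD Web Access server (Windows Server 2012 R2).
# Assumptions: the RD Web Access application pool is "RDWebAccess" and c2wtshost.exe.config
# has its default <configuration><windowsTokenService><allowedCallers> layout.
$ErrorActionPreference = 'Stop'

$appPoolIdentity = 'IIS APPPOOL\RDWebAccess'
$c2wtsConfig     = 'C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config'

# Step 1: on Server 2012 R2 WIF 3.5 is a feature, not a separate download.
$wif = Get-WindowsFeature -Name Windows-Identity-Foundation
if (-not $wif.Installed) {
    Install-WindowsFeature -Name Windows-Identity-Foundation | Out-Null
}

# Steps 2-4: allow only the RD Web Access app pool to call C2WTS. <clear /> keeps the list
# limited to explicit entries; do not add broad groups such as NT AUTHORITY\Authenticated Users.
Copy-Item -Path $c2wtsConfig -Destination "$c2wtsConfig.bak" -Force
[xml]$cfg = Get-Content -Path $c2wtsConfig -Raw
$callers = $cfg.SelectSingleNode('/configuration/windowsTokenService/allowedCallers')
if (-not $callers) { throw 'allowedCallers element not found in c2wtshost.exe.config' }
if (-not $callers.SelectSingleNode('clear')) {
    $callers.PrependChild($cfg.CreateElement('clear')) | Out-Null
}
if (-not $callers.SelectSingleNode("add[@value='$appPoolIdentity']")) {
    $add = $cfg.CreateElement('add')
    $add.SetAttribute('value', $appPoolIdentity)
    $callers.AppendChild($add) | Out-Null
}
$cfg.Save($c2wtsConfig)

# Steps 5-8: automatic start.
Set-Service -Name c2wts -StartupType Automatic

# Steps 9-10: C2WTS must start after Cryptographic Services (note the space after "depend=").
sc.exe config c2wts depend= CryptSvc | Out-Null
Start-Service -Name c2wts

# Steps 11-15: verify the dependency and the allowed caller actually took effect.
$svc = Get-Service -Name c2wts
if ($svc.ServicesDependedOn.Name -notcontains 'CryptSvc') {
    throw 'C2WTS does not list CryptSvc as a dependency'
}
[xml]$check = Get-Content -Path $c2wtsConfig -Raw
if (-not $check.SelectSingleNode("/configuration/windowsTokenService/allowedCallers/add[@value='$appPoolIdentity']")) {
    throw "Allowed caller '$appPoolIdentity' is not present in c2wtshost.exe.config"
}
Write-Host "C2WTS configured: Status=$($svc.Status), StartType=Automatic, DependsOn=CryptSvc"
```

The script edits the file through the XML DOM rather than by string replacement, so it is safe to re-run: an existing <clear /> or an existing <add> for the app pool is left alone, and the backup copy lets you diff the result against what the installer shipped.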
SecureAuth IdP Configuration Steps

Important: these instructions expect the correct attributes to be passed to WSFedProvider.aspx. In some cases, however, it may be necessary to use the custom redirect page and pass the parameters directly (see Parameters Troubleshooting below).

Post Authentication

1. Select WS-Federation Assertion from the Authenticated User Redirect dropdown in the Post Authentication section. An unalterable URL (Authorized/WSFedProvider.aspx) is auto-populated in the Redirect To field; at runtime it is appended to the domain name and realm number shown in the address bar.

User ID Mapping

2. Select Authenticated User ID from the User ID Mapping dropdown
SAML Assertion / WS Federation

3. Set the WSFed Reply To/SAML Target URL to https://<rdweb-fqdn>/rdweb/pages/
4. Set the WSFed/SAML Issuer to the Fully Qualified Domain Name (FQDN) of the SecureAuth IdP appliance followed by the current RD Web Access integration realm, e.g. https://secureauth.company.com/secureauth2
5. Set the SAML Audience to urn:microsoft:rdweb. No configuration is required for the SAML Consumer URL or SAML Recipient fields
6. Leave the Signing Cert Serial Number and Assertion Signing Certificate as default, unless using a third-party certificate. Click Select Certificate to choose a different certificate
7. Download the Assertion Signing Certificate, which is used in the RD Web Access Configuration Steps below
8. In the Attribute 2 section, set Name to UPN
9. Set Namespace (1.1) to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
10. Select Basic from the Format dropdown
11. Select Authenticated User ID from the Value dropdown

Click Save once the configurations have been completed and before leaving the Post Authentication page to avoid losing changes.

(Optional) Parameters Troubleshooting

If parameters are not passed to the WSFedProvider.aspx page correctly during execution, change the Authenticated User Redirect to Use Custom Redirect, then set the Redirect To field to include the required parameters, for example:

Authorized/WSFedProvider.aspx?wa=wsignin1.0&wtrealm=https%3a%2f%2f<rdweb-fqdn>%2fRDWeb%2fPages%2f&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fRDWeb%252fPages%252f

Here wa=wsignin1.0 requests a sign-in, wtrealm is the URL-encoded RD Web Access realm (it must equal the realm value configured in the RD Web Access web.config), and wctx is a query string of its own (rm=0&id=passive&ru=/RDWeb/Pages/) that is encoded as a whole, which is why the slashes in ru appear as %252f (an encoded %2f).
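The custom redirect value from the Parameters Troubleshooting note, built and decoded in PowerShell so the two layers of URL encoding are visible. This is an added example, not code from SecureAuth or the guide; the FQDN rdweb.company.com is a placeholder.

```powershell
# Added example (not from the SecureAuth guide): builds the custom "Redirect To" value shown in
# the troubleshooting note for a given RD Web Access FQDN, then decodes it again layer by layer.
Add-Type -AssemblyName System.Web

function New-RdWebCustomRedirect {
    param([Parameter(Mandatory)][string]$RdWebFqdn)

    # wtrealm must be the same string as the realm attribute in the RD Web Access web.config.
    $wtrealm = "https://$RdWebFqdn/RDWeb/Pages/"

    # wctx is a query string of its own. Its ru value is URL-encoded first; then the whole wctx
    # string is encoded again when placed in the outer query string, which yields %252F for the
    # slashes in ru (the guide's example uses lowercase hex, which is equivalent).
    $ru   = [Uri]::EscapeDataString('/RDWeb/Pages/')
    $wctx = "rm=0&id=passive&ru=$ru"

    $query = @(
        'wa=wsignin1.0'
        'wtrealm=' + [Uri]::EscapeDataString($wtrealm)
        'wctx='    + [Uri]::EscapeDataString($wctx)
    ) -join '&'
    return "Authorized/WSFedProvider.aspx?$query"
}

function Show-RdWebCustomRedirect {
    param([Parameter(Mandatory)][string]$Redirect)
    $queryString = $Redirect.Substring($Redirect.IndexOf('?') + 1)
    $outer = [System.Web.HttpUtility]::ParseQueryString($queryString)   # decodes one layer
    $inner = [System.Web.HttpUtility]::ParseQueryString($outer['wctx']) # decodes the wctx layer
    [pscustomobject]@{
        wa      = $outer['wa']
        wtrealm = $outer['wtrealm']   # https://<fqdn>/RDWeb/Pages/
        rm      = $inner['rm']        # 0
        id      = $inner['id']        # passive
        ru      = $inner['ru']        # /RDWeb/Pages/ (return URL after sign-in)
    }
}

$redirect = New-RdWebCustomRedirect -RdWebFqdn 'rdweb.company.com'   # placeholder FQDN
$redirect
Show-RdWebCustomRedirect -Redirect $redirect
```

If the decoded wtrealm does not match the realm attribute you later put in web.config character for character (scheme, host, path and trailing slash), WIF will reject the sign-in response, so compare the output of Show-RdWebCustomRedirect against that file rather than trusting the string by eye.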
RD Web Access Configuration Steps

Update the RDWebAccess Application Pool

1. Open the Internet Information Services (IIS) Manager
2. Click on Application Pools
3. Right-click on the RDWebAccess pool and select Advanced Settings
4. Set the Load User Profile option to True

Update the RD Web Access web.config

Make a backup of the existing web.config file before any modifications.

5. On Server 2012 R2, run Notepad as Administrator and open C:\Windows\Web\RDWeb\Pages\web.config
6. At the top of the file, directly after <configuration>, add the following lines (element and type names are case-sensitive):

   <!-- SecureAuth -->
   <configSections>
     <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
   </configSections>
   <!-- /SecureAuth -->

7. Under the <system.web> tag, add the following lines. They turn off ASP.NET request validation so that the WS-Federation response, which arrives as XML in the POSTed wresult form field, is not rejected as potentially dangerous input. Note that this disables request validation for every page covered by this web.config, not only for the sign-in handler:

   <!-- SecureAuth -->
   <httpRuntime requestValidationMode="2.0" />
   <pages validateRequest="false" />
   <!-- /SecureAuth -->

8. Under the <system.web> tag, modify or add the <authorization> and <authentication> tags so that they read as follows. Anonymous users (?) are denied, which is what triggers the redirect to SecureAuth IdP, and ASP.NET's own authentication is set to None because the WIF modules now establish the identity:

   <!-- SecureAuth -->
   <authorization><deny users="?" /></authorization>
   <authentication mode="None" />
   <!-- /SecureAuth -->

9. Alter the <modules> tag (in the <system.webServer> section) to match:

   <modules runAllManagedModulesForAllRequests="true">

10. Within the <modules> section, add the following lines:
   <!-- SecureAuth -->
   <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
   <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
   <!-- /SecureAuth -->

11. In the RD Web Access application, provide the certificate thumbprint from the Assertion Signing Certificate downloaded from the SecureAuth IdP Web Admin earlier (SecureAuth IdP Configuration step 7)

Create the certificate thumbprint:
1. Open the Assertion Signing Certificate and select the Details tab
2. Copy the Thumbprint value and paste it into Notepad (it goes in the thumbprint attribute of the <trustedIssuers> entry in the code below)
IMPORTANT: In Notepad, be sure to remove all spaces and change all letters to UPPERCASE. The result must be exactly 40 hexadecimal characters; a leftover space, or the invisible left-to-right mark that the certificate dialog sometimes copies in front of the value, is a common reason the issuer is not trusted.

12. Under </runtime>, add the following lines:
Replace the values between the @@@ markers (the second <audienceUris> entry, the issuer and realm attributes of <wsFederation>, and the thumbprint and name attributes of the trusted issuer) with the actual values:
- <secureauth-fqdn>/<rdweb-integrated-realm>: the FQDN of the SecureAuth IdP appliance followed by the RD Web Access-integrated realm, e.g. secureauth.company.com/secureauth2
- <rdweb-fqdn>: the actual FQDN of the RD Web Access Server
The issuer value in the code must match the WSFed/SAML Issuer value set in the SecureAuth IdP Web Admin (SecureAuth IdP Configuration step 4)
Delete the @@@ symbols from the code after entering the proper values
   <!-- SecureAuth -->
   <microsoft.identityModel>
     <service>
       <audienceUris>
         <add value="urn:microsoft:rdweb" />
         <add value="@@@https://<rdweb-fqdn>/rdweb/pages/@@@" />
       </audienceUris>
       <securityTokenHandlers>
         <remove type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
         <add type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
           <sessionTokenRequirement useWindowsTokenService="true" />
         </add>
         <add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
           <!-- The UPN claim from the SAML 1.1 token is mapped to a Windows identity through C2WTS -->
           <samlSecurityTokenRequirement mapToWindows="true" useWindowsTokenService="true" />
         </add>
       </securityTokenHandlers>
       <federatedAuthentication>
         <!-- issuer: where unauthenticated users are redirected; realm: must equal wtrealm and the audience URI above -->
         <wsFederation passiveRedirectEnabled="true" issuer="@@@https://<secureauth-fqdn>/<rdweb-integrated-realm>/@@@" realm="@@@https://<rdweb-fqdn>/rdweb/pages/@@@" requireHttps="true" />
         <!-- requireSsl="false" allows the WIF session cookie over plain HTTP; set it to "true" unless the site must also be reachable without TLS -->
         <cookieHandler requireSsl="false" />
       </federatedAuthentication>
       <applicationService>
       </applicationService>
       <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
         <trustedIssuers>
           <!-- thumbprint: 40 uppercase hexadecimal characters, no spaces; name: the SecureAuth realm URL from step 4 -->
           <add thumbprint="@@@A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6ABCD@@@" name="@@@https://<secureauth-fqdn>/<rdweb-integrated-realm>@@@" />
         </trustedIssuers>
       </issuerNameRegistry>
       <!-- Chain and revocation checking of the signing certificate is skipped; trust rests entirely on the pinned thumbprint above, so update it whenever the SecureAuth signing certificate is rolled -->
       <certificateValidation certificateValidationMode="None" />
     </service>
   </microsoft.identityModel>
   <!-- /SecureAuth -->
13. Save the web.config file

To test the configuration, access the RD Web Access Server page URL directly or from the SecureAuth IdP realm. You should be redirected to SecureAuth IdP if not already signed in there, and then returned to RD Web Access. If the page showing the application (RemoteApp) icons appears, access into the RD Web Access application was successful.
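The RD Web Access side of the procedure, automated and checked before the first test. This is an added example and not part of the SecureAuth guide. It assumes an elevated PowerShell session on the RD Web Access server, that the downloaded Assertion Signing Certificate was saved as C:\Temp\secureauth-signing.cer (a placeholder path), that the application pool is named RDWebAccess, and that the WIF modules were added under <system.webServer><modules> in the Pages web.config.

```powershell
# Added example (not from the SecureAuth guide). Run elevated on the RD Web Access server after
# editing web.config as described above. Assumptions (placeholders, not from the guide): the
# Assertion Signing Certificate was saved as C:\Temp\secureauth-signing.cer, the app pool is
# "RDWebAccess", and the WIF modules live under <system.webServer><modules>.
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration

$webConfig = 'C:\Windows\Web\RDWeb\Pages\web.config'
$cerPath   = 'C:\Temp\secureauth-signing.cer'

# Steps 1-4: Load User Profile = True on the RDWebAccess pool.
Set-ItemProperty -Path 'IIS:\AppPools\RDWebAccess' -Name processModel.loadUserProfile -Value $true

# Step 11: take the thumbprint from the certificate itself. X509Certificate2.Thumbprint is already
# 40 uppercase hex characters with no spaces, so there is nothing to clean up by hand.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
$thumbprint = $cert.Thumbprint
Write-Host "Signing cert: $($cert.Subject), thumbprint $thumbprint, valid until $($cert.NotAfter)"

# Pre-flight the edited web.config for the mistakes the guide warns about.
function Test-RdWebWifConfig {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    $problems = @()
    $raw = Get-Content -Path $Path -Raw
    if ($raw -match '@@@') { $problems += 'placeholder markers @@@ are still present' }

    # Unreplaced placeholders such as <rdweb-fqdn> inside attribute values are not valid XML.
    try { [xml]$x = $raw } catch { return ,($problems + "web.config does not parse as XML: $($_.Exception.Message)") }

    $svc = $x.SelectSingleNode('/configuration/microsoft.identityModel/service')
    if (-not $svc) { return ,($problems + '<microsoft.identityModel><service> section not found') }

    if (-not $svc.SelectSingleNode("audienceUris/add[@value='urn:microsoft:rdweb']")) {
        $problems += 'audienceUris does not contain urn:microsoft:rdweb'
    }
    $fed = $svc.SelectSingleNode('federatedAuthentication/wsFederation')
    if (-not $fed -or $fed.GetAttribute('requireHttps') -ne 'true') {
        $problems += 'wsFederation requireHttps is not "true"'
    }
    foreach ($t in $svc.SelectNodes('issuerNameRegistry/trustedIssuers/add')) {
        $tp = $t.GetAttribute('thumbprint')
        if ($tp -cnotmatch '^[0-9A-F]{40}$') {
            $problems += "thumbprint '$tp' is not 40 uppercase hex characters (check for spaces or hidden characters)"
        } elseif ($tp -ne $ExpectedThumbprint) {
            $problems += "thumbprint $tp does not match the downloaded certificate ($ExpectedThumbprint)"
        }
        # The guide sets the wsFederation issuer and the trusted issuer name to the same SecureAuth realm URL.
        if ($fed -and $t.GetAttribute('name').TrimEnd('/') -ne $fed.GetAttribute('issuer').TrimEnd('/')) {
            $problems += "trusted issuer name '$($t.GetAttribute('name'))' differs from wsFederation issuer '$($fed.GetAttribute('issuer'))'"
        }
    }
    foreach ($m in 'WSFederationAuthenticationModule', 'SessionAuthenticationModule') {
        if (-not $x.SelectSingleNode("/configuration/system.webServer/modules/add[@name='$m']")) {
            $problems += "module $m is not registered under <system.webServer><modules>"
        }
    }
    return ,$problems
}

$issues = @(Test-RdWebWifConfig -Path $webConfig -ExpectedThumbprint $thumbprint)
if ($issues.Count -eq 0) {
    Write-Host 'web.config pre-flight passed; recycling the RDWebAccess pool to load it'
    Restart-WebAppPool -Name RDWebAccess
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```

Because certificateValidationMode="None" leaves the thumbprint as the only thing that binds RD Web Access to SecureAuth IdP, the comparison against the downloaded certificate is the check worth keeping in a scheduled job: when the SecureAuth signing certificate is rolled, this is the step that tells you web.config still pins the old one.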