Adding RD Web Access (Server 2012)

This document will step through the process to accomplish the implementation and configuration of AuthAnvil Single Sign On for RD Web Access. This document assumes that a working RD Web implementation is already in place.

Note: This integration is not compatible with Server 2012r2

Step 1 – Ensure that Windows Identity Foundation (WIF) is installed on RD Web server

Windows Identity Foundation (WIF) is a Microsoft framework for building identity-aware applications. It is a core component in configuring RD Web for Single Sign On and will need to be in place before proceeding.

In Server 2012 this is installed as a Windows Feature. Open Server Manager and under Features make sure the box for Windows Identity Foundation 3.5 is checked.


Step 2 – Modify the C2WTShost.exe.config File

  1. Run notepad elevated (Run as Administrator) and open C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config
  2. Add the following BOLDED line to the existing configuration to allow the RD Web application pool access as an allowed caller:
        <clear />
        <add value="IIS APPPOOL\RDWebAccess" />
  3. Save the file

Step 3 – Enable the C2WTS Service.

    1. Open services.msc
    2. In the list of services look for Claims to Windows Token Service
    3. Right-click on this service and select Properties
    4. Ensure the Startup type is set to Automatic
    5. Ensure the service is started by clicking Start if it is not greyed out.

Note: If the service fails to start then the c2wtshost.exe.config is not properly configured. Please review Step 2 or contact Scorpion Software Support.

Step 4 – Configure the RD Web Application in your AAoD tenant.

  1. Select Directory Manager.
  2. Select Groups.
  3. Select the green plus sign in the bottom right corner.
  4. Name the Group RD Web Users.
    Note: If you have other existing Groups for SSO users you can use one of these as well.
  5. Select ADD GROUP.
  6. Select SSO Manager.
  7. Select the green plus sign in the bottom right corner.
  8. Select the Catalog Icon.
  9. Select Custom Application from the Catalog.
  10. Select Application is Enabled.
  11. Name the Application RD Web.
  12. Select the Authentication Policy you want to use.
  13. Select Protocol Configuration.
  14. Select Protocol Type WS-Federation
  15. Set the Reply to URL as https://<your RD Web domain>/RDWeb/Pages/
  16. Set the Audience URI as urn:microsoft:rdweb
  17. Token lifetime: 60
  18. Select Attribute Transformation
  19. Select specify custom attribute
  20. Select Add Custom Attribute Map.
    Attribute Value: {Email}
    Issue as type:
    Note: This attribute allows AuthAnvil SSO to use the UserName on your 2FA account as the login value.
  21. Select Add Mapping.
  22. Select Add Application.
  23. Select Permissions.
  24. Select Add Groups.
    Select the Group you chose in Step 4.
  25. Select Signing and Encryption.
  26. Select Copy.
    Copy the encoded certificate like this sample including the 
    -----END CERTIFICATE-----
    Note: Save this using a notepad document using a .CER file type. You will need this for the RD Web portion of the configuration.
  27. Select Save Changes.


Step 5 – Update the RDWebAccess Application Pool

  1. Open up Internet Information Services (IIS) Manager
  2. Click on Application Pools
  3. Right-click on the RDWebAccess pool and select Advanced Settings
  4. Set Load User Profile to True

Step 6 – Update the RDWA web.config

Note: Make a back up of all web.config files before any modifications are made. The original web.config files can be used to restore your original settings using username/password authentication.

  1. Run notepad elevated (Run as Administrator) and open C:\Windows\Web\RDWeb\Pages\web.config

  2. At the top of the file, after <configuration> add the following lines:
      <!-- SSO -->
        <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      <!-- /SSO -->

  3. Add the following lines immediately after the <system.web> tag:
    <!-- SSO -->
    < httpRuntime requestValidationMode="2.0" />
    < pages validateRequest="false" />
    < !-- /SSO -->

  4. Modify (or add) the <authorization> and <authentication> tags below the <system.web> tag to reflect the following lines:
      <!-- SSO -->
      <authorization><deny users="?" /></authorization>
      <authentication mode="None" />
      <!-- /SSO -->

    Note: You may need to comment out several lines of code by putting
    <!-- <authentication mode="Forms"> and closing the comment with </authentication> -->

  5. Find the <modules> tag and make sure it matches
    <modules runAllManagedModulesForAllRequests=”true”>

  6. After the <modules> section add the following lines:
    <!-- SSO -->
      <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
      <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
    < !-- /SSO -->

  7. Get the certificate “Thumbprint” from the AuthAnvil SSO signing certificate in the RD Web application. Use the certificate from the above section.
  8. Add the following lines right after </runtime> (near the end of the file). Note that the values in red must be entered to match your RDWA and AuthAnvil SSO server configuration:
    <!-- SSO -->
            <add value="urn:microsoft:rdweb" />
            <add value="https://<Your RD Web domain>/RDWeb/Pages/" /> <!-- EDIT THIS -->
          <remove type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
          <add type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
            <sessionTokenRequirement useWindowsTokenService="true"/>
          <add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
            <samlSecurityTokenRequirement mapToWindows="true" useWindowsTokenService="true" />
          <wsFederation passiveRedirectEnabled="true" issuer="https://<Your AuthAnvil SSO domain>/SSO/federation/passive/wsfed" realm="https://<Your RD Web domain>/RDWeb/Pages/" requireHttps="true" /> <!-- EDIT THIS -->
          <cookieHandler requireSsl="false" />
        <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
            <add thumbprint="<Certificate Thumbprint from previous step>" name="<Token Issuer Name* from SSO tab>" /> <!-- EDIT THIS -->
        <certificateValidation certificateValidationMode="None" />
    < !-- /SSO -->
    Note: The Token Issuer Name can be found in the AuthAnvil Manager -> Single Sign On -> Server Settings.
  9. Save the file.


Verifying Functionality

Once the configuration is complete, you should test that everything is working as expected. Log into the SSO Launchpad with a user that is authorized to access RD Web and attempt to click on the “RD Web” application. You should automatically be redirected to your RD Web Access dashboard.

Have more questions? Submit a request


Article is closed for comments.