Single Sign On for RD Web Access

Note: This integration is not compatible with Server 2016.

Note: Before attempting this integration ensure that all noted config files are backed up safely.

Ensure that Windows Identity Foundation (WIF) is installed on RD Web server

Windows Identity Foundation (WIF) is a Microsoft framework for building identity-aware applications. It is a core component in configuring RD Web for Single Sign On and will need to be in place before proceeding.

In Server 2012 this is installed as a Windows Feature. Open Server Manager and under Features make sure the box for Windows Identity Foundation 3.5 is checked.

Modify the C2WTShost.exe.config File

  1. Run notepad elevated (Run as Administrator) and open C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config
  2. Add the <add value="IIS APPPOOL\RDWebAccess" /> line (the second line below; the <clear /> line is already present) to the existing <allowedCallers> list, so that the RD Web application pool is an allowed caller:
        <clear />
        <add value="IIS APPPOOL\RDWebAccess" />
  3. Save the file

Enable the C2WTS Service

    1. Open services.msc
    2. In the list of services look for Claims to Windows Token Service
    3. Right-click on this service and select Properties
    4. Ensure the Startup type is set to Automatic
    5. Ensure the service is started by clicking Start if it is not greyed out.

Note: If the service fails to start then the c2wtshost.exe.config is not properly configured. Please review Step 2 or contact Scorpion Software Support.


Setting up RDWeb in your On-Demand Tenant

  1. Select Directory Manager.
  2. Select Groups.
  3. Select the green plus sign in the bottom right corner.
  4. Name the Group RDWeb Users.
    Note: If you have other existing Groups for SSO users you can use one of these as well.
  5. Select ADD GROUP.
  6. Select SSO Manager.
  7. Add (+) Application from catalog and click on Remote Desktop Web Access.
  8. Check the Application is Enabled box.
  9. Make sure it is assigned to a policy that is appropriate.
  10. In the Protocol Setup tab, edit the Reply to URI and the Audience URI, and change them both to "https://<your RDWeb domain>/RDWeb/Pages/". Case and the terminating slash are important: the value must match the realm and audience URI you later enter in web.config exactly.
  11. Once your configuration is complete, click Save Changes and Add Application.
  12. Click into the RD Web application that we just created to modify the attribute settings.
  13. At the top of the Application Settings click Attribute Transformation and confirm that the following is set:
    • Attribute Name:
    • Value: {Email}
  14. This attribute allows AuthAnvil SSO to use the UserName on your 2FA account as the login value.

Update the RDWebAccess Application Pool

  1. Open up Internet Information Services (IIS) Manager
  2. Click on Application Pools
  3. Right-click on the RDWebAccess pool and select Advanced Settings
  4. Set Load User Profile to True


Update the RDWA web.config

Note: Make a backup of all web.config files before any modifications are made. The original web.config files can be used to restore your original settings using username/password authentication.

  1. Run notepad elevated (Run as Administrator) and open C:\Windows\Web\RDWeb\Pages\web.config

  2. At the top of the file, immediately after the opening <configuration> tag, add the following lines. If the file already contains a <configSections> element, add only the <section> line inside it, since <configSections> must be the first child of <configuration> and may appear only once:
      <!-- SSO -->
      <configSections>
        <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </configSections>
      <!-- /SSO -->

  3. Add the following lines immediately after the <system.web> tag:
    <!-- SSO -->
    <httpRuntime requestValidationMode="2.0" />
    <pages validateRequest="false" />
    <!-- /SSO -->

  4. Modify (or add) the <authorization> and <authentication> tags below the <system.web> tag to reflect the following lines:
      <!-- SSO -->
      <authorization><deny users="?" /></authorization>
      <authentication mode="None" />
      <!-- /SSO -->

    Note: You may need to comment out several lines of code by putting <!-- <authentication mode="Forms"> and closing the comment with </authentication> -->

  5. Find the <modules> tag and make sure it matches <modules runAllManagedModulesForAllRequests="true">

  6. After the <modules> section add the following lines:
    <!-- SSO -->
      <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
      <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
    <!-- /SSO -->

  7. Get the certificate "Thumbprint" from the AuthAnvil SSO signing certificate in the RD Web application.
      • In the AuthAnvil Manager, click on the Single Sign On tab
      • Expand Applications and click on the RD Web Application.
      • Expand the Certificate Authority tab and look under THUMBPRINT. This is the certificate thumbprint for this application. Take note of this value for the next step.


  8. Add the following lines right after </runtime> (near the end of the file), as a new <microsoft.identityModel> section directly under <configuration>. The lines marked EDIT THIS must be changed to match your RDWA and AuthAnvil SSO server configuration:

    <!-- SSO -->
    <microsoft.identityModel>
      <service>
        <audienceUris>
          <add value="urn:microsoft:rdweb" />
          <add value="https://<Your RD Web domain>/RDWeb/Pages/" /> <!-- EDIT THIS -->
        </audienceUris>
        <securityTokenHandlers>
          <remove type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
          <add type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
            <sessionTokenRequirement useWindowsTokenService="true" />
          </add>
          <add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
            <samlSecurityTokenRequirement mapToWindows="true" useWindowsTokenService="true" />
          </add>
        </securityTokenHandlers>
        <federatedAuthentication>
          <wsFederation passiveRedirectEnabled="true" issuer="https://<your AuthAnvil On-Demand home realm>/trust/launch" realm="https://<Your RD Web domain>/RDWeb/Pages/" requireHttps="true" /> <!-- EDIT THIS -->
          <cookieHandler requireSsl="false" />
        </federatedAuthentication>
        <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
          <trustedIssuers>
            <add thumbprint="<Certificate Thumbprint from previous step>" name="<Token Issuer Name from SSO tab>" /> <!-- EDIT THIS -->
          </trustedIssuers>
        </issuerNameRegistry>
        <certificateValidation certificateValidationMode="None" />
      </service>
    </microsoft.identityModel>
    <!-- /SSO -->

    The Token Issuer Name can be found in the SSO Manager tab -> Remote Desktop Web Access -> Signing and Encryption. The realm and the https audience URI must be identical to the Reply to URI and Audience URI configured in the tenant (same case, same terminating slash).
    Example: CN=<homerealm> Signing Certificate

  9. Save the file.
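As an added example (not part of this article and not an AuthAnvil tool), the Python check below parses the <microsoft.identityModel> block written in step 8 and flags the mistakes this procedure is sensitive to: an RDWeb audience or realm that differs in case or trailing slash, a realm not listed verbatim as an audience, requireHttps not set, a badly pasted thumbprint, and the two settings the article leaves weak (certificateValidationMode="None" and cookieHandler requireSsl="false"). The hostnames and thumbprint in the sample are made up.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the step 8 block with made-up values in place of the
# placeholders; attributes the checks do not look at are left out.
SAMPLE_WEB_CONFIG = """<configuration>
  <microsoft.identityModel><service>
    <audienceUris>
      <add value="urn:microsoft:rdweb" />
      <add value="https://rdweb.example.com/RDWeb/Pages/" />
    </audienceUris>
    <federatedAuthentication>
      <wsFederation passiveRedirectEnabled="true" issuer="https://sso.example.com/trust/launch"
                    realm="https://rdweb.example.com/RDWeb/Pages/" requireHttps="true" />
      <cookieHandler requireSsl="false" />
    </federatedAuthentication>
    <issuerNameRegistry><trustedIssuers>
      <add thumbprint="0123456789ABCDEF0123456789ABCDEF01234567" name="CN=example Signing Certificate" />
    </trustedIssuers></issuerNameRegistry>
    <certificateValidation certificateValidationMode="None" />
  </service></microsoft.identityModel>
</configuration>"""


def check_rdweb_sso_config(xml_text):
    """Return a list of findings for the <microsoft.identityModel> block; [] means none."""
    svc = next((m.find("service") for m in ET.fromstring(xml_text).iter("microsoft.identityModel")), None)
    if svc is None:
        return ["<microsoft.identityModel>/<service> block not found"]
    findings = []
    audiences = [a.get("value", "") for a in svc.findall("audienceUris/add")]
    ws = svc.find("federatedAuthentication/wsFederation")
    # Steps 8 and 10: https://<host>/RDWeb/Pages/ exactly (case, trailing slash); realm listed verbatim.
    for uri in audiences:
        if not uri.startswith("urn:") and not re.fullmatch(r"https://[^/]+/RDWeb/Pages/", uri):
            findings.append(f"audience {uri!r} is not of the form https://<host>/RDWeb/Pages/")
    if ws is None or ws.get("realm") not in audiences:
        findings.append("wsFederation realm does not match an audienceUris entry exactly")
    if ws is None or ws.get("requireHttps", "").lower() != "true":
        findings.append("wsFederation requireHttps is not true")
    for iss in svc.findall("issuerNameRegistry/trustedIssuers/add"):
        # Trust in the SSO issuer rests on this pin, so it must be a clean 40-hex-char SHA-1.
        if not re.fullmatch(r"[0-9A-Fa-f]{40}", iss.get("thumbprint", "")):
            findings.append("trusted issuer thumbprint is not 40 hex characters (pasted spaces?)")
    # Settings the article uses that weaken protection; surface them for review.
    cv = svc.find("certificateValidation")
    if cv is not None and cv.get("certificateValidationMode") == "None":
        findings.append("certificateValidationMode=None: signing cert chain is not validated, only the thumbprint pin")
    ck = svc.find("federatedAuthentication/cookieHandler")
    if ck is not None and ck.get("requireSsl", "").lower() != "true":
        findings.append("cookieHandler requireSsl=false: session cookie is not marked Secure")
    return findings
```

Run it against the real file with check_rdweb_sso_config(open(r"C:\Windows\Web\RDWeb\Pages\web.config").read()); an empty list means none of the above was flagged.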


