Is it possible to allow a client/user to log into a Remote Desktop session using credentials other than their AD username/password? (for SSO)

Tags: active-directory, rdp, remote desktop, single-sign-on

We are essentially trying to provide a single sign-on scenario with a few of our products.

We would prefer to allow customers on their own machines (which are not in our control and cannot have the machine on our own active directory) to be able to log into a web application using a set of username/password credentials (authenticated against our domain), and from within there launch a link to an RDP session (either locally by using a URI handler we will install or using RD Web Access).

We of course then have the problem that the user is asked for their domain credentials (on our domain) again, and there seems to be no way for us to pass a token of some kind from our web app (which has already authenticated against our AD) to allow SSO.

http://blogs.msdn.com/b/rds/archive/2007/04/19/how-to-enable-single-sign-on-for-my-terminal-server-connections.aspx seems to indicate that this is just not possible at the moment. Is that correct?

I've looked at a few options:
– RD Web Access SSO (only gets halfway there and only works if the client is on the domain too) – http://blogs.msdn.com/b/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx
– Storing and forwarding the originally captured username/password – which is just shocking from a security point of view.

Any ideas?

Best Answer

I believe the answer would be "not with the Microsoft RD client" - it supports either username/password combinations or forwarding the NTLM logon credentials (which are not what you want in a non-domain environment). A possible option would be to use a virtual smart card which would pull a short-lived certificate off your web server, but this would not only require software installation on your clients' computers, but also an extensive (i.e. lengthy and probably expensive) certification process for the drivers it would need.

You might consider using third party products (like Citrix XenDesktop) where your scenario (authentication passthrough after a web portal logon) is supported.