Mideye ADFS Module - RDS 2019
Requirements and prerequisites¶
- Mideye Server 5
- Functional Microsoft RDS environment installed with a Remote Desktop Gateway.
- Functional Microsoft ADFS with WAP.
- WAP must be a member of the domain.
- Windows 10 client with Internet Explorer (this does not work with other browsers)
1. Configure ADFS relying party¶
Open the ADFS management console, go to Relying Party Trusts → Add Relying Party Trust.
Create a relying party that is configured manually (without any metadata), and without enabling support for the WS-Federation Passive Protocol or the SAML 2.0 WebSSO protocol. Only add a trust identifier, which should be the public DNS name of your RD Gateway (i.e. https://remoteapps.mideye.dev).
You can create the Relying Party either in the Windows GUI or in PowerShell.
Configure ADFS relying party in Windows gui¶
Step 1 - Windows GUI¶
Step 2 - Windows GUI¶
Step 3 - Windows GUI¶
Step 4 - Windows GUI¶
Step 5 - Windows GUI¶
Step 6 - Windows GUI¶
Step 7 - Windows GUI¶
Step 8 - Windows GUI¶
Step 9 - Windows GUI¶
Configure ADFS relying party in PowerShell¶
```powershell
# The identifier must be the public DNS name of the RD Gateway
Add-AdfsRelyingPartyTrust -Name "RDS-2019" -Identifier "https://remoteapps.mideye.dev"
Set-AdfsRelyingPartyTrust -TargetName "RDS-2019" -AccessControlPolicyName "Permit everyone and require MFA"
```
2. Active Directory - Configure Service Principal Name on WAP¶
Add a service principal name (SPN) for the Web Application Proxy (WAP). This should be the same as the external DNS name used by end users, in this scenario HTTP/remoteapps.mideye.dev.
Do this configuration either in PowerShell or in the Windows GUI.
Step 1 - Windows GUI¶
Enable Advanced features
Step 2 - Windows GUI¶
Select WAP computer properties
Step 3 - Windows GUI¶
Edit servicePrincipalName
Step 4 - Windows GUI¶
Add HTTP/remoteapps.mideye.dev (External RDGW URL) as SPN
Step 1 - PowerShell¶
List all ServicePrincipalNames of the WAP server and verify that HTTP/remoteapps.mideye.dev is not already registered there.
```powershell
Get-ADComputer -Identity "rdslab-wap" -Properties ServicePrincipalNames | Select-Object -ExpandProperty ServicePrincipalNames
```
```
WSMAN/rdslab-wap
WSMAN/rdslab-wap.mideye.local
TERMSRV/rdslab-wap
TERMSRV/rdslab-wap.mideye.local
RestrictedKrbHost/rdslab-wap
HOST/rdslab-wap
RestrictedKrbHost/rdslab-wap.mideye.local
HOST/rdslab-wap.mideye.local
```
Step 2 - PowerShell¶
Add the RD Gateway SPN to the WAP computer object on an Active Directory domain controller.
3. Active Directory - Configure Delegation on WAP¶
Delegate HTTP/remoteapps.mideye.dev to WAP.
Do this configuration either in PowerShell or in the Windows GUI.
Step 1 - Windows GUI¶
Select WAP computer properties
Step 2 - Windows GUI¶
Select “Trust this computer for delegation to specified services only” and “Use any authentication protocol”, then click Add...
Step 3 - Windows GUI¶
Click Users or Computers... to find a computer to delegate from.
Step 4 - Windows GUI¶
Type the name of the WAP. Click check-names and OK.
Step 5 - Windows GUI¶
Select Service Type: HTTP and User or Computer: remoteapps.mideye.dev
Step 6 - Windows GUI¶
Now the http delegation should be added to the WAP server.
Step 1 - PowerShell¶
```powershell
# Allow protocol transition ("Use any authentication protocol")
Get-ADComputer -Identity "rdslab-wap" | Set-ADAccountControl -TrustedToAuthForDelegation $True
# Restrict delegation to the RD Gateway HTTP service only
Set-ADComputer -Identity "rdslab-wap" -Add @{'msDS-AllowedToDelegateTo'=@('HTTP/remoteapps.mideye.dev')}
```
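The script below is an added example, not Mideye's code or documentation. It performs steps 2 and 3 together on a domain controller: it first checks that the SPN is not already registered on another account (Kerberos cannot issue a service ticket for an SPN that exists on two accounts, so a duplicate silently breaks the pre-authentication), then adds the SPN, enables constrained delegation with protocol transition limited to that one SPN, and reads the result back. The computer name rdslab-wap and the SPN HTTP/remoteapps.mideye.dev are taken from this guide; adjust them for your environment.

```powershell
# Added example (not Mideye's code): register the RD Gateway SPN on the WAP computer
# object and configure Kerberos constrained delegation, with sanity checks.
# Assumed values (from this guide): WAP computer 'rdslab-wap', SPN 'HTTP/remoteapps.mideye.dev'.
Import-Module ActiveDirectory

$WapComputer = 'rdslab-wap'
$Spn         = 'HTTP/remoteapps.mideye.dev'

# 1. An SPN must be unique in the forest. Find any account that already holds it.
$holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName
$foreign = $holders | Where-Object { $_.Name -ne $WapComputer }
if ($foreign) {
    throw "SPN $Spn is already registered on: $($foreign.DistinguishedName -join '; ')"
}

# 2. Add the SPN to the WAP computer object if it is not there yet (idempotent).
$wap = Get-ADComputer -Identity $WapComputer -Properties ServicePrincipalNames, 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
if ($wap.ServicePrincipalNames -notcontains $Spn) {
    Set-ADComputer -Identity $WapComputer -ServicePrincipalNames @{ Add = $Spn }
    Write-Host "Added SPN $Spn to $WapComputer"
} else {
    Write-Host "SPN $Spn already present on $WapComputer"
}

# 3. Constrained delegation with protocol transition (the GUI's "Use any
#    authentication protocol"), limited to the RD Gateway SPN only. Unconstrained
#    delegation is deliberately not used: it would let the WAP impersonate users
#    to any service in the domain.
if (-not $wap.TrustedToAuthForDelegation) {
    Set-ADAccountControl -Identity $wap -TrustedToAuthForDelegation $true
}
if ($wap.'msDS-AllowedToDelegateTo' -notcontains $Spn) {
    Set-ADComputer -Identity $WapComputer -Add @{ 'msDS-AllowedToDelegateTo' = @($Spn) }
}

# 4. Read back the final state for documentation / change records.
Get-ADComputer -Identity $WapComputer -Properties ServicePrincipalNames, 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation,
        @{ n = 'SPNs';        e = { $_.ServicePrincipalNames -join ', ' } },
        @{ n = 'DelegatesTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

Run it from an elevated PowerShell prompt with an account that can modify the WAP computer object. Both the SPN and the delegation entry are only written when missing, so the script can be re-run safely after a change.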
4. Web Application Proxy - Publish a web application¶
DNS RECORD
At this point the external DNS record for remoteapps.mideye.dev should point at the WAP. Internally, remoteapps.mideye.dev needs to resolve to the Remote Desktop Services Web Access Gateway. If remoteapps.mideye.dev also resolves to the WAP internally, add a hosts-file entry on the WAP server that points remoteapps.mideye.dev at the RD Web Access Gateway.
Right-click Windows button and open Windows PowerShell (Admin)
Add a new entry in the hosts file that points to the internal IP of remoteapps.mideye.dev (the Remote Desktop Services Web Access Gateway):
```
10.10.10.10 remoteapps.mideye.dev
```
Publish remoteapps in WAP
Open the WAP console and click “Publish”. Select ADFS followed by Web and MSOFBA. Select the Relying Party created on the ADFS server and give the published application a friendly name, followed by the external DNS name and the internal DNS name. These should be the same, in this scenario https://rdweb.mideye.com. Select a valid certificate.
Do this configuration either in PowerShell or in the Windows GUI.
Step 1 - Windows GUI¶
- Click Publish in Remote Access Management Console
Step 2 - Windows GUI¶
- Click Next in Welcome screen
Step 3 - Windows GUI¶
- Select Active Directory Federation Services (AD FS)
Step 4 - Windows GUI¶
- Select Web and MSOFBA
Step 5 - Windows GUI¶
- Select the ADFS relying party that was created in Configure ADFS relying party
Step 6 - Windows GUI¶
- Add a name, external URL, certificate and backend URL for RDGateway
Step 7 - Windows GUI¶
- Validate the configuration, or copy the PowerShell command for documentation.
Step 8 - Windows GUI¶
- Continue when Application is published successfully.
Step 9 - Windows GUI¶
- Verify that the name and external URL are correct under published web applications.
Step 1 - PowerShell¶
Remember to change BackendServerUrl, ExternalUrl, ADFSRelyingPartyName and Thumbprint accordingly. ADFSRelyingPartyName must match the name of the relying party created in step 1.
```powershell
Add-WebApplicationProxyApplication -BackendServerUrl 'https://remoteapps.mideye.dev' -ExternalCertificateThumbprint '86BF27B9EA4AC0D9A0996BA8D94F31595276443B' -EnableHTTPRedirect:$true -ExternalUrl 'https://remoteapps.mideye.dev' -Name 'remoteapps - rds 2019' -ExternalPreAuthentication ADFS -ADFSRelyingPartyName 'RDS 2019'
```
Disable Cookie Protection
On the WAP server, right-click the Windows button and open Windows PowerShell (Admin). The `-Name` value should be the same as the Web Application Proxy application created in the previous step. This setting removes the HttpOnly flag from the WAP cookie for this published application only.
```powershell
Get-WebApplicationProxyApplication -Name "remoteapps - rds 2019" | Set-WebApplicationProxyApplication -DisableHttpOnlyCookieProtection:$true
```
5. Configure RDweb / RDgateway¶
- Enable Windows Auth
Enable Windows authentication and disable Forms authentication.
Step 1 - Windows Auth¶
- Open IIS and navigate to the server and open “Authentication”
Step 2 - Windows Auth¶
- Set Windows authentication to “Enabled”
- Set Forms Authentication to “Disabled”
- HTTP Redirect
Navigate to “Default Web Site” followed by “HTTP redirect”. Create a redirect to /RDweb and check the “Only redirect requests to content in this directory” box. Click apply.
Step 1 - HTTP Redirect¶
- Open IIS Management console
Step 2 - HTTP Redirect¶
- Navigate to Default Site and HTTP redirect
Step 3 - HTTP Redirect¶
- Change Redirect url to /RDweb
- Uncheck Redirect all requests to exact destination (instead of relative to destination)
- Check the Only redirect requests to content in this directory (not subdirectories)
- Modify web.config
Right-click Windows button and open Windows PowerShell (Admin)
Edit web.config. An example file is available for download.
- Enable Windows authentication (uncomment)
- Disable Forms authentication (comment)
Enable Windows Authentication
File before edit
- Disable the forms authentication module
Disable Forms Module
File before edit
- Set windowsauthentication to true
- Set anonymousAuthentication to false
Set authentication methods
Save and close Web.config file.
Modify default.aspx
Right-click Windows button and open Windows PowerShell (Admin)
Edit line 35 so it looks like the following; usually it is just bPrivateMode = true that needs to be changed.
Save and close.
Right-click Windows button and open Windows PowerShell (Admin)
Run iisreset
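The following script is an added example, not Mideye's code or documentation. It applies the RD Web Access changes of this section from an elevated PowerShell prompt on the RDWeb server instead of editing the files by hand: it backs up web.config, switches the ASP.NET authentication mode from Forms to Windows, removes the RDWeb forms-authentication module entry, enables Windows authentication and disables anonymous authentication in IIS, configures the HTTP redirect to /RDweb, verifies the effective settings and then runs iisreset. It assumes the default RDS install locations (IIS application “Default Web Site/RDWeb/Pages”, web.config under C:\Windows\Web\RDWeb\Pages) and that the RDWeb forms module entry has “Forms” in its name; the default.aspx edit is not covered.

```powershell
# Added example (not Mideye's code or documentation): apply the RD Web Access
# changes from section 5 from an elevated PowerShell prompt on the RDWeb server.
# Assumptions: RDWeb is installed at the default location, i.e. the IIS application
# 'Default Web Site/RDWeb/Pages' with its web.config under C:\Windows\Web\RDWeb\Pages,
# and the RDWeb forms-authentication module entry has "Forms" in its name.
Import-Module WebAdministration

$Site      = 'Default Web Site'
$RdWebApp  = "$Site/RDWeb/Pages"
$WebConfig = 'C:\Windows\Web\RDWeb\Pages\web.config'

# Keep a timestamped backup so the edit can be rolled back.
Copy-Item -Path $WebConfig -Destination "$WebConfig.$(Get-Date -Format 'yyyyMMddHHmmss').bak"

# --- web.config: switch ASP.NET from Forms to Windows and drop the forms module ---
[xml]$cfg = Get-Content -Path $WebConfig -Raw
$cfg.configuration.'system.web'.authentication.SetAttribute('mode', 'Windows')
# Only module entries declared locally in this web.config are touched.
$formsModules = $cfg.SelectNodes("/configuration/system.webServer/modules/add[contains(@name,'Forms')]")
foreach ($m in @($formsModules)) { [void]$m.ParentNode.RemoveChild($m) }
$cfg.Save($WebConfig)

# --- IIS authentication for the RDWeb application: Windows on, anonymous off ---
$authBase = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $RdWebApp -Filter "$authBase/windowsAuthentication"   -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $RdWebApp -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false

# --- HTTP redirect on the site root: / -> /RDweb, this directory only ---
$sitePath = "IIS:\Sites\$Site"
Set-WebConfigurationProperty -PSPath $sitePath -Filter 'system.webServer/httpRedirect' -Name enabled          -Value $true
Set-WebConfigurationProperty -PSPath $sitePath -Filter 'system.webServer/httpRedirect' -Name destination      -Value '/RDweb'
Set-WebConfigurationProperty -PSPath $sitePath -Filter 'system.webServer/httpRedirect' -Name exactDestination -Value $false
Set-WebConfigurationProperty -PSPath $sitePath -Filter 'system.webServer/httpRedirect' -Name childOnly        -Value $true

# --- Verify the effective configuration before restarting IIS ---
$win  = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $RdWebApp -Filter "$authBase/windowsAuthentication"   -Name enabled).Value
$anon = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $RdWebApp -Filter "$authBase/anonymousAuthentication" -Name enabled).Value
$mode = ([xml](Get-Content -Path $WebConfig -Raw)).configuration.'system.web'.authentication.mode
if (-not $win -or $anon -or $mode -ne 'Windows') {
    throw "RDWeb authentication is not in the expected state (windows=$win anonymous=$anon mode=$mode)"
}

iisreset
```

The IIS authentication settings are written as a location entry in applicationHost.config rather than into web.config, which avoids the “section is locked” error that the authentication sections raise when set at application level. If the verification step throws, restore the backup copy before investigating.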
6. Configure Connection Broker(s)¶
From the active connection broker, run the following command from an elevated PowerShell prompt. Change the collection name and pre-authentication server address as needed.
Right-click Windows button and open Windows PowerShell (Admin)
```powershell
Import-Module RemoteDesktop
Set-RDSessionCollectionConfiguration -CollectionName RemoteApps -CustomRdpProperty "pre-authentication server address:s:https://remoteapps.mideye.dev`nrequire pre-authentication:i:1"
```
Verify configuration
```powershell
(Get-RDSessionCollectionConfiguration -CollectionName RemoteApps).CustomRdpProperty
```
```
pre-authentication server address:s:https://remoteapps.mideye.dev
require pre-authentication:i:1
use redirection server name:i:1
```
Important
If the Set-RDSessionCollectionConfiguration command above is skipped, everything except the last step (opening the apps) will still work:
- Login to ADFS will work
- Getting OTP will work
- Redirect to RDWeb will work
- Download of RDP file will work
- Opening RDP-Connection will work but there will be an error when connecting to the application.
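The script below is an added example, not Mideye's code or documentation. It applies the two pre-authentication properties without discarding other custom RDP properties that may already be set on the collection (the -CustomRdpProperty parameter takes the complete newline-separated property string), and then verifies that both values are present, which is exactly the condition under which the downloaded RDP file carries the pre-authentication settings. The collection name RemoteApps and the WAP URL https://remoteapps.mideye.dev are taken from this guide.

```powershell
# Added example (not Mideye's code): set the pre-authentication RDP properties on a
# session collection without losing other custom properties, then verify them.
# Assumed values (from this guide): collection 'RemoteApps', WAP URL 'https://remoteapps.mideye.dev'.
# Run on the active connection broker from an elevated PowerShell prompt.
Import-Module RemoteDesktop

$Collection = 'RemoteApps'
$PreAuthUrl = 'https://remoteapps.mideye.dev'

# Custom RDP properties are one newline-separated string of "name:type:value"
# entries (type 's' = string, 'i' = integer). Parse into an ordered table so that
# existing entries are kept and the two pre-authentication entries are merged in.
function ConvertFrom-RdpProperties([string]$Text) {
    $table = [ordered]@{}
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^(?<name>[^:]+):(?<type>[is]):(?<value>.*)$') {
            $table[$Matches.name] = @{ Type = $Matches.type; Value = $Matches.value }
        }
    }
    return $table
}

function ConvertTo-RdpProperties($Table) {
    ($Table.Keys | ForEach-Object { '{0}:{1}:{2}' -f $_, $Table[$_].Type, $Table[$_].Value }) -join "`n"
}

$current = (Get-RDSessionCollectionConfiguration -CollectionName $Collection).CustomRdpProperty
$props = ConvertFrom-RdpProperties $current
$props['pre-authentication server address'] = @{ Type = 's'; Value = $PreAuthUrl }
$props['require pre-authentication']        = @{ Type = 'i'; Value = '1' }

Set-RDSessionCollectionConfiguration -CollectionName $Collection -CustomRdpProperty (ConvertTo-RdpProperties $props)

# Verify: both values must be present, otherwise the RDP file users download will
# not require pre-authentication and the connection fails at the gateway.
$after = ConvertFrom-RdpProperties (Get-RDSessionCollectionConfiguration -CollectionName $Collection).CustomRdpProperty
if (-not $after.Contains('pre-authentication server address') -or
    $after['pre-authentication server address'].Value -ne $PreAuthUrl -or
    -not $after.Contains('require pre-authentication') -or
    $after['require pre-authentication'].Value -ne '1') {
    throw "Pre-authentication properties were not applied to collection $Collection"
}

# Print the effective property list, one entry per line, for the change record.
$after.Keys | ForEach-Object { '{0}:{1}:{2}' -f $_, $after[$_].Type, $after[$_].Value }
```

The parser only accepts well-formed name:type:value lines, so any malformed entry already on the collection is dropped rather than written back; compare the printed list with the previous value before relying on the result.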
7. Configure users' client (Internet Explorer only)¶
- Open Internet Explorer and go to Internet Options. Select Security and add the URL to Trusted sites (https://remoteapps.mideye.dev, which should point at the WAP).
- Click Close and select Custom level.
- At the bottom of the list, select “Automatic logon with current user name and password”.
Troubleshooting¶
Remote Desktop Connection Failed¶
Description: Error message “Your computer can't connect to the remote computer because authentication to the firewall failed due to missing firewall credentials...”
This happens when the RDP file/link is opened from something other than Internet Explorer when connecting to RDWeb.