Publishing RD Web Access on Forefront TMG 2010 with TMG FBA

Hi,

I'm trying to publish RD WebAccess on a TMG server and to have the users authenticate with TMG's Forms based authentication. The web access rule in TMG is configured for NTLM authentication delegation. But I end up hitting the RD webaccess authentication forms after I complete authentication with TMG's forms. Is there any way I can avoid the RD web access forms and authenticate the users only with TMG's forms?

Both RD-WA and the TMG server run on Win Server 2008 R2.

Any info on this will be much appreciated!

Pras

February 11th, 2011 9:17pm

Hi Pras_inquirer,

This is possible. I've found out how: Edit c:\Windows\web\rdweb\pages\web.config (read the informational remarks in that file; they explain everything). Remove the <authentication mode="Forms"> element or replace it with <authentication mode="Windows"/>. Comment out the modules and security elements in the <system.webServer> section.

Change the web publishing rule in TMG2010 to: Authentication Delegation / Negotiate (Kerberos/NTLM) and fill in an SPN name (http/<fqdn RD webaccess>).

How to create that SPN correctly:

Example:

URL=rdgw.test.com (=Remote Desktop WebAccess website); TMG2010 server= TMG01.domain.local; Remote Desktop Gateway NETBIOS name= RDGSERVER

Run with domain administrative rights the command: setspn -A http/rdgw.test.com RDGSERVER

Open Active Directory Users & Computers, get the properties of the TMG01.domain.local object, select the Delegation tab (Trust this computer for delegation to specified services only / Use any authentication protocol), click ADD, click 'Users or Computers', fill in the name RDGSERVER, scroll down to the newly created http service type with the name rdgw.test.com and select it. / OK

This SSO worked for me...

Regards.
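As an added check (this is not from the thread or from any Microsoft tooling), the script below verifies the two things the answer above configures by hand: that the SPN is registered exactly once and on the right computer account, and that the TMG computer is scoped to constrained delegation towards that one service rather than unconstrained delegation. It assumes the ActiveDirectory module (RSAT) and uses the thread's example names.

```powershell
# Added example, not part of the original answer. Replace the example names
# with your own; requires the ActiveDirectory PowerShell module (RSAT).
Import-Module ActiveDirectory

$RdwaHost  = 'rdgw.test.com'   # public URL host of RD Web Access
$RdwaSpn   = "http/$RdwaHost"  # SPN format is service/host, never 'http://host'
$RdServer  = 'RDGSERVER'       # computer account that should hold the SPN
$TmgServer = 'TMG01'           # TMG computer account that delegates

# 1. The SPN must exist exactly once and on the RD Web Access computer account.
#    A duplicate SPN makes the KDC unable to pick a target and Kerberos silently
#    fails over to NTLM (or fails outright). 'setspn -X' does the same domain-wide.
$holders = @(Get-ADComputer -Filter "servicePrincipalName -eq '$RdwaSpn'" `
                            -Properties servicePrincipalName)
switch ($holders.Count) {
    0 { Write-Warning "$RdwaSpn is not registered; run: setspn -A $RdwaSpn $RdServer" }
    1 {
        if ($holders[0].Name -ieq $RdServer) { "OK: $RdwaSpn is on $RdServer" }
        else { Write-Warning "$RdwaSpn is on $($holders[0].Name), expected $RdServer" }
    }
    default {
        Write-Warning ("$RdwaSpn is registered $($holders.Count) times (duplicate SPN): " +
                       ($holders.Name -join ', '))
    }
}

# 2. The TMG computer object should be allowed to delegate only to that SPN
#    ('specified services only'), with protocol transition enabled so a
#    forms logon at TMG can become a Kerberos ticket for RD Web Access.
$tmg = Get-ADComputer -Identity $TmgServer `
        -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

if ($tmg.TrustedForDelegation) {
    Write-Warning "$TmgServer is trusted for UNCONSTRAINED delegation; restrict it to $RdwaSpn only"
}
$allowed = @($tmg.'msDS-AllowedToDelegateTo')
if ($allowed -contains $RdwaSpn) { "OK: $TmgServer may delegate to $RdwaSpn" }
else { Write-Warning "$TmgServer is not allowed to delegate to $RdwaSpn (allowed: $($allowed -join ', '))" }

if (-not $tmg.TrustedToAuthForDelegation) {
    Write-Warning "$TmgServer lacks 'Use any authentication protocol'; TMG forms logon cannot be turned into Kerberos"
}
```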

April 25th, 2012 4:26pm


Nice! :)
April 25th, 2012 7:22pm

Super nice:)

October 25th, 2012 11:18pm

Thanks for the answer.

But I still have a question. SSO from TMG 2010 to RDWA 2012R2 is working correctly, but when I want to open an application, a login form asks for my credentials to log on to the Remote Desktop Gateway (RDSG). Is it possible to pass through the credentials from TMG to the RDSG?

When I disable Windows Authentication on Web Access and change it back to FBA, the SSO is working from RDWA to RDSG. Can someone please help me?

January 10th, 2014 9:32pm
