ADFS WAP: How to configure SSO with RDWeb

1.  System Deploy

  • ADFS : th-adfs2012.mfalab3.com
  • ADFS WAP : th-adfs2012wap.mfalab3.com
  • RDWeb : th-rds.mfalab3.com
A public IP for ADFS WAP points to ADFS/RDS as well

2.  Setting on ADFS

Create a Relying Parth Trust


3.  Setting on ADFS WAP

Create WAP Application,
Add-WebApplicationProxyApplication -Name 'rdweb' -ExternalUrl 'https://th-rds.mfalab3.com/rdweb/' -BackendServerURL 'https://th-rds.mfalab3.com/rdweb/' -ExternalPreAuthentication ADFS -ADFSRelyingPartyName rdweb1 -ExternalCertificateThumbprint '67D438BDDBB455E53CA83D6F5DEC34CC546F711A'

4.  Setting on RDS
Important : Change authentication method to “Windows”

5.  Setting on the Client Computers

6. See how it works




Comments

  1. ChetanSeptember 18, 2020 at 4:24 AM

    I have tried this setup but it throws following error - Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7009: The request was malformed or not valid. Contact your administrator for details.
    Do we need to have any claims ??

    ReplyDelete

Post a Comment

Popular posts from this blog

Secure RDWeb using Azure Multi-Factor Authentication

Image
1. Change RDWeb authentication mode from "Forms" to "Windows" Edit C:\Windows\Web\RDWeb\Pages\web.config     <authentication mode="Windows"/> <!--     <authentication mode="Forms">         <forms loginUrl="default.aspx" name="TSWAAuthHttpOnlyCookie" protection="All" requireSSL="true" />     </authentication> --> . . . <system.webServer> <!--     <modules runAllManagedModulesForAllRequests="true">       <remove name="FormsAuthentication" />       <add name="RDWAFormsAuthenticationModule" type="Microsoft.TerminalServices.Publishing.Portal.FormAuthentication.TSDomainFormsAuthentication" />     </modules>     <security>         <authentication>             <windowsAuthentication enabled="false" />             <anonymousAuthentication enabled="true&q
Read more

Collect AzureStack Update Verbose log

Image
The following commands will collect "UpdateVerboseLog". 1. Create a PEP session, in this example $pepsession is the name of established PEP session $pepsession = New-PSSession -ComputerName ercs_ip -ConfigurationName PrivilegedEndpoint -Credential (get-credential) 2. Collect verbose log $log = Invoke-Command -Session $pepsession -ScriptBlock { Get-AzureStackUpdateVerboseLog } 3. Save it to local folder $log > “c:\temp\UpdateVerboseLog.txt” 4. Example
Read more