Single Sign On for RD Web Access (Server 2012)

This document will step through the process to accomplish the implementation and configuration of AuthAnvil Single Sign On for RD Web Access. This document assumes that the AuthAnvil SSO Server has already been configured as per the AuthAnvil SSO Installation Guide, and that a working RD Web implementation is already in place.

Note: This integration is not compatible with Server 2012r2

Step 1 – Ensure that Windows Identity Foundation (WIF) is installed on RD Web server

Windows Identity Foundation (WIF) is a Microsoft framework for building identity-aware applications. It is a core component in configuring RD Web for Single Sign On and will need to be in place before proceeding.

In Server 2012 this is installed as a Windows Feature. Open Server Manager and under Features make sure the box for Windows Identity Foundation 3.5 is checked.

Step 2 – Modify the C2WTShost.exe.config File

1. Run notepad elevated (Run as Administrator) and open C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config
2. Add the following BOLDED line to the existing configuration to allow the RD Web application pool access as an allowed caller:
     <allowedCallers>
    <clear />
    <add value="IIS APPPOOL\RDWebAccess" />
  </allowedCallers>
3. Save the file

Step 3 – Enable the C2WTS Service.

1. Open services.msc
2. In the list of services look for Claims to Windows Token Service
3. Right-click on this service and select Properties
4. Ensure the Startup type is set to Automatic
5. Ensure the service is started by clicking Start if it is not greyed out.

NOTE: If the service fails to start then the c2wtshost.exe.config is not properly configured. Please review Step 2 or contact Scorpion Software Support.

Step 4 – Configure the RD Web Application in AuthAnvil SSO

1. Log in to AuthAnvil Two Factor Auth and click on the Single Sign On tab.
2. Expand Applications and click on Add New Application.
3. Fill out the following information specific to your RD Web environment:
   • Display Name: RD Web
   • Reply To URL: https://<your RD Web domain>/RDWeb/Pages/
   • Audience URI: urn:microsoft:rdweb
   • Protocol: WS-Federation
   • Token Lifetime: 480 Minutes
4. Once your configuration is complete, click Save Changes.
5. Click into the RD Web application that we just created to modify the attribute settings.
6. At the top of the Application Settings click Edit Attribute Maps to open up the attribute editor.
7. Click Create New Mapand create an attribute with the following settings:
   • Attribute Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
   • Value: {Email}

   This attribute allows AuthAnvil SSO to use the UserName on your 2FA account as the login value.

8. Click Save Changes to apply this attribute.

Step 5 – Update the RDWebAccess Application Pool

1. Open up Internet Information Services (IIS) Manager
2. Click on Application Pools
3. Right-click on the RDWebAccess pool and select Advanced Settings
4. Set Load User Profile to True

Step 6 – Update the RDWA web.config

Note: Make a back up of all web.config files before any modifications are made. The original web.config files can be used to restore your original settings using username/password authentication.

1. Run notepad elevated (Run as Administrator) and open C:\Windows\Web\RDWeb\Pages\web.config
   
   
2. At the top of the file, after <configuration> add the following lines:
     <!-- SSO -->
  <configSections>
    <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>
  <!-- /SSO -->
   
   
3. Add the following lines immediately after the <system.web> tag:
   <!-- SSO -->
< httpRuntime requestValidationMode="2.0" />
< pages validateRequest="false" />
< !-- /SSO -->
   
   
4. Modify (or add) the <authorization> and <authentication> tags below the <system.web> tag to reflect the following lines:
     <!-- SSO -->
  <authorization><deny users="?" /></authorization>
  <authentication mode="None" />
  <!-- /SSO -->
   NOTE! You may need to comment out several lines of code by putting <!-- <authentication mode="Forms"> and closing the comment with </authentication> -->
   
   
5. Find the <modules> tag and make sure it matches <modules runAllManagedModulesForAllRequests=”true”>
   
   
6. After the <modules> section add the following lines:
   <!-- SSO -->
  <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
  <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
< !-- /SSO -->
   
   
7. • In the AuthAnvil Manager, click on the Single Sign On tab
   • Expand Applications and click on the RD Web Application.
   • Expand the Certificate Authority tab and look under THUMBPRINT. This is the certificate thumbprint for this application. Take note of this value for the next step.Get the certificate “Thumbprint” from the AuthAnvil SSO signing certificate in the RD Web application.
8. Add the following lines right after </runtime> (near the end of the file). Note that the values in red must be entered to match your RDWA and AuthAnvil SSO server configuration:

   <!-- SSO -->
  <microsoft.identityModel>
    <service>
      <audienceUris>
        <add value="urn:microsoft:rdweb" />
        <add value="https://<Your RD Web domain>/RDWeb/Pages/" /> <!-- EDIT THIS -->
      </audienceUris>
    <securityTokenHandlers>
      <remove type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      <add type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <sessionTokenRequirement useWindowsTokenService="true"/>
      </add>
      <add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <samlSecurityTokenRequirement mapToWindows="true" useWindowsTokenService="true" />
      </add>
    </securityTokenHandlers>
    <federatedAuthentication>
      <wsFederation passiveRedirectEnabled="true" issuer="https://<Your AuthAnvil SSO domain>/SSO/federation/passive/wsfed" realm="https://<Your RD Web domain>/RDWeb/Pages/" requireHttps="true" /> <!-- EDIT THIS -->
      <cookieHandler requireSsl="false" />
    </federatedAuthentication>
    <applicationService>
    </applicationService>
    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <trustedIssuers>
        <add thumbprint="<Certificate Thumbprint from previous step>" name="<Token Issuer Name* from SSO tab>" /> <!-- EDIT THIS -->
      </trustedIssuers>
    </issuerNameRegistry>
    <certificateValidation certificateValidationMode="None" />
    </service>
  </microsoft.identityModel>
< !-- /SSO -->
   
   (*NOTE: The Token Issuer Name can be found in the AuthAnvil Manager -> Single Sign On -> Server Settings.
   Example: https://www.YourAuthAnvilDomain.com/AuthAnvil/SSO/Trust/site1)

9. Save the file.

Verifying Functionality

Once the configuration is complete, you should test that everything is working as expected. Log into the SSO portal with a user that is authorized to access RD Web and attempt to click on the “RD Web” application. You should automatically be redirected to your RD Web Access dashboard.

Questions?

If you have any questions or need some help, we would be happy to assist. Open a case at help.scorpionsoft.com or send an email to support@scorpionsoft.com.