Enabling SSO with RemoteApp on UAG

by Shijaz Abdulla on 22.02.2010 at 23:47

If you are publishing RemoteApp or Remote Desktop Services on Forefront Unified Access Gateway 2010, and have enabled Single Sign On (SSO) on the RDS application in UAG, you might find that UAG tries to perform user logon on the published server using computername\username instead of domain\username.

I’ve researched this issue and found that there’s nothing I can do about it, at least at the time of writing this, as it is listed as a known issue in UAG.

Workaround

A workaround would be to ask users to log in using “domainname\username” while logging on to the UAG portal instead of just “username”.

Just a thought – you might be able to automate the appending of “domainname\” to the username string by customizing the UAG login page code, although I haven’t attempted it.
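The following is an added example of that idea, not code from the original post (the author says it was not attempted): a small client-side normaliser that turns a bare user name into the domain\username form before the login form is submitted. The default domain name and the form field id are assumptions; the real UAG login page field names are not given here.

```javascript
// Added example (not from the original post): normalise a login name to the
// DOMAIN\username form so the UAG-to-RDS single sign-on receives a qualified name.
// Assumptions: DEFAULT_DOMAIN is the NetBIOS domain users usually omit, and the
// form field id "username" is hypothetical, not the UAG login page's real name.
const DEFAULT_DOMAIN = "TECH"; // assumed value

function qualifyUsername(raw, defaultDomain = DEFAULT_DOMAIN) {
  const name = (raw || "").trim();
  if (name === "") return "";            // leave empty input for server-side validation
  if (name.includes("\\")) return name;  // already DOMAIN\user: do not touch
  if (name.includes("@")) return name;   // user@domain form already carries a domain
  return `${defaultDomain}\\${name}`;    // bare user name: prepend the domain
}

// Wire the normaliser to a login form so the value posted is already qualified.
function attachQualifier(form, fieldId = "username") {
  form.addEventListener("submit", () => {
    const field = form.elements[fieldId];
    if (field) field.value = qualifyUsername(field.value);
  });
}
```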

Publishing Remote Desktop Services on UAG

by Shijaz Abdulla on 22.02.2010 at 22:22

If you’re trying to publish Remote Desktop Services or RemoteApp on Microsoft Forefront Unified Access Gateway 2010, and if you encounter the following error, read on:

“Your computer can’t connect to the remote computer because no certificate was configured to use at the Remote Desktop Gateway server. Contact your network administrator for assistance”.


Before we look into how to fix this, we need to understand how RDS publishing works with UAG:

  1. A UAG client accesses a Forefront UAG portal using a Web browser; UAG evaluates the endpoint compliance and session access policies defined by the administrator.
  2. The end user launches a Remote Desktop application in the portal. The portal uses the RDS ActiveX component to activate the RDC client software running on the endpoint. If the ActiveX component doesn’t exist, it is installed.
  3. The RDC client on the endpoint initiates an RDP-over-HTTPS connection with the Forefront UAG server.
  4. The HTTPS connection terminates on the Forefront UAG server. Forefront UAG uses its integrated RD Gateway to handle the connection. Forefront UAG verifies that the user logged on to the portal successfully, and was authenticated using a session cookie, and then enforces the endpoint access policies.
  5. An RDP session is established from Forefront UAG to the backend RDS hosts.

As you can see in steps 3 and 4, the HTTPS connection terminates on the Forefront UAG server, which also acts as a Remote Desktop Gateway. The error appears because no SSL certificate is configured by default on the RD Gateway running on the Forefront UAG computer.

The Solution

  1. On the computer running UAG, open the RD Gateway Manager (Administrative Tools > Remote Desktop Services > Remote Desktop Gateway Manager).


  2. You will see that “A server certificate is not yet installed or selected”. Click on View or modify certificate properties.

  3. Choose the option Select an existing certificate from the RD Gateway <computername>. Click the Import Certificate button.
  4. Choose the certificate that matches the public DNS name of your UAG portal. In my case it is uag.tech.com – this is the URL that users connecting from outside your organization will type into the browser to get into the UAG portal. It can be the same certificate that you are using on your HTTPS trunk.


  5. Click Import and OK.
  6. Try to connect to the RDS Session Host from the UAG portal. It should work (if you have configured the application and your endpoint is compliant with the endpoint security policies that you defined).