JohnNickell-7457 asked

RemoteApp SSO over SSLVPN

First I want to start by saying that I have this working as desired over our existing SSLVPN solution.
In the desired behavior, while either in or out (while on the VPN), a user is able to open the RemoteApp and be signed on automatically. Works great.

I am trying to see if we can move to an alternate VPN solution due to some infrastructure changes we are making.

The VPN connects but following the same workflow to open the RemoteApp prompts for credentials before allowing the user to sign on. Once the credentials are supplied, it works as expected.

I have a GPO enabled for Allowing Delegated Default, Fresh and Saved Credentials.
With the new infrastructure change, the IP address the clients are coming in from is on a different subnet. I thought it might be something to do with AD Sites and Services not having the subnet in the right location, but that doesn't seem to have had any effect.

Could someone provide a few ideas of things I can check that might cause this behavior? I am guessing something to do with Kerberos, but I am not strong in that area. Our RemoteApp setup is fairly simple (one server running all roles), and we are running enough of an internal PKI to provide the required internally trusted certificates.

remote-desktop-services

Jingruihan-MSFT answered

Hi, I am doing some research on the current issue. Thanks for waiting.


JohnNickell-7457 answered

Did you have any luck with your research?


Jingruihan-MSFT answered

Hi,
Sorry to have kept you waiting. Is it possible to provide a screenshot and attach a description, which will help us troubleshoot?
Best regards.


JohnNickell-7457 answered

Here are screenshots that try to describe the process and difference.

104759-2021-06-11-08-51-46-loginprocessdocx-word.png




Jingruihan-MSFT answered

Hi,

One more question: on the alternate VPN, is there a tab to allow saved credentials when you are launching RemoteApp?

Best regards.


JohnNickell-7457 answered

There is no option to save credentials within the box that pops up.
"Advanced Options" only gives me the choice to use the existing profile I'm trying to connect with or "Use a Different Account".


Jingruihan-MSFT answered

Hi,

Please check whether this policy is enabled on the client. If so, try disabling it and see if you can save the password.

Best regards.

107508-image.png




JohnNickell-7457 answered

That would not address my initial question. What "should" be happening is that there is no prompt for a password at all. I don't want to introduce saved passwords that will then need to be updated when the user has to change their password.

What should be able to take place is that the delegated credentials should be allowed to pass through and no password prompt is generated. This is how it works across one SSL VPN product, but not across the other.
