SAML Remote Desktop Services Windows Server 2012R2
I want to implement SAML for Remote Desktop Services on Windows Server 2012R2.

First, is it possible?

Then, I want to authenticate users from another AD with my RDS, like this architecture: https://technet.microsoft.com/en-us/library/dd807050(v=ws.11).aspx

At this point, I'm able to authenticate users with SSO on the same AD, but not with another.
      windows-server-2012-r2 remote-desktop-services adfs saml

asked Feb 14 '17 at 11:12 by Thibaut
edited Feb 13 at 16:08 by Dave M

1 Answer

Yes, I think it should work, though I haven't tested this so far. Create and configure an ADFS server on domain B, then create a claims provider trust on domain A so that domain A can accept the users' security tokens issued by domain B. Also consider the following:

1. Network consideration: no matter whether the users of domain B access the claims-aware application from the intranet or the Internet, the Federation Service Names of domain A and domain B should resolve correctly. If you are using WAP, then the external Federation Service Name should resolve to the IP of the WAP server. Port 443 should not be blocked by the firewall.

2. Certificate consideration: the SSL certificates used in these two domains should be trusted in each domain and by the externally accessing clients.

For more details about the ADFS requirements to get it working, you can refer to the docs here:

answered Feb 15 '17 at 10:08 by Longfei Sun - MSFT

• Thanks for your answer. ADFS on domain B is the Identification Provider and ADFS on domain A is the Service Provider?
  – Thibaut, Feb 15 '17 at 10:52

• Yes, that's correct. Users should be able to choose the identity partner on the ADFS redirect page based on which domain the user comes from.
  – Longfei Sun - MSFT, Feb 16 '17 at 1:34

• To add on, domain A, in which the claims-aware application is located, should be both IdP and SP because it also provides identity for its own users.
  – Longfei Sun - MSFT, Feb 16 '17 at 1:42
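
The two-sided ADFS configuration the answer describes (a claims provider trust on domain A that accepts domain B's tokens, the matching relying party trust on domain B for domain A's federation service, and the name-resolution, port 443 and certificate checks from items 1 and 2), as an added PowerShell example that is not part of the original answer. The Federation Service names `fs.domaina.example` and `fs.domainb.example` are placeholders, the claim rules are one minimal set chosen for the example rather than anything the page specifies, and the `Add-Adfs*` cmdlets are assumed to run on the respective ADFS servers with the ADFS module available (Windows Server 2012 R2 or later).

```powershell
# Added example, not from the original post. Domain A = resource side (hosts the
# claims-aware RDS publishing, is IdP for its own users and federation provider for
# domain B users). Domain B = account side whose ADFS issues tokens for its users.
$FsA = 'fs.domaina.example'   # assumption: Federation Service name of domain A
$FsB = 'fs.domainb.example'   # assumption: Federation Service name of domain B

function Test-FederationEndpoint {
    param([Parameter(Mandatory)][string]$FsName)

    # 1. Network consideration: the Federation Service name must resolve (externally
    #    to the WAP address, internally to the ADFS farm) and TCP 443 must be reachable.
    $dns = Resolve-DnsName -Name $FsName -Type A -ErrorAction Stop
    $tcp = Test-NetConnection -ComputerName $FsName -Port 443
    if (-not $tcp.TcpTestSucceeded) { throw "TCP 443 to $FsName is blocked or unreachable" }

    # 2. Certificate consideration: fetching the federation metadata over HTTPS fails
    #    unless the partner's SSL certificate chains to a CA this host trusts, so a
    #    successful request is the practical trust check for the calling side.
    $metadataUrl = "https://$FsName/FederationMetadata/2007-06/FederationMetadata.xml"
    $metadata = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing -ErrorAction Stop

    [pscustomobject]@{
        FederationService = $FsName
        ResolvedTo        = (($dns | Where-Object Type -eq 'A').IPAddress) -join ','
        Port443Open       = $tcp.TcpTestSucceeded
        MetadataUrl       = $metadataUrl
        MetadataBytes     = $metadata.RawContentLength
    }
}

# Run from a host in each domain (and from an external client) before creating trusts.
Test-FederationEndpoint -FsName $FsB
Test-FederationEndpoint -FsName $FsA

# --- On the domain A ADFS server: accept tokens issued by domain B -------------------
# Pass through only the claim types domain A actually consumes. Issuing every incoming
# claim from a partner IdP gives that partner more authority over domain A than intended.
$acceptanceRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through UPN from domain B"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Windows account name from domain B"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(claim = c);
'@

Add-AdfsClaimsProviderTrust -Name 'Domain B users' `
    -MetadataUrl "https://$FsB/FederationMetadata/2007-06/FederationMetadata.xml" `
    -AcceptanceTransformRules $acceptanceRules `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# --- On the domain B ADFS server: treat domain A's federation service as a relying party
# Domain A's ADFS is the audience of domain B's tokens; the issuance rules decide which
# attributes about domain B users are allowed to leave domain B.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN to domain A"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Send Windows account name to domain A"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(claim = c);
'@

Add-AdfsRelyingPartyTrust -Name 'Domain A federation service' `
    -MetadataUrl "https://$FsA/FederationMetadata/2007-06/FederationMetadata.xml" `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");' `
    -MonitoringEnabled $true -AutoUpdateEnabled $true
```

The acceptance transform rules are the security-relevant part: a claims provider trust makes domain A accept anything signed by domain B's token-signing certificate, so limiting what is passed through (here UPN and Windows account name only) bounds what a compromised or misconfigured partner can assert. Keeping metadata monitoring and auto-update on lets domain A follow domain B's token-signing certificate rollover without a manual key paste. The metadata fetch in `Test-FederationEndpoint` doubles as the certificate check from item 2, since it only succeeds when the partner's SSL certificate chains to a CA trusted on the calling host; run it from an external client as well to cover the WAP-published name.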