SAML Remote Desktop Services Windows Server 2012R2Terminal Server rename to Remote Desktop servicesRemote...

How could a scammer know the apps on my phone / iTunes account?

If I am holding an item before I cast Blink, will it move with me through the Ethereal Plane?

How to terminate ping <dest> &

Describing a chess game in a novel

As a new Ubuntu desktop 18.04 LTS user, do I need to use ufw for a firewall or is iptables sufficient?

Is a party consisting of only a bard, a cleric, and a warlock functional long-term?

Why did it take so long to abandon sail after steamships were demonstrated?

How should I state my peer review experience in the CV?

When to use a slotted vs. solid turner?

Do I need to be arrogant to get ahead?

Bach's Toccata and Fugue in D minor breaks the "no parallel octaves" rule?

How are passwords stolen from companies if they only store hashes?

Meme-controlled people

Why one should not leave fingerprints on bulbs and plugs?

About the actual radiative impact of greenhouse gas emission over time

What does 高層ビルに何車線もの道路。mean?

Adventure Game (text based) in C++

Why Choose Less Effective Armour Types?

Is honey really a supersaturated solution? Does heating to un-crystalize redissolve it or melt it?

What are substitutions for coconut in curry?

Why does overlay work only on the first tcolorbox?

Is "upgrade" the right word to use in this context?

Knife as defense against stray dogs

This word with a lot of past tenses



SAML Remote Desktop Services Windows Server 2012R2


Terminal Server rename to Remote Desktop servicesRemote Desktop Services on Windows 2008Remote Desktop Services License on two Windows 2008 serversRemote desktop servicesHow to override client supplied logon domain in Windows Server 2012R2 Remote Desktop ServicesRemote Desktop Services - Licensing issueRemote Control with Remote Desktop Services Manager - error Access is denied (Windows Server 2012 R2)How to make Remote Desktop Services Deployment visible in Windows 2012R2 server manager when logging with a different user?Why is it bad to deploy Remote Desktop Services on a domain controller?Remote Desktop Service - UnifiedSessionId is empty













0















I want to implement SAML for Remote Desktop Services on Windows Server 2012R2.



First, is it possible ?



Then, I want to authenticate users from another AD with my RDS, like this architecture : https://technet.microsoft.com/en-us/library/dd807050(v=ws.11).aspx



At this point, I'm able to authenticate users with SSO on the same AD, but not with an other.










share|improve this question
















bumped to the homepage by Community 10 mins ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.




















    0















    I want to implement SAML for Remote Desktop Services on Windows Server 2012R2.



    First, is it possible ?



    Then, I want to authenticate users from another AD with my RDS, like this architecture : https://technet.microsoft.com/en-us/library/dd807050(v=ws.11).aspx



    At this point, I'm able to authenticate users with SSO on the same AD, but not with an other.










    share|improve this question
















    bumped to the homepage by Community 10 mins ago


    This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.


















      0












      0








      0








      I want to implement SAML for Remote Desktop Services on Windows Server 2012R2.



      First, is it possible ?



      Then, I want to authenticate users from another AD with my RDS, like this architecture : https://technet.microsoft.com/en-us/library/dd807050(v=ws.11).aspx



      At this point, I'm able to authenticate users with SSO on the same AD, but not with an other.










      share|improve this question
















      I want to implement SAML for Remote Desktop Services on Windows Server 2012R2.



      First, is it possible ?



      Then, I want to authenticate users from another AD with my RDS, like this architecture : https://technet.microsoft.com/en-us/library/dd807050(v=ws.11).aspx



      At this point, I'm able to authenticate users with SSO on the same AD, but not with an other.







      windows-server-2012-r2 remote-desktop-services adfs saml






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Feb 13 at 16:08









      Dave M

      4,35982428




      4,35982428










      asked Feb 14 '17 at 11:12









      ThibautThibaut

      63




      63





      bumped to the homepage by Community 10 mins ago


      This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.







      bumped to the homepage by Community 10 mins ago


      This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
























          1 Answer
          1






          active

          oldest

          votes


















          0














          Yes I think it should work while I haven't test this so far. Create & configure ADFS server on the domain B, then create claim provide trust on domain A to make the domain A can accept the users' security token issued by domain B. Also consider the followings:




          1. Network consideration: No matter the users of domain B access the claim-aware application from the Intranet or Internet. The Federation Service Name of domain A and domain B should be able to resolve correctly. If you are using WAP then the external federation service name should be resolved to the IP of WAP server. The Port 443 should not be blocked by the firewall.


          2. Certificate consideration: The SSL certificates used in these two domains should be trusted on each domain and the external accessed clients.



          More details about the ADFS requirements to get it works you can refer to docs here:






          share|improve this answer
























          • Thanks for your answer. ADFS on domain B is the Identification Provider and ADFS on domain A is the Service Provider ?

            – Thibaut
            Feb 15 '17 at 10:52













          • Yes, that's correct. Users should be able to choose the identity partner on the ADFS redirect page based on which domain the user comes from.

            – Longfei Sun - MSFT
            Feb 16 '17 at 1:34











          • To add on, the domain A which the claim-aware application located in should be IDP & SP because it also provides identity for its own users.

            – Longfei Sun - MSFT
            Feb 16 '17 at 1:42











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "2"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f832462%2fsaml-remote-desktop-services-windows-server-2012r2%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          0














          Yes I think it should work while I haven't test this so far. Create & configure ADFS server on the domain B, then create claim provide trust on domain A to make the domain A can accept the users' security token issued by domain B. Also consider the followings:




          1. Network consideration: No matter the users of domain B access the claim-aware application from the Intranet or Internet. The Federation Service Name of domain A and domain B should be able to resolve correctly. If you are using WAP then the external federation service name should be resolved to the IP of WAP server. The Port 443 should not be blocked by the firewall.


          2. Certificate consideration: The SSL certificates used in these two domains should be trusted on each domain and the external accessed clients.



          More details about the ADFS requirements to get it works you can refer to docs here:






          share|improve this answer
























          • Thanks for your answer. ADFS on domain B is the Identification Provider and ADFS on domain A is the Service Provider ?

            – Thibaut
            Feb 15 '17 at 10:52













          • Yes, that's correct. Users should be able to choose the identity partner on the ADFS redirect page based on which domain the user comes from.

            – Longfei Sun - MSFT
            Feb 16 '17 at 1:34











          • To add on, the domain A which the claim-aware application located in should be IDP & SP because it also provides identity for its own users.

            – Longfei Sun - MSFT
            Feb 16 '17 at 1:42
















          0














          Yes I think it should work while I haven't test this so far. Create & configure ADFS server on the domain B, then create claim provide trust on domain A to make the domain A can accept the users' security token issued by domain B. Also consider the followings:




          1. Network consideration: No matter the users of domain B access the claim-aware application from the Intranet or Internet. The Federation Service Name of domain A and domain B should be able to resolve correctly. If you are using WAP then the external federation service name should be resolved to the IP of WAP server. The Port 443 should not be blocked by the firewall.


          2. Certificate consideration: The SSL certificates used in these two domains should be trusted on each domain and the external accessed clients.



          More details about the ADFS requirements to get it works you can refer to docs here:






          share|improve this answer
























          • Thanks for your answer. ADFS on domain B is the Identification Provider and ADFS on domain A is the Service Provider ?

            – Thibaut
            Feb 15 '17 at 10:52













          • Yes, that's correct. Users should be able to choose the identity partner on the ADFS redirect page based on which domain the user comes from.

            – Longfei Sun - MSFT
            Feb 16 '17 at 1:34











          • To add on, the domain A which the claim-aware application located in should be IDP & SP because it also provides identity for its own users.

            – Longfei Sun - MSFT
            Feb 16 '17 at 1:42














          0












          0








          0







          Yes I think it should work while I haven't test this so far. Create & configure ADFS server on the domain B, then create claim provide trust on domain A to make the domain A can accept the users' security token issued by domain B. Also consider the followings:




          1. Network consideration: No matter the users of domain B access the claim-aware application from the Intranet or Internet. The Federation Service Name of domain A and domain B should be able to resolve correctly. If you are using WAP then the external federation service name should be resolved to the IP of WAP server. The Port 443 should not be blocked by the firewall.


          2. Certificate consideration: The SSL certificates used in these two domains should be trusted on each domain and the external accessed clients.



          More details about the ADFS requirements to get it works you can refer to docs here:






          share|improve this answer













          Yes I think it should work while I haven't test this so far. Create & configure ADFS server on the domain B, then create claim provide trust on domain A to make the domain A can accept the users' security token issued by domain B. Also consider the followings:




          1. Network consideration: No matter the users of domain B access the claim-aware application from the Intranet or Internet. The Federation Service Name of domain A and domain B should be able to resolve correctly. If you are using WAP then the external federation service name should be resolved to the IP of WAP server. The Port 443 should not be blocked by the firewall.


          2. Certificate consideration: The SSL certificates used in these two domains should be trusted on each domain and the external accessed clients.



          More details about the ADFS requirements to get it works you can refer to docs here:







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Feb 15 '17 at 10:08









          Longfei Sun - MSFTLongfei Sun - MSFT

          32914




          32914













          • Thanks for your answer. ADFS on domain B is the Identification Provider and ADFS on domain A is the Service Provider ?

            – Thibaut
            Feb 15 '17 at 10:52













          • Yes, that's correct. Users should be able to choose the identity partner on the ADFS redirect page based on which domain the user comes from.

            – Longfei Sun - MSFT
            Feb 16 '17 at 1:34











          • To add on, the domain A which the claim-aware application located in should be IDP & SP because it also provides identity for its own users.

            – Longfei Sun - MSFT
            Feb 16 '17 at 1:42



















          • Thanks for your answer. ADFS on domain B is the Identification Provider and ADFS on domain A is the Service Provider ?

            – Thibaut
            Feb 15 '17 at 10:52













          • Yes, that's correct. Users should be able to choose the identity partner on the ADFS redirect page based on which domain the user comes from.

            – Longfei Sun - MSFT
            Feb 16 '17 at 1:34











          • To add on, the domain A which the claim-aware application located in should be IDP & SP because it also provides identity for its own users.

            – Longfei Sun - MSFT
            Feb 16 '17 at 1:42

















          Thanks for your answer. ADFS on domain B is the Identification Provider and ADFS on domain A is the Service Provider ?

          – Thibaut
          Feb 15 '17 at 10:52







          Thanks for your answer. ADFS on domain B is the Identification Provider and ADFS on domain A is the Service Provider ?

          – Thibaut
          Feb 15 '17 at 10:52















          Yes, that's correct. Users should be able to choose the identity partner on the ADFS redirect page based on which domain the user comes from.

          – Longfei Sun - MSFT
          Feb 16 '17 at 1:34





          Yes, that's correct. Users should be able to choose the identity partner on the ADFS redirect page based on which domain the user comes from.

          – Longfei Sun - MSFT
          Feb 16 '17 at 1:34













          To add on, the domain A which the claim-aware application located in should be IDP & SP because it also provides identity for its own users.

          – Longfei Sun - MSFT
          Feb 16 '17 at 1:42





          To add on, the domain A which the claim-aware application located in should be IDP & SP because it also provides identity for its own users.

          – Longfei Sun - MSFT
          Feb 16 '17 at 1:42


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Server Fault!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f832462%2fsaml-remote-desktop-services-windows-server-2012r2%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Фонтен-ла-Гаярд Зміст Демографія | Економіка | Посилання |...

          Список ссавців Італії Природоохоронні статуси | Список |...

          Маріан Котлеба Зміст Життєпис | Політичні погляди |...