Ryfujk

How could a scammer know the apps on my phone / iTunes account?

If I am holding an item before I cast Blink, will it move with me through the Ethereal Plane?

How to terminate ping <dest> &

Describing a chess game in a novel

As a new Ubuntu desktop 18.04 LTS user, do I need to use ufw for a firewall or is iptables sufficient?

Is a party consisting of only a bard, a cleric, and a warlock functional long-term?

Why did it take so long to abandon sail after steamships were demonstrated?

How should I state my peer review experience in the CV?

When to use a slotted vs. solid turner?

Do I need to be arrogant to get ahead?

Bach's Toccata and Fugue in D minor breaks the "no parallel octaves" rule?

How are passwords stolen from companies if they only store hashes?

Meme-controlled people

Why one should not leave fingerprints on bulbs and plugs?

About the actual radiative impact of greenhouse gas emission over time

What does 高層ビルに何車線もの道路。mean?

Adventure Game (text based) in C++

Why Choose Less Effective Armour Types?

Is honey really a supersaturated solution? Does heating to un-crystalize redissolve it or melt it?

What are substitutions for coconut in curry?

Why does overlay work only on the first tcolorbox?

Is "upgrade" the right word to use in this context?

Knife as defense against stray dogs

This word with a lot of past tenses

SAML Remote Desktop Services Windows Server 2012R2

Terminal Server rename to Remote Desktop servicesRemote Desktop Services on Windows 2008Remote Desktop Services License on two Windows 2008 serversRemote desktop servicesHow to override client supplied logon domain in Windows Server 2012R2 Remote Desktop ServicesRemote Desktop Services - Licensing issueRemote Control with Remote Desktop Services Manager - error Access is denied (Windows Server 2012 R2)How to make Remote Desktop Services Deployment visible in Windows 2012R2 server manager when logging with a different user?Why is it bad to deploy Remote Desktop Services on a domain controller?Remote Desktop Service - UnifiedSessionId is empty

0

I want to implement SAML for Remote Desktop Services on Windows Server 2012R2.

First, is it possible ?

Then, I want to authenticate users from another AD with my RDS, like this architecture : https://technet.microsoft.com/en-us/library/dd807050(v=ws.11).aspx

At this point, I'm able to authenticate users with SSO on the same AD, but not with an other.

windows-server-2012-r2 remote-desktop-services adfs saml

share|improve this question

edited Feb 13 at 16:08

Dave M

4,35982428

asked Feb 14 '17 at 11:12

ThibautThibaut

63

bumped to the homepage by Community♦ 10 mins ago

This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.

add a comment | 

0

I want to implement SAML for Remote Desktop Services on Windows Server 2012R2.

First, is it possible ?

Then, I want to authenticate users from another AD with my RDS, like this architecture : https://technet.microsoft.com/en-us/library/dd807050(v=ws.11).aspx

At this point, I'm able to authenticate users with SSO on the same AD, but not with an other.

windows-server-2012-r2 remote-desktop-services adfs saml

share|improve this question

edited Feb 13 at 16:08

Dave M

4,35982428

asked Feb 14 '17 at 11:12

ThibautThibaut

63

bumped to the homepage by Community♦ 10 mins ago

This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.

add a comment | 

I want to implement SAML for Remote Desktop Services on Windows Server 2012R2.

First, is it possible ?

Then, I want to authenticate users from another AD with my RDS, like this architecture : https://technet.microsoft.com/en-us/library/dd807050(v=ws.11).aspx

At this point, I'm able to authenticate users with SSO on the same AD, but not with an other.

windows-server-2012-r2 remote-desktop-services adfs saml

share|improve this question

edited Feb 13 at 16:08

Dave M

4,35982428

asked Feb 14 '17 at 11:12

ThibautThibaut

63

share|improve this question

edited Feb 13 at 16:08

Dave M

4,35982428

asked Feb 14 '17 at 11:12

ThibautThibaut

63

share|improve this question

edited Feb 13 at 16:08

Dave M

4,35982428

asked Feb 14 '17 at 11:12

ThibautThibaut

63

edited Feb 13 at 16:08

Dave M

4,35982428

edited Feb 13 at 16:08

Dave M

4,35982428

asked Feb 14 '17 at 11:12

ThibautThibaut

63

asked Feb 14 '17 at 11:12

ThibautThibaut

63

1 Answer
1

active

oldest

votes

0

Yes I think it should work while I haven't test this so far. Create & configure ADFS server on the domain B, then create claim provide trust on domain A to make the domain A can accept the users' security token issued by domain B. Also consider the followings:

1. Network consideration: No matter the users of domain B access the claim-aware application from the Intranet or Internet. The Federation Service Name of domain A and domain B should be able to resolve correctly. If you are using WAP then the external federation service name should be resolved to the IP of WAP server. The Port 443 should not be blocked by the firewall.




2. Certificate consideration: The SSL certificates used in these two domains should be trusted on each domain and the external accessed clients.

More details about the ADFS requirements to get it works you can refer to docs here:

share|improve this answer

answered Feb 15 '17 at 10:08

Longfei Sun - MSFTLongfei Sun - MSFT

32914

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Thanks for your answer. ADFS on domain B is the Identification Provider and ADFS on domain A is the Service Provider ?
  
  – Thibaut
  Feb 15 '17 at 10:52
  
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Yes, that's correct. Users should be able to choose the identity partner on the ADFS redirect page based on which domain the user comes from.
  
  – Longfei Sun - MSFT
  Feb 16 '17 at 1:34
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  To add on, the domain A which the claim-aware application located in should be IDP & SP because it also provides identity for its own users.
  
  – Longfei Sun - MSFT
  Feb 16 '17 at 1:42
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "2"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f832462%2fsaml-remote-desktop-services-windows-server-2012r2%23new-answer', 'question_page');
}
);

Post as a guest

Name

Email

Required, but never shown

0

Yes I think it should work while I haven't test this so far. Create & configure ADFS server on the domain B, then create claim provide trust on domain A to make the domain A can accept the users' security token issued by domain B. Also consider the followings:

1. Network consideration: No matter the users of domain B access the claim-aware application from the Intranet or Internet. The Federation Service Name of domain A and domain B should be able to resolve correctly. If you are using WAP then the external federation service name should be resolved to the IP of WAP server. The Port 443 should not be blocked by the firewall.




2. Certificate consideration: The SSL certificates used in these two domains should be trusted on each domain and the external accessed clients.

More details about the ADFS requirements to get it works you can refer to docs here:

share|improve this answer

answered Feb 15 '17 at 10:08

Longfei Sun - MSFTLongfei Sun - MSFT

32914

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Thanks for your answer. ADFS on domain B is the Identification Provider and ADFS on domain A is the Service Provider ?
  
  – Thibaut
  Feb 15 '17 at 10:52
  
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Yes, that's correct. Users should be able to choose the identity partner on the ADFS redirect page based on which domain the user comes from.
  
  – Longfei Sun - MSFT
  Feb 16 '17 at 1:34
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  To add on, the domain A which the claim-aware application located in should be IDP & SP because it also provides identity for its own users.
  
  – Longfei Sun - MSFT
  Feb 16 '17 at 1:42
  

  
  
  
  

add a comment | 

0

Yes I think it should work while I haven't test this so far. Create & configure ADFS server on the domain B, then create claim provide trust on domain A to make the domain A can accept the users' security token issued by domain B. Also consider the followings:

1. Network consideration: No matter the users of domain B access the claim-aware application from the Intranet or Internet. The Federation Service Name of domain A and domain B should be able to resolve correctly. If you are using WAP then the external federation service name should be resolved to the IP of WAP server. The Port 443 should not be blocked by the firewall.




2. Certificate consideration: The SSL certificates used in these two domains should be trusted on each domain and the external accessed clients.

More details about the ADFS requirements to get it works you can refer to docs here:

share|improve this answer

answered Feb 15 '17 at 10:08

Longfei Sun - MSFTLongfei Sun - MSFT

32914

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Thanks for your answer. ADFS on domain B is the Identification Provider and ADFS on domain A is the Service Provider ?
  
  – Thibaut
  Feb 15 '17 at 10:52
  
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Yes, that's correct. Users should be able to choose the identity partner on the ADFS redirect page based on which domain the user comes from.
  
  – Longfei Sun - MSFT
  Feb 16 '17 at 1:34
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  To add on, the domain A which the claim-aware application located in should be IDP & SP because it also provides identity for its own users.
  
  – Longfei Sun - MSFT
  Feb 16 '17 at 1:42
  

  
  
  
  

add a comment | 

Yes I think it should work while I haven't test this so far. Create & configure ADFS server on the domain B, then create claim provide trust on domain A to make the domain A can accept the users' security token issued by domain B. Also consider the followings:

1. Network consideration: No matter the users of domain B access the claim-aware application from the Intranet or Internet. The Federation Service Name of domain A and domain B should be able to resolve correctly. If you are using WAP then the external federation service name should be resolved to the IP of WAP server. The Port 443 should not be blocked by the firewall.




2. Certificate consideration: The SSL certificates used in these two domains should be trusted on each domain and the external accessed clients.

More details about the ADFS requirements to get it works you can refer to docs here:

share|improve this answer

answered Feb 15 '17 at 10:08

Longfei Sun - MSFTLongfei Sun - MSFT

32914

share|improve this answer

answered Feb 15 '17 at 10:08

Longfei Sun - MSFTLongfei Sun - MSFT

32914

answered Feb 15 '17 at 10:08

Longfei Sun - MSFTLongfei Sun - MSFT

32914

answered Feb 15 '17 at 10:08

Longfei Sun - MSFTLongfei Sun - MSFT

32914