Publish Remote Desktop Web and Webclient via Azure AD Application Proxy

What’s up, everyone! 

In this post I will talk about the Azure AD Application Proxy. 

Simply put, the Azure AD Application Proxy is a great way to provide secure remote access to on-premise web applications, apps hosted behind a Remote Desktop Gateway or rich client apps that are integrate with MSAL. 

We can make use of Conditional Access to enable MFA and we can setup Single Sign-On.

In this demo I will publish an RDS collection via an Azure AD Application Proxy.

Requirements

The Azure AD Application Proxy works with: 

  • Web applications that use Integrated Windows authentication for authentication
  • Web applications that use form-based or header-based access
  • Web APIs that you want to expose to rich applications on different devices
  • Applications hosted behind a Remote Desktop Gateway
  • Rich client apps that are integrated with the Microsoft Authentication Library (MSAL)
Microsoft has defined the following requirements:
  • Both the RD Web and RD Gateway endpoints must be located on the same machine, and with a common root. RD Web and RD Gateway are published as a single application with Application Proxy so that you can have a single sign-on experience between the two applications.
  • You should already have deployed RDS, and enabled Application Proxy. Ensure you have satisfied the pre-requisites to enable Application Proxy, such as installing the connector, opening required ports and URLs, and enabling TLS 1.2 on the server. To learn which ports need to be opened, and other details, see Tutorial: Add an on-premises application for remote access through Application Proxy in Azure Active Directory.
  • Your end users must use a compatible browser to connect to RD Web or the RD Web client. For more details see Support for client configurations.
  • When publishing RD Web, it is recommended to use the same internal and external FQDN. If the internal and external FQDNs are different then you should disable Request Header Translation to avoid the client receiving invalid links.
  • If you are using RD Web on Internet Explorer, you will need to enable the RDS ActiveX add-on.
  • If you are using the RD Web client, you will need to use the Application Proxy connector version 1.5.1975 or later.
  • For the Azure AD pre-authentication flow, users can only connect to resources published to them in the RemoteApp and Desktops pane. Users can’t connect to a desktop using the Connect to a remote PC pane.
  • If you are using Windows Server 2019, you may need to disable HTTP2 protocol. For more information, see Tutorial: Add an on-premises application for remote access through Application Proxy in Azure Active Directory.

Step 1: Install And Configure The Connector

Log on to the Azure portal and open Azure Active Directory. 

Click on the Application Proxy node. This screen will provide an overview of all the connector groups and assigned connectors. 

Let’s create a connector group for RDS. Click on the + New Connector Group button.

Enter a name and check the region under advanced settings.

Click the Create button on the top left corner. The Connector Group will now appear in the overview with an exclamation mark in front of the name. 

We can get more information on why we get the exclamation mark by hovering over it with the mouse. In this case, we see that no connectors are assigned. That would be our next step. 

In the next step we will install and confgure the connector. So logon to the server and download the Connector Service (from the Azure portal). 

Click on + Download connector service in the portal. The following screen will appear:

Click Accept terms & Download to download the installation file ‘AADAplicationProxyConnectorInstaller.exe’

The application proxy can be installed on Windows server 2012 R2  and up. I will install the proxy on Windows server 2019 which means I have to disable HTTP2 protocol support in the WinHTTP component for Kerberos Constrained Delegation. 

This can be done via the registry:

Windows Registry Editor Version 5.00 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp] "EnableDefaultHTTP2"=dword:00000000

or via a Powershell command:

Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\' -Name EnableDefaultHTTP2 -Value 0

I used the Powershell command.

We need to enable TLS 1.2 before we can install the Azure AD Application Proxy connector. To do so, just add the following code to the registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

So let’s import the code to the registry;

Restart the server to make sure the changes are applied.

The next step is to check the firewall;

Once these are checked, we can move on to the installation and registration of a connector.

We already downloaded the installation file earlier in this demo. So the next step is to run the installer. Make sure to Disable the IE Enhanced Security Configuration during the installation, or the installation will fail.

If the installation failed, just disable IE Enhanced Security and run the installer again.

Check the box and click Install.

Sign in using your credentials.

The installation will complete.

Repeat this process for each connector that you need to install.

Let’s check the Azure portal to see if the connectors registered succesfully. After refreshing the page I could see the new connectors in the default group. 

To add the connectors to the RDS2019 Connector group, just click the connector group and check the box in front of the connector name. Click Save.

Step 2: Add RDS to Azure AD

In this step we will add an on-premise app, in this case we will add the RD Web. 

Log in to the Azure portal, open Azure Active Directory and click on Enterprise Applications.

Click on the + New application button.

Select Add an on-premises application.

Fill in the required values:

  • Name: Enter a name.
  • Internal URL: Enter the internal URL used by the app. Remember to end with the trailing ‘/’.
  • External URL: Enter the desired external URL.
  • Pre-authentication: Azure Active Directory
  • Connector Group: Choose the connector group we created earlier, RDS2019.

Additional Settings

  • Backend Application Timeout: Default
  • Use HTTP-Only Cookie: No
  • Use Secure Cookie: Yes
  • Use Persistant Cookie: No
  • Translate URLs in:
    • Headers: No
    • Application Body: No

Once done, the on-premises application should look something like this:

Click on + Add to save the Enterprise App.

Then go back to the overview of the Enterprise Applications. Open the newly created app, in my case RDS2019.

We will see the following screen;

Click on the Assign Users and Groups box. Search the groups (or users) and add them. It’s also possible to add a role if needed.

In my case I added two groups.

Click the Assign button on the bottom of the page to complete the assignment.

The Single Sign-On methode shows up as Disabled. Leave it that way, since we use Azure AD.

Go to App Registrations in Azure AD. Choose your app from the list.

Click on Branding & properties under Manage.

Update the Home page URL, add /RDWeb.

It should look something like:

Click the Save button on the bottom of the screen.

Step 3: Direct RDS traffic to the Application Proxy

The next configuration steps are needed on the on-prem side. Logon to the server with the RD Connection Broke role and open up Servermanager. Make sure all servers of the RDS deployment are added to Servermanager.

Click on the Remote Desktop Services Role.

Click on the tasks dropdown box. Select Edit deployment properties.

Update the Use these RD Gateway server settings URL to the External URL in the Enterprise Application and choose Password Authentication as the Logon method.

Now it’s time to enable SSO between the RD Web and RD Gateway. We need to do this for each collection.

Microsoft provides us with the following example code:

Set-RDSessionCollectionConfiguration -CollectionName "<yourcollectionname>" -CustomRdpProperty "pre-authentication server address:s:<proxyfrontendurl>`nrequire pre-authentication:i:1"

Replace the collectionname and proxyfrontendurl with your own names.

Use the following command to view the contents of the .RDP file. This allows us to verify the connection details:

(get-wmiobject -Namespace root\cimv2\terminalservices -Class Win32_RDCentralPublishedRemoteDesktop).RDPFileContents

Once these steps are configured, you could check the configuration. For instance, logon to https://myapps.microsoft.com. Authenticate using your credentials and MFA. 

Click on the name of the app and log in to the RDweb site. Click on the resource to test.

Should it fail, check if you are using a supported solution (URL).

Step 4: Enable The Web Client

The webclient is a package that presents the desktop in a (up-to-date) browser screen. It installs in the RDWeb role.

Follow the next steps to install the RD webclient.

Edit the RDS deployment and check which certificate is used. Export that certificate to a .cer file.

Copy the .cer file to server containing the RD Web role.

Use the following Powershell commands:

# You might need to restart Powershell after you run the following command:
Install-Module -Name PowerShellGet -Force
# Install the RD Web Client Management PS Module from the Powershell gallery
Install-Module -Name RDWebClientManagement
# Download the latest version
Install-RDWebClientPackage
# Import the certificate you copied before
Import-RDWebClientBrokerCert "C:\Temp\Certificate.cer"
# Publish the RD Web Client
Publish-RDWebClientPackage -Type Production -Latest
 RDWebClientManagement

The server should be able to present the webclient using the FQDN. Check the following URL:

https://server_FQDN/RDWeb/webclient/index.html

We get to see the published resources after we log in:

Resources

Related Post

One thought on “Publish Remote Desktop Web and Webclient via Azure AD Application Proxy

  1. Yo, Thank you for the guide. Rocks hard and didn’t have any issues.

    However, Im trying to get the SSO to work for the rdweb/webclient – Which it wont, I still get the Sign In prompt. The SSO is working for hostname.com.au/rdweb

    Thanks again!

Leave a Reply

Your email address will not be published. Required fields are marked *