Publishing Applications in a Windows Server 2008 R2 RD Session Host Farm

Note: This article is based on RDS 2008 (R2) and might not apply to RDS 2012 (R2)

Overview of Remote Desktop Services (RDS)

This is a landing page for information about publishing applications, including but not limited to the following topics:

• Application compatibility
• The application publishing architecture
• Publishing applications to RD Session Host servers
• Troubleshooting connection issues with RD Web Access
• Optimize my experience for a LAN network feature
• Configuring Single Sign On for RD Web Access

Please add links to the sections below, and feel free to add more links if appropriate.

Application Compatibility

The Remote Desktop Services (RDS) Application Compatibility Analyzer can be used to determine the compatibility of an application with a Remote Desktop Session Host (RD Session Host). You can start using the Analyzer by following the step-by-step guide below.

1. Install the RDS Application Compatibility Analyzer
2. Run an application in the RDS Application Compatibility Analyzer
3. Test an application for RDS compliance
4. Debug info and blog feeds
5. Filter noise, detailed stack trace, and logging
6. Interpret RDS Application Compatibility Analyzer logs

Application Publishing Architecture

http://blogs.msdn.com/blogfiles/rds/WindowsLiveWriter/PublishinginWindowsServer2008R2_F115/clip_image002_thumb.jpg

Publishing applications to RD Session Host servers

 Publishing in Windows Server 2008 R2

Troubleshooting connections through RD Web Access

1) How to resolve the issue: “A website wants to start a remote connection. The publisher of this remote connection cannot be identified.”
2) How to troubleshoot Logon Attempt Failed messages when connecting through RD Gateway
3) The case of invisible RemoteApp programs (a.k.a. No RemoteApp programs listed on RD Web Access site)

Optimize my experience for a LAN network feature

More info on the option "Optimize my experience for a LAN network when connecting to the computer or application." in RD WebAccess
http://social.technet.microsoft.com/wiki/contents/articles/3360.aspx

Configuring Single Sign On for RD Web Access

In Windows Server 2008 R2, the Web Single Sign-On (Web SSO) feature provides users with the ability to enter their credentials only once during logon to Remote Desktop Web Access (RD Web Access). After logon, users can launch RemoteApp programs that are part of the same connection in RemoteApp and Desktop Connections without any further credential prompts, even if the RemoteApp programs are configured to use RD Gateway.

Requirements

• To take advantage of the new Web SSO feature, the client must be running Remote Desktop Connection (RDC) 7.0.
• In order for Web SSO to work:

1. 1. The connection in RemoteApp and Desktop Connections must have an ID. By default, it is set to the Fully Qualified Domain Name (FQDN) of the RD Connection Broker server in case of RD Connection Broker mode. In RD Session mode, it is set to the FQDN of the RD Web Access server.
   2. RemoteApp programs must be digitally signed using a Server Authentication certificate [Secure Sockets Layer (SSL) certificate]. The certificate Enhanced Key Usage section must contain ‘Server Authentication (1.3.6.1.5.5.7.3.1)’. More details about the types of certificates used to digitally sign RemoteApp programs can be found here.
   3. Client operating systems must trust the certificate with which the RemoteApp programs are signed.

Configuring Web SSO when using RD Session Host mode

• Step 1: Add the RD Web Access server to the TS Web Access Computers group on the RD Session Host server

• Step 2: Digitally sign the RemoteApp programs on the RD Session Host server

  Configuring Web SSO when using RD Connection Broker mode

• Step 1: Add the RD Web Access server to the TS Web Access Computers group on the RD Connection Broker server

• Step 2: Add RD Session Host servers as RemoteApp Sources on RD Connection Broker server

• Step 3: Add the RD Connection Broker server to TS Web Access Computers group on each RD Session Host server

• Step 4: Digitally sign the RemoteApp programs on each RD Session Host server

• Step 5: Specify certificate on RD Connection Broker server
  *Note: The certificate for digitally signing RemoteApp programs on each RD Session Host server and RD Connection Broker server should be the same.
  *

  Configuring the client computer for Web SSO

  If the RemoteApp programs are signed using a certificate from a public CA that participates in the Microsoft Root Certificate Program Members program (http://go.microsoft.com/fwlink/?LinkID=59547), then Web SSO should just work.

  If the certificate is not issued by a trusted public CA, the certificate must be imported into the Trusted Root Certification Authorities certification store on the client computer to be trusted by the client operating system. Members of the local Administrators group, or equivalent, on the client computer can import the certificate or it can be done by using Group Policy

  Web SSO with RD Gateway

  Web SSO also works when RemoteApp programs are set to use RD Gateway regardless of whether RD Web Access accesses RemoteApp programs in RD Session Host mode or RD Connection Broker mode.

  1. On the RD Session Host server, open RemoteApp Manager. To open RemoteApp Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click RemoteApp Manager.
  2. In the Actions pane of RemoteApp Manager, click RD Gateway Settings. (Or, in the Overview pane, next to RD Gateway Settings, click Change.)
  3. Select the Use these RD Gateway server settings.
  4. In the Server name box, click the FQDN of the RD Gateway server.
  5. In the Logon box, select the Ask for password (NTLM).
  6. Select the Use the same user credentials for RD Gateway and RD Session Host server check box.
  7. Click OK to close the RemoteApp Deployment Settings dialog box.

  For more detailed information configuring Remote Desktop Services Web SSO see this blog post:
  http://blogs.msdn.com/b/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx

  Customizing RD Web Access (the Remote Desktop Web Portal)

  The RD Web Access Portal can be customized to put in the company/department name.   The following are some resources to get stated with:

  • Simple change instructions: http://blogs.technet.com/b/askperf/archive/2011/01/21/modifying-the-default-rdwebaccess-web-page-for-fun-and-profit.aspx
  • More in depth customization on this Wiki: http://social.technet.microsoft.com/wiki/contents/articles/7263.customizing-rd-webaccess.aspx
  • Windows Server 2008 prototype customization at http://archive.msdn.microsoft.com/tswebsilverlight  Video demo at http://technet.microsoft.com/en-us/edge/Video/ff710338