Channel: Remote Desktop Services (Terminal Services) forum
RD Gateway SSO IWA over NTLM from remote outside the internal network possible out of the box?

hello,

I am struggling at the moment with RD Gateway SSO IWA for RDS 2016/2019 from remote, outside the local network and without VPN, for the remote apps.

All the GPOs with delegation, trusted sites, RD Gateway authentication method (use locally logged on credentials) are set.

Inside the network or with VPN, SSO IWA works fine for both RD Web Access and the remote apps resp. RD Gateway.
Outside, only RD Web Access works without a credentials prompt, but if a user clicks on a remote app he will be prompted with a credentials dialog (in the RDP client you will see the settings from the GPO with "Your Windows logon credentials will be used", so this is not the problem).

So the first question is whether SSO IWA for RDS and RD Gateway is even supported from remote without a third-party solution.

To get RD Web Access SSO to work from remote, I had to move the Windows authentication provider NTLM to the first position, before Negotiate. So it seems that the client first tries to log on with Kerberos and doesn't automatically fall back to NTLM if Kerberos fails, which of course it does from outside the network.

I suppose this is also the problem for the remote apps and RD Gateway: in Fiddler you will see that after clicking on a remote app, the client connects to the RD Gateway and gets a 401 access denied with the supported authentication providers. In this list the first one is Negotiate, before NTLM.

So the client only tries to connect over Kerberos and after failing it will not automatically fall back to NTLM and use the locally logged-on credentials. Instead it prompts a credential dialog. After entering the credentials the connection is established with NTLM.

I wonder if it is possible for the client to automatically fall back to NTLM and use the local logon credentials without prompting for them from remote?

In the GPO "Set RD Gateway authentication method" you can enforce clients to use NTLM, but only in combination with "Ask for Credentials".

Best regards,
Marcus
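A read-only diagnostic that reproduces what the post observed in Fiddler, added here as an example and not part of the original post: it prints the Windows authentication provider order configured for the RDWeb application in IIS and the authentication schemes the RD Gateway advertises on its 401 challenge, so the two orders can be compared. It assumes Windows PowerShell 5.1 with the WebAdministration module on the RD Web Access host; the IIS path and the gateway FQDN are placeholders.

```powershell
# Added diagnostic (not from the original post). Assumes Windows PowerShell 5.1,
# the WebAdministration module on the RDWeb host, and placeholder values below.
Import-Module WebAdministration

# 1) Provider order for Windows authentication on the RDWeb application.
#    The IIS default lists Negotiate before NTLM, which is the order the post
#    had to swap for RD Web Access SSO from outside the network.
$rdwebPath = 'IIS:\Sites\Default Web Site\RDWeb'   # placeholder site/app path
$providers = Get-WebConfiguration `
    -Filter 'system.webServer/security/authentication/windowsAuthentication/providers/add' `
    -PSPath $rdwebPath
Write-Host "RDWeb Windows auth providers (in order): $($providers.value -join ', ')"

# 2) Schemes the RD Gateway offers in its WWW-Authenticate headers. An
#    unauthenticated request to the gateway endpoint is answered with a 401;
#    the header order is what the post saw in Fiddler (Negotiate before NTLM).
$gateway = 'rdgw.example.com'   # placeholder gateway FQDN
try {
    Invoke-WebRequest -Uri "https://$gateway/remoteDesktopGateway/" `
        -UseBasicParsing -ErrorAction Stop | Out-Null
    Write-Host 'Unexpected: the gateway answered without a 401 challenge.'
} catch [System.Net.WebException] {
    $resp = $_.Exception.Response
    if ($null -ne $resp -and [int]$resp.StatusCode -eq 401) {
        $schemes = $resp.Headers.GetValues('WWW-Authenticate')
        Write-Host "RD Gateway WWW-Authenticate (in order): $($schemes -join ', ')"
    } else {
        throw   # any other failure (DNS, TLS, timeout) is reported as-is
    }
}
```

Run the first part on the RD Web Access server and the second from a client outside the network, so the gateway challenge is the one a remote client actually receives.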
