This Blog will detail the process of publishing RDS via Azure App Proxy with Single Sign On.

Pre-requirements:
Working internal RDS server with Gateway Role installed (this blog uses a simple 1 server setup) detail can be found here.
Application Proxy connector configured.

Steps:

Configure 2 On-Premise Applications:
(Because of a gateway error we will create 1 application for the portal using Azure Active Directory pre-auth and another application for the gateway using Passthough pre-auth)

1. Login Azure > Azure Active Directory > Enterprise Applications > Add an Application > On-Premises application
2. Name: RDSPortal
3. Internal URL: https://rdsserver.contoso.com/RDWeb/
4. External URL: https://rds.contoso.com/RDWeb/
5. Pre-Auth: Azure Active Directory
6. Translate URLs In Headers: No (You may see error “Error: Unable to display RD Web Access App proxy” otherwise)
7. Upload certificate – Usually public SSL certificate

1. Login Azure > Azure Active Directory > Enterprise Applications > Add an Application > On-Premises application
2. Name: RDSGateway
3. Internal URL: https://rdsserver.contoso.com/
4. External URL: https://rdsgateway.contoso.com/
5. Pre-Auth: Passthrough
6. Translate URLs In Headers: No (You may see error “Error: Unable to display RD Web Access App proxy” otherwise)
7. Upload certificate – Usually public SSL certificate

*Don’t forget to update public/internal DNS usually CNAME:
‘rds.contoso.com’ to ‘rds-contoso365.msappproxy.net’
‘rdsgateway.contoso.com’ to ‘rdsgateway-contoso365.msappproxy.net’

Configure Single Sign On:

1. For the RDSPortal App – Add SSO > Configure Integrated Windows Authentication (IWA)
2. SPN: http/rdsserver.contoso.com
3. Delegated Login Identity: User Principal Name

(If not already configured)
4. Configure SPN > Login to rdsserver > Open elevated command prompt
5. Run: setspn -s http/rdsserver.contoso.com rdsserver
6. Run: setspn -l rdsserver to check

7: Configure AD Impersonation > Login to Domain Controller > Open PowerShell > import AD module (import-module ActiveDirectory)
8. $ImpersonatingAccount = Get-ADComputer -Identity “rdsserver”
9. Set-ADComputer “rdsserver” -PrincipalsAllowedToDelegateToAccount $ImpersonatingAccount
10. $ImpersonatingAccount = Get-ADComputer -Identity “AppProxyConnectorServer”
11. Set-ADComputer “rdsserver” -PrincipalsAllowedToDelegateToAccount $ImpersonatingAccount

Configure Integrated Windows Authentication for RDS:
(note comment out means adding <!– to the start of the section and Authentication > Enable “Windows Authentication”
2. Go to C:\Windows\Web\RDWeb\Pages > Make a backup of “web.config”
3. Edit “web.config” in notepad, find the lines:
4. Uncomment the section
5. Comment the section below as per:

6. Next need to comment out following:

7. Next make a backup of C:\Windows\Web\RDWeb\Pages\en-US\default.aspx
8. Edit C:\Windows\Web\RDWeb\Pages\en-US\default.aspx with notepad
9. Search for bPrivateMode
10. Change the line to true:

public bool bShowPublicCheckBox = false, bPrivateMode = false, bRTL = false;

public bool bShowPublicCheckBox = false, bPrivateMode = true, bRTL = false;

11. Save the file
12. IISReset

Direct RDS traffic to Application Proxy:

1. Connect to the RDS server running the RD Connection Broker role.
2. Launch Server Manager.
3. Select Remote Desktop Services from the pane on the left.
4. Select Overview.
5. In the Deployment Overview section, select the drop-down menu and choose Edit deployment properties.
6. In the RD Gateway tab, change the Server name field to the External URL you set for RDSGateway app (https://rdsgateway.contoso.com/).
7. Change the Logon method field to Password Authentication.

Should you see error 4402 in NPS logs: There is no Domain Controller available for domain contoso

1. Open the NPS management console
2. Right-click on NPS (Local)
3. Click on Register server in Active Directory