Microsoft RDWeb via WS-Federation application setup
Introduction

You can use HelloID as an Identity Provider (IdP) for Microsoft RDWeb, using WS-Federation (Web Services Federation).

This configuration requires communication with Tools4ever support.

Requirements
  • HelloID environment

  • RDWeb 2016 or 2019 environment with full administrative rights

Create or import a certificate
  1. Create or import a self-signed certificate named RDWeb.

  2. Download the certificate as a DER Encoded binary X.509 (.CER) file.

  3. Save the .CER file to the RDWeb server and make note of its location. You will need it shortly.

  4. Download the certificate as a Personal Information Exchange (.PFX) file.

  5. Supply it to Tools4ever support. Tools4ever will convert the .PFX certificate into a format compatible with the RDWeb server, and send you a copy.

  6. When you receive the converted certificate, import it into HelloID. Name it RDWeb WS-Federation. Ignore any certificate errors.

Application setup
  1. Open the HelloID application catalog.

  2. Add the Generic WS Federation application.

General tab
  • For the Default Login URL, enter your RDWeb URL. For example: https://remote.customer.com/RDWeb

Single Sign On tab
  1. For the Realm field, enter the RDWeb URL with the addition of /Pages/. For example: https://remote.customer.com/RDWeb/Pages/.

  2. For the Endpoint URL field, enter the RDWeb URL with the addition of /Pages. For example: https://remote.customer.com/RDWeb/Pages.

  3. For the X509 Certificate field, select the RDWeb WS-Federation certificate you received from Tools4ever support.

  4. Save the application.

Change mappings
  1. Edit the mapping set of the new WS Federation application.

  2. Select the Change mappings link.

  3. Remove all existing mappings.

  4. Add a mapping for {{user.contactEmail}} > Upn.

  5. Add additional custom mappings as desired.

  6. Select the Set Identifier link.

  7. Remove the existing mapping.

  8. Add a mapping for {{user.contactEmail}} > Name ID.

  9. Select the Close link, and then select the Save button.

RDWeb server configuration
  1. Install the certificate you previously copied to the RDWeb server.

  2. Open the Certificates snap-in.

  3. Double-click the added certificate.

  4. Select the Details tab.

  5. Select the Thumbprint field and copy its hex value.

  6. Install Windows Identity Foundation using the Server Manager Roles and Features Wizard.

  7. Open Notepad.exe as administrator. Open the file: C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config. Create a backup if desired.

  8. Add <add value="IIS APPPOOL\RDWebAccess" /> above the </allowedCallers> line, so that the RDWebAccess application pool identity is the only caller permitted to use the service. The result should look like this:

    <allowedCallers>
    <clear/>
    <!-- <add value="NT AUTHORITY\Network Service" /> -->
    <!-- <add value="NT AUTHORITY\Local Service" /> -->
    <!-- <add value="NT AUTHORITY\System" /> -->
    <!-- <add value="NT AUTHORITY\Authenticated Users" /> -->
    <add value="IIS APPPOOL\RDWebAccess" />
    </allowedCallers>
  9. Open the Services snap-in.

  10. Start the Claims to Windows Token Service.

  11. Set its Startup Type to Automatic.

  12. Ensure that it depends on the Cryptographic Service by running the following command as administrator: sc config c2wts depend= cryptsvc

  13. Open the IIS Manager.

  14. Browse to the RDWebAccess Application Pool.

  15. Select Advanced Settings.

  16. Set Load User Profile to True.

  17. Select OK.

  18. Recycle the application pool.

  19. Open Notepad.exe as administrator. Open the file: C:\Windows\Web\RDWeb\Pages\web.config. Create a backup if desired.

  20. Add the following directly under the <configuration> tag:

    <configSections>
    <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </configSections>

    The result should look like this:

    <configuration>
    <configSections>
    <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </configSections>
    <!-- Admin Defined settings -->
  21. Add the following lines directly under the <system.web> tag. They relax ASP.NET request validation, which would otherwise reject the signed token that HelloID posts back to the page:

    <httpRuntime requestValidationMode="2.0" />
    <pages validateRequest="false" />
  22. Add the following lines inside the <system.web> tag, so that unauthenticated users are denied and no built-in authentication handles the request:

    <authorization><deny users="?" /></authorization>
    <authentication mode="None" />
  23. Disable all other authentication methods by commenting them out using <!-- -->.

    <!--
    <authentication mode="Forms">
    <forms loginUrl="default.aspx" name="TSWAAuthHttpOnlyCookie" protection="All" requireSSL="true" />
    </authentication>
    -->
  24. Change the runAllManagedModulesForAllRequests setting to True.

  25. Add the following two lines directly above the </modules> tag:

    <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
    <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
  26. Edit the following lines inside the <runtime> tag. Replace rdweburl with your RDWeb host name; the realm value and the second audienceUris entry must be identical to the Realm entered in HelloID, including the trailing /:

    <microsoft.identityModel>
    <service>
    <audienceUris>
    <add value="urn:microsoft:rdweb" />
    <add value="https://rdweburl/RDWeb/Pages/" />
    </audienceUris>
    <securityTokenHandlers>
    <remove type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <add type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
    <sessionTokenRequirement useWindowsTokenService="true" />
    </add>
    <add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
    <samlSecurityTokenRequirement mapToWindows="true" useWindowsTokenService="true" />
    </add>
    </securityTokenHandlers>
    <federatedAuthentication>
    <wsFederation passiveRedirectEnabled="true" issuer="https://we-identity.helloid.cloud/service/identity-server/wsfederation/suppliedbytools4ever" realm="https://rdweburl/RDWeb/Pages/" requireHttps="true" />
    <cookieHandler requireSsl="false" />
    </federatedAuthentication>
    <applicationService>
    </applicationService>
    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
    <trustedIssuers>
    <add thumbprint="Certificate thumbprint copied earlier" name="Name of the certificate authority" />
    </trustedIssuers>
    </issuerNameRegistry>
    <certificateValidation certificateValidationMode="None" />
    </service>
    </microsoft.identityModel>
  27. Save the web.config file.

  28. Test the authentication by browsing to the RDWeb Pages URL on the RDWeb server. Note the trailing / in the URL, which must match the configured realm. If you receive errors about duplicate entries in the web.config file, comment out the duplicate lines and try again.
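The following PowerShell script is an added verification aid, not part of the HelloID article or product: run it as administrator on the RDWeb server after completing the steps above and it reports PASS or FAIL for each setting the procedure changes (c2wts allowed callers, the service state and dependency, the application pool setting, and the web.config entries, including whether the realm and audience URIs agree and whether the pasted thumbprint is clean hex). The file paths are those named in the article; the $Realm value is an assumed placeholder to replace with your own RDWeb realm.

```powershell
# Added verification script; not part of the HelloID article. $Realm is an assumed placeholder.
$Realm       = 'https://remote.customer.com/RDWeb/Pages/'   # replace with your RDWeb realm
$WebConfig   = 'C:\Windows\Web\RDWeb\Pages\web.config'
$C2wtsConfig = 'C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config'
$results = [ordered]@{}

# Steps 7-8: the RDWebAccess app pool identity must be an allowed caller of c2wts.
[xml]$c2 = Get-Content -Path $C2wtsConfig -Raw
$callers = $c2.SelectNodes('//allowedCallers/add') | ForEach-Object { $_.value }
$results['c2wts allows IIS APPPOOL\RDWebAccess'] = $callers -contains 'IIS APPPOOL\RDWebAccess'

# Steps 9-12: service running, Automatic start, dependency on the Cryptographic Service.
$svc = Get-Service -Name c2wts
$results['c2wts running']             = $svc.Status -eq 'Running'
$results['c2wts startup Automatic']   = $svc.StartType -eq 'Automatic'
$results['c2wts depends on CryptSvc'] = $svc.ServicesDependedOn.Name -contains 'CryptSvc'

# Steps 13-18: Load User Profile on the RDWebAccess application pool.
Import-Module WebAdministration
$pool = Get-Item 'IIS:\AppPools\RDWebAccess'
$results['RDWebAccess Load User Profile'] = [bool]$pool.processModel.loadUserProfile

# Steps 20-26: web.config contents. XPath locates elements wherever they were placed.
[xml]$wc = Get-Content -Path $WebConfig -Raw
$results['microsoft.identityModel section declared'] =
    [bool]$wc.SelectSingleNode('//configSections/section[@name="microsoft.identityModel"]')
$results['authentication mode None'] =
    $wc.SelectSingleNode('//system.web/authentication').mode -eq 'None'
$modules = $wc.SelectSingleNode('//system.webServer/modules')
$results['runAllManagedModulesForAllRequests true'] =
    $modules.runAllManagedModulesForAllRequests -eq 'true'
foreach ($m in 'WSFederationAuthenticationModule', 'SessionAuthenticationModule') {
    $results["module $m registered"] = [bool]$modules.SelectSingleNode("add[@name='$m']")
}
$idm   = $wc.SelectSingleNode('//microsoft.identityModel/service')
$wsfed = $idm.SelectSingleNode('federatedAuthentication/wsFederation')
$audiences = $idm.SelectNodes('audienceUris/add') | ForEach-Object { $_.value }
$results['realm equals expected value']  = $wsfed.realm -eq $Realm
$results['realm has trailing /']         = $wsfed.realm.EndsWith('/')
$results['realm listed in audienceUris'] = $audiences -contains $wsfed.realm
$results['requireHttps true']            = $wsfed.requireHttps -eq 'true'
# The thumbprint must be bare hex: spaces or a hidden leading character copied from the
# certificate dialog will never match the token signing certificate.
$thumb = $idm.SelectSingleNode('issuerNameRegistry/trustedIssuers/add').thumbprint
$results['thumbprint is 40 hex characters']       = $thumb -match '^[0-9A-Fa-f]{40}$'
$results['thumbprint found in LocalMachine store'] =
    [bool](Get-ChildItem Cert:\LocalMachine -Recurse | Where-Object Thumbprint -eq $thumb)

$results.GetEnumerator() | ForEach-Object {
    '{0} {1}' -f ($(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key)
}
```

Any FAIL line points at the numbered step to revisit; a FAIL on the thumbprint check is usually the invisible character the Certificates snap-in prepends when the value is copied from the Details tab.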