SSO or bypass credential request when in RDWeb

Thim 65 Reputation points
2026-06-03T07:26:19.2666667+00:00

Hi,

I have recently built an RDWeb which is currently published with the MS Entra Application Proxy. The login sequence is:

  1. MS Entra with MFA
  2. RDWeb login (once successful, presented with the remote app collections which include .rdp files)
  3. When users click on the icon with .rdp, they are asked for credentials for the machine

Credentials are required a total of 3 times. I was wondering if there is any way that, when the user clicks on the collections, they will straight away use the credentials they used for the RDWeb, so the user will not be asked again for the credentials. I have found a lot of solutions, but everyone seems to have their own way of doing things, or it does not work for me. FYI, the server build:

  1. RDWeb is built as an 'internal' server. There are 2 servers for the 'RDWeb' role: the RDWeb+Gateway and the Session Broker.
  2. RDWeb and the servers that are connected via the collection .rdp files are in the same domain.

I hope that I can reduce the credentials to 2 instead of 3. Any help would be greatly appreciated.


3 answers

  1. Domic Vo 25,675 Reputation points Independent Advisor
    2026-06-07T13:39:57.2666667+00:00

    Hi Thim,

    Has your issue been resolved yet? If it has, please consider accepting the answer as it helps others sharing the same problem benefit too. Thank you :)

    Domic V.



  2. Domic Vo 25,675 Reputation points Independent Advisor
    2026-06-03T08:05:29.3966667+00:00

    Hi Thim,

    To reduce your authentication prompts to two, publish your RDWeb and RD Gateway roles as a single enterprise application in Entra ID using a common root URL. Within the Entra admin center application settings, you must disable both URL header translation and the HTTP-Only cookie. Disabling the HTTP-Only setting is the critical step that allows the native Windows Remote Desktop client to read the Entra session token, passing it silently to the gateway and eliminating the middle credential prompt entirely.

    Internally, open Server Manager, access your Remote Desktop Services deployment properties, and navigate to the RD Gateway tab. Configure the server name to match your external Entra Application Proxy URL exactly. Select Password Authentication as the logon method and enable the option to use RD Gateway credentials for remote computers. This native, cookie-based handoff requires no legacy Internet Explorer mode and will successfully condense your logon sequence to just the initial Entra ID MFA prompt and the final Session Host prompt.

    Domic V.



  3. AI answer

    2026-06-03T07:26:44.7733333+00:00

    Reducing the prompts from three to two is supported, but full end-to-end SSO (single prompt only) isn’t supported in this scenario.

    For Remote Desktop Services with Microsoft Entra application proxy, the supported and expected behavior is:

    1. First authentication: Microsoft Entra ID (pre-auth) – MFA, Conditional Access, etc.
    2. Second authentication: RD Web form-based logon.
    3. Single sign-on from RD Web to RD Gateway and the session host.

    This gives two prompts total (Entra + RD Web). The third prompt (for the session host) should not appear when RDS is configured according to the supported SSO model.

    Key points and required configuration:

    1. Use Microsoft Entra application proxy, not Web Application Proxy
      • RDS does not support Web Application Proxy.
      • RDS is supported with Microsoft Entra application proxy and is the recommended approach.
    2. Publish RD Web and RD Gateway as a single app through application proxy
      • RD Web and RD Gateway must be on the same machine and share a common root URL.
      • Publish that common root as one application in application proxy with:
        • Pre-authentication method: Microsoft Entra ID
        • Translate URL headers: No
        • Use HTTP-Only Cookie: No
      • Set the app’s home page URL to the RD Web endpoint (for example, https://<rdhost>.com/RDWeb).
    3. Configure the RDS deployment to route through the application proxy
      • On the RD Connection Broker (Server Manager → Remote Desktop Services → Overview → Edit deployment properties → RD Gateway tab):
        • Set the RD Gateway server name to the external URL of the application proxy app.
        • Set the logon method to Password Authentication.
    4. Use the supported Web SSO configuration
      • RD Web must use form-based authentication (default).
      • RD Gateway must use password authentication (default).
      • In the RDS deployment properties, use the default option “Use RD Gateway credentials for remote computers.”
      • Users connect to RD Web via a supported browser (for example, Edge in IE mode with the RDS ActiveX add-on for classic RD Web).

    With this configuration:

    • Users authenticate once to Microsoft Entra ID (prompt 1).
    • Users authenticate once to RD Web (prompt 2).
    • The RD Web form logon creates a client-side credential store that is reused by the Remote Desktop Connection client (mstsc.exe) for RemoteApps and desktops, so they are not prompted again when launching the .rdp files.

    If a third prompt still appears after aligning with this configuration, it typically indicates that one of the required SSO conditions (RD Web auth type, RD Gateway auth type, or “Use RD Gateway credentials for remote computers”) is not set as required, or the traffic is not actually flowing through the configured RD Gateway/application proxy path.



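The Server Manager steps in the two answers above (RD Gateway tab: external name, Password Authentication, "Use RD Gateway credentials for remote computers", plus form-based RD Web logon) can be checked and applied from the RD Connection Broker with the RemoteDesktop module. The script below is an added example written for this thread, not code from the question author, the answerers, or Microsoft; the broker FQDN and the application proxy hostname are placeholders, and the path to the RD Web `web.config` is the default location for the RD Web Access role. It reports which of the "required SSO conditions" named in the AI answer are unmet and only writes settings when `$Apply` is set.

```powershell
# Added example (not from the Q&A thread): verify the RDS deployment settings that
# the supported Web SSO path depends on, and optionally apply the corrected values.
# Run on the RD Connection Broker (or a host with the RemoteDesktop RSAT module).
# Assumptions: $ConnectionBroker and $AppProxyHost are placeholders for your values.
Import-Module RemoteDesktop

$ConnectionBroker = 'broker.corp.example'            # placeholder: RD Connection Broker FQDN
$AppProxyHost     = 'rdweb-contoso.msappproxy.net'   # placeholder: external host of the app proxy app
$Apply            = $false                           # set to $true to correct the gateway settings

$cfg = Get-RDDeploymentGatewayConfiguration -ConnectionBroker $ConnectionBroker

# Each check mirrors one of the RD Gateway tab settings the answers describe.
$checks = @(
    @{ Name = 'RD Gateway mode is Custom (explicit external name)'; Ok = ($cfg.GatewayMode -eq 'Custom') }
    @{ Name = 'RD Gateway external FQDN matches the app proxy host'; Ok = ($cfg.GatewayExternalFqdn -eq $AppProxyHost) }
    @{ Name = 'Logon method is Password Authentication';            Ok = ($cfg.LogonMethod -eq 'Password') }
    @{ Name = 'Use RD Gateway credentials for remote computers';    Ok = [bool]$cfg.UseCachedCredentials }
)

# RD Web must use form-based authentication; the RD Web Pages web.config carries that setting.
# This check only applies on a host that also runs the RD Web Access role.
$webConfig = Join-Path $env:SystemRoot 'Web\RDWeb\Pages\web.config'
if (Test-Path $webConfig) {
    [xml]$xml = Get-Content -Path $webConfig
    $mode = $xml.configuration.'system.web'.authentication.mode
    $checks += @{ Name = 'RD Web uses form-based authentication'; Ok = ($mode -eq 'Forms') }
} else {
    Write-Output "[SKIP] RD Web web.config not found at $webConfig (RD Web Access role not on this host)"
}

foreach ($c in $checks) {
    $status = if ($c.Ok) { 'OK  ' } else { 'FAIL' }
    Write-Output "[$status] $($c.Name)"
}

# Wrap in @() so .Count is the number of failed checks, not a hashtable's key count.
$failed = @($checks | Where-Object { -not $_.Ok })

if ($failed.Count -eq 0) {
    Write-Output 'All checked SSO conditions are set; a remaining third prompt points at the traffic path, not these settings.'
} elseif ($Apply) {
    # Writes the RD Gateway tab values described in the answers above.
    # Add -WhatIf to preview the change before committing it.
    Set-RDDeploymentGatewayConfiguration -ConnectionBroker $ConnectionBroker `
        -GatewayMode Custom -GatewayExternalFqdn $AppProxyHost `
        -LogonMethod Password -UseCachedCredentials $true -BypassLocal $false -Force
} else {
    Write-Output "$($failed.Count) condition(s) unmet; re-run with `$Apply = `$true to write the gateway settings."
}
```

`BypassLocal $false` keeps the gateway in the path for every connection, which matters here because the external name is the application proxy hostname rather than a gateway that internal clients could reach directly; if the report is clean and a third prompt persists, the AI answer's last point (traffic not actually flowing through the RD Gateway/application proxy path) is the next thing to trace.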
