Hi,
I have recently built an RDWeb which is currently published with the MS Entra Application Proxy. The login sequence is:
The credentials are required 3 times in total. I was wondering if there is any way that when the user clicks on the collections, they will straight away use the credentials when they are using the RDWeb, so the user will not be asked again for the credentials. I have found a lot of solutions, but everyone seems to have their own way of doing things or it does not work for me. FYI, the server built:
I hope that I can reduce the credentials to 2 instead of 3. Any help would be greatly appreciated.
Hi Thim,
Has your issue been resolved yet? If it has, please consider accepting the answer as it helps others sharing the same problem benefit too. Thank you :)
Domic V.
Hi Thim,
To reduce your authentication prompts to two, publish your RDWeb and RD Gateway roles as a single enterprise application in Entra ID using a common root URL. Within the Entra admin center application settings, you must disable both URL header translation and the HTTP-Only cookie. Disabling the HTTP-Only setting is the critical step that allows the native Windows Remote Desktop client to read the Entra session token, passing it silently to the gateway and eliminating the middle credential prompt entirely.
Internally, open Server Manager, access your Remote Desktop Services deployment properties, and navigate to the RD Gateway tab. Configure the server name to match your external Entra Application Proxy URL exactly. Select Password Authentication as the logon method and enable the option to use RD Gateway credentials for remote computers. This native, cookie-based handoff requires no legacy Internet Explorer mode and will successfully condense your logon sequence to just the initial Entra ID MFA prompt and the final Session Host prompt.
Domic V.
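The RD Gateway tab settings described in the answer above can be checked from PowerShell with the RemoteDesktop module; this is an added example, not part of the original answer, and it only reports drift unless `$Apply` is set. The connection broker and external host names are placeholders chosen for illustration.

```powershell
# Added example: audits the deployment's RD Gateway settings against the values
# named in the answer (external FQDN, Password logon, reuse of gateway credentials).
Import-Module RemoteDesktop

$ConnectionBroker = 'rdcb.contoso.internal'  # placeholder: your RD Connection Broker FQDN
$ExternalFqdn     = 'rds.contoso.com'        # placeholder: host name of the Application Proxy external URL
$Apply            = $false                   # set to $true to write the expected values

# Expected values, one per option on the RD Gateway tab of the deployment properties.
$expected = [ordered]@{
    GatewayMode          = 'Custom'          # "Use these RD Gateway server settings"
    GatewayExternalFqdn  = $ExternalFqdn     # "Server name"
    LogonMethod          = 'Password'        # "Logon method: Password Authentication"
    UseCachedCredentials = $true             # "Use RD Gateway credentials for remote computers"
}

$current = Get-RDDeploymentGatewayConfiguration -ConnectionBroker $ConnectionBroker

# Compare as strings so enum, boolean and host-name values are handled uniformly
# (-ne is case-insensitive, which is what a host-name comparison needs).
$drift = foreach ($name in $expected.Keys) {
    $actual = $current.$name
    if ("$actual" -ne "$($expected[$name])") {
        [pscustomobject]@{ Setting = $name; Expected = $expected[$name]; Actual = $actual }
    }
}

if (-not $drift) {
    Write-Output 'RD Gateway deployment settings match the expected configuration.'
}
else {
    $drift | Format-Table -AutoSize
    if ($Apply) {
        # BypassLocal is not covered by the answer, so the current value is preserved.
        Set-RDDeploymentGatewayConfiguration -ConnectionBroker $ConnectionBroker `
            -GatewayMode Custom -GatewayExternalFqdn $ExternalFqdn `
            -LogonMethod Password -UseCachedCredentials $true `
            -BypassLocal $current.BypassLocal -Force
    }
}
```

Run it on a server that has the Remote Desktop Services management tools installed, using an account with rights on the deployment.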
AI answer
Reducing the prompts from three to two is supported, but full end-to-end SSO (single prompt only) isn’t supported in this scenario.
For Remote Desktop Services with Microsoft Entra application proxy, the supported and expected behavior is:
This gives two prompts total (Entra + RD Web). The third prompt (for the session host) should not appear when RDS is configured according to the supported SSO model.
Key points and required configuration:
https://<rdhost>.com/RDWeb).
With this configuration:
If a third prompt still appears after aligning with this configuration, it typically indicates that one of the required SSO conditions (RD Web auth type, RD Gateway auth type, or “Use RD Gateway credentials for remote computers”) is not set as required, or the traffic is not actually flowing through the configured RD Gateway/application proxy path.