Windows SSO Settings

Single Sign-On (SSO) is the technology that allows an authenticated (signed-on) user to access other domain services without re-authenticating. Applied to Remote Desktop Services, SSO lets a user who is logged on to a domain computer connect to the RDS servers or launch published RemoteApps without re-entering account credentials (username and password).

In this article, we describe the specifics of configuring transparent SSO (Single Sign-On) authentication on RDS servers running Windows Server 2016 and 2012 R2.

System requirements:

  • The Connection Broker and all RDS servers must be running Windows Server 2012 or later;
  • SSO works only in a domain environment: Active Directory user accounts must be used, and both the RDS servers and the users' workstations must be joined to the AD domain;
  • RDP 8.0 or later must be used on the RDP clients (this version of the RDP client cannot be installed on Windows XP);
  • The following OS versions are supported on the RDP client side: Windows 10, 8.1 or 7;
  • SSO works only with password authentication (smart cards are not supported);
  • The RDP Security Layer in the collection's connection settings should be set to Negotiate or SSL (TLS 1.0), and the encryption level to High or FIPS Compliant.

The procedure of Single Sign-On configuration consists of the following steps:

  • Issue and assign an SSL certificate to the RD Gateway, RD Web Access and RD Connection Broker roles;
  • Enable Web SSO on the RD Web Access server;
  • Configure the group policy for credential delegation;
  • Add the certificate thumbprint to the trusted .rdp publishers using a GPO.

First, you need to issue and assign an SSL certificate. The Server Authentication identifier must be present in the certificate's EKU (Enhanced Key Usage) property. We won't describe the procedure of obtaining the SSL certificate since it goes beyond the scope of this article (you can generate a self-signed SSL certificate yourself, but you will then have to deploy it to the Trusted Root Certification Authorities store on all clients using Group Policy).

The certificate is assigned in the Certificates section of RDS Deployment properties.

Then, on every server with the RD Web Access role, enable Windows Authentication and disable Anonymous Authentication for the RDWeb application in IIS.

After you save the changes, restart IIS:

iisreset /noforce

If you are using RD Gateway, make sure that internal clients do not connect through it (the option Bypass RD Gateway server for local addresses has to be checked).
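The RD Web Access authentication step above, done from PowerShell, as an added example that is not part of the original article. It assumes the default site name (Default Web Site) and application name (RDWeb) created by the RD Web Access role, that the RemoteDesktop module is installed, and that rdcb.contoso.com is the Connection Broker (a placeholder); the EKU check at the end is an addition that verifies the certificate requirement stated earlier:

```powershell
# Added example, not from the original article. Run elevated on each server
# holding the RD Web Access role. Assumptions: the default 'Default Web Site'
# and 'RDWeb' names, and rdcb.contoso.com as the Connection Broker
# (placeholder; Get-RDCertificate comes from the RemoteDesktop module).
Import-Module WebAdministration

$Site     = 'Default Web Site'
$Location = "$Site/RDWeb"
$AuthBase = '/system.webServer/security/authentication'
$Broker   = 'rdcb.contoso.com'

# Enable Windows Authentication and disable Anonymous Authentication for the
# RDWeb application only. Using -Location writes the setting to
# applicationHost.config, so it survives an overwrite of RDWeb's web.config.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
    -Filter "$AuthBase/windowsAuthentication"   -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
    -Filter "$AuthBase/anonymousAuthentication" -Name enabled -Value $false

# Read the state back and refuse to restart IIS if it is not what we expect.
$win  = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
            -Filter "$AuthBase/windowsAuthentication"   -Name enabled).Value
$anon = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
            -Filter "$AuthBase/anonymousAuthentication" -Name enabled).Value
"{0}: windowsAuthentication={1} anonymousAuthentication={2}" -f $Location, $win, $anon
if (-not $win -or $anon) {
    throw 'RDWeb authentication is not in the expected state; IIS not restarted.'
}

# Check that the certificate assigned to the RD Web Access role carries the
# Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1), as required above.
$assigned = Get-RDCertificate -Role RDWebAccess -ConnectionBroker $Broker
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $assigned.Thumbprint }
$serverAuth = $cert.EnhancedKeyUsageList |
              Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' }
if (-not $serverAuth) {
    Write-Warning "Certificate $($assigned.Thumbprint) lacks the Server Authentication EKU."
}

iisreset /noforce
```

If the RD Web Access and Connection Broker roles are on different hosts, run the Get-RDCertificate part on the broker (or pass its name in -ConnectionBroker, as shown) and the IIS part on each web access server.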

The next step is the configuration of the credential delegation policy. Create a new domain GPO and link it to the OU containing the client computers that need SSO access to the RDS servers (the policy lives under Computer Configuration, so it applies to computers, not users). If you want to allow SSO for all domain computers, it is acceptable to edit the Default Domain Policy.

This policy is located in the following GPO section: Computer Configuration -> Policies -> Administrative Templates -> System -> Credentials Delegation -> Allow delegating default credentials. The policy allows the listed servers to receive the credentials of the logged-on Windows user:

  • The policy has to be Enabled;
  • Add the names of the RDS servers to the list of servers to which the client may automatically send the user's credentials for SSO authentication. The entry format is TERMSRV/rd.contoso.com (note that TERMSRV must be in upper case). If you have to grant this to all terminal servers in the domain (less secure), you can use the wildcard form TERMSRV/*.contoso.com.

Keep this list as narrow as possible: CredSSP delegation sends the user's actual password (not a Kerberos ticket) to every server matching the list, so a compromised server on the list can reuse the credentials. Note also that on clients where Windows Defender Credential Guard is enabled, CredSSP is not allowed to delegate the logged-on user's credentials, so this policy has no effect there and the user is still prompted for a password.

Then, to prevent a warning that the remote application publisher is untrusted from appearing, add the address of the server with the Connection Broker role to the Trusted sites zone on the client computers using the policy Site to Zone Assignment List (similar to the article How to disable Open File security warning on Windows 10): User/Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page.

Specify the FQDN of the RD Connection Broker server as the value name and 2 (Trusted sites) as the value.

Then enable the Logon options policy in User/Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Trusted Sites Zone and, in the drop-down list, select "Automatic logon with current username and password".

After updating the group policies on the client, if you try to start the RemoteApp, a password prompt won’t appear, but a warning window will appear:

Do you trust the publisher of this RemoteApp program?

To prevent this message from being displayed each time the user launches a RemoteApp, you need to get the thumbprint of the certificate used for RD Publishing on the RD Connection Broker and add it to the list of trusted .rdp publishers. To do this, run the following PowerShell command on the RD Connection Broker server and find the certificate assigned to the deployment:

Get-ChildItem Cert:\LocalMachine\My

Copy the value of the certificate thumbprint and add it to the list of thumbprints in the policy Specify SHA1 thumbprints of certificates representing RDP publishers (Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Connection Client). Several thumbprints are entered as a comma-separated list without spaces.
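The three client-side settings described above (credential delegation, Trusted sites zone assignment with automatic logon, and trusted .rdp publishers), written directly to the registry on one client, as an added example that is not part of the original article. It is useful on a lab workstation, or to verify what a GPO actually delivered, since these are the keys the policies write under HKLM\SOFTWARE\Policies. The host names rdcb.contoso.com, rds01.contoso.com and rds02.contoso.com are placeholders, and the thumbprint is left for you to supply from Get-RDCertificate -Role RDPublishing on the broker; the Credential Guard check at the end is an addition:

```powershell
# Added example, not from the original article. Save as a .ps1 and run
# elevated on the client. Host names are placeholders.
param(
    [string]   $Rdcb       = 'rdcb.contoso.com',
    [string[]] $RdHosts    = @('rds01.contoso.com', 'rds02.contoso.com', 'rdcb.contoso.com'),
    [string]   $Thumbprint = ''   # SHA1 from: Get-RDCertificate -Role RDPublishing (on the broker)
)

function Set-PolicyValue([string]$Path, [string]$Name, [object]$Value, [string]$Type) {
    # Creates the key if missing and sets one value, which is exactly what
    # the corresponding GPO setting writes under HKLM\SOFTWARE\Policies.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType $Type -Value $Value -Force | Out-Null
}

# 1. Allow delegating default credentials: one TERMSRV/<fqdn> entry per server,
#    stored as numbered string values under the AllowDefaultCredentials subkey.
#    Avoid TERMSRV/*: every host it matches receives the user's password over
#    CredSSP, so a compromised RDS host on the list gets the password too.
$cd = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
Set-PolicyValue $cd 'AllowDefaultCredentials'          1 'DWord'
Set-PolicyValue $cd 'ConcatenateDefaults_AllowDefault' 1 'DWord'
if (Test-Path "$cd\AllowDefaultCredentials") {
    Remove-Item "$cd\AllowDefaultCredentials" -Recurse   # drop stale entries first
}
$i = 1
foreach ($h in $RdHosts) {
    Set-PolicyValue "$cd\AllowDefaultCredentials" "$i" "TERMSRV/$h" 'String'
    $i++
}

# 2. Site to Zone Assignment List: the broker FQDN goes into zone 2 (Trusted sites).
$zm = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
Set-PolicyValue $zm "https://$Rdcb" '2' 'String'

# 3. Trusted sites zone, Logon options: value 1A00 = 0 means
#    "Automatic logon with current username and password".
$z2 = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'
Set-PolicyValue $z2 '1A00' 0 'DWord'

# 4. Specify SHA1 thumbprints of certificates representing RDP publishers:
#    comma-separated thumbprints, no spaces.
if ($Thumbprint) {
    $ts = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    Set-PolicyValue $ts 'TrustedCertThumbprints' ($Thumbprint -replace '\s', '') 'String'
}

# Verification: show what is now in place.
Get-ItemProperty $cd | Select-Object AllowDefaultCredentials, ConcatenateDefaults_AllowDefault
Get-ItemProperty "$cd\AllowDefaultCredentials" | Select-Object -Property [0-9]*
Get-ItemProperty $zm | Select-Object -Property "https://$Rdcb"
"Trusted sites logon option (1A00): {0}" -f (Get-ItemProperty $z2).'1A00'

# Caveat: if Windows Defender Credential Guard is running (SecurityServicesRunning
# contains 1), CredSSP cannot delegate the logged-on user's credentials, so step 1
# has no effect and mstsc still prompts for a password.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
if ($dg.SecurityServicesRunning -contains 1) {
    Write-Warning 'Credential Guard is running: default credential delegation (SSO) is blocked on this client.'
}
```

When the same settings arrive through a GPO, run gpupdate /force on the client and compare these keys with gpresult /h output; a missing AllowDefaultCredentials\1 value or a 1A00 value other than 0 is the usual reason the password prompt still appears.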

The SSO configuration is now complete. After the policies have been applied, the user can connect to the Windows Server RDS farm over RDP without re-entering the password.

Now, when you start mstsc.exe (Remote Desktop Connection client) and specify the name of the RDS server, the UserName field will automatically display the user name in the format (user@domain.com) with the caption:

Your Windows logon credentials will be used to connect.

To use RD Gateway with SSO, you need to enable the policy “Set RD Gateway Authentication Method” (User Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> RD Gateway) and set its value to “Use Locally Logged-On Credentials”.

To use Web SSO on RD Web Access, it is recommended to use Internet Explorer with the ActiveX component Microsoft Remote Desktop Services Web Access Control (MsRdpClientShell) enabled.

Although you'll typically create a Windows 10 account as you set up a new device, there are a lot of additional options you can configure using the Settings app to get the most out of your experience and make your account more secure.

Also, Windows 10 lets you create multiple user accounts with different levels of functionalities depending if you're adding a family member, a young person, or a friend. This allows everyone to have a personal space with their settings, desktop customization, and separate files based on specific requirements.

In this Windows 10 guide, we'll walk you through the steps to set up and configure user accounts on your PC using the Settings app.

How to view your account info on Windows 10

In order to view a summary of your account information on Windows 10, do the following:

  1. Open Settings.
  2. Click on Accounts.
  3. Click on Your info.

The Your info page doesn't include a lot of options you can configure, but it provides valuable information.

For example, if you're not sure whether you're using a local account or Microsoft account (MSA), the 'Your info' page is the first place you want to look. If you read 'Local account' under your username, then you're using an account that isn't connected to a MSA.

If that's the case, you can click the Sign in with a Microsoft account instead link, enter your account credentials, and only then, you'll be able to sync settings and files across devices.

Quick Tip: Usually, when setting up a new account, additional verification may be required. If so, you'll have to click the Verify button to launch the verification process, and only after entering the code, you'll be able to have full access to the account.

Under 'Create your picture,' you can also change your account picture using the camera option or by selecting a photo from your collection.

How to add extra email and app accounts on Windows 10

Instead of having to re-enter the same account information every time you want to set up an app, you can use the Email & app accounts page to add multiple accounts in advance.

To register additional accounts, do the following:

  1. Open Settings.
  2. Click on Accounts.
  3. Click on Email & app accounts.
  4. Click the Add an account button to register a new account with access to your emails, calendar, and contacts. If the information is from a MSA, it'll also be listed under Accounts used by other apps.

    If you only want to add an account that you'll be using to sign in to other apps, click the Add a Microsoft account link instead. Using this option will not add the information to the Email, calendar, and contacts list.

  5. Select an account type.

  6. Continue with the on-screen direction to add a new account.

Once you've completed the steps, the accounts information will be available when you need to connect with Microsoft Store apps.

How to manage account sign-in options on Windows 10

In the Sign-in options page, you can manage many ways to authenticate with Windows 10 quickly. Using these settings, you can change your current password, set up Windows Hello using a PIN or picture password, and you can even turn on Dynamic lock to lock your device as you step away.

Changing password

To change your current password, do the following:

  1. Open Settings.
  2. Click on Accounts.
  3. Click on Sign-in options.
  4. Under 'Password,' click the Change button.

  5. Enter your current Microsoft account password.
  6. Click the Sign-in button.

  7. Enter your old password.
  8. Create a new password.
  9. Click the Next button.

It's worth noting that if you're using a Microsoft account, changing the password on your computer will also change the password you use to check your emails on the web associated with your MSA.

Adding a PIN

If you want a faster and more secure way to sign into Windows 10, you should be using a PIN instead, which you can create using the following steps:

  1. Open Settings.
  2. Click on Accounts.
  3. Click on Sign-in options.
  4. Under 'PIN,' click the Add button.

  5. Create a new PIN.

    • Quick Tip: You can also check the available option to allow letters and symbols as part of your PIN.
  6. Click the OK button.

While a PIN is usually more secure than a traditional password, because it's only tied to one device, and it's never transmitted over the network, remember that it only works locally. You can't use it to access your device remotely.

Adding picture password

You can also use a picture as a password. This authentication method lets you use touch gestures on a picture to sign into Windows 10. Usually, this option is more suited for a touchscreen device.

To configure a picture password, do the following:

  1. Open Settings.
  2. Click on Accounts.
  3. Click on Sign-in options.
  4. Under 'Picture password,' click the Add button.

  5. Enter your password to verify your identity.
  6. Click the Choose picture button in the left pane.

  7. After selecting the image, click the Use this picture button.

  8. Draw three gestures on the image, using circles, straight lines, taps, or a combination of the three.

  9. Repeat the gestures to confirm.
  10. Click the Finish button.

Once you've completed setting up a picture password, simply sign-out and sign back into your account to test the changes.

On compatible devices, such as Surface Book 2 and Surface Pro, you can also set up Windows Hello Face to sign onto your device using only your face.

If your laptop or desktop doesn't include biometric authentication, you can always get a fingerprint scanner or a camera with Windows Hello support.

Setting up Dynamic lock

Dynamic lock is a feature that locks your computer when you step away, adding an extra layer of security. The feature uses Bluetooth proximity, so you'll need to pair a Bluetooth device such as a phone or wearable with your PC before you can set it up.

To configure Dynamic lock, do the following:

  1. Open Settings.
  2. Click on Devices.
  3. Click on Bluetooth & other devices.
  4. Click the Add Bluetooth or other devices button.

  5. Click the Bluetooth option.

  6. Ready your Bluetooth device for pairing.
  7. Select your device from the list.

  8. Continue with the on-screen directions to complete the pairing.
  9. While in Settings, click on Accounts.
  10. Click on Sign-in options.
  11. Under 'Dynamic lock,' turn on the Allow Windows to detect when you're away and automatically lock the device toggle switch.

Once you've completed the steps, if you step away with your Bluetooth device, Windows 10 will wait 30 seconds, and then it'll lock your PC automatically.

Requiring password on wake

Using the Sign-in options settings, you can also decide whether or not Windows 10 should prompt you to enter a password when your computer wakes up from sleep using these steps:

  1. Open Settings.
  2. Click on Accounts.
  3. Click on Sign-in options.
  4. Under 'Require sign-in,' use the drop-down menu and select:

    • Never — A password will never be required after your PC resumes from sleep.
    • When PC wakes up from sleep — You'll need to enter a password when your PC resumes from sleep.

How to connect to an organization on Windows 10

The Accounts work or school page allows you to connect your device to an organization to access shared resources, such as network, apps, and email.

Typically, if you work in an organization, your network administrator will provide the information needed to add your device to the network.

If you have the required information, you can connect to the network using these steps:

  1. Open Settings.
  2. Click on Accounts.
  3. Click on Access work or school.
  4. Click the Connect button.

  5. Type your work or school account.
  6. Click the Next button.

  7. Continue with the on-screen directions to complete the setup.

Usually, these are not settings you'll be customizing on a computer you use at home.

How to add multiple accounts on Windows 10

The Family & other people page is the place where you can add, remove, and manage user accounts.

Adding an account for a family member

Under 'Your family,' you can allow people you trust to use your PC with their accounts, settings, apps, and separate files.

You can add two types of accounts, including a 'Child' and 'Adult,' both providing different features.

Child account

A Child account offers the necessary features to keep children safe online. Using this account, a young person will be able to use your computer, personalize the desktop, use apps, store files, safely browse the internet using Microsoft Edge, and you'll be able to control their activities using the Microsoft family dashboard online.

  1. Open Settings.
  2. Click on Accounts.
  3. Under 'Your family,' click the Add a family member option.

  4. Select Add a child option.

  5. Type their email address.
  6. Click the Next button.
  7. Click the Confirm button.
  8. Click the Close button.

Once you've completed the steps, the family member can sign-in immediately, but you won't be able to control the account until the new user accepts the invitation sent during the account creation.

Only after the new user accepts the email request will adults in the family be able to see activity reports, limit screen time, restrict content, apps, and games by rating, give the user money to make Microsoft Store purchases, and more through the Microsoft account family dashboard.

A Child account is technically a Standard account with more features, which also means that the user can't change security settings or install apps without permission.

Adult account

An Adult account is very similar to a traditional account, but adding someone as part of your family allows them to manage child accounts.

  1. Open Settings.
  2. Click on Accounts.
  3. Under 'Your family,' click the Add a family member option.

  4. Select Add an adult option.

  5. Type their email address.
  6. Click the Next button.
  7. Click the Confirm button.
  8. Click the Close button.

After completing the steps, the new family member will receive an email invitation that they must accept in order to use your computer and manage parental control settings using the online dashboard.

Similar to a traditional account, an Adult account uses a Standard account template, which gives the user freedom to do almost anything, but they can't change security settings, install apps, or modify anything that could affect other users.

Of course, you can always click the Change account type button, and set the account type to Administrator to allow the user to take full control of the device (not recommended).

Adding an account for a non-family member

Under 'Other people,' you can add new accounts for people that are not part of your family with or without a Microsoft account.

With a Microsoft account

Using a Microsoft account to create a new account is the recommended method to share your computer with other people because it's easier to set up, settings sync across devices, and users can quickly recover their password.

To add a new account using a MSA, do the following:

  1. Open Settings.
  2. Click on Accounts.
  3. Under 'Other people,' click the Add someone else to this PC option.

  4. Enter the email address or phone number of the person you want to add.
  5. Click the Next button.

    Quick Tip: Click the I don't have this person's sign-in information link to create a new MSA for the new user.

  6. Click the Finish button.

Once you've completed the steps, the user will be able to start using your computer immediately.

New accounts always use the Standard account template, which gives the users the freedom to do almost anything, but they can't change security settings, install apps, or modify anything that could affect other users.

It's possible to change the account type by clicking the Change account type button and selecting Administrator to allow the user to take full control of the device, but it's not recommended.

If the user wants to use an email address other than an Outlook address, you can use this guide.

Without a Microsoft account

It's also possible to set up an account without a Microsoft account, which is typically referred to as a local account. This is a more traditional account that allows you to use the computer, but without the benefits of cloud integration, such as syncing settings, app data, and files across devices.

To create a local account on Windows 10, do the following:

  1. Open Settings.
  2. Click on Accounts.
  3. Under 'Other people,' click the Add someone else to this PC option.

  4. Click the I don't have this person's sign-in information link.

  5. Click the Add a user without a Microsoft account link.

  6. Create a username.
  7. Create a password.
  8. Create a hint phrase.
  9. Click the Next button.

After completing the steps, the new user can start using your computer using their username and password you created.

Local accounts also use a Standard account template that allows users to use the computer, but they won't be able to change advanced settings, install apps, or modify other users settings.

Only if required, you can change the account type by clicking the Change account type button and selecting Administrator to allow the user to take full control of the device.
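The same local-account tasks (create a standard local user, confirm it is not an administrator, and the optional elevation and removal steps) from an elevated PowerShell session, as an added example that is not part of the original guide. It uses the built-in Microsoft.PowerShell.LocalAccounts cmdlets available on Windows 10 1607 and later; the account name labuser and the full name are placeholders:

```powershell
# Added example, not from the original guide. Run in an elevated PowerShell
# session on Windows 10. 'labuser' is a placeholder account name.
$Name     = 'labuser'
$Password = Read-Host -AsSecureString "Password for $Name"

# Create the account. New-LocalUser puts the account in no group at all, so
# adding it to Users is what gives it the "Standard" template the Settings
# app applies: able to sign in, not able to change machine-wide settings.
New-LocalUser -Name $Name -Password $Password -FullName 'Lab User' `
    -Description 'Standard local account (no Microsoft account)' | Out-Null
Add-LocalGroupMember -Group 'Users' -Member $Name

function Test-IsLocalAdmin([string]$User) {
    # True if the account is a direct member of the local Administrators group.
    # Get-LocalGroupMember returns names as COMPUTER\user, hence the split.
    $members = Get-LocalGroupMember -Group 'Administrators' |
               ForEach-Object { $_.Name.Split('\')[-1] }
    return ($members -contains $User)
}

"{0} is administrator: {1}" -f $Name, (Test-IsLocalAdmin $Name)   # False right after creation

# Equivalent of "Change account type -> Administrator" (not recommended):
#   Add-LocalGroupMember -Group 'Administrators' -Member $Name
#
# Equivalent of "Remove -> Delete account and data". Remove-LocalUser deletes
# only the account; the profile folder under C:\Users is a separate object
# (Win32_UserProfile) and must be removed on its own, which the Settings app
# does for you:
#   Remove-LocalUser -Name $Name
#   Get-CimInstance -ClassName Win32_UserProfile |
#       Where-Object { $_.LocalPath -like "*\$Name" } | Remove-CimInstance
```

Note that Get-LocalGroupMember lists only direct members, so an account that is an administrator through a domain group nested in Administrators is not detected by this check.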

How to remove an account on Windows 10

When an account is no longer needed, you can easily remove it using these steps:

To remove a family account, do the following:

  1. Open Settings.
  2. Click on Accounts.
  3. Click on Family & other people.
  4. Under 'Your family,' click the Manage family settings online link. (In the Settings app, you can only block family accounts.)

  5. Sign-in with your Microsoft account (if required).
  6. In the family section, click the Remove from family link.

    Important: If you're trying to remove a Child account, under the account name, click the More options menu, and then click the Remove from family option.

  7. Click the Remove button.

Once you've completed the steps, the account will also be removed from your computer.

To remove a non-family account, do the following:

  1. Open Settings.
  2. Click on Accounts.
  3. Click on Family & other people.
  4. Select the account you want to delete.
  5. Click the Remove button.

  6. Click the Delete account and data button.

After completing the steps, the account and data from the user will no longer be available on your computer.

How to manage account sync settings on Windows 10

If you're using a Microsoft account, you can use the Sync your settings page to enable, disable, or specify exactly which settings should sync to the cloud and across devices.

To manage your sync settings, do the following:

  1. Open Settings.
  2. Click on Accounts.
  3. Click on Sync your settings.

In this page, you can turn on or off the Sync settings toggle switch to enable or disable settings syncing to the cloud and between devices using the same Microsoft account.

If the option is enabled, you can also decide which specific settings you want to sync by turning on or off the toggle switch for each setting.

Wrapping things up

Using the Accounts settings you can quickly set up and manage yours and other people accounts, and even though using a Microsoft account is the preferred method to add new users, it's still possible to create a local account without any restrictions. However, in the end, you'll find that a Microsoft account is a more convenient option, because it's easier to set up, maintain, and users get additional benefits.
