Deploying Remote Desktop Web Access with Remote Desktop Connection Broker Step-by-Step Guide

Applies To: Windows 7, Windows Server 2008 R2

About this guide

RemoteApp and Desktop Connection allows administrators to provide a set of resources, such as RemoteApp programs and virtual desktops, to their users. Users can connect to RemoteApp and Desktop Connection in two ways:

  • From a computer running Windows® 7. When set up, resources that are part of RemoteApp and Desktop Connection appear in the Start menu under All Programs in a folder called RemoteApp and Desktop Connections.

  • From a Web browser by signing in to the website that is provided by RD Web Access. In this case, a computer that is running Windows 7 is not required.

This step-by-step guide walks you through the process of setting up a working RemoteApp source that is accessible by using Remote Desktop Web Access (RD Web Access). During this process, you will deploy the following components in a test environment:

  • A Remote Desktop Connection Broker (RD Connection Broker) server

  • A Remote Desktop Web Access (RD Web Access) server

This guide also explains how to configure Single Sign On so that users are only prompted once for credentials. When you deploy Single Sign On, consider the following certificate requirements:

  • The certificate must be trusted explicitly or from a trusted root certificate.

  • The certificate name or the Subject Alternative Name must match the fully-qualified domain name of the server.

  • The certificate must support Server Authentication or Remote Desktop Authentication Extended Key Usage.

  • Indirect certificate revocation lists are not supported.

  • Certificate revocation checks are performed by default.

  • When you use CredSSP, you can turn off certificate revocation checks by configuring the following registry entry to a value of 1: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors

  • When you use Transport Layer Security (TLS), you can turn off certificate revocation checks by configuring the following registry entries to a value of 0: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Terminal Server Client\ CertChainRevocationCheck and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\ CertChainRevocationCheck

Is guide includes the following topics:

This guide assumes that you previously completed the steps in the Installing Remote Desktop Session Host Step-by-Step Guide (, and that you have already deployed the following components:

  • An RD Session Host server

  • A Remote Desktop Connection client computer

  • An Active Directory® domain controller

The goal of a RemoteApp source is to provide users with programs that are available by using RD Web Access.

What this guide does not provide

This guide does not provide the following information:

Scenario: Deploying Remote Desktop Web Access with Remote Desktop Connection Broker in a test environment

We recommend that you first use the procedures provided in this guide in a test lab environment. Step-by-step guides are not necessarily meant to be used to deploy Windows Server® features without supporting deployment documentation, and they should be used with discretion as stand-alone documents.

Upon completion of this step-by-step guide, your RemoteApp and Desktop Connection will be available for a user account that connects by using RD Web Access. You can then test and verify this functionality by opening a RemoteApp program as a standard user.

The test environment that is described in this guide includes five computers that are connected to a private network by using the following operating systems, applications, and services.

Computer name Operating system Applications and services


Windows Server 2008 R2

Active Directory Domain Services (AD DS), DNS


Windows Server 2008 R2

RD Session Host


Windows 7

Remote Desktop Connection


Windows Server 2008 R2

RD Connection Broker


Windows Server 2008 R2

RD Web Access

The computers form a private network, and they are connected through a common hub or Layer 2 switch. This step-by-step guide uses private addresses throughout the test lab configuration. The private network ID is used for the network. The domain controller is named CONTOSO-DC for the domain named The following figure shows the configuration of the test environment.