APM "Remote Desktop Web Access" Kerberos SSO option

Currently working with a customer who is very interested in APM's Remote Desktop Web Access feature. MFA is strictly enforced in this environment so username and passwords are a no go, so NTLM is out. But within the Remote Desktop Web Access object definition, there is a "Kerberos SSO Configuration" option where you can select a predefined Kerberos SSO profile. Through contextual clues, I assumed that this would be to setup a Kerberos Constrained Delegation scenario. Mostly geared towards environments where passwords are not an option.

 

In setting this up..

 

I have confirmed that the Windows server hosting the RemoteApp Web portal has been setup to accept Windows Integrated authentication along with assigning the appropriate SPNs to the Computer Object in AD. I have validated that kerberos authentication works going directly to the RemoteApp web portal (bypassed forms page, saw the security event of the kerberos logon within windows security events, etc etc). I have setup the delegation account in AD for the kerberos SSO profile and have verified that it has the appropriate permissions and delegated spns. After all of this I still receive the logon box from Webtop requiring a username, password and domain.

 

I haven't found any documentation on this particular option in APM, "Remote Desktop Web Access".

 

So my question is,

 

1. Can a KCD setup be done with this APM feature and is this particular Kerberos SSO drop down used in this setup?
2. If it can not be done, what does this Kerberos SSO drop down menu do?

Thanks any and all who can share their wisdom!