Steps:

  1. Use a trusted Cert for https on rds.company.com
  2. Use SSL URL for everything, not actual host name.

http://morgansimonsen.wordpress.com/2011/03/21/sha1-thumbprints-for-trusted-rdp-publishers/

create .wcx file for user config on win7:

 <?xml version="1.0" encoding="utf-8" standalone="yes"?>
      <workspace name="Remote Apps" xmlns="http://schemas.microsoft.com/ts/2008/09/tswcx" xmlns:xs="http://www.w3.org/2001/XMLSchema">     
      <defaultFeed url="https://remotedesktop.brittenford.com/rdweb/feed/webfeed.aspx" />
 </workspace>

http://blog.kristinlgriffin.com/2010/01/rmeoteapp-and-desktop-connections-how.html

Add to user Windows profile silently: rundll32.exe tsworkspace,WorkspaceSilentSetup \connection-file.wcx

RemoteApp SSO, reduce login prompts: use alternate full address for TLS RDP:
Set-RDSessionCollectionConfiguration –CollectionName QuickSessionCollection -CustomRdpProperty "use redirection server name:i:1 `n alternate full address:s:remote.csbs.org”

GPO: Computer > Admin Templates > System > Credentials Delegation > Allow delegating default credentials > TERMSRV/remote.csbs.org and TERMSRV/csbs-rds1.csbs.local

SSO 2012 http://blogs.msdn.com/b/rds/archive/2012/06/25/remote-desktop-web-access-single-sign-on-now-easier-to-enable-in-windows-server-2012.aspx

SSO 2008 R2 http://blogs.msdn.com/b/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx