If we summarize, then:
- if the user tried a web page, going through HTTP/HTTP, he gets authenticated through the basic auth popup in the web page
- if he was previously authenticated because of web access, then he can reach TS through identity-based policy #2
- if he attempts TS access via RDP first, and so is unknown to the firewall, he fails. How would you like to present the user with a firewall authentication pop-up (as for HTTP) when he used the RDP protocol?
That's why I tried to promote FSSO, because the user will, most probably, be known to the firewall long before he tries to access resources via protocols like RDP, which are not as suited/adapted to additional authentication as HTTP.
Tom xSilver, planet Earth, over and out!