What is Single Sign-On?
When applied to Terminal Services, Single Sign-On means using the credentials of the currently logged on user (also called default credentials) to log on to a remote computer. If you use the same user name and password logging on to your local computer and connecting to a Terminal Server, enabling Single Sign-On will allow you to do it seamlessly, without having to type in your password again.
Locally logged on credentials are used for connecting to TS Web Access, however, they cannot be shared across TS Web Access and TS or TS Gateway. Thus you will need to enable the Group Policy settings described below in order to use locally logged on credentials for TS or TS Gateway connections.
How to enable Single Sign-On?
Single Sign-On can be enabled using domain or local Group Policy.
What are the limitations when using Single Sign-on?
Why is Single Sign-On controlled by Group Policy?
As part of the logon process, the TS Client sends the actual user credentials (user name and password) to the server. If code running as a regular user were allowed to enable Single Sign-On, any malicious software (virus, Trojan, spyware etc.) running in the user's session would be able to send the user's password to any machine on the network. So only administrators should be allowed to decide which servers are safe for Single Sign-On.
Thus Single Sign-On can only be enabled on domain-joined client machines.
What if I have Single Sign-On enabled but want to use different credentials this time?
Start TS Client. Click the "Options" button. Select the "Always ask for credentials" checkbox. You will be asked for credentials next time you connect.
How do I enable Single Sign-on for TS Gateway Server?
If you have a non-domain client, you cannot get Single Sign-On by using locally logged-on credentials to authenticate with TS Gateway and TS, since an administrator cannot deploy the Single Sign-On Group Policy settings to non-domain client machines.
Thus, to provide the best connection experience for non-domain clients through TS Gateway, set the “Use my TS Gateway credentials with remote server” option in the RDP file or in the mstsc client's advanced settings menu, as in the screenshot below. This ensures that end users are prompted for credentials only once during the connection.
No. Unfortunately if a Smart Card is used to log on locally to the machine, these credentials cannot be used for Single Sign-On. Please also note that you cannot save Smart Card credentials in TS connections either.
With build 3244, the reg hacks as described above work.
However, with build 3282, they don't seem to.
Considering the ones in build 3244 match the ones from Vista SP1, I'm worried that they removed this feature. We will be pissed if that is the case.
We want single-sign on, but do NOT want to be forced to move to Vista for that, especially if we know it worked on one of the release candidates but was disabled from the final.
Greg
I've tried the released version of SP3 and can confirm the single-sign on functionality has been removed from the final.
I CAN'T move my desktops to Vista due to incompatibilities with certain software we use. Come on Microsoft, how about a standalone RDC 6.1 complete with single-sign on?
Interestingly, I've been trying additional things to make this work and a desktop with SP2 on, upgraded to build 3244 then upgraded to SP3 final appears to retain the SSO functionality, whereas SP2 straight to SP3 appears not to!
OK, I've managed to achieve the functionality. Here's what to do:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
APPEND, don't replace: credssp.dll
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
APPEND, don't replace: tspkg
AGAIN, you need to APPEND these values, not replace what's there
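The append-don't-replace step from the comment above, as an added PowerShell example that is not part of the original post. It assumes SecurityProviders is a comma-separated REG_SZ and Security Packages is a REG_MULTI_SZ (which is how these two values are laid out), must run elevated, and still requires the Credential Delegation Group Policy and a reboot before SSO works.

```powershell
# Added example (not from the original post): idempotently append credssp.dll
# and tspkg to the two LSA lists, never overwriting the providers already there.
param([switch]$WhatIf)

function Add-RegistryListEntry {
    param(
        [string]$Path,    # registry key
        [string]$Name,    # value name under that key
        [string]$Entry,   # item to append if missing
        [switch]$WhatIf
    )
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    if ($current -is [string[]]) {
        # REG_MULTI_SZ (Security Packages): one package per element
        if ($current -contains $Entry) { Write-Host "$Name already lists $Entry"; return $false }
        $new = $current + $Entry
    } else {
        # REG_SZ (SecurityProviders): comma-separated DLL names in one string
        $parts = ($current -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        if ($parts -contains $Entry) { Write-Host "$Name already lists $Entry"; return $false }
        $new = ($parts + $Entry) -join ', '
    }
    if ($WhatIf) { Write-Host "Would set $Path\$Name to: $($new -join ' | ')"; return $true }
    Set-ItemProperty -Path $Path -Name $Name -Value $new
    Write-Host "Appended $Entry to $Path\$Name"
    return $true
}

$changes = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'; Name = 'SecurityProviders'; Entry = 'credssp.dll' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';               Name = 'Security Packages'; Entry = 'tspkg' }
)

$changed = $false
foreach ($c in $changes) {
    if (Add-RegistryListEntry -Path $c.Path -Name $c.Entry -Name $c.Name -Entry $c.Entry -WhatIf:$WhatIf) { $changed = $true }
}

# Read back so the final state is visible before rebooting.
foreach ($c in $changes) {
    Write-Host ("{0} = {1}" -f $c.Name, (((Get-ItemProperty -Path $c.Path -Name $c.Name).($c.Name)) -join ' | '))
}
if ($changed -and -not $WhatIf) { Write-Host 'Reboot required for LSA to load the new packages.' }
```

Run with -WhatIf first to see the resulting lists without writing anything.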
With Single Sign-on enabled, the current user’s credentials, also known as “default credentials”, are
I used the info from the postings above and specifically from KB951608, scenario 2 on a windows xp sp3 machine and am still prompted for credentials. Has anyone had any luck getting SSO to work with XP SP3 (RTM SP3, that is) clients?
I spoke too soon... MANY thanks, Paul, the registry entries from the KB and your post did the trick (credssp.dll, tspkg). If you could share your source, I'd be very grateful... thanks in any event!
Got a question about SSO with Windows XP SP3.
If I connect to a TS RemoteApp on the hostname of a server there is no problem at all. The app starts with no problems at all. Now I configured 2 TS 2008 servers in a Farm.
I have put the Farm into DNS with the two IPs that are configured for it (Forward lookup zone).
In TS RemoteApp Manager I configure the DNS name for the farm I created.
If I connect to the same TS RemoteApp with the farm name I have to put in my credentials again. Has anyone seen this problem before?
Got it working now on Farm name.
On XP it's impossible to get it to work with a TS Farm, so I used a Windows Vista machine. Now I have no problems anymore and can connect to the farm I configured!
I can confirm that SSO is not working with XP SP3 when connecting to a TS farm (using session broker). I have no issues when I connect to a standalone terminal server (following Paul's suggestions). If anyone has any ideas on how to make SSO work when connecting to a session brokered TS farm (besides upgrading to Vista), I'd love to hear them!
http://blogs.msdn.com/ts/archive/2008/04/30/problems-using-default-credentials-with-vista-rdp-clients-with-single-sign-on-enabled.aspx
To enable server authentication in a server farm, use SSL certificates that are issued by a trusted Certificate Authority and that have the farm name in the subject field. Deploy them to all servers in your farm. The SSL certificate will provide server authentication for a TS server and therefore Credential Delegation policy will allow saved credentials to be used for remote desktop connections.
How can I use SSO from Windows XP x64?
Additional information for SSO for TS farms from XP SP3 clients:
There is a QFE available for SSO to TS farms from XP SP3 - please see the KB article located here: "http://support.microsoft.com/kb/953760"
Also, please make sure you have CredSSP enabled on your XP SP3 client - please see the KB article located here: "http://support.microsoft.com/kb/951608"
Does this work with the standalone version of RDC6.1 for XPSP2 or is XPSP3 required?