What is Single Sign-On?
When applied to Terminal Services, Single Sign-On means using the credentials of the currently logged on user (also called default credentials) to log on to a remote computer. If you use the same user name and password logging on to your local computer and connecting to a Terminal Server, enabling Single Sign-On will allow you to do it seamlessly, without having to type in your password again.
Locally logged on credentials are used for connecting to TS Web Access, however, they cannot be shared across TS Web Access and TS or TS Gateway. Thus you will need to enable the Group Policy settings described below in order to use locally logged on credentials for TS or TS Gateway connections.
How to enable Single Sign-On?
Single sign-On can be enabled using domain or local group policy.
What are the limitations when using Single Sign-on?
Why is Single Sign-On controlled by Group Policy?
As a part of the logon process TS Client sends the actual user credentials (user name and password) to the server. If a code running as a regular user were allowed to enable Single Sign-On, any malicious software (virus, Trojan, spyware etc.) running in the user's session would be able to send the user's password to any machine on the network. So, only administrators should be allowed to decide which servers are safe for Single Sign-On.
Thus Single Sign-On can only be enabled on domain-joined client machines.
What if I have Single Sign-On enabled but want to use different credentials this time?
Start TS Client. Click the "Options" button. Select the "Always ask for credentials" checkbox. You will be asked for credentials next time you connect.
How do I enable Single Sign-on for TS Gateway Server?
If you have a non-domain client, then you cannot get single sign-on by using locally logon credentials to authenticate with TSG and TS since administrator cannot deploy single sign-on group policies to the non-domain client machines.
Thus, to provide the best connection experience for non-domain clients through TS Gateway, set the option “Use my TS Gateway credentials with remote server option” in RDP file or in the mstsc client advanced setting menu as per screenshot below. This will ensure that end users are prompted for credentials only once during the connection experience.
No. Unfortunately if a Smart Card is used to log on locally to the machine, these credentials cannot be used for Single Sign-On. Please also note that you cannot save Smart Card credentials in TS connections either.
Can we get SSO on a thin client with windows XP SP3 embedded?
I have a Session broker with NLB and I keep getting double prompts and on remote apps although I have setup credssp I am still being asked for a prompt. Is there something different I need to do for getting SSO on remote apps? I am doing all this on XP SP3 (standard) and later.
TS and SSB are windows 2008 R2.
I cannot get this work with my Vista x64
When I enable this policy, I can see registy:
I think this is wrong place. Should not be under wow6432Node?
Anybody lucky with x64 OS?
Sorry, Not Vista, I have Windows 7
Dah, it did work. I just forget that I need use full domain name to connect.
why is this not working for me??? i have added the reg values and still get prompted for credentials when i click the .rpd remote app icon. xp-sp3
am i missing something else??
THANKS FOR THIS POST!
Is there a utility which can APPEND these values on XP SP3 platform which can be deployed via. GPO? Quite tricky going to 25x PCs to manually edit, and if I roll out a reg key, it will REPLACE the data, and I might replace something that I didn't know was there in the first place.
I have a 4 node RDS farm, 2 host , 1 broker and 1 web. My users use the web http:\\myserver.local\rdweb to connect to thier applications. When I try the above settings, they are still prompted for user/pass. Is there more to do for this type of connection?
I have 02 disjoint domains, I want to provide SSO to users from one the domain when accessing TSE to the other domain. In this case how can I do?
Here is another resource with interesting tips on configuring terminal services:
There is also information on load balancing.
Can someone tell me a script to enable this setting
I am able to add the registry in via reg add however the settings it not enabled when i go into gpedit.msc on the local machine
> Single Sign-on only works with Passwords. Does not work with Smartcards
Is this statement still valid? For Windows 8 / Server 2012 in particular?
> I am able to add the registry in via reg add however the settings it not enabled when i go into gpedit.msc on the local machine
If you change the registry using Regedit or REG command, it could not appear in policy settings. Group Policy has its own database, and it is not refreshed automatically when a registry value get changed.
Yes, this statement is still valid for Windows 8 and Server 2012.