What is the advantage of displaying a single credential prompt for TS Gateway Server and Terminal Server?

There are two levels of authentication required for a successful connection to a Terminal Server through a TS Gateway server. First level of authentication happens when the TS client connects to the TS Gateway server and the second level occurs when it connects to the Terminal Server. For this reason, the user is prompted for credentials for the TS Gateway server for the first authentication and prompted again for credentials to authenticate the Terminal Server.

If the user is going to use the same set of credentials for both the TS Gateway server and the Terminal Server then he/she can enable the single credential prompt setting in the TS client. With this setting enabled, the TS client prompts the user for credentials only once and uses the supplied credentials for authenticating to both TS Gateway and Terminal Server.

How do I configure single credential prompt?

Enabling the setting through the TS Client UI:

• 1. Start up the TS client and navigate to "Options", "Advanced", click on "Settings" under "connect from anywhere".
• 2. Enter the Server name (in our sample, "gateway.microsoft.com").
• 3. Under "Logon settings", use the checkbox "Use my TS Gateway server credentials for the remote computer" to enable or disable single credential prompt.
• 4. Please see the snapshot below.
  

• 5. Confirm the changes by clicking on the "OK" button.
• 6. Navigate to the "General" tab and make sure you have the right Terminal Server name in the "Computer" box.
• 7. Click "Connect".
• 8. A single credential prompt is displayed requesting the user to enter the credentials. Please see the snapshot below.
  

• 9. The header of the credential prompt (in the red box above) clearly mentions that the credentials that will be entered will be used to connect to those two servers.
• 10. The user can enter the Username/Password or smartcard/Pin combination for authentication.
• 11. If the user selects the checkbox "Remember the credentials" and enters the Username/Password then the credentials will be saved both for the TS Gateway server and the Terminal Server and is used in subsequent connections to the same TS Gateway server and Terminal Server.
• 12. If a smartcard is being using as the method of authentication then make sure that smartcard redirection is enabled. Also, smartcard CSP and drivers must be installed on the Terminal Server.
• 13. Click "OK" once the right credentials have been entered.
• 14. The TS client will continue to connect without any additional credential prompts.

Enabling the setting through the RDP file:

Alternatively, the single credential prompt setting can be manipulated from the RDP file.

• 1. Open the RDP file in Notepad.exe.
• 2. To enable the setting, the user can enter "promptcredentialonce:i:1" in the RDP file.
• 3. If the user wants to disable the setting, then user can enter "promptcredentialonce:i:0" in the RDP file.

What is the default behavior?

The feature is available in RDP 6.1 client and it is enabled by default. The setting can be altered by using one of the methods mentioned in the above section.

What are the various scenarios this setting is not applicable?

• 1. If the setting is disabled, then the TS client would prompt twice - once for the TS Gateway server and the second time for the Terminal Server.
• 2. Single credential prompt setting is ignored when the TS Gateway server already has saved credentials. The snapshot below shows that the TS Gateway server (in our sample, "gateway.microsoft.com") already has saved credentials. Notice that the checkbox shown in the first snapshot, "Use my TS Gateway server credentials for the remote computer" is not displayed to the user.
  

Therefore, when the user finally clicks "Connect", depending on the existence of saved credentials the TS Client might or might not display a credential prompt for the Terminal Server.

• 3. The setting is also ignored when Group Policy to enable locally logged on credentials for TS Gateway is enforced. The snapshot below shows the snapshot when the locally logged on credentials policy is enabled. Notice that the checkbox shown in the first snapshot, "Use my TS Gateway server credentials for the remote computer" is again not displayed to the user.