Single credential prompt for TS Gateway Server and Terminal Server


What is the advantage of displaying a single credential prompt for TS Gateway Server and Terminal Server?


Two levels of authentication are required for a successful connection to a Terminal Server through a TS Gateway server. The first level happens when the TS client connects to the TS Gateway server, and the second when it connects to the Terminal Server. For this reason, the user is prompted for credentials to authenticate to the TS Gateway server and then prompted again for credentials to authenticate to the Terminal Server.

If the user is going to use the same set of credentials for both the TS Gateway server and the Terminal Server, they can enable the single credential prompt setting in the TS client. With this setting enabled, the TS client prompts the user for credentials only once and uses the supplied credentials to authenticate to both the TS Gateway server and the Terminal Server.

 

How do I configure single credential prompt?

Enabling the setting through the TS Client UI:

  • 1. Start up the TS client and navigate to "Options", "Advanced", click on "Settings" under "connect from anywhere".
  • 2. Enter the Server name (in our sample, "gateway.microsoft.com").
  • 3. Under "Logon settings", use the checkbox "Use my TS Gateway server credentials for the remote computer" to enable or disable single credential prompt.
  • 4. Please see the snapshot below.

  • 5. Confirm the changes by clicking on the "OK" button.
  • 6. Navigate to the "General" tab and make sure you have the right Terminal Server name in the "Computer" box.
  • 7. Click "Connect".
  • 8. A single credential prompt is displayed requesting the user to enter the credentials. Please see the snapshot below.
  • 9. The header of the credential prompt (in the red box above) clearly mentions that the credentials that will be entered will be used to connect to those two servers.
  • 10. The user can enter the Username/Password or smartcard/Pin combination for authentication.
  • 11. If the user selects the checkbox "Remember the credentials" and enters a Username/Password, the credentials are saved for both the TS Gateway server and the Terminal Server and are used in subsequent connections to the same TS Gateway server and Terminal Server.
  • 12. If a smartcard is being used as the method of authentication, make sure that smartcard redirection is enabled. The smartcard CSP and drivers must also be installed on the Terminal Server.
  • 13. Click "OK" once the right credentials have been entered.
  • 14. The TS client will continue to connect without any additional credential prompts.

 

Enabling the setting through the RDP file:

Alternatively, the single credential prompt setting can be set directly in the RDP file.

  • 1. Open the RDP file in Notepad.exe.
  • 2. To enable the setting, add the line "promptcredentialonce:i:1" to the RDP file.
  • 3. To disable the setting, use "promptcredentialonce:i:0" instead.
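Both procedures above end up controlling the same RDP file setting, so editing the file programmatically is a practical way to apply it across many saved connections. The following Python helper is an added example, not code from the original post: it parses the name:type:value lines of an .rdp file, reports whether the connection goes through a TS Gateway at all (with a direct connection there is only one authentication, so the setting has nothing to merge), reads the effective promptcredentialonce value (absent means enabled, matching the RDP 6.1 default), and rewrites the file with the setting set exactly once. The sample file contents are constructed for illustration; the server and gateway names are assumptions.

```python
"""Read and set the single credential prompt setting in an .rdp file.

Added example; not code from the original post. An .rdp file is plain
text with one setting per line in the form "name:type:value", where
type is "i" (integer) or "s" (string). The setting described in the
post is "promptcredentialonce:i:1" (enabled) or "promptcredentialonce:i:0".
"""

SINGLE_PROMPT = "promptcredentialonce"

# Constructed sample .rdp content (hostnames are assumptions): a connection
# to a Terminal Server via a TS Gateway, single credential prompt disabled.
SAMPLE_RDP = (
    "full address:s:ts01.corp.example\r\n"
    "gatewayhostname:s:gateway.microsoft.com\r\n"
    "gatewayusagemethod:i:1\r\n"
    "promptcredentialonce:i:0\r\n"
    "authentication level:i:2\r\n"
)


def parse_rdp(text):
    """Return a list of (name, type, value) tuples in file order.

    Only the first two colons separate the fields: the value itself may
    contain ':' (an IPv6 address, a command line), so split with maxsplit=2.
    Blank lines are ignored; anything that is not name:i|s:value is rejected
    rather than silently dropped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[1] not in ("i", "s"):
            raise ValueError("malformed .rdp line: %r" % raw)
        name, typ, value = parts
        if typ == "i" and not value.lstrip("-").isdigit():
            raise ValueError("non-integer value for %s: %r" % (name, value))
        entries.append((name, typ, value))
    return entries


def is_valid_rdp(text):
    """True if parse_rdp accepts the text."""
    try:
        parse_rdp(text)
        return True
    except ValueError:
        return False


def render_rdp(entries):
    """Serialise entries back to .rdp text with CRLF endings, as Notepad writes."""
    return "".join("%s:%s:%s\r\n" % e for e in entries)


def uses_gateway(entries):
    """True when a gateway host is named and gatewayusagemethod is not 0
    (0 = do not use a gateway). An absent usage method with a named host is
    treated as "use gateway" here; that is this example's assumption."""
    host, method = "", None
    for name, _, value in entries:
        if name == "gatewayhostname":
            host = value
        elif name == "gatewayusagemethod":
            method = value
    return bool(host) and method != "0"


def single_prompt_enabled(entries):
    """Effective value of the setting: absent counts as enabled (the RDP 6.1
    default); if duplicated, the last occurrence wins (this example's
    convention, not a documented mstsc rule)."""
    enabled = True
    for name, _, value in entries:
        if name == SINGLE_PROMPT:
            enabled = value == "1"
    return enabled


def set_single_prompt(entries, enabled):
    """Copy of entries with promptcredentialonce set exactly once, dropping
    any earlier (possibly duplicated) occurrences."""
    kept = [e for e in entries if e[0] != SINGLE_PROMPT]
    kept.append((SINGLE_PROMPT, "i", "1" if enabled else "0"))
    return kept


def enable_single_prompt(text):
    """Take .rdp text and return it with the single prompt enabled."""
    return render_rdp(set_single_prompt(parse_rdp(text), True))


if __name__ == "__main__":
    entries = parse_rdp(SAMPLE_RDP)
    print("uses gateway:", uses_gateway(entries))
    print("single prompt enabled:", single_prompt_enabled(entries))
    print(enable_single_prompt(SAMPLE_RDP), end="")
```

The parser rejects malformed lines instead of skipping them, because a silently dropped "promptcredentialonce" line would make the file look enabled (the default) when the author meant to disable it. Keep in mind the limits the post describes in the next sections: the setting has no effect when the gateway already has saved credentials or when Group Policy forces locally logged-on credentials for the gateway, neither of which is visible in the file.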

 

What is the default behavior?


The feature is available in the RDP 6.1 client and is enabled by default. The setting can be changed using either of the methods described in the section above.

 

In which scenarios is this setting not applicable?

 

  • 1. If the setting is disabled, the TS client prompts twice: once for the TS Gateway server and a second time for the Terminal Server.
  • 2. The single credential prompt setting is ignored when the TS Gateway server already has saved credentials. The snapshot below shows that the TS Gateway server (in our sample, "gateway.microsoft.com") already has saved credentials. Notice that the checkbox shown in the first snapshot, "Use my TS Gateway server credentials for the remote computer", is not displayed to the user.

Therefore, when the user finally clicks "Connect", the TS client may or may not display a credential prompt for the Terminal Server, depending on whether saved credentials exist for it.

  • 3. The setting is also ignored when the Group Policy that enables locally logged-on credentials for TS Gateway is enforced. The snapshot below shows the dialog when the locally logged-on credentials policy is enabled. Notice that the checkbox shown in the first snapshot, "Use my TS Gateway server credentials for the remote computer", is again not displayed to the user.

 

  • Will the RDP 6.1 be available for XPSP2, also? The 6.0 does not have those special logon settings for the RPC-HTTPS proxy.

  • Yes, RDP 6.1 will be available for XPSP2.

  • I've installed Windows 2008 and turned on the TS Gateway, installed a digital certificate, but I'm getting "This computer can't connect to the remote computer because the Terminal Services Gateway server is temporarily unavailable."

    Are there any trouble shooting tips to figure out how to get it working?

  • So how do you allow users to use a TS gateway from untrusted non-domain PCs (home computers, public computers at places like a library, trade show, guest PC at a customer/partner office, etc.) while at the same time protecting against a user (for whatever reason) saving their credentials locally where they can be used by whoever happens to start up RDC next on that machine, or walking away from the machine and having the connection through the gateway maintained indefinitely? With regular terminal services you can set policies to always prompt for credentials on the client computer, and you can set idle session disconnect timeouts. But neither of those seem possible with TS gateway?

    It seems like the security mindset around TS gateway is that the client machines coming into the gateway are domain/trusted machines, whereas one of the most logical uses of a gateway would be for users to be able to connect to their XP desktop at the office from a non-domain/untrusted home PC.

  • There is no protection against a user walking away and giving control over the TS session to some other guy. It does not matter if the client machine is trusted, domain-joined or not. You’ll have to trust your users to be careful about this.

    As for preventing a user from saving credentials: you can configure the server not to allow connections with saved credentials. But again, this is not a foolproof protection, because it implies that TS Client supports this feature (i.e. it’s a genuine MS TS Client v6.1). If TS Client is replaced it may not honor this policy.

  • One of the things that is annoying is the double login for TS Web Interface and TS Gateway. It's great that the gateway and TS server can use the same credentials, but you're forced to log in before you even get the website within the Web Interface part. Would it be possible to make this more like the Citrix approach? (i.e. 'web interface' > then login > then see published apps > then select, without the need for new credentials).

    Thanks,

    Ross

  • Single Sign-On for TS Web Access scenarios is one of the new features we are adding to the next Windows version.

    Thx,

    sergey.

  • I'm still having double credential prompts when using RDP 7. It does not help even after I enable CredSSP. Any advice?
