There are two levels of authentication required for a successful connection to a Terminal Server through a TS Gateway server. The first level of authentication happens when the TS client connects to the TS Gateway server, and the second occurs when it connects to the Terminal Server. For this reason, the user is prompted for credentials to authenticate to the TS Gateway server, and prompted again for credentials to authenticate to the Terminal Server.
If the user is going to use the same set of credentials for both the TS Gateway server and the Terminal Server then he/she can enable the single credential prompt setting in the TS client. With this setting enabled, the TS client prompts the user for credentials only once and uses the supplied credentials for authenticating to both TS Gateway and Terminal Server.
Alternatively, the single credential prompt setting can be manipulated from the RDP file.
The feature is available in RDP 6.1 client and it is enabled by default. The setting can be altered by using one of the methods mentioned in the above section.
Therefore, when the user finally clicks "Connect", depending on the existence of saved credentials the TS Client might or might not display a credential prompt for the Terminal Server.
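As an added example that is not part of the original post, the following Python snippet parses an .rdp file and reports how many credential prompts to expect from the settings in it; it assumes the client's `promptcredentialonce`, `gatewayhostname` and `gatewayusagemethod` RDP-file keys, and treats a missing `promptcredentialonce` as enabled, matching the 6.1 default described above.

```python
# Added example (not from the original post): inspect the TS Gateway and
# single-credential-prompt settings of an .rdp file.
# Assumed RDP file keys: "promptcredentialonce:i:" (the single credential
# prompt setting), "gatewayhostname:s:" and "gatewayusagemethod:i:"
# (0 = do not use a gateway).

# Constructed sample .rdp content (not from a real deployment).
SAMPLE_RDP = """\
full address:s:ts1.corp.example
gatewayhostname:s:tsgw.corp.example
gatewayusagemethod:i:1
promptcredentialonce:i:0
authentication level:i:2
"""


def parse_rdp(text):
    """Parse key:type:value lines into a dict.

    Type 'i' values become integers; 's' (string) and 'b' (hex blob)
    values are kept as strings. A value may itself contain ':'.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, kind, value = line.split(":", 2)
        settings[key] = int(value) if kind == "i" else value
    return settings


def credential_prompts(settings):
    """Describe the credential prompts implied by the parsed settings.

    Without a gateway there is a single prompt (the Terminal Server).
    With a gateway, the single credential prompt setting decides whether
    one prompt covers both hops or the user is asked twice. A missing
    key is treated as enabled (assumption based on the 6.1 default).
    """
    uses_gateway = (bool(settings.get("gatewayhostname"))
                    and settings.get("gatewayusagemethod", 0) != 0)
    if not uses_gateway:
        return {"gateway": False, "single_prompt": None, "prompts": 1}
    single = settings.get("promptcredentialonce", 1) == 1
    return {"gateway": True, "single_prompt": single,
            "prompts": 1 if single else 2}


if __name__ == "__main__":
    print(credential_prompts(parse_rdp(SAMPLE_RDP)))
```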
Will the RDP 6.1 be available for XPSP2, also? The 6.0 does not have those special logon settings for the RPC-HTTPS proxy.
Yes, RDP 6.1 will be available XPSP2.
I've installed Windows 2008 and turned on the TS Gateway, installed a digital certificate, but I'm getting "This computer can't connect to the remote computer because the Terminal Services Gateway server is temporarily unavailable."
Are there any troubleshooting tips to figure out how to get it working?
So how do you allow users to use a TS gateway from untrusted non-domain PCs (home computers, public computers at places like a library, trade show, guest PC at a customer/partner office, etc.) while at the same time protecting against a user (for whatever reason) saving their credentials locally where they can be used by whoever happens to start up RDC next on that machine, or walking away from the machine and having the connection through the gateway maintained indefinitely? With regular terminal services you can set policies to always prompt for credentials on the client computer, and you can set idle session disconnect timeouts. But neither of those seem possible with TS gateway?
It seems like the security mindset around TS gateway is that the client machines coming into the gateway are domain/trusted machines, whereas one of the most logical uses of a gateway would be for users to be able to connect to their XP desktop at the office from a non-domain/untrusted home PC.
There is no protection against a user walking away and giving control over the TS session to some other guy. It does not matter if the client machine is trusted, domain-joined or not. You’ll have to trust your users to be careful about this.
As for preventing a user from saving credentials: you can configure the server not to allow connections with saved credentials. But again, this is not a foolproof protection, because it implies that TS Client supports this feature (i.e. it’s a genuine MS TS Client v6.1). If TS Client is replaced it may not honor this policy.
One of the things that is annoying is the double login for TS Web Interface and TS Gateway. It's great that the gateway and TS server can use the same credentials, but you're forced to log in before you even get the website within the Web Interface part. Would it be possible to make this more like the Citrix approach? (i.e. 'web interface' > then login > then see published apps > then select, without need for new credentials).
Thanks,
Ross
Single Sign-On for TS Web Access scenarios is one of the new features we are adding to the next Windows version.
Thx,
sergey.
I'm still having double credential prompts when using RDP 7. It does not help even after I enable CredSSP. Any advice?