Remote Desktop Services (Terminal Services) Team Blog

Nu finns det en guide för hur man konfigurerar SSO mellan en VISTA/Longhorn klient till en VISTA/Longhorn...

Unfortunately it's not possible, because SSO requires using a special Security Support Provider currently available only in Vista.

Dans un domaine windows, on est authentifié pour quasiment tous les services via Kerberos sans

Someone from MS Dev. need to confirm that SSO will work with WinXP SP3.

I was just in the Webcast today on Security in Terminal Servers and the presenter had XP SP3 in the list as supported for SSO.

Was that old information?

Can anyone else confirm SSO works in XP Sp3?

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation]

"AllowDefaultCredentials"=dword:00000001

"ConcatenateDefaults_AllowDefault"=dword:00000001

"AllowDefCredentialsWhenNTLMOnly"=dword:00000001

"ConcatenateDefaults_AllowDefNTLMOnly"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials]

"1"="TERMSRV/<My Server1>"

"2"="TERMSRV/<My Server2>"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefCredentialsWhenNTLMOnly]

"1"="TERMSRV/<My Server1>"

"2"="TERMSRV/<My Server2>"

Replace "<My Server1>", "<My Server2>", etc. with the real server names.

Do not use AllowDefCredentialsWhenNTLMOnly unless it is absolutely necessary. It is to enable SSO when Kerberos or SSL server authentication is not possible, and it is not very secure (you may end up sending your password to a wrong server).

I suppose this could be pushed out using GPO to XPSP3 PCs. Has anyone done it?

I've tried the released version of SP3 and can confirm the single-sign on functionality has been removed from the final.

I CAN'T move my desktops to Vista due to incompatibilities with certain software we use.  Come on Microsoft, how about a standalone RDC 6.1 complete with single-sign on?

OK, I've managed to achieve the functionality.  Here's what to do:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders

APPEND, don't replace: credssp.dll

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages

APPEND, don't replace: tspkg

AGAIN, you need to APPEND these values, not replace what's there

I used the info from the postings above and specifically from KB951608, scenario 2 on a windows xp sp3 machine and am still prompted for credentials. Has anyone had any luck getting SSO to work with XP SP3 (RTM SP3, that is) clients?

Got a question about SSO with Windows XP SP3.

If i connect to a TS RemoteApp on hostname of a server there is no problem at all. App starts with no problems at all. Now i configured 2 TS 2008 servers in a Farm.

I have put into DNS the Farm with the two ip's that are configured for it (Forward lookup zone)

In TS RemoteApp Manager i configure the dns name for the farm i created.

If i connect to the same TS RemoteApp with the farm-name i have to put in my credentials again, anyone have seen this problem before?

I can confirm that SSO is not working with XP SP3 when connecting to a TS farm (using session broker). I have no issues when I connect to a standalone terminal server (following Paul's suggestions). If anyone has any ideas on how to make SSO work when connecting to a session brokered TS farm (besides upgrading to Vista), I'd love to hear them!

This is a test to see if comment works on your blog or not.

I'm sure this will work if comment is long enough because otherwise it will be considered as spam by blog algorithm. So shorter the length of comment , greater the chances of considering it as a spam by blog algorithm and you will end up seeing in blog home page instead of comment.

Additional information for SSO for TS farms from XP SP3 clients:

There is a QFE availbe for SSO to TS farms from XP SP3 - please see kb article located here: "http://support.microsoft.com/kb/953760"

Also, please make sure you have CredSSP enabled on your XP SP3 client -  please see kb article located here: "http://support.microsoft.com/kb/951608"

XP SP3 is required since CredSSP was ported to XP SP3 (not SP2). You will need to enable credssp on it (see KB article # 951608 for more info).

Unfortunately, no - XP SP3 can only be used as the client so no XP SP3 to XP SP3. Server has to be 2008 or Vista.

Hi ,

I got it , we have to add these values to the registry .

and enable credssp on windows xp professional clients

The article states that it's not possible to USE SSO in combination with smart cards. Is there any known work around for this?!

RE SSO with Smart cards: unfortunately you cannot get SSO with smart cards today unless you deploy something like ISA/UAG server.

RE: lockout/timeout - thanks for your feedback. Domain lockout of 20 mins also applies to the TS where your Remote apps are hosted?

The only thing stopping me from a full roleout of Remote Apps and 2K8 Server are users can't stand having to relog on to the application every 20 minutes of inactivity.  SSO works great for the initial launch, but after 20 minutes, SSO benefits are moot and users have to type in creds to unlock the session.

Does these setting provide SSO to the TS Web Access portal ? i.e, I launch IE, navigate to my TS web access page, it auto logs on and my apps are presented.    If so, it does not seem to work for me, I am using Windows 7 RDP 7.1.  When I use mstsc and connect to my farm, SSO does work.  Can someone clarify please :-) thanks

The error message in the Remote Desktop Connection app (mstsc) should be more detailed.

My scenario:

- domain-joined Win 7 machine at work

- connecting to non-domain-joined Win 7 machine at home

- saved credentials would not pass and I would get the following message:

"Your credentials did not work. Your system administrator does not allow the use of saved credentials to log on to the remote computer my.domain.com because its identity is not fully verified. Please enter new credentials."

Enabling the "Allow Delegating Saved Credentials with NTLM-only Server Authentication" of course fixed the problem.

In retrospect, the message now makes sense, but before I thought it was getting the wrong username/password. It seemed to me that the remote machine was rejecting it.

I suggest some changes to make this clearer:

1) Change the title of the error to something like "Saved credentials could not be sent". The way it is now, sounds like they were sent and rejected by the remote machine.

2) Alter the error message to include some hint that this is the result of the Local Computer Policy so that the user knows where to look.

3) When opting to save credentials, a policy check should occur and the user should be informed that the policy is not going to allow it.

4) A help button and page that includes information on connecting from a domain-joined PC to a non-domain-joined PC.

Thanks for considering it. :)