How to enable Single Sign-On for my Terminal Server connections

Single-Sign-ON

Rickard Wendel [Terminal Services] — Tue, 24 Apr 2007 21:50:49 GMT

Nu finns det en guide för hur man konfigurerar SSO mellan en VISTA/Longhorn klient till en VISTA/Longhorn...

re: How to enable Single Sign-On for my Terminal Server connections

jay — Wed, 25 Apr 2007 05:41:25 GMT

Is it possible to provide SSO for Terminal Services in Win2k3 Server and XP/Win2k3 as clients?

re: How to enable Single Sign-On for my Terminal Server connections

Sergey Kuzin — Wed, 25 Apr 2007 19:57:29 GMT

Unfortunately it's not possible, because SSO requires using a special Security Support Provider currently available only in Vista.

re: How to enable Single Sign-On for my Terminal Server connections

Olivier Blaise — Mon, 23 Jul 2007 11:22:32 GMT

If I understood the explanation correctly, you use also a username and password to authenticate from Vista to Longhorn. The difference is that the username and password are cached and sent without user intervention.

No way to rely on kerberos authentication and constrained delegation ?

Single Sign On (SSO) aux connexions Terminal Services

Sup'Astuces — Wed, 17 Oct 2007 14:23:47 GMT

Dans un domaine windows, on est authentifi&#xE9; pour quasiment tous les services via Kerberos sans

How to enable Single Sign-On for my Terminal Server connections

MarkG — Fri, 19 Oct 2007 20:13:59 GMT

I've just foudn out that SSO will be available on XP SP3. Dev. has ported CredSSP back to XP SP3.

re: How to enable Single Sign-On for my Terminal Server connections

MarkG — Fri, 19 Oct 2007 22:05:47 GMT

Someone from MS Dev. need to confirm that SSO will work with WinXP SP3.

re: How to enable Single Sign-On for my Terminal Server connections

Sergey Kuzin — Mon, 22 Oct 2007 21:16:49 GMT

Mark,

Unfortunately, SSO will not be supported on XP SP3.

I'm sorry for the confusion.

Sergey.

re: How to enable Single Sign-On for my Terminal Server connections

Greg — Wed, 28 Nov 2007 22:01:38 GMT

I was just in the Webcast today on Security in Terminal Servers and the presenter had XP SP3 in the list as supported for SSO.

Was that old information?

re: How to enable Single Sign-On for my Terminal Server connections

Greg — Wed, 28 Nov 2007 22:53:24 GMT

BTW, it does work in XP SP3 RC1; however, the group policy templates don't provide for a means to make the change.

Make the change on a vista box and export the registry key and it will work on XP. Tried with SP2/RDP 6.1 client, that's a no-go, SP3 *IS* required.

re: How to enable Single Sign-On for my Terminal Server connections

Paul — Wed, 23 Jan 2008 20:16:20 GMT

Can anyone else confirm SSO works in XP Sp3?

re: How to enable Single Sign-On for my Terminal Server connections

JDS — Tue, 29 Jan 2008 18:05:59 GMT

Can someone post the registry changes required for the SSO to function on an XP machine?

re: How to enable Single Sign-On for my Terminal Server connections

Sergey Kuzin — Fri, 01 Feb 2008 21:14:10 GMT

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation]

"AllowDefaultCredentials"=dword:00000001

"ConcatenateDefaults_AllowDefault"=dword:00000001

"AllowDefCredentialsWhenNTLMOnly"=dword:00000001

"ConcatenateDefaults_AllowDefNTLMOnly"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials]

"1"="TERMSRV/<My Server1>"

"2"="TERMSRV/<My Server2>"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefCredentialsWhenNTLMOnly]

"1"="TERMSRV/<My Server1>"

"2"="TERMSRV/<My Server2>"

Replace "<My Server1>", "<My Server2>", etc. with the real server names.

Do not use AllowDefCredentialsWhenNTLMOnly unless it is absolutely necessary. It is to enable SSO when Kerberos or SSL server authentication is not possible, and it is not very secure (you may end up sending your password to a wrong server).

re: How to enable Single Sign-On for my Terminal Server connections

JDS — Fri, 01 Feb 2008 23:24:18 GMT

Thanks! Hopefully I can get it to work.

re: How to enable Single Sign-On for my Terminal Server connections

Alastair — Mon, 14 Apr 2008 18:00:54 GMT

I suppose this could be pushed out using GPO to XPSP3 PCs. Has anyone done it?

re: How to enable Single Sign-On for my Terminal Server connections

Greg — Thu, 17 Apr 2008 00:46:17 GMT

With build 3244, the reg hacks as described above work.

However, with build 3282, they don't seem to.

Considering the ones in build 3244 match the ones from Vista SP1, I'm worried that they removed this feature. We will be pissed if that is the case.

We want single-sign on, but do NOT want to be forced to move to Vista for that, especially if we know it worked on one of the release candidates but was disabled from the final.

Greg

re: How to enable Single Sign-On for my Terminal Server connections

Paul — Tue, 29 Apr 2008 15:10:53 GMT

I've tried the released version of SP3 and can confirm the single-sign on functionality has been removed from the final.

I CAN'T move my desktops to Vista due to incompatibilities with certain software we use. Come on Microsoft, how about a standalone RDC 6.1 complete with single-sign on?

re: How to enable Single Sign-On for my Terminal Server connections

Paul — Tue, 29 Apr 2008 16:38:00 GMT

Interestingly, I've been trying additional things to make this work and a desktop with SP2 on, upgraded to build 3244 then upgraded to SP3 final appears to retain the SSO functionality, whereas SP2 straight to SP3 appears not to!

re: How to enable Single Sign-On for my Terminal Server connections

Paul — Wed, 30 Apr 2008 12:09:01 GMT

OK, I've managed to achieve the functionality. Here's what to do:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders

APPEND, don't replace: credssp.dll

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages

APPEND, don't replace: tspkg

AGAIN, you need to APPEND these values, not replace what's there

Problems using default credentials with Vista RDP clients with Single Sign-on Enabled

Terminal Services Team Blog — Wed, 30 Apr 2008 23:57:43 GMT

With Single Sign-on enabled , the current user’s credentials, also known as “default credentials”, are

re: How to enable Single Sign-On for my Terminal Server connections

Chris Wallace — Sat, 17 May 2008 01:52:50 GMT

I used the info from the postings above and specifically from KB951608, scenario 2 on a windows xp sp3 machine and am still prompted for credentials. Has anyone had any luck getting SSO to work with XP SP3 (RTM SP3, that is) clients?

re: How to enable Single Sign-On for my Terminal Server connections

Chris Wallace — Sat, 17 May 2008 02:00:59 GMT

I spoke too soon... MANY thanks, Paul, the registry entries from the KB and your post did the trick (credssp.dll, tspkg). If you could share your source, I'd be very greatful... thanks in any event!

re: How to enable Single Sign-On for my Terminal Server connections

Dean Houben — Wed, 21 May 2008 13:24:48 GMT

Got a question about SSO with Windows XP SP3.

If i connect to a TS RemoteApp on hostname of a server there is no problem at all. App starts with no problems at all. Now i configured 2 TS 2008 servers in a Farm.

I have put into DNS the Farm with the two ip's that are configured for it (Forward lookup zone)

In TS RemoteApp Manager i configure the dns name for the farm i created.

If i connect to the same TS RemoteApp with the farm-name i have to put in my credentials again, anyone have seen this problem before?

re: How to enable Single Sign-On for my Terminal Server connections

Dean Houben — Tue, 27 May 2008 11:13:46 GMT

Got it working now on Farm name.

On XP it's impossible to get it to work with Ts Farm, so i used a Windows Vista machine. Now i got no problems anymore, can connect to the farm i configured!

re: How to enable Single Sign-On for my Terminal Server connections

Frank — Mon, 02 Jun 2008 20:39:48 GMT

I can confirm that SSO is not working with XP SP3 when connecting to a TS farm (using session broker). I have no issues when I connect to a standalone terminal server (following Paul's suggestions). If anyone has any ideas on how to make SSO work when connecting to a session brokered TS farm (besides upgrading to Vista), I'd love to hear them!

re: How to enable Single Sign-On for my Terminal Server connections

Osama Sajid [MSFT] — Thu, 03 Jul 2008 16:06:07 GMT

http://blogs.msdn.com/ts/archive/2008/04/30/problems-using-default-credentials-with-vista-rdp-clients-with-single-sign-on-enabled.aspx

To enable server authentication in a server farm, use SSL certificates that are issued by a trusted Certificate Authority and that have the farm name in the subject field. Deploy them to all servers in your farm. The SSL certificate will provide server authentication for a TS server and therefore Credential Delegation policy will allow saved credentials to be used for remote desktop connections.

re: How to enable Single Sign-On for my Terminal Server connections

Admin — Sat, 16 Aug 2008 00:15:08 GMT

This is a test to see if comment works on your blog or not.

I'm sure this will work if comment is long enough because otherwise it will be considered as spam by blog algorithm. So shorter the length of comment , greater the chances of considering it as a spam by blog algorithm and you will end up seeing in blog home page instead of comment.

re: How to enable Single Sign-On for my Terminal Server connections

RDP rocks! — Wed, 20 Aug 2008 00:20:18 GMT

How I can use SSO from Windows XP x64?

re: How to enable Single Sign-On for my Terminal Server connections

Olga — Wed, 20 Aug 2008 00:48:16 GMT

Additional information for SSO for TS farms from XP SP3 clients:

There is a QFE availbe for SSO to TS farms from XP SP3 - please see kb article located here: "http://support.microsoft.com/kb/953760"

Also, please make sure you have CredSSP enabled on your XP SP3 client - please see kb article located here: "http://support.microsoft.com/kb/951608"

re: How to enable Single Sign-On for my Terminal Server connections

Daryl — Fri, 10 Oct 2008 02:56:01 GMT

Does this work with the standalone version of RDC6.1 for XPSP2 or is XPSP3 required?

re: How to enable Single Sign-On for my Terminal Server connections

Olga Ivanova — Fri, 10 Oct 2008 04:13:04 GMT

XP SP3 is required since CredSSP was ported to XP SP3 (not SP2). You will need to enable credssp on it (see KB article # 951608 for more info).

re: How to enable Single Sign-On for my Terminal Server connections

GregM — Thu, 06 Nov 2008 17:34:47 GMT

Can this be used to connect from XP SP3 to XP SP3, or does the server still need to be 2008?

re: How to enable Single Sign-On for my Terminal Server connections

Olga Ivanova — Fri, 07 Nov 2008 02:04:46 GMT

Unfortunately, no - XP SP3 can only be used as the client so no XP SP3 to XP SP3. Server has to be 2008 or Vista.

re: How to enable Single Sign-On for my Terminal Server connections

sai — Thu, 11 Dec 2008 10:04:40 GMT

Hi Paul,

I am trying to setup SSO with xp SP3.

your previous post says APPEND,i am really unable to get what to APPEND ? please help me.

Setup

=====

Server

windows 2008 server

configured the RDP accordingly

client

Windows XP professional with xp sp3.

Earlier you said

"OK, I've managed to achieve the functionality. Here's what to do:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders

APPEND, don't replace: credssp.dll

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages

APPEND, don't replace: tspkg

AGAIN, you need to APPEND these values, not replace what's there "

i am not sure what do you mean by append

please suggest

re: How to enable Single Sign-On for my Terminal Server connections

sainath — Thu, 11 Dec 2008 10:17:44 GMT

Hi ,

I got it , we have to add these values to the registry .

and enable credssp on windows xp professional clients

re: How to enable Single Sign-On for my Terminal Server connections

Roman Golev — Thu, 26 Feb 2009 07:46:12 GMT

How to modify "Security Packages" with Domain Group Policy?

re: How to enable Single Sign-On for my Terminal Server connections

Jeef — Wed, 02 Sep 2009 13:26:00 GMT

The article states that it's not possible to USE SSO in combination with smart cards. Is there any known work around for this?!

re: How to enable Single Sign-On for my Terminal Server connections

Jason — Thu, 03 Sep 2009 21:40:06 GMT

SSO is working, but TS Remote Apps functionality is severely degraded due to differnet lock out time periods. Often remote app progrmas are idle while attending to other programs and then you come back to remote apps and have to log back in. Any suggestions? Domain lockout is 20mins and can't be changed.

re: How to enable Single Sign-On for my Terminal Server connections

Olga — Thu, 03 Sep 2009 21:47:53 GMT

RE SSO with Smart cards: unfortunately you cannot get SSO with smart cards today unless you deploy something like ISA/UAG server.

RE: lockout/timeout - thanks for your feedback. Domain lockout of 20 mins also applies to the TS where your Remote apps are hosted?

re: How to enable Single Sign-On for my Terminal Server connections

Jason — Thu, 03 Sep 2009 23:35:19 GMT

Lockout is based on AD Policy. I would have to create a seperate OU and drag the remote apps server into that OU and set No Timeout. This would probably work, but would not fly with our Security team. Any other suggestions or thoughts?

re: How to enable Single Sign-On for my Terminal Server connections

Jason — Thu, 03 Sep 2009 23:38:15 GMT

The only thing stopping me from a full roleout of Remote Apps and 2K8 Server are users can't stand having to relog on to the application every 20 minutes of inactivity. SSO works great for the initial launch, but after 20 minutes, SSO benefits are moot and users have to type in creds to unlock the session.

re: How to enable Single Sign-On for my Terminal Server connections

Jason — Thu, 03 Sep 2009 23:40:08 GMT

If the Remote Apps could share the same incativity timer as the host machine, it would be a beautiful thing.

re: How to enable Single Sign-On for my Terminal Server connections

David — Fri, 16 Oct 2009 11:06:03 GMT

Does these setting provide SSO to the TS Web Access portal ? i.e, I launch IE, navigate to my TS web access page, it auto logs on and my apps are presented. If so, it does not seem to work for me, I am using Windows 7 RDP 7.1. When I use mstsc and connect to my farm, SSO does work. Can someone clarify please :-) thanks

re: How to enable Single Sign-On for my Terminal Server connections

termserv — Fri, 16 Oct 2009 16:07:05 GMT

@David:

For Web SSO, see http://blogs.msdn.com/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx

Rob [MSFT]

re: How to enable Single Sign-On for my Terminal Server connections

Dan — Wed, 28 Oct 2009 00:03:02 GMT

The error message in the Remote Desktop Connection app (mstsc) should be more detailed.

My scenario:

- domain-joined Win 7 machine at work

- connecting to non-domain-joined Win 7 machine at home

- saved credentials would not pass and I would get the following message:

"Your credentials did not work. Your system administrator does not allow the use of saved credentials to log on to the remote computer my.domain.com because its identity is not fully verified. Please enter new credentials."

Enabling the "Allow Delegating Saved Credentials with NTLM-only Server Authentication" of course fixed the problem.

In retrospect, the message now makes sense, but before I thought it was getting the wrong username/password. It seemed to me that the remote machine was rejecting it.

I suggest some changes to make this clearer:

1) Change the title of the error to something like "Saved credentials could not be sent". The way it is now, sounds like they were sent and rejected by the remote machine.

2) Alter the error message to include some hint that this is the result of the Local Computer Policy so that the user knows where to look.

3) When opting to save credentials, a policy check should occur and the user should be informed that the policy is not going to allow it.

4) A help button and page that includes information on connecting from a domain-joined PC to a non-domain-joined PC.

Thanks for considering it. :)

re: How to enable Single Sign-On for my Terminal Server connections

Naresh Negi — Thu, 26 Nov 2009 19:57:07 GMT

Can we get SSO on a thin client with windows XP SP3 embedded?

I have a Session broker with NLB and I keep getting double prompts and on remote apps although I have setup credssp I am still being asked for a prompt. Is there something different I need to do for getting SSO on remote apps? I am doing all this on XP SP3 (standard) and later.

TS and SSB are windows 2008 R2.

TIA.