Single credential prompt for TS Gateway Server and Terminal Server

re: Single credential prompt for TS Gateway Server and Terminal Server

Bernd Eckenfels — Sun, 08 Jul 2007 02:31:41 GMT

Will the RDP 6.1 be available for XPSP2, also? The 6.0 does not have those special logon settings for the RPC-HTTPS proxy.

re: Single credential prompt for TS Gateway Server and Terminal Server

Mahadev Alladi — Sun, 29 Jul 2007 22:27:08 GMT

Yes, RDP 6.1 will be available XPSP2.

re: Single credential prompt for TS Gateway Server and Terminal Server

Robert — Wed, 08 Aug 2007 22:48:56 GMT

I've installed Windows 2008 and turned on the TS Gateway, installed a digital certificate, but I'm getting "This computer can't conenct to the remove comptuer because the Terminal; Services Gateway server is temporaily unavailable."

Are there any trouble shooting tips to figure out how to get it working?

re: Single credential prompt for TS Gateway Server and Terminal Server

Will — Thu, 10 Jan 2008 23:04:16 GMT

So how do you allow users to use a TS gateway from untrusted non-domain PCs (home computers, public computers at places like a library, trade show, guest PC at a customer/partner office, etc.) while at the same time protecting against a user (for whatever reason) saving their credentials locally where they can be used by whoever happens to start up RDC next on that machine, or walking away from the machine and having the connection through the gateway maintained indefinitely? With regular terminal services you can set policies to always prompt for credentials on the client computer, and you can set idle session disconnect timeouts. But neither of those seem possible with TS gateway?

It seems like the security mindset around TS gateway is that the client machines coming into the gateway are domain/trusted machines, whereas one of the most logical uses of a gateway would be for users to be able to connect to their XP desktop at the office from a non-domain/untrusted home PC.

re: Single credential prompt for TS Gateway Server and Terminal Server

Sergey Kuzin — Sat, 12 Jan 2008 01:16:57 GMT

There is no protection against a user walking away and giving control over the TS session to some other guy. It does not matter if the client machine is trusted, domain-joined or not. You’ll have to trust your users to be careful about this.

As for preventing a user from saving credentials: you can configure the server not to allow connections with saved credentials. But again, this is not a foolproof protection, because it implies that TS Client supports this feature (i.e. it’s a genuine MS TS Client v6.1). If TS Client is replaced it may not honor this policy.

re: Single credential prompt for TS Gateway Server and Terminal Server

Ross — Mon, 02 Mar 2009 17:29:47 GMT

One of the things that is annoying is the double-login for TSWebInterface and TSGateway. Its great that the gateway and TS server can use the same credentials but you're forced to login before you even get the website within the Web Interface part. Would it possible to make this more like the Citrix approach? (i.e. 'web interface' > then login > then see published apps > then select, without need for new credential).

Thanks,

Ross

re: Single credential prompt for TS Gateway Server and Terminal Server

Sergey Kuzin — Wed, 04 Mar 2009 01:06:19 GMT

Single Sign-On for TS Web Access scenarios is one of the new features we are adding to the next Windows version.

Thx,

sergey.