Problems using saved credentials with Vista RDP clients and above

Jason Conger Blog » Blog Archive » Problems using saved credentials with Vista RDP clients and above

Tue, 31 Jul 2007 21:52:23 GMT

PingBack from http://blogs.msterminalservices.org/conger/2007/07/31/problems-using-saved-credentials-with-vista-rdp-clients-and-above/

re: Problems using saved credentials with Vista RDP clients and above

Olivier Blaise — Thu, 02 Aug 2007 10:02:54 GMT

You speak about kerberos for server authentication with saved credentials.

But does the RDP client support plain kerberos authentication for authenticating the server to the RDP client but also for authenticating the user to the TS ?

re: Problems using saved credentials with Vista RDP clients and above

Sergey Kuzin — Fri, 03 Aug 2007 21:06:49 GMT

Yes, RDP client supports Kerberos user authentication.

However, it never uses plain Kerberos protocol. It uses CredSSP instead: http://msdn2.microsoft.com/en-us/library/bb204772.aspx

re: Problems using saved credentials with Vista RDP clients and above

Cedric Briscoe — Thu, 23 Aug 2007 23:36:15 GMT

I currently use a Certificate for the TS Gateway. But always wondered what to do then teh Session Broker "Farm" serves up TS1 or TS2.

In addition to the FARM I've pretty much added many computers to the TS RAP. Does each machine need to have it's own Certificate or should they all have a common Certificate?

If I set up AutoEnrollment on an Enterprise CA (2008) for all domain joined computers and I am remotely connecting to these domain joined computers, should I having the Enterprise Root Certificate installed on my ..... I think I'm answering my own question... that might not be good; what about others logining in....

How about this: How can I access ALL the domain joined computers using a Cert. (some type of a common Cert) and still allow individuals to access a specific servers by issuing a Cert. for just that Server/Machine?

I'm still getting aquainted with rolling out a CA, in general.

Thanks

Cedric Briscoe

Treetop Publishing, Inc.

re: Problems using saved credentials with Vista RDP clients and above

Sergey Kuzin — Fri, 24 Aug 2007 21:12:19 GMT

As a general rule sertificate's subject name must match the name used to connect to this server. So, certificates on computers joined to a farm should have the farm name, while certificates for stand-alone TS servers should have computer name.

You can use a common certificate for a farm, but you need a separate cert for each stand-alone server.

re: Problems using saved credentials with Vista RDP clients and above

北京翻译公司 — Wed, 05 Sep 2007 07:02:36 GMT

Vista will be the biggest failure in Microsoft's history.

re: Problems using saved credentials with Vista RDP clients and above

Steph Jones — Wed, 21 Nov 2007 19:00:13 GMT

It would be nice if they could support existing customers and fix problems with 6.0 - such as the fact that many organisations rely heavily on the domain:s: parameter in RDP files because of being a multi-domain, multi-terminal server site with trusts.

Such issue was reported back in late 2006!

re: Problems using saved credentials with Vista RDP clients and above

Sergey Kuzin — Wed, 21 Nov 2007 22:58:43 GMT

Steph,

With 6.1 client you can use "username" parameter in RDP file for the same purpose. If you only need to specify domain name you can set it like this:

username:s:<your domain name>\

This will not work with 6.0 client, though.

With 6.0 client you can acheive the same result by modifying “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\UsernameHint” registry key.

Thanks,

Sergey.

re: Problems using saved credentials with Vista RDP clients and above

Shadow — Sun, 24 Feb 2008 20:02:31 GMT

Regarding with Scenario3: I think the issue is the SPN. It is impossible to registering the same SPN to multiple servers. However it is possible to registering the SPN to the user account too. So if the services are running under a Service Account, you can registering the SPN to this Service Account.

Is there anyway available to configure the Terminal Server service is running under the specified Service Account. Is it tested? Is it supported?

re: Problems using saved credentials with Vista RDP clients and above

Sergey Kuzin — Mon, 25 Feb 2008 21:38:35 GMT

Unfortunately, it is not possible today to configure TS to run under an account other than NETWORK SERVICE (or SYSTEM). Other services and drivers rely on TS to run under this account. We are working on solving this problem (Kerberos authentication in TS farm scenarios) in the next OS release.

Problems using default credentials with Vista RDP clients with Single Sign-on Enabled

Terminal Services Team Blog — Wed, 30 Apr 2008 23:57:47 GMT

With Single Sign-on enabled , the current user’s credentials, also known as “default credentials”, are

re: Problems using saved credentials with Vista RDP clients and above

Shan McArthur — Mon, 28 Jul 2008 20:17:26 GMT

There needs to be another scenario - connecting to a Windows 2008 server. It seems as though he default security settings in Windows 2008 do not allow a Vista client to connect with saved credentials. This is behavior that has changed from Windows 2003 Server, but it is not documented, nor is the solution commonly known. This blog would benefit from the additional information.

re: Problems using saved credentials with Vista RDP clients and above

Olga — Mon, 28 Jul 2008 20:32:57 GMT

Hi Shan,

Thanks for your feedback. The scenarios in the blog post above assumes that you are connecting to Windows 2008 Server. There could be several reasons why you are not able to connect with saved credentials - do you have SSL certs deployed on the WS08 or do both client and server have access to KDC to do Kerberos Authentication?

You should check what your GP for set credentials are set to under Computer Configuration -> Administrative Templates -> System -> Credentials Delegation. You can also refer to the similar post on default credentials for more information: http://blogs.msdn.com/ts/archive/2008/04/30/problems-using-default-credentials-with-vista-rdp-clients-with-single-sign-on-enabled.aspx

How to implement SSO with a SmartCard and use RDP

Nomade — Thu, 31 Jul 2008 21:48:22 GMT

We want to implement a SSO solution based on a Smardcard that contents the information for the authentification. But we want also allow RDP session to this Desktop from a SSL VPN solutions using a End Point that will not have the Smartcard drive. How to have the compatibility of the SSO infrastructure with the RDP Session through SSL VPN Session

re: Problems using saved credentials with Vista RDP clients and above

DeeperThinker — Mon, 04 Aug 2008 06:39:36 GMT

Are you using the remote computer name or the computer IP to connect using RDP? I have a Vista client that would connect with saved credentials to one TS but not another. The only difference was computer name vs. computer IP. I changed the problem RDP to the computer name and was able to connect with saved credentials.

re: How to implement SSO with a SmartCard and use RDP

Olga — Tue, 05 Aug 2008 20:28:56 GMT

Hi Nomade,

SSO is only supported with username and password (domain credentials). SSO it is not possible with smart cards unfortunately.

re: Problems using saved credentials with Vista RDP clients and above

Olga — Tue, 05 Aug 2008 20:37:50 GMT

Hi DeepThinker,

In the example above (and ususally), we use the FQDN of the server to connect (I would imagine it's also easier for the client to type in server name than an IP address). Although connection using IP address should work as well - do you think your DNS may be misconfigured (e.g. have multiple PTR records so reverse lookup is returning different host names?).