2011-06-10

Enabling Remote Desktop Connection client Single Sign On (SSO) for Remote Desktop Services

You probably came here for one of the following reasons:

a) having to log in twice when connecting to a terminal server in an RD Connection Broker farm
b) having to enter credentials for every RemoteApp even though you are already logged on with the same credentials

To avoid these (repeated) double logins you need to enable Single Sign On. That requires changes on both sides: the server and the client.

1. Server

Connect to the Remote Desktop Session Host (RDSH) server
Start Server Manager
Expand Roles->Remote Desktop Services and select RD Session Host Configuration
In the right pane, under Connections, right-click the RDP-Tcp connection name and choose Properties
On the Log on Settings tab make sure "Always prompt for password" is unchecked.
On the General tab set the security layer to Negotiate or SSL (TLS 1.0)
Click OK.
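As an added example (not part of the original post), the following PowerShell audits the two server-side settings from the steps above and applies them if needed. It assumes that RD Session Host Configuration stores "Always prompt for password" as the DWORD fPromptForPassword and the security layer as the DWORD SecurityLayer under the RDP-Tcp listener key; the function names are mine.

```powershell
# Added example, not from the original post. Audits/applies the server-side SSO
# prerequisites on an RD Session Host. Assumption: RD Session Host Configuration
# stores "Always prompt for password" as the DWORD fPromptForPassword and the
# security layer as the DWORD SecurityLayer under the RDP-Tcp listener key.
# Run in an elevated PowerShell on the RDSH.

$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# SecurityLayer values as shown on the General tab; SSO needs Negotiate or SSL.
$layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }

function Test-RdshSsoServerConfig {
    param([string]$Path = $rdpTcp)

    $props  = Get-ItemProperty -Path $Path
    $prompt = [int]$props.fPromptForPassword   # 1 = "Always prompt for password" checked
    $layer  = [int]$props.SecurityLayer

    New-Object PSObject -Property @{
        AlwaysPromptForPassword = ($prompt -eq 1)
        SecurityLayer           = $layerNames[$layer]
        SsoPossible             = ($prompt -eq 0 -and $layer -ge 1)
    }
}

function Set-RdshSsoServerConfig {
    # Applies only the two changes the post makes: clear "Always prompt for
    # password" and select Negotiate (1) or SSL (2). New sessions pick it up;
    # sessions already open are not affected.
    param([string]$Path = $rdpTcp, [int]$SecurityLayer = 1)

    if ($SecurityLayer -lt 1 -or $SecurityLayer -gt 2) {
        throw 'SecurityLayer must be 1 (Negotiate) or 2 (SSL); 0 (RDP) cannot do SSO'
    }
    Set-ItemProperty -Path $Path -Name fPromptForPassword -Value 0 -Type DWord
    Set-ItemProperty -Path $Path -Name SecurityLayer -Value $SecurityLayer -Type DWord
}

$before = Test-RdshSsoServerConfig
if (-not $before.SsoPossible) { Set-RdshSsoServerConfig -SecurityLayer 1 }
Test-RdshSsoServerConfig | Format-List
```

Run the audit first on every RDSH in the farm; a single host left on the RDP security layer or with the prompt enabled will still produce the double login for sessions the broker sends there.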

2. Client

2.1 Windows Vista / Windows 7

Start Group Policy Editor (run: gpedit.msc)
Expand Computer Configuration->Administrative Templates->System->Credentials Delegation
Enable the following two settings: Allow Delegating Default Credentials and Allow Delegating Default Credentials with NTLM-only Server Authentication
Add the entry TERMSRV/server_name to the server list of each setting

server_name is the name of the RDSH server; one wildcard is allowed, for example TERMSRV/myserver, TERMSRV/*.domain.com or TERMSRV/*

Run "gpupdate /force" on the client; you should now be able to connect to the RDSH server without supplying credentials. If you have saved credentials in your Remote Desktop Connection client, delete them; you should then see the message "Your Windows logon credentials will be used to connect.", which indicates that SSO is on.

2.2 Windows XP SP3

It is trickier on Windows XP because it has no Group Policy setting for SSO, so you need to make some registry changes.
Fortunately there is a Microsoft Fix It tool that does it for you - http://go.microsoft.com/?linkid=9758284

If you prefer to do it yourself read below:

Enable CredSSP

Under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, edit the REG_MULTI_SZ value named Security Packages and add tspkg to the list.

Under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders, edit the REG_SZ value named SecurityProviders and append ", credssp.dll" to the end (without the quotation marks).

You will also need to create the following registry entries:

Path: HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation
  Name: ConcatenateDefaults_AllowDefault        Type: REG_DWORD   Data: 1
  Name: AllowDefaultCredentials                 Type: REG_DWORD   Data: 1
  Name: AllowDefCredentialsWhenNTLMOnly         Type: REG_DWORD   Data: 1
  Name: ConcatenateDefaults_AllowDefNTLMOnly    Type: REG_DWORD   Data: 1

Path: HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials
  Name: 1    Type: REG_SZ   Data: TERMSRV/*

Path: HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefCredentialsWhenNTLMOnly
  Name: 1    Type: REG_SZ   Data: TERMSRV/*

Note:
Adjust TERMSRV/* to your needs; if you need to specify more servers, create additional entries named "2", "3" and so on.
You might need to restart the Windows XP machine for the registry changes to take effect.
Even after all these changes you might still need a hotfix for Windows XP - http://support.microsoft.com/kb/953760
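The following PowerShell is an added example, not part of the original post, that covers both client sections at once: on Vista/7 the two Group Policy settings from 2.1 write exactly the CredentialsDelegation values listed in 2.2, so the same registry script enables SSO on either, and the extra function registers CredSSP on XP SP3. The function names, the SPN validation, the XP version check and the sample server list are my assumptions; the registry paths and value names are the ones from the post.

```powershell
# Added example, not from the original post. Configures client-side credential
# delegation for RDP SSO (sections 2.1 and 2.2) and, on Windows XP SP3, registers
# CredSSP. Assumptions: run elevated; function names, the TERMSRV/ validation and
# the example server list are mine. Registry paths/values are from the post.

$delegation = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Set-RdpSsoDelegation {
    param(
        # Scope the list: TERMSRV/* hands your logon credentials to every host you
        # RDP into, so prefer explicit names or a single domain wildcard.
        [string[]]$ServerSpn = @('TERMSRV/*.domain.com'),
        # The NTLM-only variant lets delegation happen without Kerberos mutual
        # authentication of the server; enable it only where Kerberos is unavailable.
        [switch]$AllowNtlmOnly
    )

    foreach ($spn in $ServerSpn) {
        if ($spn -notmatch '^TERMSRV/[^/]+$') { throw "Not a TERMSRV SPN: $spn" }
    }

    $settings = @('AllowDefaultCredentials')
    if ($AllowNtlmOnly) { $settings += 'AllowDefCredentialsWhenNTLMOnly' }
    # ConcatenateDefaults_* makes the policy list merge with the local defaults,
    # matching the four REG_DWORD values in the post's table.
    $concat = @{
        AllowDefaultCredentials         = 'ConcatenateDefaults_AllowDefault'
        AllowDefCredentialsWhenNTLMOnly = 'ConcatenateDefaults_AllowDefNTLMOnly'
    }

    if (-not (Test-Path $delegation)) { New-Item -Path $delegation -Force | Out-Null }
    foreach ($name in $settings) {
        Set-ItemProperty -Path $delegation -Name $name -Value 1 -Type DWord
        Set-ItemProperty -Path $delegation -Name $concat[$name] -Value 1 -Type DWord

        # The server list is a subkey whose REG_SZ values are named "1", "2", ...
        $listKey = Join-Path $delegation $name
        if (Test-Path $listKey) { Remove-Item -Path $listKey -Recurse }
        New-Item -Path $listKey -Force | Out-Null
        $i = 1
        foreach ($spn in $ServerSpn) {
            Set-ItemProperty -Path $listKey -Name ([string]$i) -Value $spn -Type String
            $i++
        }
    }
}

function Enable-XpCredSsp {
    # Windows XP SP3 only: add the tspkg security package and the credssp.dll
    # provider (section 2.2). Vista and later already ship with both.
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $packages = @((Get-ItemProperty -Path $lsa).'Security Packages')
    if ($packages -notcontains 'tspkg') {
        Set-ItemProperty -Path $lsa -Name 'Security Packages' -Value ($packages + 'tspkg') -Type MultiString
    }
    $sp        = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'
    $providers = (Get-ItemProperty -Path $sp).SecurityProviders
    if ($providers -notmatch 'credssp\.dll') {
        Set-ItemProperty -Path $sp -Name SecurityProviders -Value "$providers, credssp.dll" -Type String
    }
}

# Example server list (constructed); replace with your RDSH names or domain wildcard.
Set-RdpSsoDelegation -ServerSpn 'TERMSRV/myserver', 'TERMSRV/*.domain.com'
# XP reports major version 5; Vista/7 report 6 and do not need the CredSSP step.
if ([Environment]::OSVersion.Version.Major -lt 6) { Enable-XpCredSsp }
```

On a domain-joined client, Group Policy rewrites these policy keys at the next refresh, so use the GPO settings from 2.1 (or a domain GPO) there and keep this script for stand-alone or XP clients. After running it, remove any saved credentials in the Remote Desktop Connection client as described in 2.1 and check for the "Your Windows logon credentials will be used to connect." message; on XP the restart and hotfix notes above still apply.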

Links:
Paul Adams' blog post - http://blogs.technet.com/b/mrsnrub/archive/2010/12/16/xp-clients-credssp-sso-connection-broker-and-other-animals.aspx
Technet article - http://technet.microsoft.com/en-us/library/cc742808.aspx
Microsoft KB article - http://support.microsoft.com/kb/951608/

3 comments:

  1. Anonymous, 28.3.12

    Hi, thanks for your explanation; however, is there a way to do this without modifying the client? In my case the clients can also be customer systems or internal systems to which I don't have access. They are not in the same domain.

    Thanks

  2. Anonymous, 10.7.13

    Thanks!

  3. Anonymous, 23.7.13

    Perfect, thanks :D
