XP clients using RDC 7.0 & RD Gateway = no SSO

I summarized the requirements for getting SSO to work on XP clients in a previous blog post, but there is one thing many people miss regarding Single Sign-On (SSO) when Windows XP clients connect through an RD Gateway to an RD Session Host.
With Remote Desktop Client (RDC) 7.0, you are prompted twice: once at the gateway, and again at the target server.

This doesn’t occur with RDC 6.1 (built into SP3 for XP), but because of code changes in RDC 7.0, SSO only works from XP clients if they are domain joined and default credential delegation is enabled.

So XP clients that are not domain joined and use RDC 7.0 will not get SSO through RD Gateway.
Windows Vista and Windows 7 clients do not have this problem.

The KB article that describes the RDC 7.0 package and provides the download links does state this as a known issue:
Description of the Remote Desktop Connection 7.0 client update for Remote Desktop Services (RDS) for Windows XP SP3, Windows Vista SP1, and Windows Vista SP2

Known issues affecting Windows XP package

The Single Sign-On (SSO) between RD Gateway and the RD Session host will not work. If you need SSO across TS roles, use workspaces SSO. This requires Windows Server 2008 R2 running RD Web Access. Additionally, you can use default credentials for SSO. To learn more about how to use default credentials on terminal services, visit the following Microsoft Web site: https://technet.microsoft.com/en-us/library/cc772108(WS.10).aspx

So if you find yourself trying to tackle multiple authentication prompts when connecting with Remote Desktop Client on XP machines, through an RD Gateway or to a farm controlled by an RD Connection Broker, the first thing to check is whether the problem affects Vista and 7 clients using the same version of Remote Desktop Client.

If so, you have a server-side configuration setting to check.
If not, then you might have hit a limitation of legacy Windows.
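
The client-side half of that check can be scripted. The following is an added example, not part of the original post or of any Microsoft tooling: it reports the three conditions named above (RDC version, domain membership, default credential delegation) on the machine it runs on. It assumes PowerShell 2.0 or later, that RDC 7.0 is identified by an mstsc.exe file version of 6.1.x (RDC 6.1 being 6.0.x), and that delegation is configured through the standard Credentials Delegation policy key.

```powershell
# Added example: client-side triage for the double prompt through RD Gateway.
$mstsc = (Get-Item "$env:SystemRoot\system32\mstsc.exe").VersionInfo
$os    = Get-WmiObject Win32_OperatingSystem
$cs    = Get-WmiObject Win32_ComputerSystem

# Assumption: mstsc.exe 6.1.x = RDC 7.0, 6.0.x = RDC 6.x; OS version 5.1 = XP.
$isRdc7 = ($mstsc.FileMajorPart -eq 6 -and $mstsc.FileMinorPart -ge 1)
$isXp   = ($os.Version -like '5.1.*')
$joined = [bool]$cs.PartOfDomain

# "Allow Delegating Default Credentials" policy and its server (SPN) list.
$polKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$enabled = $false
$spns    = @()
if (Test-Path $polKey) {
    $pol     = Get-ItemProperty $polKey
    $enabled = ($pol.AllowDefaultCredentials -eq 1)
    $listKey = Join-Path $polKey 'AllowDefaultCredentials'
    if (Test-Path $listKey) {
        $k    = Get-Item $listKey
        $spns = @($k.GetValueNames() | ForEach-Object { $k.GetValue($_) })
    }
}

"OS version            : $($os.Version)"
"mstsc.exe version     : $($mstsc.FileVersion)"
"Domain joined         : $joined"
"Default cred. deleg.  : $enabled"
"Delegation SPN list   : $($spns -join ', ')"

# A wildcard entry delegates the logged-on credentials to every RDP host.
if ($spns -contains 'TERMSRV/*') {
    "Note: TERMSRV/* is a wildcard; list specific servers where possible."
}

if ($isXp -and $isRdc7) {
    if ($joined -and $enabled -and $spns.Count -gt 0) {
        "XP + RDC 7.0: client prerequisites for SSO are present."
    } else {
        "XP + RDC 7.0 without domain join or default credential delegation: expect two prompts."
    }
} else {
    "Not the XP + RDC 7.0 case: if prompted twice, check server-side configuration."
}
```

Run it on an affected XP client and on a Vista or Windows 7 client for comparison; the script only reads local state and changes nothing.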