Windows Server 2008 Terminal Services: Single Sign On and Windows XP clients

  • Article

image

Single Sign On for Windows XP Clients
image

Single Sign On (SSO) to Windows Server 2008 (W2K8) Terminal Services uses the Credential Security Service Provider (CredSSP).  CredSSP delegates credentials to defined target servers and is native to Windows Vista.  Windows XP SP3 includes CredSSP but it is not enabled by default.  Windows XP SP2 clients can still connect to W2K8 Terminal Services but users will be prompted for credentials upon establishing the first session.  Having to enter your username and password ruins the RemoteAPP experience.  So what do you need to get your Windows XP client seamlessly connecting to a W2K8 Terminal Server?

  • Windows XP SP3
  • Remote Desktop Connection (RDC) 6.1 (Part of SP3)

KB951608 explains the CredSSP for Windows XP SP3 in detail.

Once you have SP3 installed you need to make the following changes:

Client side:

  • Enable CredSSP
  • Configure Single Sign On for credential delegation
  • Define target servers

Server side:

  • Modify RDP protocol settings

Enable CredSSP

The CredSSP settings have to be APPENDED to the existing parameters.  See KB951608.  Appending to existing keys could prove time consuming if you have a lot of clients.  Here is a script written in VBS that may make automating the task a little easier.

Disclaimer: Do not blindly run these scripts without testing first. Make sure you take a backup of the registry!

Const HKEY_LOCAL_MACHINE = &H80000002

 

strComputer = "."

Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")

strKeyPath = "SYSTEM\CurrentControlSet\Control\Lsa"

strValueName = "Security Packages"

oReg.GetMultiStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,arrSecurityPackages

For Each strValue In arrSecurityPackages

if lcase(strValue) = "tspkg" then intTSPKG = 1 ‘ Set a flag to say that value already exists

Next

if intTSPKG <> 1 then ‘Value doesn’t exist so lets create it

intNewArraySize = Ubound(arrSecurityPackages) + 1

reDim Preserve arrSecurityPackages(intNewArraySize) ‘Resize the array for new value and keep existing values

arrSecurityPackages(intNewArraySize) = "tspkg" ‘ Add the new value

oReg.SetMultiStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,arrSecurityPackages

End if

strKeyPath = "SYSTEM\CurrentControlSet\Control\SecurityProviders"

strValueName = "SecurityProviders"

oReg.GetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue

intResult = InStr(strValue, "credssp.dll") ‘Will return position found in string

if intResult = 0 then ‘Position of 0 means string not found

strValue=strValue & ",credssp.dll"

oReg.SetStringValue HKEY_LOCAL_MACHINE,strKeyPath,strValueName,strValue

End if

 

Configure Single Sign On and define target servers

The following registry changes enable CredSSP for the default credentials.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation]

"AllowDefaultCredentials"=dword:00000001

"ConcatenateDefaults_AllowDefault"=dword:00000001

The following registry changes define the target servers.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials]
"1"="TERMSRV/*"

You can explicitly name your terminal servers e.g. :

  • TERMSRV/myserver.mydomain.com : A specific server
  • TERMSRV/*.mydomain.com : All servers in mydomain.com
  • TERMSRV/* : All servers

RDP Protocol changes

You have to make some changes to the default RDP protocol settings on your server in order to allow Windows XP SP3 clients connect.

Open Terminal Server Configuration snap-in and modify the RDP connection properties as follows:

image

Note that the tick has been removed from the "Allow connections only from computers running Remote Desktop with Network Level Authentication".  I have the Encryption level set of Client Compatible but there is no reason why you cannot use High.

image

Make sure that the Use client-provided log on information radial button is selected.

You should now be in a position to make use of the SSO functionality from your Windows XP clients.  However, there is a KB titled When you enable SSO for a terminal server from a Windows XP SP3-based client computer, you are still prompted for user credentials when you log on to the terminal server which comes with a patch.  During my testing I did not come across this problem ... but I figured it was worth noting.