Windows Server 2008 Terminal Services: Single Sign On and Windows XP clients


Single Sign On for Windows XP Clients

Single Sign On (SSO) to Windows Server 2008 (W2K8) Terminal Services uses the Credential Security Support Provider (CredSSP).  CredSSP delegates the user's credentials to defined target servers and is native to Windows Vista.  Windows XP SP3 includes CredSSP, but it is not enabled by default.  Windows XP SP2 clients can still connect to W2K8 Terminal Services, but users are prompted for credentials when the first session is established.  Having to enter your username and password ruins the RemoteApp experience.  So what do you need to get your Windows XP client seamlessly connecting to a W2K8 Terminal Server?



  • Windows XP SP3

  • Remote Desktop Connection (RDC) 6.1 (Part of SP3)

KB951608 explains the CredSSP for Windows XP SP3 in detail.


Once you have SP3 installed you need to make the following changes:


Client side:



  • Enable CredSSP

  • Configure Single Sign On for credential delegation

  • Define target servers

Server side:



  • Modify RDP protocol settings

Enable CredSSP


The CredSSP settings have to be APPENDED to the existing values of the Security Packages and SecurityProviders registry entries, not written over them.  See KB951608.  Appending to existing keys could prove time consuming if you have a lot of clients.  Here is a script written in VBS that may make automating the task a little easier.


Disclaimer: Do not blindly run these scripts without testing first.  Make sure you take a backup of the registry!


Const HKEY_LOCAL_MACHINE = &H80000002

strComputer = "."

Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")

' --- Security Packages (REG_MULTI_SZ): append "tspkg" only if it is not already listed ---
strKeyPath = "SYSTEM\CurrentControlSet\Control\Lsa"
strValueName = "Security Packages"

oReg.GetMultiStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, arrSecurityPackages

intTSPKG = 0
For Each strValue In arrSecurityPackages
    If LCase(strValue) = "tspkg" Then intTSPKG = 1 ' Set a flag to say that the value already exists
Next

If intTSPKG <> 1 Then ' Value doesn't exist, so let's create it
    intNewArraySize = UBound(arrSecurityPackages) + 1
    ReDim Preserve arrSecurityPackages(intNewArraySize) ' Resize the array for the new value and keep existing values
    arrSecurityPackages(intNewArraySize) = "tspkg" ' Add the new value
    oReg.SetMultiStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, arrSecurityPackages
End If

' --- SecurityProviders (REG_SZ, comma separated): append "credssp.dll" only if it is not already present ---
strKeyPath = "SYSTEM\CurrentControlSet\Control\SecurityProviders"
strValueName = "SecurityProviders"

oReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue

intResult = InStr(1, strValue, "credssp.dll", vbTextCompare) ' Returns the position found in the string (case-insensitive)

If intResult = 0 Then ' Position of 0 means the string was not found
    strValue = strValue & ",credssp.dll"
    oReg.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue
End If


Configure Single Sign On and define target servers


The following registry changes allow CredSSP to delegate the user's default (logon) credentials.


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation]
"AllowDefaultCredentials"=dword:00000001
"ConcatenateDefaults_AllowDefault"=dword:00000001


The following registry changes define the target servers.


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials]
"1"="TERMSRV/*"


Rather than allowing every server, you can explicitly name your terminal servers, e.g.:



  • TERMSRV/myserver.mydomain.com : A specific server

  • TERMSRV/*.mydomain.com : All servers in mydomain.com

  • TERMSRV/* : All servers
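As an added example (not code from the original post), here is a small Python script that parses .reg fragments like the two above into a dictionary and then models which terminal servers a client carrying that policy would hand its default credentials to. The sample .reg text is constructed for this example: it uses a `TERMSRV/*.mydomain.com` entry plus one explicitly named server (`hr-ts01.mydomain.com` is a made-up name). The matching rules implement only the three TERMSRV/ forms listed above; treating them as the complete semantics of CredSSP policy evaluation is an assumption of this example, not something the post states.

```python
"""Parse CredentialsDelegation .reg fragments and model which terminal servers
a client would delegate its default credentials to.

Added example, not part of the original post. The SPN matching below is a
simplified model of the three TERMSRV/ forms listed in the post (exact host,
*.domain suffix, bare *); the real CredSSP policy engine is not reproduced.
"""
import re

# Constructed sample: the post's two fragments merged into one file, with the
# broad TERMSRV/* entry replaced by a domain-scoped entry and a made-up host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation]
"AllowDefaultCredentials"=dword:00000001
"ConcatenateDefaults_AllowDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials]
"1"="TERMSRV/*.mydomain.com"
"2"="TERMSRV/hr-ts01.mydomain.com"
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a REGEDIT5-style export.
    dword values become ints, string values str; other value types raise."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            raise ValueError("unsupported or misplaced line: %r" % raw)
        name, dword, string = m.groups()
        current[name] = int(dword, 16) if dword is not None else string
    return keys


DELEG_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation"


def delegation_targets(keys):
    """Return the allowed target SPNs in order, or [] if delegation is not enabled."""
    policy = keys.get(DELEG_KEY, {})
    if policy.get("AllowDefaultCredentials") != 1:
        return []
    targets = keys.get(DELEG_KEY + r"\AllowDefaultCredentials", {})
    # Entries are named "1", "2", ...; keep them in numeric order.
    return [targets[n] for n in sorted(targets, key=int)]


def spn_matches(pattern, spn):
    """Model of the post's three target forms. Case-insensitive; a single '*'
    is accepted only as the whole host or as a leading '*.' label (assumption)."""
    p_svc, _, p_host = pattern.lower().partition("/")
    s_svc, _, s_host = spn.lower().partition("/")
    if p_svc != s_svc or not s_host:
        return False
    if p_host == "*":                       # TERMSRV/* : all servers
        return True
    if p_host.startswith("*."):             # TERMSRV/*.mydomain.com : one domain
        suffix = p_host[1:]                 # ".mydomain.com"
        return s_host.endswith(suffix) and len(s_host) > len(suffix)
    if "*" in p_host:
        raise ValueError("wildcard only permitted as the host or leading label: %r" % pattern)
    return p_host == s_host                 # TERMSRV/myserver.mydomain.com : one server


def will_delegate(reg_text, server_fqdn):
    """Would a client with this policy send its default credentials to server_fqdn?"""
    spn = "TERMSRV/" + server_fqdn
    return any(spn_matches(t, spn) for t in delegation_targets(parse_reg(reg_text)))


if __name__ == "__main__":
    for host in ("ts01.mydomain.com", "hr-ts01.mydomain.com", "ts01.otherdomain.com"):
        print(host, will_delegate(SAMPLE_REG, host))
```

The point for whoever owns the client policy is that the AllowDefaultCredentials list is the blast radius of SSO: `TERMSRV/*` hands the user's logon credentials to any host they open an RDP session to, whereas a domain-suffix or explicit server list confines delegation to the terminal servers you actually run.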


RDP Protocol changes


You have to make some changes to the default RDP protocol settings on your server in order to allow Windows XP SP3 clients to connect.


Open Terminal Server Configuration snap-in and modify the RDP connection properties as follows:


[screenshot of the RDP connection properties omitted]


Note that the tick has been removed from "Allow connections only from computers running Remote Desktop with Network Level Authentication".  I have the Encryption level set to Client Compatible but there is no reason why you cannot use High.


[screenshot of the Log on Settings tab omitted]


Make sure that the "Use client-provided logon information" radio button is selected.


You should now be in a position to make use of the SSO functionality from your Windows XP clients.  However, there is a KB titled "When you enable SSO for a terminal server from a Windows XP SP3-based client computer, you are still prompted for user credentials when you log on to the terminal server" which comes with a patch.  During my testing I did not come across this problem ... but I figured it was worth noting.
