Solved

Remote Desktop Web Access

Posted on 2010-08-19
5
3,259 Views
Last Modified: 2013-11-21
Hi Everyone,

I am running Remote Desktop Services on Window Server 2008 using Web Acces and RemoteApp. Once the users sign on and get there Remote Applications, when they launch the programs they are then prompted to sign on again. Is there a way to disable this second logon?
0
Comment
Question by:DMayo
5 Comments
 
LVL 74

Accepted Solution

by:
Glen Knight earned 250 total points
ID: 33478332
Single Sign on is an option with Windows 2008 R2 which is detailed here: http://blogs.msdn.com/b/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx

This is not available in non-R2 Windows 2008
0
 
LVL 31

Assisted Solution

by:Cláudio Rodrigues
Cláudio Rodrigues earned 250 total points
ID: 33478625
Even on 2008 R2 note this does NOT work out of the box.
You must use policies to make sure the certificate thumbprints is set on all machines connection otherwise SSO will fail.
The requirements for that are:
- Windows XP Service Pack 3.
- .NET Framework 3.5 SP1. http://download.microsoft.com/download/2/0/e/20e90413-712f-438c-988efdaa79a8ac3d/dotnetfx35.exe
- Remote Desktop Connection 7.0 Client Update. http://support.microsoft.com/kb/969084
- Single Sign-on Hotfix for Windows XP SP3 clients. http://support.microsoft.com/kb/953760/en-us
- The registry files SSO.reg, Thumbprints.reg and CredSSP.reg. These are mandatory in order to guarantee the Single Sign-on (SSO) functionality.

Examples:
CredSSP.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
  00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
  6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,74,\
  00,73,00,70,00,6b,00,67,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, credssp.dll"

SSO.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation]
"AllowDefaultCredentials"=dword:00000001
"ConcatenateDefaults_AllowDefault"=dword:00000001
"AllowDefCredentialsWhenNTLMOnly"=dword:00000001
"ConcatenateDefaults_AllowDefNTLMOnly"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials]
"1"="TERMSRV/*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefCredentialsWhenNTLMOnly]
"1"="TERMSRV/*"

Thumbprints.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"TrustedCertThumbprints"="0c6533a40d901c15d1951ec25058acc632507123"

Cláudio Rodrigues
Microsoft MVP - Remote Desktop Services
Citrix CTP
0
 
LVL 1

Expert Comment

by:alireza1023
ID: 33478756
do you have domain
you should deploy SSO or Single Sign on
it's the ability in 2008 & 2008 R2

What is single sign-on for Terminal Services?
Single sign-on is an authentication method that allows a user with a domain account to log on once by using a password, and then gain access to remote servers without being asked for their credentials again.

Key scenarios for single sign-on
The key scenarios for single sign-on are:

Line-of-business (LOB) applications deployment


Centralized application deployment


Due to lower maintenance costs, many companies prefer to install their LOB applications on a terminal server and make these applications available through RemoteApps or Remote Desktop. Single sign-on makes it possible to give users a better experience by eliminating the need for users to enter credentials every time they initiate a remote session.

Prerequisites for deploying single sign-on
To implement single sign-on functionality in Terminal Services, ensure that you meet the following requirements:

You can only use single sign-on for remote connections from a Windows Vista®-based computer to a Windows Server® 2008-based terminal server. You can also use single sign-on for remote connections from a Windows Server 2008-based server to a Windows Server 2008-based server.


Make sure that the user accounts that are used for logging on have appropriate rights to log on to both the terminal server and the Windows Vista client.


Your client computer and terminal server must be joined to a domain.


You must use password-based authentication. Smart cards are not supported.


Recommended configuration of a terminal server when using single sign-on
To configure the recommended settings for your terminal server, complete the following steps:

Configure authentication on the terminal server.


Configure the Windows Vista-based computer to allow default credentials to be used for logging on to the specified terminal servers.


To configure authentication on the server
1.Open Terminal Services Configuration. To open Terminal Services Configuration, click Start, click Run, type tsconfig.msc and then click OK.

2.Under Connections, right-click RDP-Tcp, and then click Properties.

3.In the Properties dialog box, on the General tab, verify that the Security Layer value is either Negotiate or SSL (TLS 1.0), and then click OK.

To allow default credential usage for single sign-on
1.On the Windows Vista-based computer, open the Local Group Policy Editor. To open Local Group Policy Editor, click Start, and in the Start Search box, type gpedit.msc and then press ENTER.

2.In the left pane, expand the following: Computer Configuration, Administrative Templates, System, and then click Credentials Delegation.

3.Double-click Allow Delegating Default Credentials.

4.In the Properties dialog box, on the Setting tab, click Enabled, and then click Show.

5.In the Show Contents dialog box, click Add to add servers to the list.

6.In the Add Item dialog box, in the Enter the item to be added box, type the prefix termsrv/ followed by the name of the terminal server; for example, termsrv/Server1, and then click OK.


fore more info go to:
http://blogs.msdn.com/b/rds/archive/2009/08/11/introducing-web-single-sign-on-for-remoteapp-and-desktop-connections.aspx
http://blogs.msdn.com/b/rds/archive/2007/04/19/how-to-enable-single-sign-on-for-my-terminal-server-connections.aspx
0
 

Author Closing Comment

by:DMayo
ID: 33496668
Thank you very much.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Windows 2008 R2 File Share 8 51
Remote Desktop Session Host Configuration 2 74
RDS licensing 2008 to 2016 9 80
Smart Start CD for HP proliant ML110 G6 3 53
Issue: One Windows 2008 R2 64bit server on the network unable to connect to a buffalo Device (Linkstation) with firmware version 1.56. There are a total of four servers on the network this being one of them. Troubleshooting Steps: Connect via h…
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question