View RSS Feed


Using SSO (Single Sign On) with Remote Desktop for Thin Clients

Rate this Entry
by , 4th April 2012 at 12:41 AM (30811 Views)
Those who follow my blogs will remember that last Summer, I set about building a single platform system - based around Windows 7/Server 2008 R2. This post deals with the final part of the jigsaw relating to the Thin Client section - powered by Windows Thin PC (aka Windows 7 lite... it runs NT6.1)

This post follows

So – if you are using Terminal Server, or to give it its new name – Remote Desktop Services (RDS) – you will want to know about Single Sign-On (SSO). This is an authentication method that allows users with a domain account to log on once – so take the scenario where your users logon to a Thin Client as themselves, but you then want it to automatically trigger an RDS session. To implement single sign-on functionality in Terminal Services, ensure that you meet (and for production systems – exceed) the minimum requirements.

The basic requirements needed to implement SSO are:
  • You can only use single sign-on for remote connections from a computer running Windows Vista (or later) or Windows Server 2008 (or later) to a Windows Server 2008 (or later)Terminal Server.
    You must ensure that the user accounts that are used for logging on to the Terminal Server have appropriate rights to log on to both the Terminal Server and the Windows Vista/2008 (or later) client computer (ie. Add them to the Remote Desktop Users group via Group Policy or manually via Local Policy)
    Your client computer and Terminal Server must be joined to a domain.

Understanding what the basic requirements are, more specific requirements for setting up SSO, is as follows:
  • Windows Server 2008 (or later) Terminal Server with TS/RDS Server Role and TS/RDS Licensing Server Role enabled
    Windows Server 2008 (or later) Domain Controller (Active Directory)
    Proper Hardware Requirements

Although you can make a DC a Terminal Server, it is recommended that you split the roles and use separate servers based on the load that is expected. Obviously, whenever implementing a production system, you will want to make sure that you know what your application/traffic flows are and what load your users and the application puts on your network as well as the individual servers connected to it.
  • Windows Vista (or Windows Server 2008 used as a client system)
    Remote Desktop Client (RDC) with Network Level Authentication (NLA) Support. NLA support is only available with RDC 6.0 and with Vista or 2008 (or later).
    Proper Hardware Requirements (exceed as needed)

To configure the recommended settings for your Terminal Server, complete the following steps:
  • Configure authentication on the Terminal Server, this can be done with AD, or locally on the server you want access to.
    Configure the computer running Windows Vista to allow default credentials to be used for logging on to the specified Terminal Server(s) on your network.
    You need administrative privileges on the Terminal Server you are configuring.

Now that you know what you need, let us begin configuring SSO with Terminal Services.

Configure Authentication on a Terminal Server
First, verify you have a working Terminal Server. Check the Server Manager for the roles being installed and operational. Remember, you will need to have (at minimum), the Terminal Services Role and the Licensing Server Role installed and ready to configure SSO.
Next, we will configure Single Sign-On (SSO) on the Terminal Server by opening Terminal Services Configuration. Go to Start => Administrative Tools => Terminal Services, and then click Terminal Services Configuration.
Once you open the Terminal Services Configuration console, find the Connections pane. You should, at minimum, have the default connection in place which should be RDP-Tcp. To configure this (or any other connection) right-click the appropriate connection and then click Properties.
Once you open the Properties dialog box, on the General tab 4, you can verify that the Security Layer value is set to either Negotiate or SSL (TLS 1.0). Negotiation will allow the system to ‘negotiate’ with a client what type of Security Layer is needed.
On the Log on Settings tab, ensure that the Always prompt for password check box is not selected or checked, and then click OK to close the RDP-Tcp Properties dialog box.
Now, you have configured authentication, next we will configure the default credential usage to be used with SSO.

Allow Default Credential Usage for Single Sign-On (SSO)
Now that we have authentication configured, we need to finish the process. To do this, you need to go to the client system (Vista, or 2008) and configure the Local Group Policy Editor. On your client computer open the Local Group Policy Editor. To open Local Group Policy Editor, go to Start, and in the Start Search box, type gpedit.msc and then press ENTER. In the Editor, look in the left pane and expand Computer Configuration => Administrative Templates => System => and then click Credentials Delegation. Double-click the Delegating Default Credentials setting to open it.
Next, in the Properties dialog box on the Setting tab, select Enabled, and then select Show. In the Show Contents dialog box, click Add to add servers to the list. In the Add Item dialog box, type the prefix termsrv/ followed by the name of the Terminal Server you will be connecting too. Once you have added the server name, click OK to close the Add Item dialog box. Click OK a few times until you are back in the Local Group Policy Editor and close the MMC.
Now you should be all ready to use SSO with Windows Server 2008 and 2008 Terminal Services.



Total Trackbacks 0
Trackback URL: