+ Post New Thread
Results 1 to 10 of 10
Thin Client and Virtual Machines Thread, Client Auto Login with Remote Desktop Services? in Technical; Thanks in advace for any suggestions on a recommended way to solve this problem. I have a Remote Desktop Services ...
  1. #1
    jmair's Avatar
    Join Date
    Aug 2007
    Posts
    284
    Thank Post
    63
    Thanked 9 Times in 9 Posts
    Rep Power
    16

    Client Auto Login with Remote Desktop Services?

    Thanks in advace for any suggestions on a recommended way to solve this problem.

    I have a Remote Desktop Services server running. It is configured and works great when logging in with remote desktop connection. I now want to setup a student machine in one of the thick-client labs. I would like to configure the XP machine to be 100% passive, so the student has no idea they are using RDC. What would you recommend I use to solve this?


    Thanks again.

  2. #2

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    16,249
    Thank Post
    898
    Thanked 1,785 Times in 1,537 Posts
    Blog Entries
    12
    Rep Power
    463
    I have recently done this, there is a group policy for it. I will send you the stuff when i get home. I cant remember where it is on top of my head. If i dont get back to you please PM me.

  3. #3
    TheScarfedOne's Avatar
    Join Date
    Apr 2007
    Location
    Plymouth, Devon
    Posts
    1,163
    Thank Post
    716
    Thanked 172 Times in 156 Posts
    Blog Entries
    78
    Rep Power
    86
    Likewise...done it here with Windows Thin PC. Will also go hunting for the setting - and that reminds me to go and update/add blog posts on the changes made to this from my original setup.

    See my blog for some background..

  4. #4

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    16,249
    Thank Post
    898
    Thanked 1,785 Times in 1,537 Posts
    Blog Entries
    12
    Rep Power
    463
    Quote Originally Posted by TheScarfedOne View Post
    Likewise...done it here with Windows Thin PC. Will also go hunting for the setting - and that reminds me to go and update/add blog posts on the changes made to this from my original setup.

    See my blog for some background..
    Sounds like you have a setup like the one i am trying to get sorted. The user logs into Thin PC and they are then connected through to an RDS session. I am currently stumped on the security prompt coming from MSTSC.

  5. #5

    Join Date
    Oct 2005
    Posts
    62
    Thank Post
    7
    Thanked 20 Times in 17 Posts
    Rep Power
    22
    What you want to do is possible but a bit fiddly to set up.

    Some prerequisites:


    • Windows XP SP3
    • Remote Desktop Client 6.1


    To start with, you need to enable CredSSP support. This is done in the registry as follows. Note that this only works on XP SP3! Make the following registry changes:

    HKLM\SYSTEM\CurrentControlSet\Control\Lsa

    Security Packages – APPEND tspkg

    HKLM\System\CurrentControlSet\Control\SecurityProv iders

    Security Providers – APPEND , credssp.dll (the comma is important)

    To veryify that this is working, open the remote desktop client mstsc.exe. Right-click in the title bar and choose About. It should say Network Level Authentication supported and Remote Desktop Protocol 6.1 supported.

    The next step is to enable delegation of credentials. This allows you to specify the RDS servers to which the client will delegate credentials. This can be done through group policy or alternatively, it can be done in the registry. You can find out more about credentials delegation here - Description of the Credential Security Support Provider (CredSSP) in Windows XP Service Pack 3

    The group policy setting will work on XP SP3 clients but to edit it you will need to use the group policy management console on either Vista/7/2008

    Method 1 – Group Policy

    Computer Configuration | Administrative Templates | System | Credentials Delegation

    Allow Delegating Default Credentials – Enabled

    Add your RDS servers to the list like this:

    TERMSRV/my-rds-server-01
    TERMSRV/my-rds-server-02
    TERMSRV/my-rds-server-03
    etc...

    If you have more than one RDS server, you will need to add them all into the list above. Alternatively, you can use wildcards, so you can do something like *.mydomain.internal or to allow delegation to ANY RDS server in any domain, just use TERMSRV/*

    Concatenate OS defaults with list above – ticked

    If your RDS servers require NTLM authentication, you will need to enable Allow delegating default credentials with NTLM-only server authentication and configure it as above

    Method 2 – Registry

    The group policy settings above correspond to the following registry entries:

    Path: HKLM\SOFTWARE\Policies\Microsoft\Windows\Credentia lsDelegation
    Name: ConcatenateDefaults_AllowDefault
    Type: REG_DWORD
    Data: 1

    Name: AllowDefaultCredentials
    Type: REG_DWORD
    Data: 1

    Path: HKLM\SOFTWARE\Policies\Microsoft\Windows\Credentia lsDelegation\AllowDefaultCredentials
    Name: 1
    Type: REG_SZ
    Data: TERMSRV/my-rds-server-01

    This contains the list of your rds servers. If you have more than one you need to add them all or just use TERMSRV/*

    If your RDS servers require NTLM authentication, you will need to make the following registry settings as well:

    Path: HKLM\SOFTWARE\Policies\Microsoft\Windows\Credentia lsDelegation\AllowDefCredentialsWhenNTLMOnly
    Name: 1
    Type: REG_SZ
    Data: TERMSRV/my-rds-srver-01

    Again, this contains the list of your rds servers. If you have more than one you need to add them all or just use TERMSRV/*

    There’s some more information here which might be helpful

  6. Thanks to PeterH from:

    jmair (1st December 2011)

  7. #6

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    16,249
    Thank Post
    898
    Thanked 1,785 Times in 1,537 Posts
    Blog Entries
    12
    Rep Power
    463

  8. Thanks to FN-GM from:

    jmair (1st December 2011)

  9. #7
    teky's Avatar
    Join Date
    Apr 2008
    Location
    South west
    Posts
    84
    Thank Post
    8
    Thanked 9 Times in 9 Posts
    Rep Power
    15
    Quote Originally Posted by FN-GM View Post
    Sounds like you have a setup like the one i am trying to get sorted. The user logs into Thin PC and they are then connected through to an RDS session. I am currently stumped on the security prompt coming from MSTSC.
    Is the security prompt saying that it does not know the RDS server? If it is then you will need to digitally sign the RDP file with the cert from the RDS server, then there is another GPO setting where you put the hash of the cert into the Thin PC's trust connection list so that it connects automatically without the "Are you sure?" prompt

  10. #8

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    16,249
    Thank Post
    898
    Thanked 1,785 Times in 1,537 Posts
    Blog Entries
    12
    Rep Power
    463
    Quote Originally Posted by teky View Post
    Is the security prompt saying that it does not know the RDS server? If it is then you will need to digitally sign the RDP file with the cert from the RDS server, then there is another GPO setting where you put the hash of the cert into the Thin PC's trust connection list so that it connects automatically without the "Are you sure?" prompt
    Dont have any guides for this do you please?

  11. #9
    teky's Avatar
    Join Date
    Apr 2008
    Location
    South west
    Posts
    84
    Thank Post
    8
    Thanked 9 Times in 9 Posts
    Rep Power
    15
    Quote Originally Posted by FN-GM View Post
    Dont have any guides for this do you please?
    It's best if you have an internal certificate authority server setup else you will need to add the certificate to each thin client's certificate store.

    Here is how to sign the RDP file, you will find the hash thumbprint needed in the certificates properties: Rdpsign
    And here is the group policy location for forcing the clients to trust the connection: How do I remove the security warning on Remote App

    TheScarfedOne should have this along with other info in his blog when he updates it
    Last edited by teky; 1st December 2011 at 01:46 PM.

  12. #10
    jmair's Avatar
    Join Date
    Aug 2007
    Posts
    284
    Thank Post
    63
    Thanked 9 Times in 9 Posts
    Rep Power
    16
    Quote Originally Posted by FN-GM View Post
    Thanks a ton. I'll give this a shot!
    Thanks again!



SHARE:
+ Post New Thread

Similar Threads

  1. ThinStation 2.11 with Windows 2008 Remote Desktop Services
    By benIT in forum Thin Client and Virtual Machines
    Replies: 1
    Last Post: 12th January 2011, 12:50 PM
  2. Remote Desktop Services - SSO Problems
    By ginge in forum Thin Client and Virtual Machines
    Replies: 0
    Last Post: 27th May 2010, 10:44 AM
  3. Remote Desktop Services - Mandatory Profiles
    By mmoseley in forum Windows Server 2008 R2
    Replies: 4
    Last Post: 15th March 2010, 09:31 AM
  4. [Windows Software] Server 2008 R2 Remote Desktop Services
    By HMCTech in forum Licensing Questions
    Replies: 1
    Last Post: 4th November 2009, 11:49 AM
  5. Auto Login with a windows account
    By timbo343 in forum Windows
    Replies: 10
    Last Post: 7th November 2007, 04:44 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •