Thanks in advace for any suggestions on a recommended way to solve this problem.
I have a Remote Desktop Services server running. It is configured and works great when logging in with remote desktop connection. I now want to setup a student machine in one of the thick-client labs. I would like to configure the XP machine to be 100% passive, so the student has no idea they are using RDC. What would you recommend I use to solve this?
Thanks again.
I have recently done this, there is a group policy for it. I will send you the stuff when i get home. I cant remember where it is on top of my head. If i dont get back to you please PM me.
Likewise...done it here with Windows Thin PC. Will also go hunting for the setting - and that reminds me to go and update/add blog posts on the changes made to this from my original setup.
See my blog for some background..
Sounds like you have a setup like the one i am trying to get sorted. The user logs into Thin PC and they are then connected through to an RDS session. I am currently stumped on the security prompt coming from MSTSC.Originally Posted by TheScarfedOne
What you want to do is possible but a bit fiddly to set up.
Some prerequisites:
- Windows XP SP3
- Remote Desktop Client 6.1
To start with, you need to enable CredSSP support. This is done in the registry as follows. Note that this only works on XP SP3! Make the following registry changes:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Security Packages APPEND tspkg
HKLM\System\CurrentControlSet\Control\SecurityProv iders
Security Providers APPEND , credssp.dll (the comma is important)
To veryify that this is working, open the remote desktop client mstsc.exe. Right-click in the title bar and choose About. It should say Network Level Authentication supported and Remote Desktop Protocol 6.1 supported.
The next step is to enable delegation of credentials. This allows you to specify the RDS servers to which the client will delegate credentials. This can be done through group policy or alternatively, it can be done in the registry. You can find out more about credentials delegation here - Description of the Credential Security Support Provider (CredSSP) in Windows XP Service Pack 3
The group policy setting will work on XP SP3 clients but to edit it you will need to use the group policy management console on either Vista/7/2008
Method 1 Group Policy
Computer Configuration | Administrative Templates | System | Credentials Delegation
Allow Delegating Default Credentials Enabled
Add your RDS servers to the list like this:
TERMSRV/my-rds-server-01
TERMSRV/my-rds-server-02
TERMSRV/my-rds-server-03
etc...
If you have more than one RDS server, you will need to add them all into the list above. Alternatively, you can use wildcards, so you can do something like *.mydomain.internal or to allow delegation to ANY RDS server in any domain, just use TERMSRV/*
Concatenate OS defaults with list above ticked
If your RDS servers require NTLM authentication, you will need to enable Allow delegating default credentials with NTLM-only server authentication and configure it as above
Method 2 Registry
The group policy settings above correspond to the following registry entries:
Path: HKLM\SOFTWARE\Policies\Microsoft\Windows\Credentia lsDelegation
Name: ConcatenateDefaults_AllowDefault
Type: REG_DWORD
Data: 1
Name: AllowDefaultCredentials
Type: REG_DWORD
Data: 1
Path: HKLM\SOFTWARE\Policies\Microsoft\Windows\Credentia lsDelegation\AllowDefaultCredentials
Name: 1
Type: REG_SZ
Data: TERMSRV/my-rds-server-01
This contains the list of your rds servers. If you have more than one you need to add them all or just use TERMSRV/*
If your RDS servers require NTLM authentication, you will need to make the following registry settings as well:
Path: HKLM\SOFTWARE\Policies\Microsoft\Windows\Credentia lsDelegation\AllowDefCredentialsWhenNTLMOnly
Name: 1
Type: REG_SZ
Data: TERMSRV/my-rds-srver-01
Again, this contains the list of your rds servers. If you have more than one you need to add them all or just use TERMSRV/*
Theres some more information here which might be helpful
jmair (1st December 2011)
This will do it. Nice quick and easy. No need to edit any registry settings.
How to enable Single Sign-On for my Terminal Server connections - Remote Desktop Services (Terminal Services) Team Blog - Site Home - MSDN Blogs
jmair (1st December 2011)
Is the security prompt saying that it does not know the RDS server? If it is then you will need to digitally sign the RDP file with the cert from the RDS server, then there is another GPO setting where you put the hash of the cert into the Thin PC's trust connection list so that it connects automatically without the "Are you sure?" prompt
Dont have any guides for this do you please?
It's best if you have an internal certificate authority server setup else you will need to add the certificate to each thin client's certificate store.
Here is how to sign the RDP file, you will find the hash thumbprint needed in the certificates properties: Rdpsign
And here is the group policy location for forcing the clients to trust the connection: How do I remove the security warning on Remote App
TheScarfedOne should have this along with other info in his blog when he updates it
Last edited by teky; 1st December 2011 at 01:46 PM.
Thanks a ton. I'll give this a shot!
Thanks again!
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
LinkBack URL
About LinkBacks
Reply With Quote