Terminal Service Remote App single sign on
With the release of Windows Server 2008, it is also possible to publish individual applications (TS RemoteApp) from a Microsoft Terminal Server.
With RES PowerFuse it is possible to offer applications that are delivered by several different mechanisms, and it can also offer Microsoft Remote Applications in the user's Start Menu. By default, Windows does not allow single sign-on for RDP sessions, and therefore not for RemoteApp either, because the RemoteApp technology is built on RDP sessions.
In this blog we will describe how Microsoft Remote Applications can be published and how single sign-on can be enabled for them.
Publish a Microsoft Remote App in RES PowerFuse
Global settings for Microsoft Remote Applications can be enabled in the console via RES PowerFuse Setup – Integration – Microsoft TS RemoteApp.
- An application can be enabled as a MS RemoteApp via the configuration node of the application.
- Go to the tab Publishing, choose Microsoft TS RemoteApp and mark the checkbox Enable Microsoft TS Remote App Publishing.
- Then choose the servers or server groups where the application should be published.
Now the application will appear in the configured users' Start Menu. However, when the application is started, Windows will still prompt for the user's credentials:
This is annoying (we are already logged on, and RES PowerFuse has already granted us access to the application!), so we want to configure single sign-on. The requirements are: Windows XP SP3 with RDP client 6.1, or Windows Vista or Windows 7.
Enable Single Sign on for Windows Vista and Windows 7
Single sign-on is supported out of the box on Windows Vista and Windows 7, so we can use Group Policy objects to configure the required settings.
- Set the following Policy: Computer Configuration – Policies – Administrative Templates – System – Credentials Delegation – Allow Delegating Default Credentials
- Enable the policy and add the Terminal Servers by clicking the Show button. Make sure every Terminal Server is included and that the prefix TERMSRV/ is entered for every server. Also take FQDNs into account: if clients use both the NetBIOS name and the FQDN, include both in the server list!
- Set the policy Computer or User Configuration – Administrative Templates – Windows Components – Terminal Services – Remote Desktop Connection Client – Allow .rdp files from unknown publishers to Enabled. (Of course, you can also load terminalserver.admx and configure this policy from global PowerLaunch, which is the preferred way if you want to configure it from User Configuration.)
- This policy makes it possible to launch unsigned .rdp files. However, if unsigned .rdp files are used, you will not be able to get rid of the following message box (at least, I did not find a way yet; if you did, please let me know):
Enable Single Sign on for Windows XP SP3
Technet: http://support.microsoft.com/default.aspx/kb/951608
With Windows Vista the new Credential Security Support Provider (CredSSP) was introduced, and it was backported to XP SP3 (see KB 951608 above), but no tools are provided to configure it. Since the policies do not work on Windows XP, we have to configure the following registry settings on the Windows XP clients. To turn on CredSSP, edit the following registry values:
- HKLM\SYSTEM\CurrentControlSet\Control\Lsa: edit the value Security Packages (REG_MULTI_SZ) and add tspkg to the list.
- HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders: edit the value SecurityProviders and add credssp.dll to the list (don't forget to use a comma as separator).
Now we have to enable the Group Policy settings that allow single sign-on for Windows XP SP3. But since there is no Group Policy object that supports these settings on XP, we have to configure the policies directly in the registry:
- HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation: create the following REG_DWORD values:
AllowDefaultCredentials with value 1
ConcatenateDefaults_AllowDefault with value 1
- HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation: create a new subkey AllowDefaultCredentials.
- In this new subkey, create a REG_SZ value for every server where SSO should be allowed (each value name is a serial number, starting with 1):
1 with value TERMSRV/vm1-win2008
2 with value TERMSRV/vm2-win2008
- It is also possible to use a wildcard: then create the REG_SZ value 1 with value TERMSRV/*
Note: Of course, creating a module in RES Wisdom is ideal for rolling out these registry settings to all of your Windows XP clients!
A special thanks to my friend Eddie van Ravesteijn for writing this blog item.
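The registry settings above can be applied and checked with a script instead of by hand, and because the Vista/7 policy "Allow Delegating Default Credentials" writes exactly these CredentialsDelegation keys, the audit function below is just as useful for verifying what the GPO produced on a Vista or Windows 7 client. The following PowerShell is an added example and is not code from the original post, from RES or from Microsoft. It assumes PowerShell 2.0 or later on the XP SP3 client, an elevated session, and a reboot afterwards for the LSA changes to take effect; the function names and the example.local domain suffix are this example's own. Test-SsoDelegation also flags a TERMSRV/* wildcard, because that entry hands the logged-on user's default credentials to every RDP host rather than only to the RemoteApp servers, and it flags NetBIOS-only entries without a matching FQDN entry, the mistake the Vista/7 section warns about.

```powershell
# Added example (not from the original post, RES or Microsoft): configure and audit
# CredSSP single sign-on to TS RemoteApp on Windows XP SP3 via the registry
# locations described in the post. Assumes PowerShell 2.0+, an elevated session,
# and a reboot afterwards. Function names and "example.local" are this example's own.

$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$spKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'
$credKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$listKey = "$credKey\AllowDefaultCredentials"

function Enable-CredSsp {
    # "Security Packages" is a REG_MULTI_SZ list; append tspkg only if it is not there yet
    $packages = @((Get-ItemProperty -Path $lsaKey -Name 'Security Packages').'Security Packages')
    if ($packages -notcontains 'tspkg') {
        Set-ItemProperty -Path $lsaKey -Name 'Security Packages' -Type MultiString -Value ($packages + 'tspkg')
    }
    # SecurityProviders is one comma-separated REG_SZ, hence the post's remark about the separator
    $providers = (Get-ItemProperty -Path $spKey -Name 'SecurityProviders').SecurityProviders
    $list = @($providers -split '\s*,\s*' | Where-Object { $_ })
    if ($list -notcontains 'credssp.dll') {
        Set-ItemProperty -Path $spKey -Name 'SecurityProviders' -Type String -Value (($list + 'credssp.dll') -join ', ')
    }
}

function Set-SsoAllowedServers {
    param([string[]] $Servers)
    if (-not (Test-Path $credKey)) { New-Item -Path $credKey -Force | Out-Null }
    Set-ItemProperty -Path $credKey -Name 'AllowDefaultCredentials' -Type DWord -Value 1
    Set-ItemProperty -Path $credKey -Name 'ConcatenateDefaults_AllowDefault' -Type DWord -Value 1
    # Recreate the numbered list from scratch so entries for decommissioned servers do not linger
    if (Test-Path $listKey) { Remove-Item -Path $listKey -Recurse }
    New-Item -Path $listKey -Force | Out-Null
    $n = 1
    foreach ($server in $Servers) {
        # Every entry must carry the TERMSRV/ prefix; add it when a bare host name was given
        $spn = if ($server -like 'TERMSRV/*') { $server } else { "TERMSRV/$server" }
        Set-ItemProperty -Path $listKey -Name ([string]$n) -Type String -Value $spn
        $n++
    }
}

function Test-SsoDelegation {
    # Audit only: reports what is configured and flags missing CredSSP components,
    # NetBIOS entries without a matching FQDN entry, and an overly broad wildcard.
    $findings = @()
    $packages = @((Get-ItemProperty -Path $lsaKey -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages')
    if ($packages -notcontains 'tspkg') { $findings += 'tspkg is missing from Security Packages' }
    $providers = (Get-ItemProperty -Path $spKey -Name 'SecurityProviders' -ErrorAction SilentlyContinue).SecurityProviders
    if (@("$providers" -split '\s*,\s*') -notcontains 'credssp.dll') { $findings += 'credssp.dll is missing from SecurityProviders' }
    $policy = Get-ItemProperty -Path $credKey -ErrorAction SilentlyContinue
    if ($policy.AllowDefaultCredentials -ne 1) { $findings += 'AllowDefaultCredentials is not 1' }
    if ($policy.ConcatenateDefaults_AllowDefault -ne 1) { $findings += 'ConcatenateDefaults_AllowDefault is not 1' }
    $entries = @()
    if (Test-Path $listKey) {
        $item = Get-Item -Path $listKey
        $entries = @($item.GetValueNames() | ForEach-Object { $item.GetValue($_) })
    }
    if ($entries.Count -eq 0) { $findings += 'no TERMSRV/ entries: default credentials are delegated to no server' }
    if ($entries -contains 'TERMSRV/*') {
        # The wildcard delegates the user's credentials to every RDP host, not only the farm
        $findings += 'TERMSRV/* delegates default credentials to any RDP host; prefer an explicit server list'
    }
    foreach ($entry in $entries) {
        if ($entry -notlike 'TERMSRV/*') { $findings += "$entry lacks the TERMSRV/ prefix"; continue }
        $name = $entry.Substring(8)   # strip the 8-character "TERMSRV/" prefix
        # A NetBIOS-only entry stops working as soon as the .rdp file names the server by FQDN
        if ($name -ne '*' -and $name -notlike '*.*' -and -not ($entries -like "TERMSRV/$name.*")) {
            $findings += "$entry has no matching FQDN entry"
        }
    }
    New-Object PSObject -Property @{
        AllowedServers = $entries
        Findings       = $findings
        Ok             = ($findings.Count -eq 0)
    }
}

# Usage: server names are the two from the post; the domain suffix is a constructed placeholder
$farm = 'vm1-win2008', 'vm1-win2008.example.local', 'vm2-win2008', 'vm2-win2008.example.local'
Enable-CredSsp
Set-SsoAllowedServers -Servers $farm
Test-SsoDelegation | Format-List AllowedServers, Findings, Ok
```

Test-SsoDelegation is read-only, so it can be run on its own (for example from a RES Wisdom job or a logon script) to confirm that the settings reached every client before users start reporting credential prompts; an Ok of False with the findings list tells you which of the post's steps was skipped on that machine.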
Hi there, I think this article will help you to solve your problem with the RDP launch warning: http://social.technet.microsoft.com/forums/en-US/winserverTS/thread/330caf39-c40d-4b79-9db9-4578909f3841/
In order to be able to use SSO with Windows XP SP3 in combination with a TERMSRV DNS entry (TS Farm), you'll also need to install the specified hotfix @ http://support.microsoft.com/kb/953760