Enable Single Sign-On for Terminal Services

Applies To: Windows Server 2008

Single sign-on (SSO) is an authentication method that allows users with a domain account to log on once, by using a password or smart card, and then gain access to remote servers without being asked for their credentials again.

To implement single sign-on functionality in Terminal Services, ensure that you meet the following requirements:

  • You can only use single sign-on for remote connections from a computer running Windows Vista to a terminal server running Windows Server 2008. You can also use single sign-on for remote connections from one server running Windows Server 2008 to another server running Windows Server 2008.

  • The user accounts that are used for logging on have appropriate rights to log on to both the terminal server and the Windows Vista client computer.

  • Your client computer and terminal server must be joined to a domain.

To configure the recommended settings for your terminal server, complete the following steps:

  • Configure authentication on the terminal server.

  • Configure the computer running Windows Vista to allow default credentials to be used for logging on to the specified terminal servers.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To configure authentication on the terminal server

  1. Open Terminal Services Configuration. To open Terminal Services Configuration, click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration.

  2. Under Connections, right-click the appropriate connection (for example, RDP-Tcp), and then click Properties.

  3. In the Properties dialog box, on the General tab, verify that the Security Layer value is set to either Negotiate or SSL (TLS 1.0).

  4. On the Log on Settings tab, ensure that the Always prompt for password check box is not selected, and then click OK.

To allow default credential usage for single sign-on

  1. On the Windows Vista-based computer, open the Local Group Policy Editor. To open the Local Group Policy Editor, click Start, and in the Start Search box, type gpedit.msc and then press ENTER.

  2. In the left pane, expand the following: Computer Configuration, Administrative Templates, System, and then click Credentials Delegation.

  3. Double-click Allow Delegating Default Credentials.

  4. In the Properties dialog box, on the Setting tab, click Enabled, and then click Show.

  5. In the Show Contents dialog box, click Add to add servers to the list.

  6. In the Add Item dialog box, in the Enter the item to be added box, type the prefix termsrv/ followed by the name of the terminal server; for example, **termsrv/**Server1, and then click OK.

  7. Click OK to close the Properties dialog box.

For more information about security and Terminal Services, see the Terminal Services page on the Windows Server 2008 TechCenter (http://go.microsoft.com/fwlink/?LinkID=73931).