Enable or Disable Credential Sharing for Connections Through TS Gateway
Applies To: Windows Server 2008
For users to connect to internal network resources (computers) through TS Gateway, two levels of authentication are required. The first level of authentication must occur successfully for users to connect to the TS Gateway server. The second level of authentication must occur successfully for users to connect to remote computers (internal network computers). For each level of authentication, users are prompted for credentials, unless one or more of the following credentials are available to the users:
Locally logged-on credentials
Credential sharing is available with the Remote Desktop Connection (RDC) 6.1 client. RDC 6.1 supports Remote Desktop Protocol version 6.1.
When credential sharing is enabled, users can enter the same set of credentials for authenticating to both the TS Gateway server and the remote computer. In this case, the user is prompted to provide credentials only once.
By default, credential sharing is enabled for TS Gateway, but you can disable credential sharing if the security policies of your organization require that you do so. You can enable or disable credential sharing in either of the following two ways:
Editing connection settings on the Terminal Services client (Remote Desktop Connection). On the client, the credential sharing setting is configured by selecting or clearing the Use my TS Gateway credentials for the remote computer check box, as described later in this topic.
Editing RDP file settings. In the RDP file, the credential sharing setting is configured by adding or modifying the PromptCredentialOnce:i line, as described later in this topic.
If credential sharing is enabled, when users attempt to connect to a computer through TS Gateway, a Windows Security dialog box appears that prompts users once for credentials and informs them that the credentials that they provide will be used to connect to both the TS Gateway server and the remote computer (the internal network computer). The names of both computers are noted in the Windows Security dialog box.
The Windows Security dialog box also includes the Remember my credentials check box. If users select this check box after they supply their credentials, their credentials will be saved both for the TS Gateway server and the remote computer. The same credentials will be used in subsequent connections to the same TS Gateway server and remote computer.
The Remember my credentials setting is ignored in either of the following cases: if users have already saved their credentials, or if the Group Policy setting to allow users to specify their locally logged-on credentials for TS Gateway is enabled.
When users have saved their credentials, during their next connection attempt to the same TS Gateway server and remote computer, a message will appear in the TS Gateway Server Settings dialog box on the client stating that the saved credentials will be used to connect to the TS Gateway server. Users can edit or delete these credentials. (To open the TS Gateway Server Settings dialog box, on the client computer, in the Remote Desktop Connection dialog box, click Options, and then on the Advanced tab, in the Connect from anywhere area, click Settings.)
If you have enabled the Group Policy setting to allow users to specify their locally logged-on credentials for TS Gateway, when the user attempts the connection, a message will appear in the TS Gateway Server Settings dialog box that states that the credentials of the currently logged-on user will be used to connect to the TS Gateway server. For information about how to enable the Group Policy setting to allow the use of locally logged-on credentials for TS Gateway, see Set the TS Gateway Server Authentication Method.
Membership in the local Administrators group, or equivalent, on the TS Gateway server that you plan to configure, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To edit client settings to enable or disable credential sharing
Open the Remote Desktop Connection client. To open the Remote Desktop Connection client, click Start, point to All Programs, point to Accessories, and then click Remote Desktop Connection.
In the Remote Desktop Connection dialog box, click Options to expand the dialog box and view settings.
On the Advanced tab, in the Connect from anywhere area, click Settings.
In the TS Gateway Server Settings dialog box, in the Logon settings area, select or clear the Use my TS Gateway credentials for the remote computer check box. Select the check box to enable credential sharing, or clear it to disable credential sharing.
Verify and configure additional client connection settings for TS Gateway as needed, and then click OK to close the dialog box. For information about how to configure additional client settings, see Configure Remote Desktop Connection Settings for TS Gateway.
Do one of the following:
To save the settings and close the Remote Desktop Connection dialog box, on the General tab, click Save, and then click Cancel. The settings will be saved as an RDP file to a default location (by default, the file is saved to Drive:\<Username>\Documents).
To save the RDP file to a specified location (you can customize and distribute the file later to multiple clients as needed), click Save As. In the Save As dialog box, in the File name box, specify the file name and location, and then click Save.
To proceed with a connection to an internal network resource, on the General tab, configure the settings under Logon settings as needed, click Save, click Connect, and then enter your credentials when prompted.
Alternatively, as mentioned, you can edit settings directly in the RDP file.
To edit an RDP file to enable or disable credential sharing
Open the RDP file that you want to edit by using a text editor, such as Notepad.
Do one of the following:
To disable credential sharing, add the following line (or ensure that any existing PromptCredentialOnce:i line appears as follows): PromptCredentialOnce:i:0
To re-enable credential sharing, edit the PromptCredentialOnce:i line so that it appears as follows: PromptCredentialOnce:i:1
Save and then close the file.
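When the same RDP file is customized and distributed to many clients, the PromptCredentialOnce:i line can be audited and set programmatically instead of edited by hand. The following Python script is an added example, not code from the original article; it treats the .rdp file as "name:type:value" lines, and the sample file content and host names it uses are constructed placeholders.

```python
"""Audit and set credential sharing (PromptCredentialOnce) in .rdp files.
Added example, not code from the original article. An .rdp file is plain
text, one "name:type:value" setting per line ("i" = integer). Per the
article, PromptCredentialOnce:i:0 disables credential sharing, :i:1
re-enables it, and a file without the line keeps the default (enabled).
SAMPLE_RDP below is constructed with placeholder host names."""
import re
from typing import Optional

SETTING = "promptcredentialonce"  # setting names compare case-insensitively
_LINE_RE = re.compile(r"^(?P<name>[^:]+):(?P<type>[a-z]):(?P<value>.*)$")

def get_prompt_credential_once(text: str) -> Optional[int]:
    """Return the integer value of PromptCredentialOnce, or None if absent."""
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m and m.group("name").lower() == SETTING and m.group("type") == "i":
            value = m.group("value").strip()
            return int(value) if value.lstrip("-").isdigit() else None
    return None

def credential_sharing_enabled(text: str) -> bool:
    """True unless the file explicitly sets PromptCredentialOnce:i:0."""
    return get_prompt_credential_once(text) != 0

def set_prompt_credential_once(text: str, enabled: bool) -> str:
    """Rewrite (or append) the setting; duplicates are collapsed to one line
    and the input's line endings (CRLF or LF) are preserved."""
    newline = "\r\n" if "\r\n" in text else "\n"
    wanted = f"PromptCredentialOnce:i:{1 if enabled else 0}"
    out, replaced = [], False
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m and m.group("name").lower() == SETTING:
            if not replaced:
                out.append(wanted)
                replaced = True
            continue  # drop any duplicate setting lines
        out.append(line)
    if not replaced:
        out.append(wanted)
    return newline.join(out) + newline

SAMPLE_RDP = (
    "full address:s:host.example.internal\r\n"
    "gatewayhostname:s:gateway.example.com\r\n"
    "gatewayusagemethod:i:1\r\n"
    "PromptCredentialOnce:i:1\r\n"
)
```

Read each distributed file with the encoding it was saved in before passing its text to these functions, and write it back with the same encoding.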