Problems using saved credentials with Vista RDP clients and above
Published Sep 07 2018 06:01 PM
First published on CloudBlogs on Jul, 31 2007

Background Information

Windows Vista Credential Delegation policy does not allow a Vista RDP client to send saved credentials to a TS server when the TS server is not authenticated.  By default Vista RDP clients use the Kerberos protocol for server authentication. Alternatively, they can use SSL server certificates, but these are not deployed to servers by default.  There are three common scenarios where using the Kerberos protocol to authenticate the server is not possible, but using SSL server certificates is possible. Because SSL server certificates are not deployed by default, using saved credentials does not work in these scenarios.

Scenario 1: Connecting from home to a TS server through a TS Gateway server

When you connect from home through a TS Gateway server to a TS server hosted behind a corporate firewall, the TS client has no direct connectivity to a key distribution center hosted on a domain controller behind the corporate firewall. As a result, server authentication using the Kerberos protocol fails.

Scenario 2: Connecting to a stand-alone computer

When connecting to a stand-alone server the Kerberos protocol is not used.

Recommended Solution for Scenarios 1 & 2

For scenarios 1 and 2, to enable server authentication, use SSL certificates that are issued by a trusted Certificate Authority and have the server name in the subject field.  Deploy them to all servers that you want to have server authentication. To set the SSL certificate for a connection:

1. At a command prompt, run tsconfig.msc. Note: tsconfig.msc is only available on servers.

2. Double-click the RDP-Tcp connection object.

3. On the General tab, click Select.

4. Select the certificate you want to assign to the connection, and then click OK.

Scenario 3: Connecting to a terminal server farm

Kerberos authentication does not work in terminal server farm scenarios because farm names do not have accounts associated with them in Active Directory. Without these accounts, Kerberos-based server authentication is not possible.

Recommended Solution for Scenario 3

To enable server authentication in a server farm, use SSL certificates that are issued by a trusted Certificate Authority and that have the farm name in the subject field. Deploy them to all servers in your farm. The SSL certificate will provide server authentication for a TS server and therefore Credential Delegation policy will allow saved credentials to be used for remote desktop connections.
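After assigning the certificate (the tsconfig.msc steps for scenarios 1 and 2, or the per-server deployment for scenario 3), it helps to confirm that the RDP-Tcp listener actually carries a certificate meeting the requirements above. The following PowerShell script is an added example, not part of the original post; it assumes the Win32_TSGeneralSetting WMI class in root\cimv2\TerminalServices (Windows Server 2008 and later), and the -ExpectedName parameter is the name clients type into the RDP client, i.e. the server FQDN or the farm name.

```powershell
# Added example (not from the original post): verify the RDP-Tcp listener's
# SSL certificate is trusted, in its validity period, and carries the server
# or farm name in the Subject field, as Credential Delegation requires.
param(
    # The name clients connect to: server FQDN for scenarios 1 and 2, farm name for scenario 3.
    [Parameter(Mandatory = $true)] [string] $ExpectedName
)

# Read the certificate hash bound to the RDP-Tcp listener (assumed WMI class).
$ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
if (-not $ts) { throw "RDP-Tcp listener not found; run this on the TS server." }

$thumb = $ts.SSLCertificateSHA1Hash
if ([string]::IsNullOrEmpty($thumb)) {
    Write-Warning "No SSL certificate assigned to RDP-Tcp; saved credentials will fail when Kerberos cannot authenticate the server."
    exit 1
}

# Locate the certificate in the machine store by that thumbprint.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert) { throw "Assigned thumbprint $thumb not found in Cert:\LocalMachine\My" }

# Check 1: Subject CN must equal the name clients connect to (case-insensitive).
$subjectCn = $cert.GetNameInfo('SimpleName', $false)
$nameOk = $subjectCn -ieq $ExpectedName

# Check 2: the chain must build to a CA this machine trusts (includes revocation check).
$chainOk = $cert.Verify()

# Check 3: the certificate must be within its validity period right now.
$now = Get-Date
$dateOk = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

$result = if ($nameOk -and $chainOk -and $dateOk) { 'OK' } else { 'FAIL' }

[pscustomobject]@{
    Thumbprint   = $thumb
    SubjectCN    = $subjectCn
    ExpectedName = $ExpectedName
    NameMatches  = $nameOk
    ChainTrusted = $chainOk
    InValidity   = $dateOk
    Result       = $result
}
```

For a farm, run the script on every member server with the farm name as -ExpectedName; a FAIL on any one server means clients load-balanced to it will still be refused saved credentials.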
