Windows XP SP3 remote connection error [The connection has been terminated because an unexpected server authentication certificate was received from the remote computer. Try connecting again.]

[Problem description]:

External users on Windows XP SP3 who connect remotely through a Terminal Server Gateway intermittently receive the message [The connection has been terminated because an unexpected server authentication certificate was received from the remote computer. Try connecting again.], and the session is dropped.

[Resolution]:

Add the CredSSP registry values and install KB953760 to resolve this problem.

[Background]:

CredSSP is a new Security Support Provider (SSP) in Windows XP SP3 and is not enabled by default. CredSSP enables a program to use a client-side SSP to delegate user credentials from the client computer to the target server.
KB953760 corrects a known problem with Kerberos authentication in Windows XP.
 
[How to configure]:

1. Change the CredSSP registry values

1) Click Start, click Run, type regedit, and then press ENTER.

2) In the navigation pane, locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

3) In the details pane, right-click Security Packages, and then click Modify. In the Value data box, type tspkg. Leave any data that is specific to other SSPs, and then click OK.

4) In the navigation pane, locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders

5) In the details pane, right-click SecurityProviders, and then click Modify. In the Value data box, type credssp.dll. Leave any data that is specific to other SSPs, and then click OK.

6) Exit Registry Editor and restart the computer.
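As an added example (not code from the original post or from Microsoft's KB articles), the script below audits the two registry values changed in steps 3 and 5 and, when run with -Apply, appends the missing entry while keeping the data other SSPs need; note that Security Packages is a REG_MULTI_SZ (tspkg goes on its own line) while SecurityProviders is a single comma-separated REG_SZ. It assumes an elevated prompt and PowerShell 2.0 on the XP SP3 client; the key paths are the ones given above.

```powershell
# Added example, not from the original post or KB951608: audit the two CredSSP
# registry values from the steps above and, with -Apply, add the missing
# entries without dropping the ones other SSPs already rely on.
# Run from an elevated PowerShell (2.0 works on XP SP3); reboot afterwards.
param([switch]$Apply)

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$spKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'

# Step 3: "Security Packages" is REG_MULTI_SZ, one SSP name per element.
# "Type tspkg" therefore means "add a new line", not "replace the contents".
$packages = @((Get-ItemProperty -Path $lsaKey -Name 'Security Packages').'Security Packages')
if ($packages -contains 'tspkg') {
    Write-Host 'Security Packages: tspkg already present'
} elseif ($Apply) {
    Set-ItemProperty -Path $lsaKey -Name 'Security Packages' `
        -Type MultiString -Value ($packages + 'tspkg')
    Write-Host 'Security Packages: tspkg appended'
} else {
    Write-Host "Security Packages: tspkg MISSING (current: $($packages -join ' '))"
}

# Step 5: "SecurityProviders" is a single REG_SZ holding a comma-separated list
# of DLLs (typically "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll").
$raw = (Get-ItemProperty -Path $spKey -Name 'SecurityProviders').SecurityProviders
$providers = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($providers -contains 'credssp.dll') {
    Write-Host 'SecurityProviders: credssp.dll already present'
} elseif ($Apply) {
    Set-ItemProperty -Path $spKey -Name 'SecurityProviders' `
        -Type String -Value (($providers + 'credssp.dll') -join ', ')
    Write-Host 'SecurityProviders: credssp.dll appended'
} else {
    Write-Host "SecurityProviders: credssp.dll MISSING (current: $raw)"
}

if ($Apply) { Write-Host 'Done. Restart the computer, then install KB953760.' }
```

Run it once without -Apply to see the current state of both values before changing anything.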

2. Install the hotfix

When you enable SSO for a terminal server from a Windows XP SP3-based client computer,
you are still prompted for user credentials when you log on to the terminal server
https://support.microsoft.com/kb/953760

 
[References]:

951608 Description of the Credential Security Service Provider (CredSSP) in Windows XP Service Pack 3
https://support.microsoft.com/default.aspx?scid=kb;EN-US;951608
Description:
CredSSP is a new Security Support Provider (SSP) in Windows XP SP3.
CredSSP enables a program to use a client-side SSP to delegate user credentials from the client computer to the target server.

TechNet Magazine: https://64.4.10.145/en-au/magazine/hh750380
Description:
Windows Server 2008 R2: Why Use Network Level Authentication?

When you connect to an RD Session Host server with an RDC 6.x or later client, you might have noticed you don’t connect directly to the RD Session Host server logon screen to provide your credentials. Instead, a local dialog box pops up to take your credentials on the client. This dialog box is the front end of CredSSP.
When you type your credentials into this dialog box, even if you don’t choose to save them, they go to CredSSP. This then passes the credentials to the RD Session Host server via a secure channel. The RD Session Host server will only begin building a user session once it accepts those credentials.

953760 When you enable SSO for a terminal server from a Windows XP SP3-based client computer, you are still prompted for user credentials when you log on to the terminal server
https://support.microsoft.com/kb/953760