Windows XP/XPe and Remote Desktop Services Single Sign On
This week I was working with a retail customer that has plans to place HP Windows XP Embedded devices at their many retail stores. Applications will be served up either locally on the XPe device, through a remote desktop, or through Remote Applications.
There is a slight challenge with this setup because technically Microsoft supports this configuration, but doesn’t give you great tools to setup Single Sign On (SSO). When Vista was first introduced, Microsoft created a new credential manager that could handle SSO for Terminal Server as well as products such as HyperV. Fortunately, the product team also back-ported the credential manager (CredSSP) functionality to Windows XP. While Vista has an easy enough local Group Policy you can edit, Windows XP never got the same treatment. In order to get it to work in XP and XPe, you have to make a bunch or registry edits, which are also not provided in an easy to copy .REG format.
Well, as a service to the public, I have included a text copy of my .REG file below. The information below is provided as-is, no warranty, no support, please don’t cry to me. But, I have tested it pretty thoroughly and it seems to work.
A couple caveats:
- If you use a smartcard to authenticate to Windows, no matter how hard you try you won’t be able to get an RDP session to honor your Windows credentials, you will always be prompted for credentials when running MSTSC or a .RDP file. This is counter-intuitive as you would think 2 factor authentication would be more trusted than simple username/password, but it is a known limitation in Windows XP. Citrix does provide their own credential manager that can add functionality here.
- One of the registry entries is in hex so you can’t see what it is. It is one of two entries that require you to APPEND the necessary settings for CredSSP to work. If you have other entries for GINA’s or other credential providers, please be careful as this will overwrite them with the default+CredSSP entries
Many thanks to Olga and Sergey on the product team as well as Kevin Martin from HP for their help this week.
References:
https://support.microsoft.com/default.aspx/kb/951608
Here is my .REG file, I hope to create an ADM file at some point that I can share. You can go ahead and cut/paste the rest of this blog entry into a text file and rename it to a .REG file.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, credssp.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,74,\
00,73,00,70,00,6b,00,67,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation]
"AllowDefaultCredentials"=dword:00000001
"ConcatenateDefaults_AllowDefault"=dword:00000001
"AllowDefCredentialsWhenNTLMOnly"=dword:00000001
"ConcatenateDefaults_AllowDefNTLMOnly"=dword:00000001
"AllowFreshCredentials"=dword:00000001
"ConcatenateDefaults_AllowFresh"=dword:00000000
"AllowFreshCredentialsWhenNTLMOnly"=dword:00000001
"ConcatenateDefaults_AllowFreshNTLMOnly"=dword:00000000
"AllowSavedCredentials"=dword:00000000
"ConcatenateDefaults_AllowSaved"=dword:00000000
"AllowSavedCredentialsWhenNTLMOnly"=dword:00000000
"ConcatenateDefaults_AllowSavedNTLMOnly"=dword:00000000
"DenyDefaultCredentials"=dword:00000000
"ConcatenateDefaults_DenyDefault"=dword:00000000
"DenyFreshCredentials"=dword:00000000
"ConcatenateDefaults_DenyFresh"=dword:00000000
"DenySavedCredentials"=dword:00000000
"ConcatenateDefaults_DenySaved"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials]
"1"="TERMSRV/*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefCredentialsWhenNTLMOnly]
"1"="TERMSRV/*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials]
"1"="TERMSRV/*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentialsWhenNTLMOnly]
"1"="TERMSRV/*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowSavedCredentials]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowSavedCredentialsWhenNTLMOnly]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\DenyDefaultCredentials]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\DenyFreshCredentials]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\DenySavedCredentials]
Comments
Anonymous
January 01, 2003
PingBack from http://www.netdeluxo.com/blog/blogs/marcus-hass-ms-blog-windows-xpxpe-and-remote-desktop/Anonymous
October 18, 2010
Hi Marcus, Great article on enabling this RDS - SSO feature for Windows XP SP3. I really appreciate it. I was just wondering if you had a chance to produce the *.ADM group policy file for easier deployment throughout a large IT environment. Thank you very much, Bao Tran