This week I was working with a retail customer that has plans to place HP Windows XP Embedded devices at their many retail stores. Applications will be served up either locally on the XPe device, through a remote desktop, or through Remote Applications.
There is a slight challenge with this setup because technically Microsoft supports this configuration, but doesn’t give you great tools to setup Single Sign On (SSO). When Vista was first introduced, Microsoft created a new credential manager that could handle SSO for Terminal Server as well as products such as HyperV. Fortunately, the product team also back-ported the credential manager (CredSSP) functionality to Windows XP. While Vista has an easy enough local Group Policy you can edit, Windows XP never got the same treatment. In order to get it to work in XP and XPe, you have to make a bunch or registry edits, which are also not provided in an easy to copy .REG format.
Well, as a service to the public, I have included a text copy of my .REG file below. The information below is provided as-is, no warranty, no support, please don’t cry to me. But, I have tested it pretty thoroughly and it seems to work.
A couple caveats:
Many thanks to Olga and Sergey on the product team as well as Kevin Martin from HP for their help this week.
Here is my .REG file, I hope to create an ADM file at some point that I can share. You can go ahead and cut/paste the rest of this blog entry into a text file and rename it to a .REG file.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders] "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, credssp.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] "Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\ 00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\ 6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,74,\ 00,73,00,70,00,6b,00,67,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation] "AllowDefaultCredentials"=dword:00000001 "ConcatenateDefaults_AllowDefault"=dword:00000001 "AllowDefCredentialsWhenNTLMOnly"=dword:00000001 "ConcatenateDefaults_AllowDefNTLMOnly"=dword:00000001 "AllowFreshCredentials"=dword:00000001 "ConcatenateDefaults_AllowFresh"=dword:00000000 "AllowFreshCredentialsWhenNTLMOnly"=dword:00000001 "ConcatenateDefaults_AllowFreshNTLMOnly"=dword:00000000 "AllowSavedCredentials"=dword:00000000 "ConcatenateDefaults_AllowSaved"=dword:00000000 "AllowSavedCredentialsWhenNTLMOnly"=dword:00000000 "ConcatenateDefaults_AllowSavedNTLMOnly"=dword:00000000 "DenyDefaultCredentials"=dword:00000000 "ConcatenateDefaults_DenyDefault"=dword:00000000 "DenyFreshCredentials"=dword:00000000 "ConcatenateDefaults_DenyFresh"=dword:00000000 "DenySavedCredentials"=dword:00000000 "ConcatenateDefaults_DenySaved"=dword:00000000
PingBack from http://www.netdeluxo.com/blog/blogs/marcus-hass-ms-blog-windows-xpxpe-and-remote-desktop/
Great article on enabling this RDS - SSO feature for Windows XP SP3.
I really appreciate it.
I was just wondering if you had a chance to produce the *.ADM group policy file for easier deployment throughout a large IT environment.
Thank you very much,