XP Clients, CredSSP, SSO, Connection Broker and other animals

re: XP Clients, CredSSP, SSO, Connection Broker and other animals

Aurimas N — Fri, 10 Jun 2011 10:35:55 GMT

Finally I was able to figure this out. All I had to do was change the Security Layer value to Negotiate in Remote Desktop Session Host Configuration -> Connection -> Properties as described here:

technet.microsoft.com/.../cc742808.aspx

re: XP Clients, CredSSP, SSO, Connection Broker and other animals

Paul Adams MSFT — Thu, 09 Jun 2011 06:26:14 GMT

Network and session load balancing introduce issues of their own, typically around names, SPNs and certificates, so things to check:

- how different names used by the client to access the farm behave

(NetBIOS, IP address, FQDN, specific session host, etc.)

- registered TERMSRV/xxx SPNs on the computer objects in Active Directory for the machines involved

- certificates:

> Common Name (CN) matches the name used to access the server or farm as appropriate

> Certificate Authority (CA) must be trusted by the client

> Certificate Revocation List (CRL) must be reachable if defined

The tools of choice for checking out Kerberos ticket requests would be either Network Monitor (NetMon) or Wireshark.

Either tool is too much to go into in detail in a blog, but using a display filter after capturing data on the client and all session hosts you should be able to see the requests & responses from the KDC.

(Kerberos traffic is only UDP or TCP port 88, and the packet details should be able to show you the SPN for which a ticket is being requested.)

I'm not aware of any quick-start guides for using NetMon or Wireshark, I'm not sure there is a better way of getting to know each one other than simply using it and reading the online help.

Kerberos itself is not my area of expertise, so if there is a GPO affecting Kerberos ticket behaviour, for example, I wouldn't know where to check for that - but it sometimes helps to move computer objects into an OU with all GPOs blocked for testing.

re: XP Clients, CredSSP, SSO, Connection Broker and other animals

Aurimas N — Wed, 08 Jun 2011 12:54:56 GMT

I have tried to connect to another computer remotely which is not in Remote Connection Broker and SSO worked fine, but I have little knowledge where to go from here and how to track the problem source, I have no experience in network tracing, would you suggest some article for starters?

re: XP Clients, CredSSP, SSO, Connection Broker and other animals

Paul Adams MSFT — Wed, 08 Jun 2011 06:43:20 GMT

Once the delegation is enabled for the specified SPNs, it should be good to go.

I would recommend starting with a more basic configuration - take a node out of the Connection Broker farm and try connecting to it by its unique name instead of the NLB name.

If that works, you know you need to check out the configuration of the DNS, SPNs, certificates and so on.

Sometimes taking a network trace from the client & RD Session Host you can see what authentication requests & Kerberos ticket requests are travelling around, and that can be a clue where to start.

re: XP Clients, CredSSP, SSO, Connection Broker and other animals

Aurimas N — Wed, 08 Jun 2011 06:32:53 GMT

So in Windows7 you would only need to enable "Allow Delegating Default Credentials with NTML only Server Authentication" and "Allow Delegating Default Credentials" in GPO and it should work?

I enabled these settings with TERMSRV/* however the result I get is credentials being asked on server.

In RDC I see "Your Windows logon credentials will be used to connect" before connecting, but credentials are not delegated as I get empty username and password fields on the server.

I am logged in with domain user.

Servers are 2008R2 with Remote Desktop Connection Broker and NLB, do I need to change any additional settings?

re: XP Clients, CredSSP, SSO, Connection Broker and other animals

Paul Adams MSFT — Wed, 08 Jun 2011 06:23:27 GMT

There's nothing else to do - the Remote Desktop Client automatically leverages the CredSSP component if it's enabled.

re: XP Clients, CredSSP, SSO, Connection Broker and other animals

Aurimas N — Wed, 08 Jun 2011 06:19:44 GMT

Hi, so how do you enable SSO exactly? Do you need to enable SSO as a separate setting or does it work after you enable Credential Delegation + CredSSP?

re: XP Clients, CredSSP, SSO, Connection Broker and other animals

Pronichkin — Thu, 28 Apr 2011 21:10:41 GMT

Here's another uncommon reason why «Securing remote connection…» phase hangs for two minutes. In my recent case it happened because the Remote Desktop Connection machine didn't have Kerberos (TCP/88) access to Active Directory Domain Controller for the domain of the target machine (i.e. Remote Desktop Session Host).