Recently I have been playing around with Terminal Services 2008, mostly the application publishing side of it, as I have grown a great hatred for Citrix.  Though Citrix does run well when it is working, in my experience it breaks often and is a PITA to fix when it does, and it also needs a large amount of massaging when initially installing.  So far I have found that Server 2008 application publishing can be a replacement for parts of Citrix application publishing.

This post is not going to be an analysis of which Citrix implementations could possibly be replaced with Server 2008, as I have not nearly completed my testing for that yet; it is more a post about a bit of a wall that I hit when rolling this out.

Server 2008 application publishing has the ability to create tiny .msi files that can be installed on client machines via group policy and that launch a specific published application when clicked; it is also possible to set these as the default applications for file types.  The problem is that by default, whenever you click on one of these installed apps, you are prompted for a login to the server while the app is launching.  This definitely would not do, so I found a site with a resolution.  I have a link to the site at the bottom, but I will post the whole process here as I had to read through some of the comments to complete the process for XP, which is what 98% of our clients are running right now.

The process in the link at the bottom is intended for Windows Vista.  Although Single-Sign-On will work with XP SP3 (nothing earlier), many of the options in the local policy are not available in XP SP3 and therefore have to be entered through the registry directly.  If you are using Windows Vista, you can follow the instructions at the top of the page in the link, and that should get the job done for you.

First, copy the below text into a text file and save it with a .reg extension.  Be sure to replace the <My Server> tags with your server names.  If you have a large number of terminal servers and would like to enable Single-Sign-On for all of them, you can enter "TERMSRV/*.<yourdomain>" instead, which enables Single-Sign-On for every server in that domain.

 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation]
"AllowDefaultCredentials"=dword:00000001
"ConcatenateDefaults_AllowDefault"=dword:00000001
"AllowDefCredentialsWhenNTLMOnly"=dword:00000001
"ConcatenateDefaults_AllowDefNTLMOnly"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials]
"1"="TERMSRV/<My Server1>"
"2"="TERMSRV/<My Server2>"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefCredentialsWhenNTLMOnly]
"1"="TERMSRV/<My Server1>"
"2"="TERMSRV/<My Server2>"

 

Import this registry file into the registry, then edit the below keys by appending the listed entries to finish the procedure:

 

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders

APPEND, don't replace: credssp.dll

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages

APPEND, don't replace: tspkg

AGAIN, you need to APPEND these values, not replace what's there
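As an added example (my own script, not from the linked Microsoft post), here is the same procedure done in PowerShell on an XP SP3 client, so that the two "append, don't replace" steps cannot accidentally wipe the existing providers.  It assumes an administrative PowerShell prompt and that the TERMSRV/ targets below are replaced with your own server names.

```powershell
# Added example, not part of the original post. Run as Administrator.
# Placeholders: replace with your terminal server names (TERMSRV/<host>).
# Listing specific hosts rather than TERMSRV/* limits which servers the
# client will hand its default credentials to.
$Targets = @('TERMSRV/<My Server1>', 'TERMSRV/<My Server2>')

# Policy key and the two allow-lists with their matching "Concatenate" flags
$Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$Lists = @{
    'AllowDefaultCredentials'         = 'ConcatenateDefaults_AllowDefault'
    'AllowDefCredentialsWhenNTLMOnly' = 'ConcatenateDefaults_AllowDefNTLMOnly'
}

New-Item -Path $Policy -Force | Out-Null
foreach ($list in $Lists.Keys) {
    Set-ItemProperty -Path $Policy -Name $list         -Value 1 -Type DWord
    Set-ItemProperty -Path $Policy -Name $Lists[$list] -Value 1 -Type DWord
    # Sub-key holds the targets as numbered string values "1", "2", ...
    $sub = New-Item -Path (Join-Path $Policy $list) -Force
    for ($i = 0; $i -lt $Targets.Count; $i++) {
        Set-ItemProperty -Path $sub.PSPath -Name ($i + 1) -Value $Targets[$i] -Type String
    }
}

# Append one entry to a provider list only if it is not already present.
# SecurityProviders is a comma-separated REG_SZ; Security Packages is REG_MULTI_SZ.
function Add-ListEntry {
    param([string]$Path, [string]$Name, [string]$Entry)
    $current = (Get-ItemProperty -Path $Path).$Name
    if ($current -is [string]) {
        $items = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($items -notcontains $Entry) {
            Set-ItemProperty -Path $Path -Name $Name -Value (($items + $Entry) -join ', ') -Type String
        }
    } else {
        $items = @($current)
        if ($items -notcontains $Entry) {
            Set-ItemProperty -Path $Path -Name $Name -Value ([string[]]($items + $Entry)) -Type MultiString
        }
    }
}

$Control = 'HKLM:\SYSTEM\CurrentControlSet\Control'
Add-ListEntry -Path "$Control\SecurityProviders" -Name 'SecurityProviders' -Entry 'credssp.dll'
Add-ListEntry -Path "$Control\Lsa"               -Name 'Security Packages' -Entry 'tspkg'

# Show the result so the appended lists can be checked before rebooting
Get-ItemProperty -Path "$Control\SecurityProviders" -Name 'SecurityProviders'
Get-ItemProperty -Path "$Control\Lsa" -Name 'Security Packages'
```

Running the script a second time is safe: the existing provider entries are kept and credssp.dll and tspkg are not duplicated.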

 

http://blogs.msdn.com/rds/archive/2007/04/19/how-to-enable-single-sign-on-for-my-terminal-server-connections.aspx