RDS prompting for credential even tho GPO says not to


Mike Leone

Sep 12, 2025, 11:28:02 AM
to NTSysAdmin
I am trying to set up SSO for RDS to make the lives of my users a bit easier. I am following this:


For starters, I am still being prompted as to what to do with the .rdp file:

[screenshot omitted]

Then getting prompted to keep it:

[screenshot omitted]

And then I am prompted for credentials AGAIN:

[screenshot omitted]

So I have "Prompt for credentials on the client computer" set to DISABLED in Computer Config/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Connection Client.

I've done this:
  1. Enable the policy Allow delegating default credentials under Computer Configuration -> Administrative Templates -> System -> Credential Delegation
And listed my sites:
Computer Policy - RemoteDesktop Services Configuration

And done this:

Next, you need to enable the Logon options policy under User/Computer Configuration -> Administrative Tools -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security -> Trusted Sites Zone. Select ‘Automatic logon with current username and password’ from the dropdown list.

Did that, and added the servers to the zone.

So what then am I missing? The only aspect I've been able to resolve is to trust the .rdp publisher (by specifying the thumbprints of the cert on the RD Web; that part at least worked).

--

Mike. Leone, <mailto:tur...@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

Mike Leone

Sep 12, 2025, 12:12:01 PM
to NTSysAdmin
Some progress ... I was able to remove the first login prompt by editing the site files:


C:\Windows\Web\RDWeb\Pages
Edit: Web.config (remove the comment marks around the Windows authentication block, and add comment marks around the Forms authentication blocks)

Before:

    <!-- <authentication mode="Windows"/> -->
    <authentication mode="Forms">
      <forms loginUrl="default.aspx" name="TSWAAuthHttpOnlyCookie" protection="All" requireSSL="true" />
    </authentication>

After:

    <authentication mode="Windows"/>
    <!--
    <authentication mode="Forms">
      <forms loginUrl="default.aspx" name="TSWAAuthHttpOnlyCookie" protection="All" requireSSL="true" />
    </authentication>
    -->

Before:

    <system.webServer>
      <handlers>
        <add name="PagesWebFeedHandler" path="WebFeed.aspx" verb="*" type="Microsoft.TerminalServices.Publishing.Portal.PagesWebFeedHandler" preCondition="integratedMode"/>
      </handlers>
      <modules runAllManagedModulesForAllRequests="true">
        <remove name="FormsAuthentication" />
        <add name="RDWAFormsAuthenticationModule" type="Microsoft.TerminalServices.Publishing.Portal.FormAuthentication.TSDomainFormsAuthentication" />
      </modules>
      <security>
        <authentication>
          <windowsAuthentication enabled="false" />
          <anonymousAuthentication enabled="true" />
        </authentication>
      </security>
      <httpRedirect enabled="false" />
    </system.webServer>

After:

    <system.webServer>
      <handlers>
        <add name="PagesWebFeedHandler" path="WebFeed.aspx" verb="*" type="Microsoft.TerminalServices.Publishing.Portal.PagesWebFeedHandler" preCondition="integratedMode"/>
      </handlers>
      <!--
      <modules runAllManagedModulesForAllRequests="true">
        <remove name="FormsAuthentication" />
        <add name="RDWAFormsAuthenticationModule" type="Microsoft.TerminalServices.Publishing.Portal.FormAuthentication.TSDomainFormsAuthentication" />
      </modules>
      <security>
        <authentication>
          <windowsAuthentication enabled="false" />
          <anonymousAuthentication enabled="true" />
        </authentication>
      </security>
      -->
      <httpRedirect enabled="false" />
    </system.webServer>

C:\Windows\Web\RDWeb\Pages\en-US\
Edit: Default.aspx

Before:

    public bool bShowPublicCheckBox = false, bPrivateMode = false, bRTL = false;

After:

    public bool bShowPublicCheckBox = false, bPrivateMode = true, bRTL = false;

Still getting prompted to login when the .rdp is opened. But this is something, I suppose ...
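An added example, not from this thread or from Microsoft: a small PowerShell check that reads an RD Web Access web.config and reports whether it is still in the Forms-authentication state ("Before" above) or has been switched to Windows authentication ("After"). The two XML strings are constructed from the before/after text in the post, trimmed to the elements that matter; the function name Test-RdWebAuth and the verdict strings are my own.

```powershell
# Added example (not from the thread). Determines which authentication state an
# RD Web Access web.config is in. $BeforeXml / $AfterXml are constructed samples
# reduced to the elements the thread's edit touches.

$BeforeXml = @'
<configuration>
  <system.web>
    <!-- <authentication mode="Windows"/> -->
    <authentication mode="Forms">
      <forms loginUrl="default.aspx" name="TSWAAuthHttpOnlyCookie" protection="All" requireSSL="true" />
    </authentication>
  </system.web>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true">
      <remove name="FormsAuthentication" />
      <add name="RDWAFormsAuthenticationModule" type="Microsoft.TerminalServices.Publishing.Portal.FormAuthentication.TSDomainFormsAuthentication" />
    </modules>
    <security>
      <authentication>
        <windowsAuthentication enabled="false" />
        <anonymousAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</configuration>
'@

$AfterXml = @'
<configuration>
  <system.web>
    <authentication mode="Windows"/>
    <!-- <authentication mode="Forms"> (commented out) </authentication> -->
  </system.web>
  <system.webServer>
    <!-- <modules> and <security> blocks commented out as in the thread -->
  </system.webServer>
</configuration>
'@

function Test-RdWebAuth {
    param([Parameter(Mandatory)][xml]$Config)

    # system.web authentication mode: "Forms" (portal login page) or "Windows"
    $modeAttr = $Config.SelectSingleNode('/configuration/system.web/authentication/@mode')
    $mode = if ($modeAttr) { $modeAttr.Value } else { 'none' }

    # The RD Web forms-auth HTTP module; if still registered, the login page is enforced
    $formsModule = $Config.SelectSingleNode(
        "/configuration/system.webServer/modules/add[@name='RDWAFormsAuthenticationModule']")

    # Explicit IIS-level Windows auth switch in this file (absent = inherits from the site)
    $winAttr = $Config.SelectSingleNode(
        '/configuration/system.webServer/security/authentication/windowsAuthentication/@enabled')
    $winInFile = if ($winAttr) { $winAttr.Value } else { 'inherited' }

    $state = if ($mode -eq 'Forms' -and $formsModule) {
        'Forms: RD Web presents its own login page'
    } elseif ($mode -eq 'Windows' -and -not $formsModule -and $winInFile -eq 'inherited') {
        'Windows: inherits IIS site setting; Windows Authentication must be enabled on the site'
    } elseif ($mode -eq 'Windows' -and $winInFile -eq 'false') {
        'Inconsistent: mode=Windows but windowsAuthentication is disabled in this file'
    } else {
        'Inconsistent: mixed Forms/Windows configuration'
    }

    [pscustomobject]@{
        Mode                  = $mode
        FormsModuleRegistered = [bool]$formsModule
        WindowsAuthInFile     = $winInFile
        State                 = $state
    }
}

# Constructed samples from the thread:
Test-RdWebAuth ([xml]$BeforeXml)
Test-RdWebAuth ([xml]$AfterXml)

# A live server (path as given in the thread); take a copy before editing the file:
# Copy-Item 'C:\Windows\Web\RDWeb\Pages\Web.config' 'C:\Windows\Web\RDWeb\Pages\Web.config.bak'
# Test-RdWebAuth ([xml](Get-Content 'C:\Windows\Web\RDWeb\Pages\Web.config' -Raw))
```

Two things worth keeping in mind with this edit: because the "After" state comments out the `<security>` block, the application inherits whatever is set on the IIS site, so Windows Authentication has to be enabled there or the portal will fail rather than sign users in silently. And this change only affects the portal's own login form; the prompt that appears when the downloaded .rdp launches is controlled by the credential delegation policy, which is what the rest of the thread is about.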

Philip Elder

Sep 12, 2025, 1:40:18 PM
to ntsys...@googlegroups.com

TERMSERV/SessionHost1.FQDN
TERMSERV/SessionHost2.FQDN
TERMSERV/SessionHost3.FQDN
TERMSERV/SessionHost1
TERMSERV/SessionHost2
TERMSERV/SessionHost3
TERMSERV/Broker-Gateway-Web.FQDN
TERMSERV/Broker-Gateway-Web

That’s how that needs to be set up.

Philip Elder MCTS
Senior Technical Architect
Microsoft High Availability MVP
MPECS Inc.
E-mail: Phili...@mpecsinc.ca
Phone: +1 (780) 458-2028
Web: www.mpecsinc.com
Blog: blog.mpecsinc.com
Twitter: Twitter.com/MPECSInc
Teams: Phili...@MPECSInc.Cloud

Please note: Although we may sometimes respond to email, text and phone calls instantly at all hours of the day, our regular business hours are 8:00 AM - 5:00 PM, Monday thru Friday.

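An added example, not from this thread: a PowerShell audit that reads back, on the machine it is run on, the resultant state of the policies discussed so far (credential delegation targets such as the TERMSERV/ list above, the "Prompt for credentials on the client computer" setting, the trusted .rdp publisher thumbprints, and the Trusted Sites logon option). The registry locations are the ones I understand these Administrative Template policies to write under the HKLM policy hive (Computer Configuration; a User Configuration zone setting lands under HKCU instead). The SPN names and thumbprint in $ExpectedSpns and $ExpectedThumbprints are placeholders to replace with your own values; the function name Get-RegValue is mine.

```powershell
# Added example (not from the thread). Run on a client AND on each RDS server:
# in the thread the policy turned out to be applied only to the test clients.

# Placeholders: replace with your session hosts and broker/gateway/web host,
# both FQDN and short name, as in the list Philip posted.
$ExpectedSpns = @(
    'TERMSERV/sessionhost1.corp.example',
    'TERMSERV/sessionhost1',
    'TERMSERV/rdbroker.corp.example',
    'TERMSERV/rdbroker'
)
# Placeholder: SHA1 thumbprint(s) of the .rdp publishing certificate set in the GPO.
$ExpectedThumbprints = @('0000000000000000000000000000000000000000')

$findings = [System.Collections.Generic.List[string]]::new()

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. "Allow delegating default credentials" and its server list
#    (assumed location: HKLM\...\CredentialsDelegation, value AllowDefaultCredentials,
#     targets as numbered string values under the AllowDefaultCredentials subkey)
$credDel = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
if ((Get-RegValue $credDel 'AllowDefaultCredentials') -ne 1) {
    $findings.Add('"Allow delegating default credentials" is not Enabled')
}
$configured = @()
$spnKey = Join-Path $credDel 'AllowDefaultCredentials'
if (Test-Path $spnKey) {
    $configured = (Get-ItemProperty -Path $spnKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}
foreach ($spn in $ExpectedSpns) {
    if ($configured -notcontains $spn) { $findings.Add("Delegation target missing: $spn") }
}

# 2. "Prompt for credentials on the client computer": Enabled (1) forces the prompt
#    (assumed location: HKLM\...\Windows NT\Terminal Services, value PromptForCredsOnClient)
$ts = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
if ((Get-RegValue $ts 'PromptForCredsOnClient') -eq 1) {
    $findings.Add('"Prompt for credentials on the client computer" is Enabled; it forces a prompt')
}

# 3. Trusted .rdp publishers: comma-separated SHA1 thumbprints
#    (assumed location: same key, value TrustedCertThumbprints)
$trusted = Get-RegValue $ts 'TrustedCertThumbprints'
$trustedList = if ($trusted) { ($trusted -split ',') | ForEach-Object { $_.Trim().ToUpper() } } else { @() }
foreach ($tp in $ExpectedThumbprints) {
    if ($trustedList -notcontains $tp.ToUpper()) { $findings.Add("Publisher thumbprint not trusted: $tp") }
}

# 4. Trusted Sites zone (zone 2) logon option 1A00: 0 = automatic logon with current credentials
#    (assumed location: HKLM\...\Internet Settings\Zones\2)
$zone2 = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'
$logon = Get-RegValue $zone2 '1A00'
if ($logon -ne 0) { $findings.Add("Trusted Sites logon option is '$logon' (expected 0)") }

if ($findings.Count -eq 0) { 'All SSO policy checks passed on ' + $env:COMPUTERNAME }
else { $findings | ForEach-Object { "FINDING: $_" } }

# Which GPOs actually reached this computer (needs an elevated prompt)
gpresult /r /scope:computer | Select-String -Pattern 'Applied Group Policy Objects' -Context 0,8
```

The delegation list is the usual culprit: a target that is present only as an FQDN, or only as a short name, silently fails to match the SPN the client builds, and the user is prompted as if no policy existed. The gpresult line at the end addresses the second problem the thread hit, a policy that was linked to the wrong OU and so never reached the session hosts.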

Philip Elder

Sep 12, 2025, 1:45:19 PM
to ntsys...@googlegroups.com

This is going way out of scope. We’ve done a lot of RD Farms and never have we needed to muck about with this.

SSO involves setting up the GPO(s) to allow the credentials to get flung about between user source, broker/gateway/web, and the intended session host via BGW.

The publishing certificate, the one used for the top two certificates against the Collection, needs the SHA thumbprint set in that same Group Policy Object.

https://techcommunity.microsoft.com/blog/microsoft-security-blog/how-to-enable-single-sign-on-for-my-terminal-server-connections/246523

https://vcloudnine.de/single-sign-on-sso-with-remoteapps-on-windows-server-2012-r2/

^^^

These are the two reference sites we used back in the day to set up SSO. Nothing has changed other than our using a 5 or 6 year self-issued certificate for SSO/Publishing to get rid of the annual PITA of updating the GPO SHA thumbprint among other things.


Mike Leone

Sep 12, 2025, 2:18:44 PM
to ntsys...@googlegroups.com
On Fri, Sep 12, 2025 at 1:40 PM Philip Elder <Phili...@mpecsinc.ca> wrote:

TERMSERV/SessionHost1.FQDN
TERMSERV/SessionHost2.FQDN
TERMSERV/SessionHost3.FQDN
TERMSERV/SessionHost1
TERMSERV/SessionHost2
TERMSERV/SessionHost3
TERMSERV/Broker-Gateway-Web.FQDN
TERMSERV/Broker-Gateway-Web

That’s how that needs to be set up.

Yeah, I had missing entries in there. On top of that, the policy with these settings wasn't being applied to the actual RDS servers themselves, just to my client testing machines.

But I'm still being prompted ...

Mike Leone

Sep 12, 2025, 2:44:09 PM
to ntsys...@googlegroups.com
On Fri, Sep 12, 2025 at 1:45 PM Philip Elder <Phili...@mpecsinc.ca> wrote:

This is going way out of scope. We’ve done a lot of RD Farms and never have we needed to muck about with this.

SSO involves setting up the GPO(s) to allow the credentials to get flung about between user source, broker/gateway/web, and the intended session host via BGW.

The publishing certificate, the one used for the top two certificates against the Collection, needs the SHA thumbprint set in that same Group Policy Object.

https://techcommunity.microsoft.com/blog/microsoft-security-blog/how-to-enable-single-sign-on-for-my-terminal-server-connections/246523

https://vcloudnine.de/single-sign-on-sso-with-remoteapps-on-windows-server-2012-r2/

^^^

Did all that (well, except for "User Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > RemoteApp and Desktop Connections > Specify default connection URL")

These are the two reference sites we used back in the day to set up SSO. Nothing has changed other than our using a 5 or 6 year self-issued certificate for SSO/Publishing to get rid of the annual PITA of updating the GPO SHA thumbprint among other things.

Still getting prompted.

