Single sign-on is an authentication method that allows users with a domain account to log on once to a client computer by using a password, and then gain access to remote servers without being asked for their credentials again.
This topic only covers single sign-on authentication from the Remote Desktop Connection client to an RD Session Host server. In Windows Server 2008 R2, you can enable single sign-on between Remote Desktop Web Access (RD Web Access) and RD Session Host as well. For more information about single sign-on with RD Web Access, see
To implement single sign-on functionality in Remote Desktop Services, ensure that you meet the following requirements:
- You can only use single sign-on for remote connections from a computer running Windows 7, Windows Vista, or Windows XP with Service Pack 3 to an RD Session Host server running Windows Server 2008 R2 or Windows Server 2008. You can also use single sign-on for remote connections from one server running Windows Server 2008 R2 or Windows Server 2008 to another server running Windows Server 2008 R2 or Windows Server 2008.
- Ensure that the user accounts that are used for logging on have appropriate rights to log on to both the RD Session Host server and the client computer.
- Your client computer and RD Session Host server must be joined to a domain.
To configure the recommended settings for your RD Session Host server, complete the following steps:
- Configure authentication on the RD Session Host server.
- Configure the client computer to allow default credentials to be used for logging on to the specified RD Session Host servers.
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.
|To configure authentication on the RD Session Host server|
Open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.
Under Connections, right-click the appropriate connection (for example, RDP-Tcp), and then click Properties.
In the Properties dialog box, on the General tab, verify that the Security Layer value is set to either Negotiate or SSL (TLS 1.0).
On the Log on Settings tab, ensure that the Always prompt for password check box is not selected, and then click OK.
After you configure authentication on the RD Session Host server, you must allow default credential usage on the RD Session Host server by using Group Policy. The Group Policy settings can be found in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security and can be configured by using either Local Group Policy Editor or the Group Policy Management Console (GPMC).
For more information about Group Policy settings for Remote Desktop Services, see the Remote Desktop Services Technical Reference (
For more information about security and Remote Desktop Services, see the Remote Desktop Services page on the Windows Server 2008 R2 TechCenter (