Is it possible to do true Kerberos SSO using RDP?


  • Hi, 

    I have implemented NLA (Kerberos / CredSSP) functionality in the rdesktop project with the assumption that this would give me
    SSO functionality; however, it seems like this is not the case: I must provide a TSCredential packet after the SPNEGO negotiation
    and the pubkey validation to carry on with the logon process. I have spent a great amount of time searching for information
    around this case, and all the information I stumble upon points to my conclusion that CredSSP + Kerberos is only used for server
    authentication to protect against MITM and assure that it's safe to delegate credentials to the service.

    I have also verified, using Wireshark, that MSTSC RDP protocol traffic also sends the TSPasswordCreds to carry out the logon.

    So my questions are:

    Is it possible to do a true Kerberos SSO logon using RDP, and if that is possible, what are the requirements to accomplish this?
    And where do I find resources on how to set up an environment where I can validate the SSO functionality using MSTSC?

    Kind Regards,

    Henrik Andersson

    • Edited by hean01 Friday, October 12, 2012 11:10 AM
    Friday, October 12, 2012 11:09 AM


All replies