Is it possible to do true Kerberos SSO using RDP?

  • Question

  • Hi, 

    I have implemented NLA (Kerberos / CredSSP) functionality in the rdesktop project with the assumption that this would give me
    SSO functionality; however, it seems like this is not the case. I must provide a TSCredentials packet after the SPNEGO negotiation
    and the public key validation to carry on with the logon process. I have spent a great amount of time searching for information
    around this case, and all the information I stumble upon points to my conclusion that CredSSP + Kerberos is only used for server
    authentication, to protect against MITM and assure that it's safe to delegate credentials to the service.

    I have also verified using Wireshark that MSTSC RDP protocol traffic also sends the TSPasswordCreds to carry out the logon.

    So my questions are:

    Is it possible to do a true Kerberos SSO logon using RDP, and if that is possible, what are the requirements to accomplish this?
    And where do I find resources on how to set up an environment where I can validate the SSO functionality using MSTSC?

    Kind Regards,

    Henrik Andersson

    Friday, October 12, 2012 11:09 AM


All replies

  • Hi hean01,

    Thank you for your question.  A colleague will follow up with you to investigate this question.


    Mark Miller | Escalation Engineer | Protocol Documentation Team

    Friday, October 12, 2012 2:55 PM
  • Hi Mark,

    Thanks for the fast coordination, I'm looking forward to getting some insight on this matter.


    Henrik Andersson

    Monday, October 15, 2012 11:41 AM
  • Henrik,

    Windows RDP client’s SSO is based on passing the actual username/password credentials to the server.

    The answer to your question for the Kerberos ticket SSO is “no, that is not supported”.

    These references provide information on how to setup SSO:

    Single Sign-On for Terminal Services

    How to enable Single Sign-On for my Terminal Server connections

    Enable RDC Client Single Sign-On for Remote Desktop Services
    Monday, October 15, 2012 4:19 PM
  • The answer to your question for the Kerberos ticket SSO is “no, that is not supported”.

    What are the limitations when using Single Sign-on?

    • Single Sign-On works only when connecting from an XP SP3, Vista or a Windows Server 2008 machine to a Vista or Windows Server 2008 machine. Please see this KB article about enabling CredSSP on XP SP3 which is required for Single Sign-On.
    • If the server you are connecting to cannot be authenticated via Kerberos or SSL certificate, Single Sign-On will not work. You can circumvent this restriction by enabling "Allow Default Credentials with NTLM-only Server Authentication" policy, which is less secure. (NTLM-only Server Authentication is less secure compared to using Certificates or Kerberos.)

    or what was meant?

    Monday, January 20, 2014 8:30 AM
  • Anahaym,

    I am reviewing your comments and will follow-up soon.
    Monday, January 20, 2014 10:14 PM
  • Anahaym,

    In the previous response, the intent was that “true Kerberos SSO” referred to logon with Kerberos ticket from the client. So the answer was “No”.

    Windows RDP client’s SSO is based on passing the same user name and password credentials – that is logged onto the local computer – to the remote desktop server.

    This is explained in more details in the references provided earlier on RDP SSO setup.
    Wednesday, January 22, 2014 5:42 AM
  • Has there been any progress on this issue since?

    It is extremely disappointing that Windows RDP still actually requires presentation of the password to the RDP server, even though Kerberos authentication is possible. It is a horrific security risk to pass user passwords widely around like this as credentials. The whole point of Kerberos was such that the local client can instantly delete the user password from memory within milliseconds after receiving the time-limited Kerberos TGT, and from then on, the user can access all services conveniently with just the Kerberos ticket, without any device keeping the password in memory.

    This has worked fabulously in the Unix world for nearly 30 years. Why does Microsoft still enforce the unsafe practice of passing the user password around to other machines with RDP? If the RDP server was compromised, the attacker can now get away with the user password, a precious long-term secret (as opposed to with just a Kerberos ticket that is only valid for that machine or realm and only valid for a couple of hours).

    Monday, July 31, 2017 11:43 AM
  • Hi Markus,

    Thank you for the feedback. We are reviewing this and will respond soon.
    Monday, July 31, 2017 6:53 PM
  • Hi Markus,

    When establishing a conventional RDP session, the user credentials are encrypted, in fact double encrypted (TLS + SSPI) when sent to the server. There is also a binding check between the TLS session and the SSPI session.

    Windows 10 v1607 introduced a security enhancement which addresses the scenario of a compromised RDP server. That is, Windows 10 v1607 can protect remote desktop credentials with Remote Credential Guard by redirecting the authentication requests back to the client’s device that is requesting the connection. It also enables a single-sign-on experience for the RDP session.

    Remote Credential Guard is available in Windows 10 v1607 and Windows Server 2016.

    In [MS-CSSP], TSCredentials can now have a TSRemoteGuardCreds credential type.

    Protect Remote Desktop credentials with Remote Credential Guard

    [MS-RDPEAR]: Remote Desktop Protocol Authentication Redirection Virtual Channel

    Monday, July 31, 2017 7:52 PM
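The thread turns on what the TSCredentials packet carries after SPNEGO and public key validation: credType 1 (TSPasswordCreds) delegates the user's actual password, while the TSRemoteGuardCreds type mentioned in the last reply does not. The following is an added example, not code from the thread, from rdesktop or from Microsoft: a minimal hand-rolled DER encoder/decoder for [MS-CSSP] TSCredentials that lets a defender inspecting decrypted test traffic classify the credential type without exposing the secret. The credType values (1, 2, 6) and field layouts follow [MS-CSSP]; the helper names and the constructed sample values are my own.

```python
# Added example (not from the thread, rdesktop or Microsoft). credType values per
# [MS-CSSP] TSCredentials; helper names and sample values are constructed here.
CRED_TYPE_NAMES = {1: "TSPasswordCreds", 2: "TSSmartCardCreds", 6: "TSRemoteGuardCreds"}

def _der_len(n):                    # DER length: short form below 0x80, else long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def _tlv(tag, body):                # one DER tag-length-value element
    return bytes([tag]) + _der_len(len(body)) + body
def _ctx(idx, body):                # [idx] EXPLICIT context-specific tag around a DER value
    return _tlv(0xA0 | idx, body)
def _integer(v):                    # non-negative INTEGER, leading 0x00 added when needed
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def encode_ts_password_creds(domain, user, password):
    """TSPasswordCreds ::= SEQUENCE { domainName [0], userName [1], password [2] }, UTF-16LE."""
    fields = [s.encode("utf-16-le") for s in (domain, user, password)]
    return _tlv(0x30, b"".join(_ctx(i, _tlv(0x04, f)) for i, f in enumerate(fields)))

def encode_ts_credentials(cred_type, cred_der):
    """TSCredentials ::= SEQUENCE { credType [0] INTEGER, credentials [1] OCTET STRING }."""
    return _tlv(0x30, _ctx(0, _integer(cred_type)) + _ctx(1, _tlv(0x04, cred_der)))

def _read_tlv(buf, off=0):          # returns (tag, body, offset just after the element)
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n

def _ctx_fields(seq_body):          # map context index -> content of the wrapped DER value
    out, off = {}, 0
    while off < len(seq_body):
        tag, body, off = _read_tlv(seq_body, off)
        out[tag & 0x1F] = _read_tlv(body)[1]
    return out

def classify_ts_credentials(blob):
    """Return (credType name, password_present) for a DER TSCredentials, never the password."""
    tag, body, _ = _read_tlv(blob)
    fields = _ctx_fields(body)
    cred_type = int.from_bytes(fields[0], "big")
    name = CRED_TYPE_NAMES.get(cred_type, "unknown(%d)" % cred_type)
    password_present = False
    if cred_type == 1:              # the user's plaintext password is being delegated
        inner = _ctx_fields(_read_tlv(fields[1])[1])
        password_present = len(inner.get(2, b"")) > 0
    return name, password_present
```

Running classify_ts_credentials over a decrypted CredSSP capture from a lab session shows whether a client is delegating a password (credType 1) or using the Remote Credential Guard path (credType 6) that the last reply describes.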