Q. How can I enable single sign-on for my Remote Desktop connections?

A. It’s possible to configure your logon credentials to be sent to a target computer, so that you aren’t prompted for credentials to use. To do so, you have to configure delegation for your credentials to be used on specific servers. You wouldn’t want to enable this for any target as doing so would be an easy way for computers to harvest credentials.

You can configure this delegation by using either a local computer policy or Group Policy. Follow these configuration steps for Group Policy.

1. Open the Group Policy Object (GPO) you’ll enable the setting on.
2. Navigate to Computer Configuration/Administrative Templates/System/Credential Delegation.
3. Double-click Allow Delegating Default Credentials.
4. Select Enabled and click the Show button.
5. In the Add servers to the list text box, which the following screenshot shows, enter the server name in the form TERMSRV/server name (forward slash, not a backslash). You need an entry for each possible way you might type the server name; for example, you need an entry for both the fully qualified domain name (FQDN) and the NetBIOS name if you use both names. If you wanted to enable all Terminal Services servers in the domain, you can use *.domain—for example, *.savilltech.net. However, I don’t recommend doing so because of the point raised earlier regarding possible illegitimate servers harvesting credentials. Likewise, to allow connection to any Terminal Services server, simply enter TERMSRV/*. Click Add to add an entry and when done, click OK.

6. Click OK to return to the main policy.
7. Refresh the policy, and the change will take effect immediately.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.