Today's topics for discussion are Frontside Authentication and Single Sign-On (SSO) in the Terminal Services space. So, let's get started ...
Frontside Authentication is a new connection process in the Remote Desktop Connection 6.x client where credentials are entered before the connection is made to a Windows Server 2008 Terminal Server. After you enter your credentials and initiate the connection to the Terminal Server, your credentials are automatically passed to the server for authentication. With this new behavior, you now enter your credentials in the RDC client as opposed to the "Log on to Windows" prompt that is presented by WINLOGON.EXE on the Terminal Server.
So what's the big deal, right? You still have to provide valid credentials to log on, so why did we make this change? The intent of Frontside Authentication in Terminal Services is to enhance usability and increase security by reducing the attack surface exposed to unauthenticated users. A new Security Support Provider (SSP) in Windows Server 2008 provides a more secure method for transferring credentials over the network prior to establishing a new Windows session. In previous versions of Windows Server, numerous session-specific components, such as CSRSS.EXE, USERINIT.EXE and WINLOGON.EXE, were already active during the authentication process, which meant that a client could interact with these key operating system components before it had proven its identity. This created a pre-authentication attack surface.
The Frontside Authentication mechanism uses the new SSP in Windows Vista and Windows Server 2008, CredSSP, to initiate a secure channel between the client and server as the first stage in a Remote Desktop connection. The secure channel creation process forwards the credentials to the server for authentication. The actual remote session is only created if the secure channel is established. The establishment of the remote session itself means that the user was authenticated, thereby reducing the attack surface presented to an unauthorized user.
The functionality of Frontside Authentication is only available when using the RDC 6.x client. The user experience is dependent upon the client and server operating systems as outlined in the table below:
| Client OS with RDP 6.x | Target Terminal Server OS | Prompt for Credentials |
| --- | --- | --- |
| Windows Vista / Windows Server 2008 | Windows Server 2008 / Windows Vista | Always at TS Client Side |
| Windows XP, Windows Server 2003 | Windows Server 2008 / Windows Vista | Always at TS Server Side |
| Windows Vista, Windows XP, Windows Server 2003, Windows Server 2008 | Windows XP, Windows Server 2003, Windows 2000 | Always at TS Server Side |
The key to remember is that the "authenticate before connecting" behavior is only valid when both the client and server are using the new CredSSP in Windows Vista and Windows Server 2008.
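The "authenticate before connecting" behavior only protects WINLOGON.EXE and friends if the Terminal Server actually requires it; a listener that merely allows CredSSP still accepts legacy clients that reach the server-side logon prompt. The following PowerShell is an added example, not code from the original post or from Microsoft. It reads the listener settings through the Win32_TSGeneralSetting WMI class (namespace root\CIMV2\TerminalServices), reports whether the RDP-Tcp listener requires user authentication before a session is created, and can enforce it; it also checks that the local RDC client is a 6.x build on Windows Vista / Server 2008, which is the combination the table above needs for the client-side prompt. Function names, parameter names and the listener default of RDP-Tcp are this example's own choices; run it in an elevated PowerShell on the Terminal Server.

```powershell
# Added example: audit / enforce Network Level Authentication (the
# "Frontside Authentication" behaviour built on CredSSP) for an RDP listener.
# Not part of the original post. Requires an elevated prompt on the server.

function Get-RdpListenerSecurity {
    param(
        [string]$ComputerName = '.',
        [string]$Listener     = 'RDP-Tcp'   # assumption: default listener name
    )
    $ts = Get-WmiObject -ComputerName $ComputerName `
            -Namespace 'root\CIMV2\TerminalServices' `
            -Class Win32_TSGeneralSetting `
            -Filter "TerminalName='$Listener'"
    if (-not $ts) { throw "Listener '$Listener' not found on '$ComputerName'." }

    # SecurityLayer: 0 = legacy RDP encryption, 1 = negotiate, 2 = TLS only.
    $layerNames = @{ 0 = 'RDP'; 1 = 'Negotiate'; 2 = 'TLS' }
    $nla = [bool]$ts.UserAuthenticationRequired

    New-Object PSObject -Property @{
        ComputerName   = $ComputerName
        Listener       = $Listener
        NlaRequired    = $nla
        SecurityLayer  = $layerNames[[int]$ts.SecurityLayer]
        # Without NLA an unauthenticated client still reaches WINLOGON.EXE,
        # CSRSS.EXE and USERINIT.EXE in a freshly created session.
        PreAuthSurface = (-not $nla)
    }
}

function Set-RdpListenerNlaRequired {
    param(
        [string]$ComputerName = '.',
        [string]$Listener     = 'RDP-Tcp'
    )
    $ts = Get-WmiObject -ComputerName $ComputerName `
            -Namespace 'root\CIMV2\TerminalServices' `
            -Class Win32_TSGeneralSetting `
            -Filter "TerminalName='$Listener'"
    if (-not $ts) { throw "Listener '$Listener' not found on '$ComputerName'." }

    # TLS for the transport, then CredSSP authentication before any session exists.
    [void]$ts.SetSecurityLayer(2)
    [void]$ts.SetUserAuthenticationRequired(1)
    Get-RdpListenerSecurity -ComputerName $ComputerName -Listener $Listener
}

function Test-RdcClientSupportsFrontsideAuth {
    # Client-side prompt needs RDC 6.x *and* a CredSSP-capable OS (NT 6.0+).
    $mstsc = Get-Item (Join-Path $env:SystemRoot 'System32\mstsc.exe')
    $rdcMajor = [int]($mstsc.VersionInfo.FileVersion -split '\.')[0]
    $osMajor  = [Environment]::OSVersion.Version.Major
    New-Object PSObject -Property @{
        RdcVersion            = $mstsc.VersionInfo.FileVersion
        RdcIs6x               = ($rdcMajor -ge 6)
        OsHasCredSsp          = ($osMajor -ge 6)
        PromptsAtClientSide   = ($rdcMajor -ge 6 -and $osMajor -ge 6)
    }
}

# Usage:
#   Get-RdpListenerSecurity | Format-List
#   Set-RdpListenerNlaRequired            # enforce NLA + TLS on RDP-Tcp
#   Test-RdcClientSupportsFrontsideAuth   # run on the client machine
```

The audit function is the one to put in a scheduled compliance check: `NlaRequired` false on a Windows Server 2008 Terminal Server means the server-side logon path in the table above is still reachable by any client that speaks RDP.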
Let's turn our attention now to Single Sign-On (SSO). SSO is an authentication method that allows a user with a domain account to log on once, using a password or a smart card, and then gain access to remote servers without being prompted for credentials again. Terminal Services in Windows Server 2008 supports SSO for domain-joined servers to provide a better user experience by eliminating the need for users to enter credentials each time they initiate a remote session. To implement SSO functionality in Terminal Services, the following requirements must be met:
- SSO is only available for remote connections from computers running Windows Vista or Windows Server 2008
- The user accounts must have the right to log on to both the Terminal Server and the Windows Vista client
- Both the client machine and the Terminal Server must be joined to a domain
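On Windows Vista the piece that actually makes SSO work is credential delegation: the RDC client forwards the user's default (logon) credentials over CredSSP only to servers whose TERMSRV/ service principal name is allowed by the "Allow Delegating Default Credentials" policy. The original post lists the requirements but not that policy, so the following is an added example, not code from the post or from Microsoft. It checks the three listed prerequisites on the client (Vista or later, domain joined, and that a logon account exists) and then reads the policy values that Group Policy writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation to see whether delegation covers a given Terminal Server. The function name and its parameter are this example's own; the server FQDN is a placeholder.

```powershell
# Added example: check Terminal Services SSO prerequisites on a Vista / 2008
# client and whether default-credential delegation covers a given server.
# Not part of the original post.

function Test-TsSsoReadiness {
    param(
        [Parameter(Mandatory = $true)]
        [string]$TerminalServerFqdn    # e.g. ts01.contoso.example (placeholder)
    )

    $cs      = Get-WmiObject Win32_ComputerSystem
    $osMajor = [Environment]::OSVersion.Version.Major

    # Policy: Computer Configuration > Administrative Templates > System >
    # Credentials Delegation > Allow Delegating Default Credentials.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    $enabled   = $false
    $allowList = @()
    if (Test-Path $policyKey) {
        $p = Get-ItemProperty $policyKey
        $enabled = ($p.AllowDefaultCredentials -eq 1)
        $listKey = Join-Path $policyKey 'AllowDefaultCredentials'
        if (Test-Path $listKey) {
            # Entries are stored as numbered values: "1" = "TERMSRV/*", "2" = ...
            $allowList = (Get-ItemProperty $listKey).PSObject.Properties |
                Where-Object { $_.Name -match '^\d+$' } |
                ForEach-Object { [string]$_.Value }
        }
    }

    $spn  = "TERMSRV/$TerminalServerFqdn"
    $hits = @($allowList | Where-Object { $spn -like $_ })   # entries may use '*'
    $wildcardOnly = ($hits.Count -gt 0) -and -not ($hits -contains $spn)

    New-Object PSObject -Property @{
        TargetSpn                = $spn
        ClientIsVistaOrLater     = ($osMajor -ge 6)
        ClientDomainJoined       = [bool]$cs.PartOfDomain
        ClientDomain             = $cs.Domain
        DelegationPolicyEnabled  = $enabled
        DelegationAllowList      = $allowList
        DelegationCoversServer   = ($enabled -and $hits.Count -gt 0)
        # A broad pattern such as TERMSRV/* hands the user's logon credentials
        # to any host that answers; prefer explicit per-server entries.
        CoveredOnlyByWildcard    = $wildcardOnly
        SsoPossible              = ($osMajor -ge 6 -and [bool]$cs.PartOfDomain `
                                    -and $enabled -and $hits.Count -gt 0)
    }
}

# Usage (placeholder server name):
#   Test-TsSsoReadiness -TerminalServerFqdn 'ts01.contoso.example' | Format-List
```

`CoveredOnlyByWildcard` is the value to watch from a least-privilege standpoint: SSO works just as well with an explicit `TERMSRV/ts01.contoso.example` entry as with `TERMSRV/*`, but the explicit entry limits which hosts can ever receive the user's delegated credentials.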