Windows Vista Tips

Unable to SSO to TS

 
 
McDavid
06-12-2009
I am unable to use SSO to connect to any of my Terminal Servers. I am always
prompted to logon to the server even though the RDP client says "your windows
logon credentials will be used to connect".

- Terminal Server
- Win2k8x64 SP2
- Credentials Delegation (any service) using kerberos enabled through AD
- TS Security Layer = Negotiate
- TS Encryption Level = Client compatible
- TS set to "Use client-provided log on information"
- Kerberos logging enabled
- kerberos debug logging enabled
- Client (Vista or Win2k8 server... both produce the same results)
- Default and Fresh credentials set for delegation to TS for both kerberos
and NTLM-only.
- kerberos logging enabled
- kerberos debug logging enabled

When I attempt the connection, I get the Win2k8 logon screen. The TS logs
an error - Security-Kerberos Event ID 3, 0xd KDC_ERR_BADOPTION, 0xc00000bb
KLIN(0). The client doesn't log anything. I show an appropriate TERMSRV
ticket on the client. Neither the TS nor the client is logging anything in
the LSASS.log file even though debug logging is enabled through the registry
(LogToFile = 1, KerbDebugLevel = 0xc0000043).

 
Garry Starck - MCITP
06-14-2009
Hi McDavid

What functional levels are the domains and the forest running? Can you run
the following cmd line { w32tm /stripchart
/computer:EACH-DC-IN-SITE-IN-TSBOXES-DOMAIN /period:5 } on the TS box/boxes
and check the time against each of the DCs that are serving the TS boxes'
domain in the TS boxes' site? Substitute the
"EACH-DC-IN-SITE-IN-TSBOXES-DOMAIN" with DCSAMPLE1 till all the DCs in site
have been verified to be in sync (not over 5 minutes out). Also, are you
running the TS box/boxes in a load balance? If so, are you using TS Session
Broker, and also, what are the SPNs for the Load Balance Name and which
objects are they configured on?
--
Maybe this article will be of use:
http://www.servernewsgroups.net/grou...opic21064.aspx

or

http://www.eventid.net/display.asp?e...rberos&phase=1

or

http://support.microsoft.com/?id=262177

I am trying to replicate the same condition in my LAB, will take +- 2 hours,
I will advise if I find anything.

Garry Starck
MCITP, MCTS AD, MCSE 2003 Messaging, MCDBA


 
Garry Starck - MCITP
06-14-2009
Hi Again

Under the section during the TS installation, called "Specify Authentication
Method for Terminal Server", did you select "require network level auth", or
"do not require network level auth"?
--
Garry Starck
MCITP, MCTS AD, MCSE 2003 Messaging, MCDBA



 
Garry Starck - MCITP
06-14-2009
Hi McDavid

I have tried SSO with both the options: under the section during the TS
installation, called "Specify Authentication
Method for Terminal Server", did you select "require network level auth", or
"do not require network level auth"?

I chose the "require network level auth" first and it worked fine on SSO.
Then I tried the "do not require network level auth" and SSO gave me the
same errors as you mentioned.

I will still try other scenarios.

--
Garry Starck
MCITP, MCTS AD, MCSE 2003 Messaging, MCDBA



 
Garry Starck - MCITP
06-14-2009
Sorry Sir

Ignore my last blurt out, I had changed my test user password from ADUC
before I tried the logon like an idiot. Interesting though, I just configured
Broker and I get the issue on the one TS box, not the other.

Sorry once again
--
Garry Starck
MCITP, MCTS AD, MCSE 2003 Messaging, MCDBA



 
McDavid
06-14-2009
Delay against most DCs is showing less than 1s and offsets also less than 1s.

Getting error 0x800705b4 against one DC?

Getting less than 1s delay against one DC but -47s offset?

Although two DCs had unfavorable results, SSO still does not function when I
authenticate against one of the DCs that had favorable delay/offset values.

Am not using any sort of load balancing. Am just trying to RDP straight to
the TS. SPNs are registered under the TS computer account objects.


 
McDavid
06-14-2009
Forgot to mention that Domain Functional Level is Windows Server 2003.

Even though I am getting strange time queries against two of the DCs,
Kerberos and passthrough seem to be functioning overall throughout our domain
(IIS, CIFS, etc...) with the exception of these Terminal Servers.


 
McDavid
06-14-2009
Did not specify anything during the install. Used a scripted Win2k8 install
that automatically installed the TS Role. So, I'm guessing my install used
the default value (what would that be?). Regardless, shouldn't that value be
configurable under the RDP listener properties? I currently have "allow
connections only from computers running Remote Desktop with Network Level
Authentication" disabled.


 
Garry Starck - MCITP
06-14-2009
Hi Again

If you open Terminal Services Configuration through Server Manager, go to
the properties of the RDP connection and under the General tab, if the
Security Layer is set to "RDP Security Layer", no auto logon occurs; set it
to either "Negotiate" or "SSL". I noticed I was getting Kerberos errors on
the DCs logging the same / similar problem. I hope that's the problem, as I
have tried duplicating almost every misconfig I can think of.
--
Garry Starck
MCITP, MCTS AD, MCSE 2003 Messaging, MCDBA


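The two checks Garry proposes in this thread (clock skew of the TS box against each DC via w32tm /stripchart, and the RDP-Tcp listener's Security Layer / NLA setting) combined into one diagnostic script. This is an added example, not code from either poster; it assumes it runs on the Terminal Server as an administrator, that Win32_TSGeneralSetting (the Server 2008 Terminal Services WMI class) is available, and it uses 300 seconds as the Kerberos default maximum clock skew.

```powershell
# Added diagnostic for the SSO-to-TS symptoms in this thread (not either poster's
# code). Assumes it runs on the Terminal Server as an administrator with
# w32tm.exe and setspn.exe on the path (both ship with Server 2008).
$MaxSkewSeconds = 300   # Kerberos default maximum tolerated clock skew (5 minutes)

function Get-DcClockOffset {
    # Runs w32tm /stripchart against one DC and returns the last offset sample,
    # or flags the DC as unreachable when w32tm reports an error instead.
    param([string]$DcName, [int]$Samples = 3)
    $out = & w32tm /stripchart /computer:$DcName /period:5 /samples:$Samples /dataonly 2>&1
    $offsets = @()
    foreach ($line in $out) {
        # /dataonly sample lines look like "15:18:21, +00.0049838s"
        if ("$line" -match ',\s*([+-]\d+\.\d+)s\s*$') { $offsets += [double]$matches[1] }
    }
    if ($offsets.Count -eq 0) {
        # e.g. "error: 0x800705B4" (ERROR_TIMEOUT), as seen against one DC in the thread
        return New-Object PSObject -Property @{
            DC = $DcName; OffsetSeconds = $null; Status = 'UNREACHABLE: ' + ("$out").Trim()
        }
    }
    $last = $offsets[-1]
    $status = if ([math]::Abs($last) -gt $MaxSkewSeconds) { 'SKEW TOO LARGE' } else { 'OK' }
    New-Object PSObject -Property @{ DC = $DcName; OffsetSeconds = $last; Status = $status }
}

function Test-AllDcClocks {
    # Enumerates every DC in this computer's domain and checks each one.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    foreach ($dc in $domain.DomainControllers) { Get-DcClockOffset -DcName $dc.Name }
}

function Get-RdpListenerSecurity {
    # Reads the RDP-Tcp listener settings discussed in the thread from the
    # Server 2008 Terminal Services WMI provider.
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
    New-Object PSObject -Property @{
        SecurityLayer      = $layerNames[[int]$ts.SecurityLayer]
        NlaRequired        = [bool]$ts.UserAuthenticationRequired
        MinEncryptionLevel = $ts.MinEncryptionLevel
        # As Garry notes, no auto logon occurs on "RDP Security Layer";
        # CredSSP-based SSO needs Negotiate or SSL.
        SsoPossible        = ([int]$ts.SecurityLayer -ne 0)
    }
}

'--- Clock offset of each DC relative to this TS box ---'
Test-AllDcClocks | Format-Table DC, OffsetSeconds, Status -AutoSize
'--- RDP-Tcp listener security settings ---'
Get-RdpListenerSecurity | Format-List
'--- TERMSRV SPNs registered on this computer account ---'
& setspn -L $env:COMPUTERNAME | Select-String 'TERMSRV'
```

A DC flagged UNREACHABLE or SKEW TOO LARGE matches the 0x800705b4 and -47s results McDavid reports; an SsoPossible of False means the listener itself rules out SSO regardless of delegation settings.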

 
McDavid
06-14-2009
It is set to negotiate. However, I have tried the other two settings as well
with no luck.


 