Unable to SSO to TS

Discussion in 'Server Security' started by McDavid, Jun 12, 2009.

  1. McDavid

    McDavid Guest

    I am unable to use SSO to connect to any of my Terminal Servers. I am always
    prompted to logon to the server even though the RDP client says "your windows
    logon credentials will be used to connect".

    - Terminal Server
    - Win2k8x64 SP2
    - Credentials Delegation (any service) using kerberos enabled through AD
    - TS Security Layer = Negotiate
    - TS Encryption Level = Client compatible
    - TS set to "Use client-provided log on information"
    - Kerberos logging enabled
    - kerberos debug logging enabled
    - Client (Vista or Win2k8 server... both produce the same results)
    - Default and Fresh credentials set for delegation to TS for both kerberos
    and NTLM-only.
    - kerberos logging enabled
    - kerberos debug logging enabled

    When I attempt the connection, I get the Win2k8 logon screen. The TS logs
    an error - Security-Kerberos Event ID 3, 0xd KDC_ERR_BADOPTION, 0xc00000bb
    KLIN(0). The client doesn't log anything. I show an appropriate TERMSRV
    ticket on the client. Neither the TS or the client are logging anything in
    the LSASS.log file even though debug logging is enabled through the registry
    (LogToFile = 1, KerbDebugLevel = 0xc0000043).
    McDavid, Jun 12, 2009

  2. Hi McDavid

    What functional levels are the domains and the forest running? Can you run
    the following cmd line { w32tm /stripchart
    /computer:EACH-DC-IN-SITE-IN-TSBOXES-DOMAIN /period:5 } on the TS box/boxes
    and check the time against each of the DCs that are serving the TS boxes'
    domain in the TS boxes' site? Substitute
    "EACH-DC-IN-SITE-IN-TSBOXES-DOMAIN" with DCSAMPLE1, and so on, until all the DCs in the site
    have been verified to be in sync (not over 5 minutes out). Also, are you
    running the TS box(es) in a load balance? If so, are you using TS Session
    Broker, and also, what are the SPNs for the Load Balance Name and which
    objects are they configured on?
    Maybe this article will be of use:
    I am trying to replicate the same condition in my LAB; it will take +- 2 hours.
    I will advise if I find anything.

    Garry Starck
    MCITP, MCTS AD, MCSE 2003 Messaging, MCDBA
    Garry Starck - MCITP, Jun 14, 2009
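The time-sync check Garry describes above, scripted so it runs against every DC at once. This is an added example, not code from the thread: it assumes the ActiveDirectory PowerShell module is available to enumerate DCs (falling back to constructed placeholder names if it is not), uses w32tm's /dataonly switch to get one offset line per sample, and flags any DC whose offset exceeds the 5-minute Kerberos clock-skew tolerance or that times out the way the 0x800705B4 result in the thread did.

```powershell
# Added example: report clock offset between this TS box and each DC.
# Assumes: ActiveDirectory module (optional), w32tm on the PATH (built in).
param(
    [int]$Samples = 5,
    [int]$MaxSkewSeconds = 300   # Kerberos default clock-skew tolerance (5 min)
)

function Get-DomainControllerNames {
    try {
        Import-Module ActiveDirectory -ErrorAction Stop
        (Get-ADDomainController -Filter *).HostName
    } catch {
        # Constructed placeholders; replace with the DCs in the TS boxes' site.
        @('DCSAMPLE1.example.local', 'DCSAMPLE2.example.local')
    }
}

function Test-DcTimeOffset {
    param([string]$Dc, [int]$Samples, [int]$MaxSkewSeconds)

    # /dataonly prints one "HH:MM:SS, +00.0012345s" line per sample; a DC that
    # cannot be reached prints the error code instead of an offset.
    $out  = & w32tm /stripchart /computer:$Dc /period:1 /samples:$Samples /dataonly 2>&1
    $text = $out | Out-String

    if ($text -match '0x800705B4') {
        return [pscustomobject]@{ DC = $Dc; Status = 'Timeout (0x800705B4)'; MaxOffsetSeconds = $null }
    }

    $offsets = foreach ($line in $out) {
        if ($line -match '([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
    }
    if (-not $offsets) {
        return [pscustomobject]@{ DC = $Dc; Status = 'No samples parsed'; MaxOffsetSeconds = $null }
    }

    # Largest absolute offset seen across the samples decides the verdict.
    $worst  = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    $status = if ($worst -gt $MaxSkewSeconds) { 'SKEW > Kerberos tolerance' } else { 'OK' }
    [pscustomobject]@{ DC = $Dc; Status = $status; MaxOffsetSeconds = [math]::Round($worst, 3) }
}

Get-DomainControllerNames |
    ForEach-Object { Test-DcTimeOffset -Dc $_ -Samples $Samples -MaxSkewSeconds $MaxSkewSeconds } |
    Format-Table -AutoSize
```

Run it on the TS box itself, since the offset that matters for the TERMSRV ticket is between the server validating the ticket and the KDC that issued it. An offset such as the -47s reported later in the thread is inside the tolerance, so the script reports it as OK but still shows the raw value, which is worth chasing with w32tm /resync even though it is not the cause of a KDC_ERR_BADOPTION.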

  3. Hi Again

    Under the section during the TS installation called "Specify Authentication
    Method for Terminal Server", did you select "require network level auth" or
    "do not require network level auth"?
    Garry Starck - MCITP, Jun 14, 2009
  4. Hi McDavid

    I have tried SSO with both the options: Under the section during the TS
    installation called "Specify Authentication
    Method for Terminal Server", did you select "require network level auth" or
    "do not require network level auth"?

    I chose "require network level auth" first and SSO worked fine.
    Then I tried "do not require network level auth" and SSO gave me the
    same errors as you mentioned.

    I will still try other scenarios.
    Garry Starck - MCITP, Jun 14, 2009
  5. Sorry Sir

    Ignore my last blurt out; I had changed my test user password from ADUC
    before I tried the logon, like an idiot. Interesting though, I just configured
    Broker and I get the issue on the one TS box, not the other.

    Sorry once again
    Garry Starck - MCITP, Jun 14, 2009
  6. McDavid

    McDavid Guest

    Delays against most DCs are showing less than 1s and offsets are also less than 1s.

    Getting error 0x800705b4 against one DC?

    Getting less than 1s delay against one DC but a -47s offset?

    Although two DCs had unfavorable results, SSO still does not function when I
    authenticate against one of the DCs that had favorable delay/offset values.

    I am not using any sort of load balancing. I am just trying to RDP straight to
    the TS. SPNs are registered under the TS computer account objects.
    McDavid, Jun 14, 2009
  7. McDavid

    McDavid Guest

    Forgot to mention that Domain Functional Level is Windows Server 2003.

    Even though I am getting strange time queries against two of the DCs,
    Kerberos and passthrough seem to be functioning overall throughout our domain
    (IIS, CIFS, etc.) with the exception of these Terminal Servers.
    McDavid, Jun 14, 2009
  8. McDavid

    McDavid Guest

    Did not specify anything during the install. Used a scripted Win2k8 install
    that automatically installed the TS Role. So, I'm guessing my install used
    the default value (what would that be?). Regardless, shouldn't that value be
    configurable under the RDP listener properties? I currently have "allow
    connections only from computers running Remote Desktop with Network Level
    Authentication" disabled.
    McDavid, Jun 14, 2009
  9. Hi Again

    If you open Terminal Services Configuration through Server Manager, go to
    the properties of the RDP connection and, under the General tab, if the
    Security Layer is set to "RDP Security Layer", no auto logon occurs; set it
    to either "negotiate" or "ssl". I noticed I was getting Kerberos errors on
    the DCs logging the same / similar problem. I hope that's the problem, as I
    have tried duplicating almost every misconfig I can think of.
    Garry Starck - MCITP, Jun 14, 2009
  10. McDavid

    McDavid Guest

    It is set to negotiate. However, I have tried the other two settings as well
    with no luck.
    McDavid, Jun 14, 2009
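The thread has now covered the three settings that decide whether SSO can work (the listener's Security Layer and NLA setting, the TERMSRV SPNs on the TS computer account, and the client-side credential delegation policy). The script below is an added example, not code posted in the thread, that reads all three so they can be compared in one place instead of by eye. It assumes the listener is named RDP-Tcp, that setspn is available, and that delegation is pushed through the standard CredentialsDelegation policy key; with -Role Client it checks the delegation policy on the connecting machine, with -Role Server it checks the listener and SPNs on the TS box.

```powershell
# Added example: dump the settings that gate Terminal Server SSO.
# Assumes: listener named 'RDP-Tcp'; setspn.exe present; CredentialsDelegation
# policy key in its documented location under HKLM\SOFTWARE\Policies.
param(
    [ValidateSet('Server', 'Client')][string]$Role = 'Server',
    [string]$Listener = 'RDP-Tcp'
)

function Get-TsListenerSettings {
    param([string]$Listener)
    # Win32_TSGeneralSetting exposes the General tab of the RDP listener.
    $ts = Get-WmiObject -Namespace 'root\cimv2\terminalservices' -Class Win32_TSGeneralSetting `
                        -Filter "TerminalName='$Listener'"
    $layerNames = @{ 0 = 'RDP Security Layer (SSO will not work)'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }
    [pscustomobject]@{
        Listener      = $Listener
        SecurityLayer = $layerNames[[int]$ts.SecurityLayer]
        NlaRequired   = [bool]$ts.UserAuthenticationRequired
    }
}

function Get-TermsrvSpns {
    # setspn -L lists every SPN on the computer account; keep only TERMSRV/.
    $spns = & setspn -L $env:COMPUTERNAME 2>&1
    $spns | Where-Object { $_ -match '^\s*TERMSRV/' } | ForEach-Object { $_.Trim() }
}

function Get-CredentialDelegationPolicy {
    # Each list is a subkey whose values ("1", "2", ...) hold entries like TERMSRV/*.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    foreach ($list in 'AllowDefaultCredentials', 'AllowFreshCredentials',
                      'AllowDefaultCredentialsWhenNTLMOnly', 'AllowFreshCredentialsWhenNTLMOnly') {
        $enabled = (Get-ItemProperty -Path $base -Name $list -ErrorAction SilentlyContinue).$list
        $entries = @()
        if (Test-Path "$base\$list") {
            $props   = Get-ItemProperty -Path "$base\$list"
            $entries = $props.PSObject.Properties |
                       Where-Object { $_.Name -match '^\d+$' } |
                       ForEach-Object { $_.Value }
        }
        [pscustomobject]@{
            Policy  = $list
            Enabled = ($enabled -eq 1)
            Targets = ($entries -join ', ')
        }
    }
}

switch ($Role) {
    'Server' {
        Get-TsListenerSettings -Listener $Listener | Format-List
        "TERMSRV SPNs on $env:COMPUTERNAME:"
        $spns = Get-TermsrvSpns
        if ($spns) { $spns } else { '  (none registered)' }
    }
    'Client' {
        Get-CredentialDelegationPolicy | Format-Table -AutoSize
    }
}
```

On the server side, the combination the thread settles on is SecurityLayer = Negotiate (or SSL) with at least one TERMSRV/<fqdn> SPN present; on the client side, the delegation list that applies to the chosen server must contain a TERMSRV/ entry that matches the name typed into the RDP client, and the NTLM-only lists only matter when a Kerberos ticket for that name cannot be obtained.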