When the SPE (Secure Password Extension) is installed on a terminal server, or is used over Remote Desktop (RDP), launching an application prompts you to enter your network credentials again, even though you have already entered them on the Windows PC.
This is by Microsoft's design and affects all third-party credential providers, Secure Password Extensions included.
Please see this Microsoft blog, which describes the behaviour in more detail:
http://blogs.msdn.com/b/winsdk/archive/2009/07/14/rdc-and-custom-credential-providers.aspx#comment
Issue:
A custom credential provider (CP) is installed for multifactor authentication (such as biometric, password or smart card).
A remote desktop connection (RDC) is used to connect to a Windows machine, where the client machine has this custom CP installed. The issue is that the user has to log in twice for a remote session.
In summary, a user gets a double logon when authenticating via RDP with a custom credential provider. This behavior is by design. The user does not get a double logon when using the Microsoft built-in credential providers, i.e. password and smart card.
Reason:
Terminal Services does not support remote authentication with arbitrary credential types. Only username/password or smart card credentials from the built-in Microsoft credential providers can be authenticated.
Before Microsoft introduced Network Level Authentication (NLA), any malicious user could attempt multiple connections to a terminal server, and each connection attempt would use up a lot of resources on the server. This attack could potentially make the server run out of resources, in which case users could no longer connect. With NLA, you are required to authenticate before significant resources are consumed on the terminal server. NLA also cannot handle third-party CPs, so if NLA is enabled then custom CPs cannot be used with it; this is again intended.
If the user connected with a non-Microsoft credential provider, they will be prompted on the terminal server to enter credentials again (i.e. twice).
WORKAROUND
None
STATUS
If NLA is not enabled, then despite having authenticated with an unsupported credential provider on the client before the connection, the user will still be connected. They will be left at the logon screen, where any credential provider that is supported for local authentication can be used. There is no way to avoid the two authentications when using unsupported credential providers.
If you have your own credential provider and you make a remote desktop connection with it, you will need to log in twice. This is expected behavior, it is by design, and there is no legitimate way to avoid it.
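To tell in advance whether a terminal server will produce the double logon described above, an administrator needs two facts: whether the RDP listener requires NLA, and which third-party credential providers are registered on the host. The following PowerShell script is an added example, not code from the original article, from One Identity or from Microsoft. It reads the RDP-Tcp listener settings and the Credential Providers registry key, resolves each provider's CLSID to its DLL, and uses the DLL's Authenticode signer as a heuristic (an assumption of this example) for "Microsoft built-in" versus "third-party".

```powershell
# Added example (not part of the original article): inventory credential
# providers and the NLA setting of the RDP-Tcp listener on this host.
# Run in an elevated PowerShell session on the terminal server.

$cpRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-CredentialProviderInventory {
    Get-ChildItem -Path $cpRoot | ForEach-Object {
        $clsid = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath
        $name  = $props.'(default)'
        # A provider key may carry a Disabled=1 value; treat a missing value as enabled.
        $disabled = [bool]$props.Disabled

        # The CLSID resolves to the provider DLL through InprocServer32.
        $srv = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        $dll = if ($srv) { [Environment]::ExpandEnvironmentVariables($srv.'(default)') } else { $null }

        $signer = $null
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        # Heuristic (assumption of this example): a DLL whose signer is not
        # Microsoft Corporation is a custom CP, i.e. one that RDP/NLA cannot
        # authenticate remotely and that therefore triggers the second logon.
        [pscustomobject]@{
            Name       = $name
            CLSID      = $clsid
            Dll        = $dll
            Signer     = $signer
            Disabled   = $disabled
            ThirdParty = -not ($signer -like '*O=Microsoft Corporation*')
        }
    }
}

function Get-RdpListenerSettings {
    $p = Get-ItemProperty -Path $rdpTcp
    [pscustomobject]@{
        # UserAuthentication = 1 means NLA is required (CredSSP before the session exists).
        NlaRequired   = ($p.UserAuthentication -eq 1)
        # SecurityLayer: 0 = RDP security, 1 = negotiate, 2 = TLS.
        SecurityLayer = $p.SecurityLayer
    }
}

$rdp = Get-RdpListenerSettings
$providers = Get-CredentialProviderInventory
$customActive = $providers | Where-Object { $_.ThirdParty -and -not $_.Disabled }

"RDP-Tcp: NLA required = $($rdp.NlaRequired), SecurityLayer = $($rdp.SecurityLayer)"
$providers | Sort-Object ThirdParty -Descending | Format-Table Name, ThirdParty, Disabled, Dll -AutoSize

if ($customActive) {
    "Active third-party credential providers found: $(($customActive.Name) -join ', ')."
    "Remote logons that use one of these will be prompted again on the terminal server (by design)."
} else {
    "Only Microsoft-signed credential providers are active; password and smart card logons authenticate once over RDP."
}
```

The script only reports; it does not change anything. Catalog-signed system DLLs can show no embedded signer on older Windows builds, in which case the heuristic flags them as third-party and the row should be checked by hand. The same NLA setting can also be read through the Win32_TSGeneralSetting WMI class in the root\cimv2\TerminalServices namespace (property UserAuthenticationRequired) if a registry read is not wanted.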
© 2024 One Identity LLC. All rights reserved.