When SSO fails for a few on a Windows RDS farm

At my workplace we have a small RDS farm with a few RemoteApps. The nice thing about a strong Windows environment is that you can make use of single sign-on (SSO), but for some reason this didn't work for a handful of people. They always received a pop-up asking for their Windows credentials before they got access to the app. Not a big issue, but finding the root cause took a while and I wasn't able to find a solution on the internet. Fortunately, once the root cause was found, the solution was really easy.

You see, for the majority of the topics on the net, the root cause is simply a wrong setting or configuration, for example not allowing the delegation of default credentials. Things you can solve by RTFM.

Allowing the delegation of default credentials using a GPO

But in those kinds of cases the complete user base is usually affected, while in our situation only a few people had the issue. To make it even stranger, it looked client-machine related: moving the user to a different computer solved the issue in some cases.

Eventually, after a lot of trial and error double-checking the settings and the deployed GPOs, I found a strange event in the Windows event log mentioning that the remote application was not able to use the stored credentials. Strange, considering we were using SSO and not really any stored credentials.

No stored credentials are used for single sign-on?

Eventually I looked inside the Credential Manager of the Windows client and found some stored credentials referring to the RDS farm. After removing the credential the issue was solved; adding it again reproduced the issue. Root cause and solution found!

Delete the TERMSRV/… credentials to solve all your problems.

How the credentials ended up in the Credential Manager is still a mystery, but at least we had a solution for our issue. In our case only 3 people had the issue, but imagine you had a lot of users: you could clean up their Credential Manager using the commands cmdkey /list and cmdkey /delete. Below you can find a PowerShell example I found, but please be careful and do the required testing first. In our case we would only need to replace the "target" with the name of the credentials we no longer wanted.

# Collect the "Target:" lines from cmdkey /list; narrow the pattern (e.g. "TERMSRV") so only the credentials you want to remove match
$targets = cmdkey /list | Select-String -Pattern "target" | ForEach-Object {
    # strip the "Target:" label and the Domain:/LegacyGeneric: prefix so only the target name is passed to /delete
    ($_.Line -replace '^\s*Target:\s*', '') -replace '^(Domain|LegacyGeneric):target=', ''
}
foreach ($t in $targets) {
    & cmdkey.exe /delete:$t
}

Source of the PowerShell Script
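As an added example (my own, not the script linked above nor part of the original post), here is a version that goes a bit further: it parses the output of cmdkey /list into objects, keeps only the TERMSRV/ entries that point at the RDS farm, and removes them. The farm name "rds.example.com" is a placeholder, and running the script with -WhatIf only reports what it would delete.

```powershell
# Added example: remove stale TERMSRV/ credentials for one RDS farm from the
# current user's Credential Manager. "rds.example.com" is a placeholder.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$FarmName = 'rds.example.com'   # placeholder: your RDS farm / connection broker name
)

function Get-StoredCredential {
    # Parse the plain-text output of cmdkey /list into objects (Target, Type, User).
    # Each entry starts with a "Target:" line, followed by "Type:" and "User:" lines.
    $current = $null
    foreach ($line in (cmdkey /list)) {
        if ($line -match '^\s*Target:\s*(?:(?:Domain|LegacyGeneric):target=)?(.+)$') {
            if ($current) { $current }          # emit the previous entry
            $current = [pscustomobject]@{ Target = $Matches[1].Trim(); Type = $null; User = $null }
        }
        elseif ($current -and $line -match '^\s*Type:\s*(.+)$') { $current.Type = $Matches[1].Trim() }
        elseif ($current -and $line -match '^\s*User:\s*(.+)$') { $current.User = $Matches[1].Trim() }
    }
    if ($current) { $current }
}

# Only TERMSRV/ entries (RDP / RemoteApp) pointing at the farm are candidates: these are
# the stored credentials that override SSO and trigger the credential pop-up.
$stale = Get-StoredCredential | Where-Object {
    $_.Target -like 'TERMSRV/*' -and $_.Target -like "*$FarmName*"
}

if (-not $stale) {
    Write-Host "No TERMSRV/ credentials for $FarmName found for $env:USERNAME"
    return
}

foreach ($cred in $stale) {
    Write-Host ("Found {0} ({1}) saved for user {2}" -f $cred.Target, $cred.Type, $cred.User)
    # With -WhatIf this only reports; otherwise the entry is removed with cmdkey /delete
    if ($PSCmdlet.ShouldProcess($cred.Target, 'cmdkey /delete')) {
        & cmdkey.exe /delete:$($cred.Target)
    }
}
```

Run it as the affected user (Credential Manager is per user), e.g. .\Remove-StaleTermsrvCredential.ps1 -FarmName rds.example.com -WhatIf first, then without -WhatIf.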

I'm happy to have solved the issue, as we had already opened a case with Microsoft without any working solution. Hopefully this information is useful to some other sysadmin or system engineer.
