Jason Conger Blog

RDP Frontside Authentication

One of the more visible changes in the Remote Desktop Client version 6.x is the frontside authentication mechanism. When I say “frontside authentication mechanism”, I am talking about the part where you are prompted for credentials prior to making a connection to a Windows server. This is new behavior in the RDP 6.x client. Prior to the RDP 6.x client, you were prompted for credentials after establishing a connection to the Windows server. So, why did Microsoft make this change? Why is it better to obtain credentials at the client level rather than the server level? As it turns out, there are two main reasons for the change - security and single sign-on. These reasons are eloquently explained in an article published on the Microsoft “Ask the Performance Team” blog.

First, let us look at the security aspect. “The intent of Frontside Authentication in Terminal Services is to enhance usability and increase security by reducing the potential attack surface exposed to unauthorized users… In previous versions of Windows Server, numerous session-specific components, such as CSRSS.EXE, USERINIT.EXE and WINLOGON.EXE were active during the authentication process. This created the possibility of a pre-authentication attack surface for key operating system components.” So, obtaining credentials at the client level fixes this - right? Well, almost. As it turns out, you need both the RDP 6.x client and Windows Server 2008. Check out this table from the Microsoft article:

Client OS with RDP 6.x                                              | Target Terminal Server OS                     | Prompt for Credentials
--------------------------------------------------------------------+-----------------------------------------------+-------------------------
Windows Vista / Windows Server 2008                                 | Windows Server 2008 / Windows Vista           | Always at TS Client Side
Windows XP, Windows Server 2003                                     | Windows Server 2008 / Windows Vista           | Always at TS Server Side
Windows Vista, Windows XP, Windows Server 2003, Windows Server 2008 | Windows XP, Windows Server 2003, Windows 2000 | Always at TS Server Side

The key to remember is that the “authenticate before connecting” behavior is only valid when both the client and server are using the new CredSSP in Windows Vista and Windows Server 2008.
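Whether the RDP 6.x client actually authenticates up front, and whether it verifies the server before handing over credentials, is controlled by a few settings in the .rdp connection file. The following Python script is an added example (not from the original post or the Microsoft article): it parses .rdp files and flags the settings that switch CredSSP off or allow a connection to a server whose identity could not be verified. The key names (`enablecredsspsupport`, `negotiate security layer`, `authentication level`) are the documented .rdp file settings; the sample files, the finding texts and the `parse_rdp`/`audit_rdp` function names are constructed for this example.

```python
"""Audit .rdp connection files for the client-side CredSSP settings.

Added example, not code from the original post. The key names are the
documented .rdp settings; the sample files below are constructed.
"""
import re

# .rdp lines look like  key:type:value  where type is 'i' (int) or 's' (string)
_LINE = re.compile(r"^(?P<key>[^:]+):(?P<type>[is]):(?P<val>.*)$")


def parse_rdp(text):
    """Parse 'key:type:value' lines into a dict; 'i' values become ints."""
    settings = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue  # skip blank or malformed lines
        key = m.group("key").strip().lower()
        val = m.group("val").strip()
        if m.group("type") == "i":
            try:
                val = int(val)
            except ValueError:
                pass  # keep the raw string if the int field is malformed
        settings[key] = val
    return settings


def audit_rdp(text):
    """Return {setting: problem} for settings that weaken frontside auth."""
    s = parse_rdp(text)
    findings = {}
    if s.get("enablecredsspsupport") == 0:
        findings["enablecredsspsupport"] = (
            "CredSSP disabled: credentials are prompted server-side, so the "
            "pre-authentication attack surface is not reduced")
    if s.get("negotiate security layer") == 0:
        findings["negotiate security layer"] = (
            "0 = legacy RDP security only; TLS/CredSSP negotiation is skipped")
    level = s.get("authentication level")
    if level == 0:
        findings["authentication level"] = (
            "0 = connect even if server authentication fails; credentials may "
            "be delegated to a host whose identity was never verified")
    elif level == 2:
        findings["authentication level"] = (
            "2 = warn on failed server authentication but allow the connection; "
            "the user can still click through to an unverified host")
    elif level is None:
        findings["authentication level"] = "not set; the client default applies"
    return findings


# Constructed sample files (hostnames/addresses are documentation values).
SAMPLE_HARDENED = """\
full address:s:ts01.example.test
enablecredsspsupport:i:1
negotiate security layer:i:1
authentication level:i:1
"""

SAMPLE_WEAK = """\
full address:s:192.0.2.10
enablecredsspsupport:i:0
negotiate security layer:i:1
authentication level:i:0
"""

if __name__ == "__main__":
    for name, sample in (("hardened", SAMPLE_HARDENED), ("weak", SAMPLE_WEAK)):
        print(f"{name}: {audit_rdp(sample) or 'no findings'}")
```

`authentication level:i:1` is the strict setting: the client refuses the connection outright when it cannot authenticate the server, which is the behavior you want when the server's identity is what stands between your credentials and a mistyped address.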

The second part of the article deals with Single Sign On (SSO). Windows Server 2008 Terminal Services “supports SSO for domain-joined servers to provide a better user experience by eliminating the need for users to enter credentials each time they initiate a remote session.” A couple of key things to note: for SSO to work, the client must be part of the same domain as the server. So, in the case of TS Web Access, this may not be the case and users will be prompted for credentials multiple times. Also, there are some additional steps necessary to configure SSO (the article steps you through them).


2 Responses to “RDP Frontside Authentication”

  1. Jason Conger Blog » Blog Archive » Load Balancing and Session Broker in Windows Server 2008 Terminal Services Says:

    March 16th, 2008 at 11:09 pm

    […] To learn more about CredSSP, check out how RDP Frontside Authentication works. […]

  2. Robert Says:

    May 14th, 2008 at 8:12 am

    So, tell me then, what happens if you fat finger the server ip address? And who hasn’t accidentally messed up a single octet of the ip? Doesn’t this then present your credentials to a machine that should not have them? And can’t that machine record those credentials?
