Credential Security Service Provider and SSO for Terminal Services Logon
Updated: February 27, 2008
Authentication protocols are implemented in Windows by security service providers. Windows Vista introduces a new authentication package called the Credential Security Service Provider, or CredSSP, that provides a single sign-on (SSO) user experience when starting new Terminal Services sessions. CredSSP enables applications to delegate users' credentials from the client computer (by using the client-side security service provider) to the target server (through the server-side security service provider) based on client policies. CredSSP policies are configured via Group Policy, and delegation of credentials is turned off by default.
Like the Kerberos authentication protocol, CredSSP can delegate credentials from the client to the server, but it does so by using a completely different mechanism and with different usability and security characteristics. With CredSSP, when policy specifies that credentials should be delegated, users are prompted for credentials (unlike Kerberos delegation), which means the user has some control over whether the delegation occurs and, more importantly, which credentials are used. With Kerberos delegation, only the user's Active Directory® credentials can be delegated.
Unlike the experience in Windows Server® 2003 Terminal Server, the credential prompt is on the client computer and not the server. Most importantly, the client credential prompt is on the secure desktop. Therefore, not even the Terminal Services client can see the credentials, which is an important Common Criteria requirement. Furthermore, the credentials obtained from the prompt will not be delegated until the server identity is authenticated (subject to policy configuration). Finally, the terminal server will not establish a session for the user (which consumes a significant amount of memory and CPU processing time on the server) before authenticating the client, which decreases the chances of successful denial-of-service attacks on the server.
This feature requires the Terminal Services client to run on Windows Vista or Windows Server 2008 and for Terminal Services to be hosted on a server that runs Windows Server 2008.
CredSSP policies, and by extension the SSO functionality they provide to Terminal Services, are configured via Group Policy. Use the Local Group Policy Editor to navigate to Local Computer Policy\Computer Configuration\Administrative Templates\System\Credentials Delegation, and enable one or more of the policy options.
When credential delegation is enabled, the terminal server will receive the user credentials in plaintext form, which can introduce risk to the network environment if the servers are not well secured. An organization that wants to achieve this functionality should plan carefully for its deployment and ensure that an effective security program for the servers is in place beforehand.
In addition, a few of the policy settings might increase or decrease the risk. For example, the Allow Default Credentials with NTLM-only Server Authentication and Allow Fresh Credentials with NTLM-only Server Authentication policy settings remove the requirement that the Kerberos authentication protocol be used for authentication between the client and server. If a computer requires NTLM and either of these settings is enabled, NTLM is used and communication succeeds, but at a higher security risk. The Kerberos protocol provides significant additional security in this scenario because it provides mutual authentication, that is, positive authentication of the server to the client. This functionality is important because users should be protected from delegating their plaintext credentials to an attacker who might have taken control of a network session.
Before enabling the NTLM-only policies, network administrators should first ensure that NTLM authentication is necessary in the scenario that they need to support.
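The following PowerShell script is an added example, not part of the original article, for auditing which Credentials Delegation settings Group Policy has applied on a computer and flagging the NTLM-only ones described above. It assumes the policy is stored under the registry key `HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation`, with one DWORD value per setting and a subkey of the same name listing the target server SPNs; those names are assumptions drawn from how the policy is commonly stored, not from the article.

```powershell
# Added example (not from the original article). The key, value and subkey names
# below are assumptions about how the Credentials Delegation policy is stored.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

# Policy value name, its Group Policy display name, and whether it drops the
# Kerberos (mutual authentication) requirement for the server.
$settings = @(
    @{ Value = 'AllowDefaultCredentials';             Name = 'Allow Default Credentials';                                      NtlmOnly = $false }
    @{ Value = 'AllowFreshCredentials';               Name = 'Allow Fresh Credentials';                                        NtlmOnly = $false }
    @{ Value = 'AllowDefaultCredentialsWhenNTLMOnly'; Name = 'Allow Default Credentials with NTLM-only Server Authentication'; NtlmOnly = $true }
    @{ Value = 'AllowFreshCredentialsWhenNTLMOnly';   Name = 'Allow Fresh Credentials with NTLM-only Server Authentication';   NtlmOnly = $true }
)

function Get-CredSspDelegationPolicy {
    if (-not (Test-Path $policyKey)) {
        Write-Output 'No Credentials Delegation policy is configured; delegation is off (the default).'
        return
    }
    $key = Get-ItemProperty -Path $policyKey
    foreach ($s in $settings) {
        # A setting is enabled when its DWORD value exists and is 1.
        $enabled = ($null -ne $key.PSObject.Properties[$s.Value]) -and ($key.($s.Value) -eq 1)
        if (-not $enabled) { continue }

        # The subkey of the same name holds numbered entries ("1", "2", ...) whose
        # values are the server SPNs the setting applies to, e.g. TERMSRV/*.
        $targets = @()
        $subKey = Join-Path $policyKey $s.Value
        if (Test-Path $subKey) {
            $targets = (Get-ItemProperty -Path $subKey).PSObject.Properties |
                Where-Object { $_.Name -match '^\d+$' } |
                ForEach-Object { $_.Value }
        }

        $note = if ($s.NtlmOnly) {
            'HIGHER RISK: server may authenticate with NTLM; Kerberos mutual authentication not required'
        } else {
            'Kerberos authentication of the server required before delegation'
        }
        [pscustomobject]@{ Setting = $s.Name; Targets = ($targets -join ', '); Note = $note }
    }
}

Get-CredSspDelegationPolicy | Format-Table -AutoSize -Wrap
```

Run it on a terminal server client after Group Policy has applied; any row marked HIGHER RISK corresponds to one of the NTLM-only settings the article recommends enabling only where NTLM is actually necessary.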