Error message when you try to connect to a terminal server using a Windows Server 2008-based computer that has the Single Sign-on functionality enabled: "The logon attempt failed"


Symptoms

You are using a Windows Server 2008-based computer that has the Single Sign-on functionality enabled. When you try to connect to a terminal server that has Windows Vista Remote Desktop Protocol (RDP) clients that use the default credentials, you experience one of the following symptoms.

Symptom 1

When you try to connect to a terminal server that is hosted behind a corporate firewall by using a Terminal Services (TS) Gateway server, the terminal server client does not have direct connectivity to the key distribution center that is hosted on a domain controller behind the corporate firewall. Therefore, the server authentication that uses the Kerberos protocol fails. Additionally, you receive the following error message:
The logon attempt failed

Symptom 2

When you try to connect to a stand-alone computer, you receive the following error message:
The logon attempt failed

Symptom 3

When you try to connect to a terminal server farm, you notice that the farm names do not have accounts in Active Directory. Therefore, the Kerberos-based server authentication fails. Additionally, you receive the following error message:
The logon attempt failed.


Cause

This problem occurs because the Windows Vista Credential Delegation policy does not allow the Windows Vista RDP client to send default credentials to a terminal server when the terminal server is not authenticated. By default, the Windows Vista RDP clients use the Kerberos protocol for server authentication. They do not use SSL server certificates. By default, the default credentials do not work if the SSL server certificates are not deployed.


Resolution

Resolution for Symptom 1 and Symptom 2

To resolve the problems that are explained in Symptom 1 and Symptom 2, follow these steps:
  1. Use SSL certificates that are issued by a trusted certification authority, and put the server name in the subject field. This is required to enable server authentication.
  2. Install the SSL certificates to all the servers that require server authentication.

Resolution for Symptom 3

To resolve the problem that is explained in Symptom 3, follow these steps:
  1. Use SSL certificates that are issued by a trusted certification authority, and put the farm name in the subject field. This is required to enable server authentication in a server farm.
  2. Install the SSL certificates on all the servers that are available in the farm.


More information

To set the SSL certificate for a connection, follow these steps:
  1. Click Start, click Run, type tsconfig.msc, and then click OK.
  2. Double-click the RDP-Tcp connection object.
  3. On the General tab, click Select.
  4. Select the certificate that you want to assign to the connection, and then click OK.
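
To confirm the result of these steps, the following added example (not part of the original KB article) reads the certificate assigned to the RDP-Tcp connection and checks the properties the Resolution section requires: the subject name, the trust chain, and the presence of a private key. It assumes PowerShell is installed on the terminal server; `farm.example.com` is a placeholder for the server or farm name that clients connect to.

```powershell
# Added example, not from the KB article.
# Placeholder: the server name or farm name that users type into the RDP client.
$ConnectName = 'farm.example.com'

# Thumbprint of the certificate assigned to the RDP-Tcp connection (the value set in tsconfig.msc).
$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$thumb = $listener.SSLCertificateSHA1Hash

# Look the certificate up in the computer's Personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert) {
    Write-Warning "No certificate with thumbprint '$thumb' was found in LocalMachine\My."
    return
}

# 1. The subject must carry the name that clients connect to (server name or farm name).
$nameType    = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$subjectName = $cert.GetNameInfo($nameType, $false)     # $false = subject, not issuer
$nameMatches = ($subjectName -eq $ConnectName)          # -eq ignores case for strings

# 2. The certificate must chain to a trusted certification authority.
#    $true = evaluate against the machine context rather than the current user.
$chain       = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
$trusted     = $chain.Build($cert)
$chainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

# 3. The server needs the private key to present the certificate.
$hasKey = $cert.HasPrivateKey

"Listener thumbprint : $thumb"
"Subject name        : $subjectName (expected $ConnectName), match: $nameMatches"
"Chain trusted       : $trusted $chainErrors"
"Private key present : $hasKey"
"Validity            : $($cert.NotBefore) to $($cert.NotAfter)"

if (-not ($nameMatches -and $trusted -and $hasKey)) {
    Write-Warning 'Server authentication is likely to fail for clients that use default credentials.'
}
```

The chain check here reflects the trust store of the server; the RDP clients must also trust the issuing certification authority, so repeat the chain check on a client computer with an exported copy of the certificate.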


Keywords: KB954397, kbprb, kberrmsg, kbtshoot, kbexpertiseadvanced

Article Info
Article ID : 954397
Revision : 1
Created on : 7/3/2008
Published on : 7/3/2008