Share via

RDS FARM onWindows Server 2025

Cloudy 306 Reputation points
2026-05-05T14:18:05.8966667+00:00

Hi all !

Anybody here managed to make SSO on RDS works ? Device guard credential disabled, following GPO (wk19/22 method) applied :

User's image

But user prompted for credential when using RD GATEWAY...:(

Is it possible to have RDS/SSO working with Windows Server 2025 ? no documentation on how to enable it exists...

Thanks a lot for help !

User's image

Windows for business | Windows Server | Directory services | Other
0 comments

Answer accepted by question author

VPHAN 34,150 Reputation points Independent Advisor
2026-05-05T15:18:22.9066667+00:00

Hi Cloudy,

The Windows Security prompt in your second screenshot reveals the reason your Single Sign-On is failing. The authentication dialogue shows the domain as your local client machine name rather than your actual Active Directory environment. This indicates your system is attempting to pass a local machine account token instead of a valid domain credential to the remote server. For Remote Desktop Single Sign-On to function properly via Kerberos, the Local Security Authority on your client must obtain a Ticket Granting Ticket from your domain controller during your initial Windows login. You need to ensure you are logged into your physical client desktop using your domain credentials so the system can seamlessly delegate that specific token to your RDS environment.

Your Group Policy configuration for delegating default credentials under the Computer Configuration, Administrative Templates, System, and Credentials Delegation path is perfectly configured for your target servers. Furthermore, you were correct to disable Remote Credential Guard, as this feature explicitly blocks the type of credential delegation required when brokering connections through an RD Gateway. Since your policies are already in place, simply joining this client to the domain if it is not already and authenticating your initial desktop session against your Active Directory will allow the Kerberos handoff to succeed without prompting you for a password when launching RemoteApps on Windows Server 2025.

Hope this answer brought you some useful information. If it did, please hit “accept answer”. Should you have any questions, feel free to leave a comment.

VPHAN

Was this answer helpful?

1 person found this answer helpful.

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. VPHAN 34,150 Reputation points Independent Advisor
    2026-05-05T16:38:20.3333333+00:00

    Cloudy

    your third image isolates the root cause of the ongoing issue. Despite your earlier configuration attempts to disable it, the prompt explicitly states that Windows Defender Credential Guard is still actively running on your client machine. Starting with recent Windows 11 builds, this feature is enabled by default and utilizes virtualization-based security to intentionally block the CredSSP delegation required for your Single Sign-On to function, regardless of your other Group Policy settings.

    To resolve this and allow your domain credentials to pass through the RD Gateway, you must ensure Credential Guard is completely disabled at the system level on the client machine connecting to the RDS environment. You can enforce this by navigating to the local Group Policy Editor under Computer Configuration, Administrative Templates, System, and Device Guard. Locate the Turn on Virtualization Based Security policy and ensure the Credential Guard Configuration drop-down is set to Disabled. Alternatively, you can open the Registry Editor and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, creating or modifying the DWORD value named LsaCfgFlags and setting its value data to 0. Because Credential Guard initializes before the operating system kernel loads, you must perform a full reboot of the client machine for these changes to take effect and for the SSO token delegation to succeed.

    VPHAN

    Was this answer helpful?

  2. AI answer

    2026-05-05T14:18:31.0433333+00:00

    RDS single sign-on continues to work on Windows Server 2025, but only in the configurations that are explicitly supported. For Web SSO through RD Gateway, the supported configuration is unchanged from earlier versions and must be followed exactly.

    For Web SSO with the built-in Remote Desktop Connection client on Windows:

    1. Connect to RD Web using Internet Explorer Mode in Microsoft Edge.
    2. On the server side, ensure all of the following are configured (no other combinations are supported):
      • RD Web is configured for form-based authentication (default).
      • RD Gateway is configured for password authentication (default).
      • In the RDS deployment properties for the RD Gateway, Use RD Gateway credentials for remote computers is enabled (default).

    If any of these are changed (for example, non-password auth on the gateway, or different RD Web auth), SSO is not supported and users will be prompted for credentials when going through RD Gateway.

    Remote Credential Guard and Credential Guard introduce additional limitations:

    • Remote Credential Guard is not supported for connections that use RD Connection Broker or RD Gateway; it is only supported for direct RDP connections. Using it with a brokered or gateway connection can cause authentication failures or additional prompts.
    • Credential Guard affects only direct connections and is not supported with RD Connection Broker or RD Gateway in the RDS context.

    Therefore, for an RDS farm behind RD Gateway on Windows Server 2025:

    • Use the supported Web SSO configuration above.
    • Do not rely on Remote Credential Guard for brokered/gateway connections.
    • If Credential Guard is enabled and causing SSO issues for network services that use password-based protocols, either move to more secure delegation methods (such as Kerberos constrained delegation where applicable) or disable Credential Guard, understanding the security trade-off.

    There is currently no additional or different SSO configuration documented specifically for Windows Server 2025; the existing RDS Web SSO requirements remain the only supported path.

    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.