RDP/TS Single-sign-on with credentials delegation
I am currently investigating the "delegate default credentials" policy for
a TS connection (TS SSO) from a domain user.
The behaviour is that the user generates for itself a Kerberos ticket for
TERMSRV/tsserver.domain.local. Here it's OK.
But what is the actual essence of the following TS login? Will the client
pass down the ticket to the terminal server OR will it then use cleartext
login and password (say after this first place pre-authentication by using
Previous TS servers were able to accept only cleartext login and password
(inside the RDP/SSL tunnel certainly). So did this change?