Even if it’s a bit off-topic, here’s some experience I’d like to share (mostly because I spent a lot of time finding this out myself).
The new Windows Server 2008 Terminal Services provides us with many new features and server roles, which I will not cover here. But working with them also adds new questions to the game.
I have been working on publishing a Terminal Service Gateway (TSGW) & Terminal Service Web Access (TSWA) with Microsoft ISA Server 2006.
Let's put the ISA server aside for a moment. When publishing TSWA using TSGW, the users are prompted to log in twice: once for the web access page, which provides users with a list of published applications, and a second time, when they connect to an application, to log in to the terminal server.
So I wanted to provide this service to the users with single sign-on (SSO), using ISA Server's SSO features together with forms-based authentication (also provided by ISA). When users access the URL of the TSWA, they would be authenticated through an HTML form rather than a Windows login dialog box, and would only be asked to supply login credentials once, with the ISA SSO passing the login credentials to the TSWA page and the Terminal Server.
Let me keep it short: this is not possible!
It works fine when it comes to the TSWA page. Logging on at the HTML login form (forms-based authentication, FBA) provides access to the list of published applications. But accessing any application on the terminal server will fail: users are prompted for credentials over and over again.
The reason is that ISA Server is not capable of providing SSO data for the TSGW and the Terminal Server, where the application is. ISA Server SSO is mostly for web page login, and not for Terminal Services. If SSO is enabled on the ISA server, the system is not able to let you authenticate directly (ISA Server intercepts the login request), and therefore users cannot log on to the application.
Knowing this, I would like to see some SSO features in Windows Server 2008 Terminal Services, or maybe it belongs to the ISA Server. But SSO for the new TS architecture is greatly missed.
Please don’t hesitate to post updates if you have found a way around this, or if the above is unclear in any way.