11.2.  Single Sign-On

11.2.1.  Information

ThinLinc provides Single Sign-On functionality into the Windows Remote Desktop Server using either password or smart card authentication. It is required that your ThinLinc servers are integrated with your Windows infrastructure so that user authentication shares the same source on both Windows and ThinLinc.

If the requirements mentioned above are met, Single Sign-On works out of the box, with one exception regarding smart card and CredSSP, which is documented in the following section.

11.2.2.  Smart card

If your Windows Remote Desktop Server is configured to allow only the CredSSP authentication level, ThinLinc needs to know the provider name of your smart card Crypto Service Provider (CSP). The provider name is configured per application server group and is added to the rdesktop_args configuration value, as in the example below. See Section 14.2.4, “Parameters in /appservergroups/” for more information.

rdesktop_args=-o sc-csp-name="CSP Provider Name",

To obtain the provider name of your Crypto Service Provider (CSP), make sure that your smart card drivers are installed on your Windows server. Open regedit and find the registry key HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider. This key contains a list of the CSPs registered with the system. Find the provider that matches your smart card and use its key name as the CSP Provider Name.
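
The same lookup can be scripted on the Windows server instead of browsing with regedit. The PowerShell below is an added example, not part of the ThinLinc documentation; the function names Get-CspProvider and Format-ScCspOption are hypothetical, and it assumes each provider subkey carries the usual "Type" and "Image Path" values, which help match an entry to the installed smart card driver.

```powershell
# Added example (not from the ThinLinc documentation).
# Lists the CSPs registered under the key named above so that the exact
# key name can be copied into the sc-csp-name option.
$ProviderRoot = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider'

function Get-CspProvider {
    param(
        # Optional substring to narrow the list, e.g. part of the vendor name.
        [string]$NameFilter = ''
    )
    Get-ChildItem -Path $ProviderRoot -ErrorAction Stop |
        Where-Object { $_.PSChildName -like "*$NameFilter*" } |
        ForEach-Object {
            [pscustomobject]@{
                Name      = $_.PSChildName              # value for sc-csp-name
                Type      = $_.GetValue('Type')         # provider type number
                ImagePath = $_.GetValue('Image Path')   # module implementing the CSP
            }
        }
}

function Format-ScCspOption {
    param([Parameter(Mandatory)][string]$CspName)
    # The name is placed inside double quotes in the configuration value,
    # so a name containing a double quote cannot be represented safely.
    if ($CspName -match '"') {
        throw "CSP name contains a double quote: $CspName"
    }
    '-o sc-csp-name="{0}"' -f $CspName
}

# Show every registered provider, then the option text for each one.
$providers = @(Get-CspProvider)
$providers | Format-Table -AutoSize
$providers | ForEach-Object { Format-ScCspOption -CspName $_.Name }
```

Copy the option line for the provider whose ImagePath belongs to your smart card driver into rdesktop_args for the application server group.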