Welcome to Day Twenty-One. We're three weeks into our series and there are only six days left. Today's topics for discussion are Frontside Authentication and Single Sign-On (SSO) in the Terminal Services space. So, let's get started ...
Frontside Authentication is a new connection process in the Remote Desktop Connection (RDC) 6.x client: credentials are entered before the connection to a Windows Server 2008 Terminal Server is made. After you enter your credentials and initiate the connection, they are passed to the Terminal Server for authentication automatically. With this new behavior, you enter your credentials in the RDC client rather than at the Log on to Windows prompt that WINLOGON.EXE presents on the Terminal Server.
So what's the big deal, right? You still have to provide valid credentials to log on, so why did we make this change? The intent of Frontside Authentication in Terminal Services is to enhance usability and increase security by reducing the attack surface exposed to unauthenticated users. A new Security Support Provider (SSP) in Windows Server 2008, the Credential Security Support Provider (CredSSP), provides a more secure method for transferring credentials over the network before a Windows session is established. In previous versions of Windows Server, numerous session-specific components, such as CSRSS.EXE, USERINIT.EXE and WINLOGON.EXE, were already running for the new session while authentication was still in progress. Any remote client that could reach the Terminal Server got a session built for it before its credentials were checked, which exposed those key operating system components to pre-authentication attacks.
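As an added example (not part of the original post, and not Microsoft's own tooling), the following PowerShell audits whether a Terminal Server's RDP-Tcp listener actually requires front-side authentication, using the documented Win32_TSGeneralSetting WMI class, and optionally enforces it. The script name, the -Enforce switch and the assumption that the listener is the default RDP-Tcp are illustrative choices; the registry cross-check only works when run on the server itself.

```powershell
# Test-NlaRequired.ps1 (added example, not from the original post)
# Audits, and with -Enforce corrects, whether the RDP-Tcp listener requires
# Network Level (front-side) Authentication. Run elevated.
# Assumptions: default listener name 'RDP-Tcp'; the WMI provider is reachable.
param(
    [string]$ComputerName = '.',
    [switch]$Enforce
)

$ts = Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' `
                    -Class Win32_TSGeneralSetting `
                    -ComputerName $ComputerName `
                    -Filter "TerminalName='RDP-Tcp'"

# UserAuthenticationRequired: 0 = legacy logon (session built first, then the
#                                 WINLOGON prompt appears inside it)
#                             1 = NLA required (credentials verified before any
#                                 session exists on the server)
# SecurityLayer:              0 = RDP security layer, 1 = Negotiate, 2 = TLS
"{0}: UserAuthenticationRequired={1} SecurityLayer={2}" -f `
    $ComputerName, $ts.UserAuthenticationRequired, $ts.SecurityLayer

if ($ts.UserAuthenticationRequired -eq 1 -and $ts.SecurityLayer -ge 1) {
    'OK: front-side authentication is required on this listener.'
}
elseif ($Enforce) {
    # Require NLA and at least Negotiate, so a client cannot fall back to the
    # legacy security layer that skips the pre-session credential check.
    # Only RDC 6.x (CredSSP-capable) clients will be able to connect afterwards.
    [void]$ts.SetUserAuthenticationRequired(1)
    [void]$ts.SetSecurityLayer(1)
    'Enforced: NLA is now required; legacy RDC 5.x clients will be refused.'
}
else {
    'WARNING: legacy logon still allowed; a session is created before credentials are verified.'
}

# Local cross-check against the registry values the WMI provider writes
# (Get-ItemProperty reads the local registry, so this is meaningful only when
# $ComputerName is the local machine).
if ($ComputerName -eq '.') {
    $reg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    "Registry: UserAuthentication={0} SecurityLayer={1}" -f `
        $reg.UserAuthentication, $reg.SecurityLayer
}
```

Run it as `.\Test-NlaRequired.ps1` to audit, or `.\Test-NlaRequired.ps1 -Enforce` to switch the listener over. Because NLA refuses clients that cannot perform the front-side credential exchange, confirm that every client population (including any Windows XP or Server 2003 machines) has the RDC 6.x client installed before enforcing it on a production Terminal Server.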