Environment
NSL6.1
SecureLogin installed on both workstation and terminal server
Single Sign On is desired for Citrix published applications
Single Sign On is desired for web app and Windows apps launched from workstation
Situation
SecureLogin logs user in when mstsc.exe is launched
User wants to NOT have SecureLogin attempt to log in to the Remote Desktop
Resolution
Workaround is to break the virtual channel by removing or renaming one of the virtual channel pieces from the registry or file system. This can be done on either the server side or the workstation side. For a diagram of the virtual channel see tid 3149664 at
By removing one of the virtual channel pieces, passthrough authentication will fail.
The following examples will break the virtual channel:
On a Citrix Server:
- Break the GINA chain to sl_tsgina by changing the value of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CtxGinaDLL from sl_tsgina to msgina.
- Remove the following registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ProtocomPassthroughDll
On a plain Terminal Server:
- Break the GINA chain to sl_tsgina by changing the value of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL from sl_tsgina to msgina.
On the workstation:
- Remove HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default\AddIns\tsslsso
- Rename vdslsson.dll, found in the Citrix installation directory.
Alternatively, if breaking the virtual channel pass-through support as described above is not desirable, an administrator who wishes to connect to a terminal session from a user's workstation can temporarily disable SecureLogin through the system tray icon menu prior to making the connection. This will prevent the administrator's credentials from being written back into the user's data store. Remember to re-enable SecureLogin after the connection.
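To confirm which of the virtual channel pieces named above are still in place on a given machine, the following read-only PowerShell check reports each registry value and file. It is an added example, not part of the original article or the product. The -CitrixDir parameter and the helper function names are assumptions, since the article does not give the Citrix installation path.

```powershell
param(
    # Assumption: Citrix installation directory on the workstation (the article gives no path).
    [string]$CitrixDir = ''
)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$addIn    = 'HKCU:\Software\Microsoft\Terminal Server Client\Default\AddIns\tsslsso'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
}

function New-Row([string]$Side, [string]$Piece, [string]$State, [bool]$InPlace) {
    New-Object psobject -Property @{ Side = $Side; Piece = $Piece; State = $State; PieceInPlace = $InPlace }
}

$rows = @()

# Server side: a GINA value that still names sl_tsgina means the chain is intact.
foreach ($name in 'CtxGinaDLL', 'GinaDLL') {
    $value = Get-RegValue $winlogon $name
    $state = if ($value) { [string]$value } else { '(not set)' }
    $rows += New-Row 'Server' $name $state ($value -like '*sl_tsgina*')
}

# Citrix server only: the pass-through DLL registration.
$pp = Get-RegValue $winlogon 'ProtocomPassthroughDll'
$state = if ($pp) { [string]$pp } else { '(removed)' }
$rows += New-Row 'Server (Citrix)' 'ProtocomPassthroughDll' $state ([bool]$pp)

# Workstation side: the RDP client add-in key for the current user.
$hasAddIn = Test-Path $addIn
$state = if ($hasAddIn) { 'present' } else { '(removed)' }
$rows += New-Row 'Workstation' 'AddIns\tsslsso' $state $hasAddIn

# Workstation side: the Citrix virtual channel DLL, checked only when a directory is supplied.
if ($CitrixDir) {
    $hasDll = Test-Path (Join-Path $CitrixDir 'vdslsson.dll')
    $state = if ($hasDll) { 'present' } else { '(renamed or missing)' }
    $rows += New-Row 'Workstation' 'vdslsson.dll' $state $hasDll
}

# PieceInPlace = False on any row for the relevant side means the virtual channel is broken there.
$rows | Select-Object Side, Piece, State, PieceInPlace | Format-Table -AutoSize
```

The HKEY_CURRENT_USER check applies to the account running the script, so run it as the workstation user whose credential store is of concern.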
Additional Information
SecureLogin needs to be installed on the terminal server in order to have single sign on for Citrix Published applications.
SecureLogin needs to be installed on the workstations in order to have single sign on for Windows apps and web apps launched from the workstation.
When installed on both workstation and server, passthrough authentication happens by default.
Steps to duplicate:
- Open "Manage Logins" on a workstation and verify that there is no credential set for the domain or Citrix server listed under logins.
- Launch mstsc.exe and connect to a Citrix server.
- A SecureLogin dialog will flash briefly.
- Look in Manage Logins again. A login will have been created for the domain or Citrix server, containing the credentials entered.
Use case: administrators establish an RDP connection to a Citrix server from another user's workstation. The administrator's credentials for the Citrix server will be written to the other user's credential store.