Windows Server 2008 R2 logon screen with both smart card and username/password options

Question

I have a farm of Server 2008 R2 RD hosts that our staff connects to using HP ThinPro clients. Currently, we are using ThinPro 4.2. We would like to update to ThinPro 5.0, but we have run into a snag.

Currently, when a user connects to the RD host, ThinPro passes a username with no password to the host. The user is then presented with three options, login with the username (must supply password), select "Other User" to enter a different username/password, and "Insert Smart Card". This works well for us as different users use different thin clients all day long.

The problem with updating to ThinPro 5.0 is that when SingleSignOn is disabled (which removes an extraneous log in window with no editable fields), the username is not being passed on to Server 2008. This brings up the logon screen prompting for a username and password. Users have to click the "Switch User" button to get the smart card option. I have changed several settings in ThinPro, but no success.

Now I know how to use local security policies in Server 2008 R2 to enforce a "smart card only" logon option, but I have yet to figure out if I can get Server 2008 R2 to give me the logon screen with all options as a default. Has anyone else tried to do this and had any success?

Answer 1

Found a work-around. ThinPro 5.0 uses freeRDP. In the command registry, you can enter freeRDP command line arguments under the connection itself as follows:

1. Open X-Terminal.
2. Type regeditor and press enter.
3. Under the registry tab, click to expand the ConnectionType folder.
4. Click to expand the freerdp folder.
5. Click to expand the connections folder.
6. Click to expand the connection UUID you wish to modify.
7. Click on ExtraArgs.
8. Enter the freeRDP commands "-d:domain name -u:username" and press the Save button.

Now, when you open that connection, freeRDP will pass the domain name and username over to Server 2008 R2, but no password. So, you get the login screen with all three options available.

We use a dummy username to trigger the screen, but if one user uses that terminal frequently enough, you can place that user's username in the argument instead. That way all they need is their password.

This works well enough as you can clone the ThinPro settings and update all of the TCs with it. It is a pain to change the username, though, and I hope HP can find a way to make it easier to get that argument inserted.