Your network contains an Active Directory domain named adatum.com. You publish a RemoteApp
named WebApp5. The Remote Desktop Connection (.rdp) file for WebApp5 is unsigned. When a user
named User5 runs WebApp5 from the Remote Desktop Web Access (RD Web Access) website, Users
is prompted for credentials. You need to prevent users from being prompted for credentials when
they run WebApp5. What should you do?

A.
Enable form-based authentication for the Remote Desktop Web Access Website.

B.
Enable the Assign a default domain for logon Group Policy setting.

C.
Modify the Authentication Settings for the RDWeb virtual directory.

D.
Enable the Allow Delegating Default credentials Group Policy setting.

E.
Configure the SSL Settings for the RDWeb virtual directory.

Explanation:
When applied to Terminal Services, Single Sign-On means using the credentials of the currently
logged on user (also called default credentials) to log on to a remote computer. If you use the same
user name and password logging on to your local computer and connecting to a Terminal Server,
enabling Single Sign-On will allow you to do it seamlessly, without having to type in your password
again. Locally logged on credentials are used for connecting to TS Web Access, however, they cannot
be shared across TS Web Access and TS or TS Gateway. Thus you will need to enable the Group
Policy settings described below in order to use locally logged on credentials for TS or TS Gateway
connections. How to enable Single Sign-On?
Single sign-On can be enabled using domain or local group policy.
1. Log on to your local machine as an administrator.
2. Start Group Policy Editor – “gpedit.msc”.
3. Navigate to “Computer Configuration\Administrative Templates\System\Credentials Delegation”.

4. Double-click the “Allow Delegating Default Credentials” policy.
5. Enable the policy and then click on the “Show” button to get to the server list.

6. Add “TERMSRV/<Your server name>” to the server list. You can add one or more server names.
Using one wildcard (*) in a name is allowed. For example to enable Single Sign-On to all servers in

“MyDomain.com” you can type “TERMSRV/*.MyDomain.com”. (Notice the “Concatenate OS defaults
with input above” checkbox on the picture above. When this checkbox is selected your servers are
added to the list of servers enabled by OS by default. For Single Sign-On this default list is empty, so
the checkbox has no effect.)

7. Confirm the changes by clicking on the “OK” button until you return back to the main Group Policy
Object Editor dialog.
8. At a command prompt, run “gpupdate” to force the policy to be refreshed immediately on the
local machine.
9. Once the policy is enabled you will not be asked for credentials when connecting to the specified
servers.
http://blogs.msdn.com/b/rds/archive/2007/04/19/how-to-enable-single-sign-on-for-my-terminalserverconnections.aspx