When you connect to a Windows terminal server, you are asked to provide your credentials twice.


This behavior is caused by the way RDS load balancing works. The crucial point to understand is that the terminal server does not communicate with the session broker directly.

Instead, the scenario is the following:

  1. The client connects to terminal server 1 and authenticates with terminal server 1. This is the first time the user is asked for their credentials.
  2. Since we have a load balancing setup, terminal server 1 will talk to the session broker and ask if the client can use terminal server 1 or if it should be redirected to a different terminal server.
  3. If redirection occurs, the client will also have to authenticate with the terminal server the client was redirected to (terminal server 2 in the figure below). This is the second time the user is asked for their credentials.



The issue can be resolved by activating Kerberos/Active Directory authentication. For further information, see Active Directory/Kerberos.