KeyShield SSO can work with Terminal Server only if each session has a unique IP address. This is supported in Windows Server 2008 R2:

In Windows Server 2008, Terminal Server has a single IP address, which is shared among all TS users. This makes the Terminal Server experience different from that of regular desktops and introduces some application compatibility problems. In Windows Server 2008 R2, Remote Desktop Session Host server, formerly known as Terminal Server, supports per-session and per-program Remote Desktop IP Virtualization for Winsock applications. This essentially means assigning individual IP addresses to user sessions to avoid application incompatibility issues by simulating a single user desktop.