Configuring the KeyShield SSO for Use with Windows Terminal Server

When using KeyShield SSO on a Windows Terminal Server, the required configuration depends on whether IP-based authentication is used.

Scenario 1: IP-Based Authentication

If authentication is based on the client IP address, each Terminal Server session must have a unique IP address.
This requires server-side IP virtualization, which is supported on Windows Server 2008 R2 and later.

KeyShield SSO Client (on the Windows Terminal Server):

  • In this case the client runs in the default IP mode (ipMode = 0).
  • No additional client-side settings are required.

Scenario 2: Non-IP-Based Authentication

When deploying the KeyShield SSO client on a Windows Terminal Server in a mode without IP authentication, special configuration is required to prevent the error message “IP virtualization is not enabled” from appearing.

This issue arises because multiple user sessions may appear to originate from the same IP address (due to NAT or session-based networking). To ensure proper functionality, follow these steps:

KeyShield SSO Client Configuration (kshield.cfg file)

  • On the Terminal Server, edit the local configuration file of the KeyShield client and set:

            ipMode = 1

This setting forces the client to report a non-unique IP address to the server. It is necessary for environments where multiple sessions share a single IP address (e.g., via NAT or virtualized networking).

KeyShield SSO Server Configuration – Client interfaces

On the server side, in the configuration of the client interface used by Terminal Server clients:

  • Set the option:
    “Non-unique IPs (e.g. NAT)” to Allow

This allows the server to accept connections from clients that report non-unique IP addresses.

For optimal reliability and security, use a dedicated client interface for Terminal Server connections.
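As an added check for both scenarios above (example code, not KeyShield's own tooling), the following PowerShell function reads kshield.cfg on the Terminal Server, verifies that ipMode matches the selected scenario and can correct it. It assumes the file uses one "key = value" per line as shown above; the config path is a placeholder for wherever the client is installed.

```powershell
# Added example, not KeyShield's own tooling: check that ipMode in kshield.cfg
# matches the chosen Terminal Server scenario and optionally correct it.
# Assumptions (not from the page): one "key = value" per line; the default
# path below is a placeholder for wherever the client is installed.
function Test-KeyShieldIpMode {
    param(
        [string] $ConfigPath = 'C:\PLACEHOLDER\KeyShield\kshield.cfg',
        # Scenario 1 (IP-based auth, server-side IP virtualization) expects 0;
        # Scenario 2 (no IP auth, sessions share one IP behind NAT) expects 1.
        [switch] $IpBasedAuthentication,
        [switch] $Fix
    )
    $expected = if ($IpBasedAuthentication) { 0 } else { 1 }
    if (-not (Test-Path -LiteralPath $ConfigPath)) {
        throw "kshield.cfg not found at '$ConfigPath'"
    }
    $lines   = @(Get-Content -LiteralPath $ConfigPath)
    $pattern = '^(\s*ipMode\s*=\s*)(\d+)(\s*)$'
    $hits    = @($lines | Where-Object { $_ -match $pattern })

    if ($hits.Count -gt 1) {
        # Several ipMode lines make the effective value ambiguous; resolve by hand.
        Write-Warning "ipMode appears $($hits.Count) times in $ConfigPath"
        return $false
    }
    $current = $null
    if ($hits.Count -eq 1) {
        $current = [int]([regex]::Match($hits[0], $pattern).Groups[2].Value)
    }
    if ($current -eq $expected) {
        Write-Host "OK: ipMode = $current matches the selected scenario"
        return $true
    }
    $shown = if ($null -eq $current) { 'missing' } else { $current }
    Write-Warning "ipMode is $shown, expected $expected"
    if (-not $Fix) { return $false }

    if ($null -eq $current) {
        $lines += "ipMode = $expected"   # setting absent: append it
    } else {
        # Rewrite only the value, keeping the original spacing around "="
        $lines = $lines | ForEach-Object { $_ -replace $pattern, "`${1}$expected`$3" }
    }
    Set-Content -LiteralPath $ConfigPath -Value $lines
    Write-Host "Updated $ConfigPath with ipMode = $expected"
    return $true
}

# Scenario 2 check on this Terminal Server; add -Fix to rewrite the file,
# or -IpBasedAuthentication to check a Scenario 1 deployment instead.
Test-KeyShieldIpMode -ConfigPath 'C:\PLACEHOLDER\KeyShield\kshield.cfg'
```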