Channel: Remote Desktop Services (Terminal Services) Forumu

RDP, RDS2012, VDI, session persistence, ***with kiosk style Enterprise SSO and autologin***


Hi,

In the sector I work in, I see a very common "legacy" use case: an autologin client / Thin PC has a locked-down desktop and stores no persistent user data locally, but it is used in conjunction with an ESSO authenticator client which manages AD login via smart card, prox card, biometrics etc. This provides a secondary login layer separate from Winlogon, a bit like the old Novell Client.

When an enterprise SSO user authenticates at this "second layer", it effectively creates a secure password vault locally for the new user, so that when they load up locally installed apps, even non-Windows integrated apps, enterprise SSO can log them in automatically.

In healthcare this typically means that a consultant can go to any machine and, at the tap of a prox card, swipe of a fingerprint, even a glance at a web camera, whatever - as long as the enterprise SSO solution supports it - he/she has access to his/her existing applications WITHOUT ANY MORE PROMPTING AND WITHOUT ANY UNDUE DELAY. With VDI of course this is even quicker; the secondary layer simply connects to and disconnects from an RDP session.

And all he/she needs to do to secure their virtual desktop is take a smart card away, swipe the fingerprint reader again, or even in the web camera example just walk out of camera shot. The entire point of this exercise (which I've been seeing gaining traction for the past 8 years) is to keep the remote session as secure as possible without imposing any "faff" or login delay on the client end.

VMware View Client, Citrix ICA Client, Quest vWorkspace, other third-party RDP clients, and even very old versions of Terminal Services Client are all aware of this use case, and they all provide the enterprise SSO solution with the means to assert "disconnect any other VDI session that's running as someone else, then connect to this VDI session as this user".

How can we do this with RDP and RDS2012 + VDI?

I've tried in vain to get RDS2012 RDP to work as silently as any of the above alternatives, but the only way I've been able to do it is by downloading some stress-testing RDP client stuff from MSDN which allows you to submit credentials to it via script! The actual client we NEED to use for this doesn't seem to allow that kind of automation.

I should add, at this point I'm working at a location where Microsoft themselves are championing the roaming desktop, and I'm stuck in the odd position of having the sales people demonstrate the whole thing working seamlessly without any delays, effectively by logging several users into the same PC in advance of a demo, then repeatedly connecting and disconnecting and invoking "switch users". It looks great right up to the point where the customer says "Great! Now let's see how long it takes Mr I'm Not Already Logged Into This PC to get to his virtual desktop".

At which point we then end up demonstrating a >20 second full logon process that achieves nothing except a long wait for the user, who then has to click on a button, OK some popups, click "sign in as another user"... WHAT A FAFF.
