6.2 Configuring Windows Login

Single sign-on supports both the classic Logon screen mode (left screen shot) and the Welcome screen mode (right screen shot). As long as a device is using one of these two modes, single sign-on works as soon as it is activated in the policy and the policy is applied to the device. Windows 7 is used in the example screen shots below, but Windows Vista and Windows XP also provide the classic Logon screen and Welcome screen modes.

Single sign-on also supports Secure Logon (shown below) in both of these modes. However, as with the standard Windows login process, the user must press Ctrl+Alt+Delete to dismiss the Secure Logon screen before the single sign-on process can continue.

If single sign-on is failing on a device, we recommend that you set the device to use the classic Logon screen without Secure Logon. In addition, we recommend that you set the Do Not Display Last User Name option to Enabled so that the Logon screen is not automatically populated with the user name of the last person to successfully log in.

To configure these settings locally on a Windows XP device:

  1. Log on to the device as an administrator.

  2. Set classic Logon screen mode:

    1. Click the Start menu, click Run, type gpedit.msc, then click OK to open the Local Group Policy Editor.

    2. In the editor, expand Local Computer Policy > Computer Configuration > Administrative Templates > System > Logon.

    3. Double-click Always Use Classic Logon.

    4. Select Enabled, then click OK.

  3. Disable Secure Logon:

    1. Click the Start menu, click Run, type control userpasswords2, then click OK to open the User Accounts dialog box.

    2. Click the Advanced tab.

    3. In the Secure logon section, deselect Require users to press Ctrl+Alt+Delete.

    4. Click OK.

  4. Enable the Do Not Display Last User Name setting:

    1. Click the Start menu, click Run, type secpol.msc, then click OK to open the Local Security Settings.

    2. Expand Local Policies > Security Options.

    3. Double-click Interactive logon: Do not display last user name.

    4. Select Enabled, then click OK.

To configure these settings locally on a Windows Vista or Windows 7 device:

  1. Log on to the device as an administrator.

  2. Set classic Logon screen mode:

    1. Click the Start menu, type gpedit.msc in the search box, then click OK to open the Local Group Policy Editor.

    2. In the editor, expand Local Computer Policy > Computer Configuration > Administrative Templates > System > Logon.

    3. Double-click Always Use Classic Logon.

    4. Select Enabled, then click OK.

  3. Disable Secure Logon:

    1. Click the Start menu, type netplwiz in the search box, then click OK to open the User Accounts dialog box.

    2. Click the Advanced tab.

    3. In the Secure logon section, deselect Require users to press Ctrl+Alt+Delete.

    4. Click OK.

  4. Enable the Do Not Display Last User Name setting:

    1. Click the Start menu, click Run, type secpol.msc, then click OK to open the Local Security Settings.

    2. Expand Local Policies > Security Options.

    3. Double-click Interactive logon: Do not display last user name.

    4. Select Enabled, then click OK.
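
To confirm that the three settings from the procedures above are in effect on a device, the following read-only check can be run from an elevated PowerShell prompt. It is an added example, not part of the original documentation; the registry paths and value names (LogonType, DisableCAD, DontDisplayLastUserName) are the standard locations assumed to back these settings and do not appear on this page.

```powershell
# Added example: audit the three logon settings configured in this section.
# Assumption: the settings are stored at the standard registry locations below.
$policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Setting name, locations to search (policy location first), value name, expected data.
$checks = @(
    @{ Name = 'Always Use Classic Logon';               Paths = @($policies);            Value = 'LogonType';               Expected = 0 },
    @{ Name = 'Secure Logon (Ctrl+Alt+Delete) disabled'; Paths = @($policies, $winlogon); Value = 'DisableCAD';              Expected = 1 },
    @{ Name = 'Do not display last user name';          Paths = @($policies);            Value = 'DontDisplayLastUserName'; Expected = 1 }
)

function Get-RegistryValue {
    param([string[]]$Paths, [string]$Value)
    # Return the data from the first location where the value exists.
    foreach ($path in $Paths) {
        $item = Get-ItemProperty -Path $path -Name $Value -ErrorAction SilentlyContinue
        if ($item -ne $null) { return $item.$Value }
    }
    return $null   # value is not set in any searched location
}

$results = foreach ($check in $checks) {
    $actual = Get-RegistryValue -Paths $check.Paths -Value $check.Value
    if ($actual -eq $null)                    { $state = 'NOT SET' }
    elseif ([int]$actual -eq $check.Expected) { $state = 'OK' }
    else                                      { $state = 'MISMATCH' }

    New-Object PSObject -Property @{
        Setting  = $check.Name
        Value    = $check.Value
        Expected = $check.Expected
        Actual   = $actual
        State    = $state
    }
}

$results | Select-Object Setting, Value, Expected, Actual, State | Format-Table -AutoSize

# A non-zero exit code lets a deployment or inventory tool flag the device.
$failed = @($results | Where-Object { $_.State -ne 'OK' })
if ($failed.Count -gt 0) { exit 1 }
```

A result of NOT SET means the value is absent, so the device is using the Windows default for that setting rather than the configuration recommended above.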