You cannot do that. FirePOWER would only be able to learn about the last user who logged into the terminal server and implement the policy accordingly. As of now we don't support it. I have filed an enhancement request, CSCuw60492, to add a different approach to it.
Thanks for this information. I will contact my Cisco accounts.
There is a new feature in 6.0.1 called "Captive Portal and Active Authentication":
In order to provide better visibility in mapping users to IP addresses and their associated network events, the Captive Portal and Active Authentication feature can be configured to require users to enter their credentials when prompted through a browser window. The mapping also allows policies to be based on a user or group of users. This feature supplements the existing Sourcefire User Agent (SUA) integration with Active Directory to address non-Windows environments, BYOD users, and guests.
I think this could be a way to get the user information even if they connected to a terminal server. The user has to authenticate each session; this is not convenient, but it works.
What do you think?