Thursday, August 16, 2007

Terminal Service client not using saved credentials

I had this problem for quite a while now, and it finally bothered me enough to go and search for a solution...

I use TS client to connect with smartcard from my home Vista machine to various machines at work through a Terminal Services Gateway.

When I'm connecting to Windows 2003 or Longhorn machines I am only required to input my smartcard pin and this is enough to authenticate me. However, when connecting to my alinc02 Vista machine, things are not that smooth. On this machine, TS asks my smartcard pin, after that it fails with the following message: "Your credentials did not work. Your system administrator does not allow the use of saved credentials to log on to the remote computer because its identity is not fully verified. Please enter new credentials."

'Your credentials did not work. Your system administrator does not allow the use of saved credentials to log on to the remote computer' error message

Of course, after typing my domain user and password the connection succeeded, but why was this dialog necessary?

I've searched the net for the exact error message but I could not find a solution. So I ended up asking the experts...

It turned out that my issue was described in this article from Terminal Services Team Blog, under Scenario 1 (Problems using saved credentials with Vista RDP clients - Connecting from home to a TS server through a TS Gateway server). There was also a solution proposed, too. However, since I was connecting to a Vista machine, I could not use the recommended solution (tsconfig.msc is only available on servers and I could not get to work on my Vista machine the applet copied from a Longhorn machine).

Fortunately there is a solution by altering the TS settings on the client side (this solution is not as secure as using certificates on server for server authentication).
In Vista, the Credential Security Support Provider protocol (CredSSP) adds a couple of group policy settings that are described in detail in MSDN CredSSP group policy settings page.

What I needed to do was:

1. Log on to your local machine as an administrator.
2. Start Group Policy Editor - "gpedit.msc" and accept the UAC prompt.
3. Navigate to "Computer Configuration\Administrative Templates\System\Credentials Delegation".
4. Double-click the "Allow Saved Credentials with NTLM-only Server Authentication" policy.
5. Enable the policy and then click on the "Show" button to get to the server list.
6. Add "TERMSRV/" to the server list, in my case TERMSRV/alinc02.redmond.corp.microsoft.com. Using one wildcard (*) in a name is allowed. For example to enable the setting on all servers in "microsoft.com" domain you can type "TERMSRV/*.microsoft.com".
7. Confirm the changes by clicking on the "OK" button until you return back to the main Group Policy Object Editor dialog.
8. At a command prompt, run "gpupdate" to force the policy to be refreshed immediately on the local machine (although this changed for me after a while)

Modify the 'Allow Saved Credentials with NTLM-only Server Authentication' TS Client group policy

With this policy enabled, the login to my alinc02 machine now requires only the smartcard pin, same as the other machines.

(I was told that if I'm not an admin then I may need to set in the rdp file
enablecredsspsupport:i:0, but this was not necessary in my case - setting it just got rid of the error message and replaced it with a regular Vista logon prompt)

Since we're speaking of group policies, it worth mentioning another setting here, "Allow Delegating Default Credentials", which helps making TS connections to a remote server (in the same domain) without being prompted at all for credentials (current Windows user's credentials are used for the remote server). For more information on this see Mahadev Alladi's blog article which inspired the settings in my case, too.

28 comments:

Tony said...

DUDE. This just totally saved my bacon today.

Googling on the text of the error message led me to a forum where you posted a link to this blog entry, saying that no one understood the issue.

*You* understood, and this solution totally worked for me.

Note: To get it to work, I had to add three entries:

TERMSRV/*
TERMSRV/*.mycompany.com
TERMSRV/*.com

But then suddenly my logins stopped pestering me.

THANK YOU!!!

Anonymous said...

THANKS!!!!!!!!!

Anonymous said...

Thank you so much for this!!!

Anonymous said...

Great tip! Many thanks

Johnny said...

I just wanted to say thank you Alin for your most helpful blog-entry on resolving the "can not store credentials" issue on Vista.
It helped me resolve this issue.

Anonymous said...

THANK YOU!!

k|dFrY said...

It WORKED! Thanks for the info. I've been working on this problem all morning/afternoon. Your solution did the job! Many thanks once again!

Len said...

Excellent tip - thank you!

Anonymous said...

Thanks for actually knowing what you're talking about. This has saved me who even knows how much time!

><>

Mike said...

Thanks for the assist. I really appciate the info.

Julio C said...

I had the same problem with my Server 2008 R2 and Windows 7 workstations network. Thanks Alin. It was driving me insane!

Tinus Trotyl said...

And it works for Windows 7 too...

Jim said...

Yes, this is a real gem. I maintain many VMs up in a vCenter blade on a private virtual network switch that are accessible only through a firewall/proxy that runs on Linux. My desktop is now Windows 7 (love it) and this credential issue over Remote Desktop has been a frustration.

I'm able to use the workaround you outline (with TERMSRV/* setting) to get to a Win 2008 R2 server now for the first time. Assume other types of desktop-VM combinations will work also.

Thanks so much for writing this down!

Emanuel Gaspar said...

Thank you so so much! This has been an issue for about 2 weeks now, and being a productive freak, I always got frustrated by not having RDC "just work". You deserve a cold one today!

Anonymous said...

Multumesc. Am scapat de tastat. Merge super

Dave said...

Again, thanks from me.

Different behaviour when RDPing to W2k3 and W2k8 was a little tough to figure out, but this made sense and worked well for me.

Love it when someone eloquently solves a problem you're having.

Cheers!

niteskunk said...

WORKED!

Please note, people, this DOES sometimes take a little to kick in. Give it a few hours and try it.

Thanks, man. Big help.

Anonymous said...

Thanks so much, I've been wanting to solve this for months!

Anonymous said...

THANKS!!!!!!!!!

Anonymous said...

Thanks, great article, solved my problem

Anonymous said...

yes!

Anonymous said...

Awesome... after typing my password, or, worse, having to dig back and forth finding the correct service account password - finally, the fix. Thanks!

Anonymous said...

THANKS, MAN!

Misha said...

Thanks. It worked also for connection from 7 Ultimate to Server 2008 R2 Enterprise.

Djamel Abderrahim said...

Aline & Tony thank you both for the whole solution[Aline] + the tip of 3 entries[Tony].. this solution worked fine for me.. im using Windows 7 Pro and i was trying to save credential for win 2008 R2.... really guys you are the best

Andrew Dawson said...

Has anyone managed to get this to work using IP addresses rather than hostnames? I've got to the point where I can save my credentials to hostnames, but not to IP addresses, which seems like extremely weird behaviour indeed. Is there something I've missed?

Anonymous said...

Thanks very much! I found other tutorials about the gpedit navigation, but this one explained adding the server names to the list of approved servers.

Wally L

Pulakesh Mahanta said...

Same issue with me, but in may case solution is not working. My scenario is just like this

1. I'm using Remote Desktops Microsoft Corporation Version: 6.1.7601.17514 on my Windows 7 Machine
2. I need to access few of my desktop & server from my machine.
3. OS of desktop & server are Windows 7, Server 2008 & Server 2003.
4. I can save all the credential for 2003 server but not for 2008 server & windows 7.

5. I tried your solution for both machine on my system from where I need access & on client/server which access I need. but it does not work.

Any other solution please, it is irritating to put user name & password each time.