Impossible love

Dedicated to the endless frustrations of trying to make these damn machines do what we want them to do...

Daniel Stolt's Blog

Let him who is without sin DirectCast the first Object.

How To Enable Use of Saved Credentials with Remote Desktop to Almost Fully Authenticated Machines

Categories: English | Windows

I use Remote Desktop a lot, and being able to save Remote Desktop shortcuts to specific machines as well as save the credentials to connect with is a very handy feature that saves a lot of time. However, sometimes when trying to connect to a remote machine with saved credentials, the following message would appear (username obscured for obscure reasons):

Windows Security Dialog

Just to make sure this ends up in the indexes out there, the full message is:

Your credentials did not work

Your system administrator does not allow the use of saved credentials to log on to the remote computer [computer name] because its identity is not fully verified. Please enter new credentials.

This happens whenever Kerberos cannot be used as the authentication protocol, which includes (but may not be limited to) the following situations:

  • Connecting to a machine in another domain and the appropriate trust relationships to perform cross-domain authentication do not exist
  • Connecting to a machine in the same domain but without connectivity to a domain controller

Windows falls back to NTLM, and by default the group policy for domain machines prohibits the use of default or saved credentials with this older protocol, because NTLM does not verify the identity of the remote server the way Kerberos does, so the client cannot be sure who it would be handing the credentials to. However, unless this policy has been configured centrally at the enterprise level, it can easily be changed on an individual machine using the Group Policy Editor.

  1. Hit Start –> Run and type “gpedit.msc”.
     
  2. Navigate to Local Computer Policy –> Computer Configuration –> Administrative Templates –> System –> Credentials Delegation.

    Local Group Policy Editor Window
     
  3. Double click the policy “Allow Delegating Default Credentials with NTLM-only Server Authentication”.
     
  4. Set the policy to “Enabled”.

    Edit Policy Dialog
     
  5. Click the Show button and enter the string “TERMSRV/*” into the list. You can also be more specific here in case you don’t want to allow the use of saved credentials with all remote machines but rather just a select few.

    Show Contents Dialog
     
  6. Click OK twice to close the policy.
     
  7. Repeat steps 3 – 6 for the following policies:
    • “Allow Delegating Default Credentials”
    • “Allow Delegating Saved Credentials with NTLM-only Server Authentication”
    • “Allow Delegating Saved Credentials”

That should be it, hopefully no more of that annoying dialog. I have used this on Windows Vista and Windows 7 Beta 1. The same procedure should apply to Windows XP as well (if this policy change is needed on XP at all – I don’t recall ever having to jump through these hoops pre-Vista), but I have not tested it so the details may vary.
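The same four policies from steps 3 – 7 can be set and audited from an elevated PowerShell prompt instead of clicking through gpedit. This is an added example, not code from the original post; it assumes the registry value names that the CredSsp.admx template maps these policies to, and it defaults to the post's TERMSRV/* but lets you pass specific hosts, which limits which NTLM-only (unverified) servers your saved credentials are ever released to.

```powershell
# Added example: configure/audit the Credentials Delegation policies via their
# registry backing store. Assumption: value names below follow CredSsp.admx.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

# Policy display name -> (enable DWORD, "concatenate with OS defaults" DWORD)
$Policies = @{
    'Allow Delegating Default Credentials'                            = @('AllowDefaultCredentials',             'ConcatenateDefaults_AllowDefault')
    'Allow Delegating Default Credentials with NTLM-only Server Auth' = @('AllowDefaultCredentialsWhenNTLMOnly', 'ConcatenateDefaults_AllowDefNTLMOnly')
    'Allow Delegating Saved Credentials'                              = @('AllowSavedCredentials',               'ConcatenateDefaults_AllowSaved')
    'Allow Delegating Saved Credentials with NTLM-only Server Auth'   = @('AllowSavedCredentialsWhenNTLMOnly',   'ConcatenateDefaults_AllowSavedNTLMOnly')
}

function Set-RdpCredentialDelegation {
    # $Spn defaults to the post's wildcard; pass e.g. 'TERMSRV/host.corp.example' instead.
    param([string[]]$Spn = @('TERMSRV/*'))
    New-Item -Path $Base -Force | Out-Null
    foreach ($entry in $Policies.Values) {
        $enable, $concat = $entry
        New-ItemProperty -Path $Base -Name $enable -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $Base -Name $concat -PropertyType DWord -Value 1 -Force | Out-Null
        # The SPN list (the "Show" dialog in step 5) is a subkey of the same name,
        # holding string values named "1", "2", ... one per SPN.
        $listKey = Join-Path $Base $enable
        New-Item -Path $listKey -Force | Out-Null
        for ($i = 0; $i -lt $Spn.Count; $i++) {
            New-ItemProperty -Path $listKey -Name ($i + 1) -PropertyType String -Value $Spn[$i] -Force | Out-Null
        }
    }
}

function Get-RdpCredentialDelegation {
    # Audit: report each policy's state and SPN list, and flag wildcard SPNs on the
    # NTLM-only policies, since those release credentials to servers whose identity
    # was never verified.
    foreach ($name in $Policies.Keys) {
        $enable  = $Policies[$name][0]
        $enabled = (Get-ItemProperty -Path $Base -Name $enable -ErrorAction SilentlyContinue).$enable -eq 1
        $listKey = Join-Path $Base $enable
        $spns = @()
        if (Test-Path $listKey) {
            $spns = @((Get-ItemProperty -Path $listKey).PSObject.Properties |
                Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value })
        }
        $risky = $enabled -and ($enable -like '*NTLMOnly') -and [bool]($spns -match '\*')
        [pscustomobject]@{ Policy = $name; Enabled = $enabled; Spns = ($spns -join ', '); WildcardNtlmOnly = $risky }
    }
}

Get-RdpCredentialDelegation | Format-Table -AutoSize
```

Run `Set-RdpCredentialDelegation -Spn 'TERMSRV/host1.corp.example','TERMSRV/host2.corp.example'` to apply the post's change scoped to named hosts, then rerun the audit to confirm nothing shows WildcardNtlmOnly = True.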
