Impossible love

Dedicated to the endless frustrations of trying to make these damn machines do what we want them to do...

Daniel Stolt's Blog

Let him who is without sin DirectCast the first Object.

How to Make Internet Explorer (And Others) Remember Username and Password

Categories: English | Windows

<UninterestingFluff>First of all, as if the following worn-down cliché had not been used enough times in the blogosphere already: I do apologize (mostly to myself) for not posting more in the months that have passed since I first created my blog. [Insert the usual excuse about being so busy with this and that and yada yada yada…] In all honesty, for every day I don’t get around to posting something, it feels more and more almost like I wasted all the time and effort that went into creating the design and setting everything up just the way I wanted it. Can’t have that. And I really do have a lot of stuff to post – in fact, I maintain an offline list of subjects I sooo badly want to blog about! I guess it’s been a classic case of a vicious circle – the longer I wait, the heavier the burden of getting caught up. Anyway, I’m going to make a serious attempt at breaking the circle now, so expect more frequent postings from here on out.</UninterestingFluff>

The Problem

Just to pick a random topic out of my great big pile, I decided to mark the beginning of this new and more active era with something that a lot of people around me always seem to struggle with: how to get Internet Explorer (and a number of other applications that also access HTTP servers using the WinInet API, such as Visual Studio Team Foundation Client) to remember your credentials (username and password) for sites that require authentication, and reuse them on subsequent accesses.

Below is the dreaded password prompt as it looks in Internet Explorer 8 on Windows 7:

[Screenshot: Windows Security dialog showing "Connecting to [URL]", a Password field, the "Remember my credentials" checkbox and "Use another account"]

As you’ve probably noticed, with the default settings, if the server you are accessing is not on the local LAN, you can check that “Remember my credentials” checkbox all you want – the password prompt is still going to pop up the next time you access the server in a new browser session.

So what’s going on? Well, in short, the default settings make sure that credentials are only saved and reused for URLs that are on the local LAN. This is for some sort of clever “security reasons” no doubt – because as we all know, it’s much more secure to force users to write down their passwords on sticky notes and attach them to their monitors, than to save those passwords in the heavily secured and encrypted protected storage of the user profile. Yeah. Seriously.

The Solution

Actually, there are two effective solutions to this problem, one of which I advocate more than the other:

  • The really easy (but in my opinion somewhat blunt and unnecessarily dangerous) approach is to make Windows save and reuse credentials for any URL within the Internet zone.
  • The slightly more demanding (but in my opinion considerably safer) approach is to add specific sites for which you want Windows to remember credentials to the Trusted Sites zone and make Windows save and reuse credentials for that zone only.

I’m going to show you how to accomplish the latter (if you really want to do the former I’m sure you can figure it out). Here’s how you do it:

  1. Go to Control Panel and open Internet Options.
     
  2. Go to the Security tab, select Trusted Sites and click Custom Level:

    [Screenshot: Internet Properties dialog, Security tab, Trusted sites selected, Custom level button]
     
  3. Scroll to the bottom of the options list and in the category User Authentication –> Logon, select Automatic logon with current user name and password:

    [Screenshot: Security Settings - Trusted Sites Zone dialog, User Authentication, Logon, "Automatic logon with current user name and password" selected]
     
  4. Click OK, and then click Sites.
     
  5. Uncheck the Require server verification (https:) for all sites in this zone checkbox, and then add the sites for which you want credentials to be saved and reused to the list of sites for this zone with both HTTP and HTTPS schemes:

    [Screenshot: Trusted sites dialog with "Add this website to the zone", the Websites list and the "Require server verification (https:) for all sites in this zone" checkbox]
     
  6. Click Close and then click OK.

That’s it. Hopefully, next time you access one of the configured URLs either by browsing to them via Internet Explorer or connecting to them by some other means through an application that uses WinInet for HTTP connectivity under the hood, the credentials prompt will not appear. Screen shots are from Internet Explorer 8 on Windows 7, but the steps should be identical all the way back to Internet Explorer 6 on Windows XP.
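The result of steps 2 to 5 can be checked from the registry. The PowerShell below is an added example, not from the original post: it reads the current user's Trusted Sites zone (zone 2), reports the logon mode and the https requirement, and lists the sites mapped to the zone over plain HTTP, the case step 5 enables. It assumes the settings were made per user through the dialog (not pushed by policy) and covers only `ZoneMap\Domains` entries; the function name is hypothetical.

```powershell
# Added example: read-only audit of the current user's Trusted Sites zone (zone 2).
# Get-TrustedZoneLogonAudit is a hypothetical helper name, not a built-in cmdlet.
function Get-TrustedZoneLogonAudit {
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $zone = Get-ItemProperty -Path "$base\Zones\2" -ErrorAction SilentlyContinue

    # Value 1A00 stores the "User Authentication -> Logon" choice from step 3.
    $modes = @{
        0x00000 = 'Automatic logon with current user name and password'
        0x10000 = 'Prompt for user name and password'
        0x20000 = 'Automatic logon only in Intranet zone'
        0x30000 = 'Anonymous logon'
    }
    $mode = 'not set for this user'
    if ($zone -and $null -ne $zone.'1A00') { $mode = $modes[[int]$zone.'1A00'] }

    # Each key under ZoneMap\Domains is a domain (subkeys are subdomains); each
    # value name is a scheme (http, https, *) and the DWORD is the zone number.
    $sites = Get-ChildItem -Path "$base\ZoneMap\Domains" -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_
            [string[]]$labels = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9) -split '\\'
            [array]::Reverse($labels)          # "example.com\www" -> www.example.com
            foreach ($scheme in $key.GetValueNames()) {
                if ($key.GetValue($scheme) -eq 2) {
                    [pscustomobject]@{
                        Site      = $labels -join '.'
                        Scheme    = $scheme
                        PlainHttp = $scheme -in 'http', '*'   # '*' covers every scheme
                    }
                }
            }
        }

    [pscustomobject]@{
        LogonMode     = $mode
        # Flags bit 0x4 is the "Require server verification (https:)" checkbox.
        HttpsRequired = [bool]($zone.Flags -band 0x4)
        Sites         = @($sites)
    }
}

$audit = Get-TrustedZoneLogonAudit
$audit | Format-List LogonMode, HttpsRequired
$audit.Sites | Sort-Object Site | Format-Table -AutoSize
```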

How To Enable Use of Saved Credentials with Remote Desktop to Almost Fully Authenticated Machines

Categories: English | Windows

I use Remote Desktop a lot, and being able to save Remote Desktop shortcuts to specific machines as well as save the credentials to connect with is a very handy feature that saves a lot of time. However, sometimes when trying to connect to a remote machine with saved credentials, the following message would appear (username obscured for obscure reasons):

[Screenshot: Windows Security dialog]

Just to make sure this ends up in the indexes out there, the full message is:

Your credentials did not work

Your system administrator does not allow the use of saved credentials to log on to the remote computer [computer name] because its identity is not fully verified. Please enter new credentials.

This happens whenever Kerberos cannot be used as the authentication protocol, which includes (but may not be limited to) the following situations:

  • Connecting to a machine in another domain and the appropriate trust relationships to perform cross-domain authentication do not exist
  • Connecting to a machine in the same domain but without connectivity to a domain controller

Windows reverts to using NTLM, and by default the group policy for domain machines prohibits the use of default or saved credentials when using this older authentication protocol. However, unless this policy has been manually configured at the enterprise level it can easily be changed on an individual machine using the Group Policy Editor.

  1. Hit Start –> Run and type “gpedit.msc”.
     
  2. Navigate to Local Computer Policy –> Computer Configuration –> Administrative Templates –> System –> Credentials Delegation.

    [Screenshot: Local Group Policy Editor window]
     
  3. Double click the policy “Allow Delegating Default Credentials with NTLM-only Server Authentication”.
     
  4. Set the policy to “Enabled”.

    [Screenshot: Edit Policy dialog]
     
  5. Click the Show button and enter the string “TERMSRV/*” into the list. You can also be more specific here in case you don’t want to allow the use of saved credentials with all remote machines but rather just a select few.

    [Screenshot: Show Contents dialog]
     
  6. Click OK twice to close the policy.
     
  7. Repeat steps 3 – 6 for the following policies:
    • “Allow Delegating Default Credentials”
    • “Allow Delegating Saved Credentials with NTLM-only Server Authentication”
    • “Allow Delegating Saved Credentials”

That should be it, hopefully no more of that annoying dialog. I have used this on Windows Vista and Windows 7 Beta 1. The same procedure should apply to Windows XP as well (if this policy change is needed on XP at all – I don’t recall ever having to jump through these hoops pre-Vista), but I have not tested it so the details may vary.
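To see what the four policies from steps 3 to 7 currently allow on a machine, the read-only PowerShell below reads the registry key where the Credentials Delegation policies are stored and marks server lists that contain a wildcard such as `TERMSRV/*`, as opposed to the more specific entries step 5 mentions. It is an added example, not from the original post, and the function name is hypothetical.

```powershell
# Added example: read-only report of the four Credentials Delegation policies.
# Get-CredentialDelegationAudit is a hypothetical helper name, not a built-in cmdlet.
function Get-CredentialDelegationAudit {
    $root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

    # Registry value name -> policy title as shown in the Group Policy Editor.
    $policies = [ordered]@{
        AllowDefaultCredentials           = 'Allow Delegating Default Credentials'
        AllowDefCredentialsWhenNTLMOnly   = 'Allow Delegating Default Credentials with NTLM-only Server Authentication'
        AllowSavedCredentials             = 'Allow Delegating Saved Credentials'
        AllowSavedCredentialsWhenNTLMOnly = 'Allow Delegating Saved Credentials with NTLM-only Server Authentication'
    }

    # The DWORD named after the policy is 1 when it is Enabled; the subkey of the
    # same name holds the server list entered through the Show button.
    $flags = Get-ItemProperty -Path $root -ErrorAction SilentlyContinue
    foreach ($name in $policies.Keys) {
        $spns = @()
        $list = Get-Item -Path "$root\$name" -ErrorAction SilentlyContinue
        if ($list) {
            $spns = @($list.GetValueNames() | ForEach-Object { $list.GetValue($_) })
        }
        [pscustomobject]@{
            Policy   = $policies[$name]
            Enabled  = ($flags.$name -eq 1)
            Servers  = $spns -join ', '
            Wildcard = [bool]($spns -match '\*')   # true for entries like TERMSRV/*
        }
    }
}

Get-CredentialDelegationAudit | Format-Table -AutoSize -Wrap
```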
