Remote Desktop won't remember credentials on Windows 7

    Question

  • I have a Terminal Server running Windows Server 2008 Standard SP1.  Domain controller is running Server 2008 SP2.  We want our users to be able to save credentials on the desktops to log in automatically.  On Windows XP, it works fine, on Windows 7 we get the error:

    Your credentials did not work: Your system administrator does not allow the use of saved credentials to log on to the remote computer x.y.com because its identity is not fully verified.  Please enter new credentials.

    The server is not configured to require saved credentials: Remote Desktop Configuration is set to not require credentials.  Domain Group Policy is set to not require credentials (Computer Config\Administrative templates\windows components\Terminal services\terminal server\security\Always prompt for password upon connection).  I've tested it on RDP 6.0 and 6.1 on XP machines and they work fine.  It doesn't work in Windows 7.  I followed the instructions from here:

    http://alinconstantin.blogspot.com/2007/08/terminal-service-client-not-using-saved.html

    Which I got from this technet post:

    http://social.technet.microsoft.com/Forums/en-US/itprovistasetup/thread/894b2a64-68c9-4b57-a65f-14d377e3a295

    But to no avail.  Since the server name doesn't match the FQDN, I've also tried installing the cert in Trusted Root, Intermediate Root and Third Party Root, but still get the error.  I've searched the internet but haven't been able to find anything.  Please let me know how to fix this.  Thanks

     

    Wednesday, April 13, 2011 8:51 PM

Answers

  • Yes, I've tried that and it doesn't work.  I am part of a different domain, but I don't believe that group policy is set from the domain.


    Do you mean you access the shared folder on Domain A from a domainB-joined client?

    What type of trust is created between the domains?

    You can refer to Best Practice for using security groups across forests in http://technet.microsoft.com/en-us/library/cc772808(WS.10).aspx

    Regards,

    Miya

     


    This posting is provided "AS IS" with no warranties, and confers no rights. | Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Monday, April 18, 2011 9:03 AM
    Moderator
  • The workstation I test from is on a completely different forest that's not connected in any way to the terminal server I'm connecting to.  However, when I test this from a windows 7 machine not attached to any domain, it works just fine.  There must be some GP setting I'm missing in the domain attached to my computer.  I'm checking with the client to see if they're attached to a domain.

    Friday, April 22, 2011 7:51 PM

All replies

  • Hi,

    Thanks for the post!

    Try the following steps:

    1. On your Windows 7 client, click Start, input gpedit.msc in search bar, press Enter.

    2. Navigate to Computer Configuration\Administrative Templates\System\Credentials Delegation.

    3. On the right pane, double click Allow Saved Credentials with NTLM-only Server Authentication.

    4. Click Enable. In the Show contents dialog box, click Add, type the name of remote computer(server) in this format: TERMSRV\<computername>, then click OK.

    Now check if it works.

    Regards,

    Miya


    • Proposed as answer by SConstantine Wednesday, September 26, 2012 7:36 PM
    Friday, April 15, 2011 9:02 AM
    Moderator
  • I ran into something similar a while back, and what I found in my situation was that Remote Desktop would not work using the machine name; authentication would fail. However, it worked as it should if I used the IP address.
    Friday, April 15, 2011 12:48 PM
  • Yes, I've tried that and it doesn't work.  I am part of a different domain, but I don't believe that group policy is set from the domain.
    Friday, April 15, 2011 8:27 PM
  • Sorry, let me be clear....

    Miya, I did make that change but it did not resolve the issue.  I also tried with the IP address and added the IP address to allowed servers, but it still prompts for my password.

    Friday, April 15, 2011 8:40 PM
  • Hi!

     

    I have the same problem....

    so what is the solution?

     

    Thanks,

    Aviv Hassidim

    Tuesday, June 21, 2011 7:11 PM
  • I have changed the default domain security policy and it works

    Sunday, July 31, 2011 1:26 PM
  • Thanks for the steps.  This worked for me.  I used the wildcard TERMSRV/* instead of specifying individual hosts.
    Thursday, March 29, 2012 2:52 PM
  • This issue is similar to mine.

    Single Physical Server running Windows Server 2008 R2 Standard 64bit.

    Configured as a DC and Terminal Server only. I have 6 Domain Accounts on the Server and the users login from 6 sites over the WAN using a mixture of Windows XP and Windows 7 Client machines - which are members of Windows Domains in their own LANs.

    The problem does only appear to affect Windows 7 Clients.

    I tried altering the settings Miya has suggested above, but it still does not allow me connect with the saved credentials.

    The error suggests a Server-side policy that is preventing the users connecting with the RDP clients and using saved credentials. The error message states it is to do with Identity Verification. So it stops and asks for the password again.

    It is important to resolve this asap, so if anybody can shed any more light on this I would really appreciate that.

    Thanks folks! :-)


    Richard

    Friday, March 01, 2013 4:00 PM
  • I have found that using the procedure described above by Miya does work for my scenario; however there is a minor mistake in steps 3 & 4.

    Original:

    1. On your Windows 7 client, click Start, input gpedit.msc in search bar, press Enter.

    2. Navigate to Computer Configuration\Administrative Templates\System\Credentials Delegation.

    3. On the right pane, double click Allow Saved Credentials with NTLM-only Server Authentication.

    4. Click Enable. In the Show contents dialog box, click Add, type the name of remote computer(server) in this format:TERMSRV\<computername>, then click OK.

    New:

    1. On your Windows 7 client, click Start, input gpedit.msc in search bar, press Enter.

    2. Navigate to Computer Configuration\Administrative Templates\System\Credentials Delegation.

    3. On the right pane, double click Allow Delegating Saved Credentials with NTLM-only Server Authentication.

    4. Click Enable. In the Show contents dialog box, click Add, type the name of remote computer(server) in this format:TERMSRV/<computername>, then click OK.

    NOTE THE DIRECTION OF THE SLASH CHARACTER - FORWARD SLASH, NOT BACKSLASH!

    I used "TERMSRV/*" to get it to work for my requirements.


    Richard

    • Proposed as answer by Archytype Friday, March 01, 2013 4:53 PM
    Friday, March 01, 2013 4:52 PM
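
Added example (not part of any post in this thread): a PowerShell check, run on the Windows 7 client, that reads the effective "Allow Delegating Saved Credentials with NTLM-only Server Authentication" policy from the registry, where both local and domain Group Policy results land, and classifies each server-list entry by the slash and wildcard points raised above. The function name Test-DelegationEntry is hypothetical.

```powershell
# Registry location where the Credentials Delegation policy is stored.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$name = 'AllowSavedCredentialsWhenNTLMOnly'

# Hypothetical helper: classify one entry from the policy's server list.
function Test-DelegationEntry {
    param([string]$Entry)
    if ($Entry -match '\\')            { return 'malformed: backslash, expected TERMSRV/<computername>' }
    if ($Entry -notmatch '^[^/]+/.+$') { return 'malformed: expected <service>/<host>' }
    if ($Entry -notmatch '^TERMSRV/')  { return 'not a Remote Desktop (TERMSRV) entry' }
    if ($Entry -eq 'TERMSRV/*')        { return 'ok, but matches every Remote Desktop server' }
    return 'ok'
}

# The DWORD with the policy's name is 1 when the setting is enabled.
$policy = Get-ItemProperty -Path $base -Name $name -ErrorAction SilentlyContinue
if (-not $policy -or $policy.$name -ne 1) {
    Write-Output "Policy '$name' is not enabled on this machine."
}
else {
    # The server list is stored as numbered values in a subkey of the same name.
    $listKey = Join-Path $base $name
    $entries = @()
    if (Test-Path $listKey) {
        $item = Get-Item -Path $listKey
        $entries = @($item.GetValueNames() | ForEach-Object { $item.GetValue($_) })
    }
    if ($entries.Count -eq 0) {
        Write-Output 'Policy is enabled, but the server list is empty.'
    }
    foreach ($e in $entries) {
        '{0,-40} {1}' -f $e, (Test-DelegationEntry $e)
    }
}
```

Run `gpupdate /force` before the check if the policy was just edited, so the registry reflects the current setting.
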
  • In my case the issue only happened when connecting to some of the terminal servers in the trusted domain. The root CA was installed in the Trusted Root CAs store of all clients. 

    It was due to the fact that RDP did not pick a certificate that was issued to the machine by a CA, but instead it picked an auto generated certificate.

    To change that you have to go to Administrative Tools/Remote Desktop Services/Remote Desktop Session Host Configuration. Right click on RDP-Tcp under Connections and select Properties. Under Certificate click on Select and select the correct certificate (Purpose: Proves your identity to a remote computer).

    Wednesday, April 03, 2013 1:34 PM
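
Added example (not part of the post above): a PowerShell check, run locally and elevated on the terminal server, that shows which certificate the RDP-Tcp listener is bound to and whether it is self-signed, which is the condition the post describes. It assumes PowerShell is available on the server and that the certificate is in the machine's Personal or Remote Desktop store.

```powershell
# Read the thumbprint of the certificate bound to the RDP-Tcp listener.
$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$thumb = $listener.SSLCertificateSHA1Hash

# CA-issued machine certificates normally sit in the Personal (My) store;
# the auto-generated one sits in the "Remote Desktop" store.
$stores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop'
$cert = Get-ChildItem -Path $stores -ErrorAction SilentlyContinue |
    Where-Object { $_.Thumbprint -eq $thumb } |
    Select-Object -First 1

if (-not $cert) {
    Write-Output "No certificate with thumbprint $thumb found in the checked stores."
}
else {
    # A certificate whose subject equals its issuer is self-signed, so clients
    # cannot chain it to the root CA they trust.
    New-Object PSObject -Property @{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
        Expired    = ($cert.NotAfter -lt (Get-Date))
    } | Format-List
}
```
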
  • Can anyone having this problem when attached to a domain confirm that their AD servers are running on server 2003 without the optional expanded GP settings patch?
    Thursday, April 11, 2013 9:28 PM

  • Been a very long time since I use Server 2003. That is now out of mainstream support and near the end of extended support.

    I have a VM with it and I can connect to it fine with remote desktop from my Windows 7 rig

    I maintain it for testing applications that need migration only


    Do you still have the problem with saved credentials to a remote terminal server on a different domain when the client on the originating domain's AD is running 2003 without the extended GP settings? I'd create a test environment, but I don't have the resources available at this time.

    Like the OP, I have no problem saving the credentials on an XP machine in our domain, it works fine in win7 when logged into a local account on the machine without domain authentication, but it still doesn't work when logged into a domain account. 

    I'm wondering if the problem might actually be that the extended settings in the GP are missing, since all the fixes listed here have not worked for me. I would like to see if anyone else still having the problem has a similar setup in their domain, if they even have access to that information. I'd patch it just to see if it would help, but I don't have the authority.

    Thursday, April 11, 2013 10:10 PM