Username "hint" bug

    Question

  • Due to the performance increases in RDP6, I decided to switch to it.  Probably not one of my better ideas, because now I'm haunted with what appears to be an obvious programming error somewhere in the client portion.

    Reproducing this bug is very simple.  Client is a Windows XP machine running RDP6 build 6.00.6000, server is a Windows XP machine running RDP6 build 6.00.6000:

    * Launch Remote Desktop Client, and connect to a hostname (ex. foo.bar.com)

    * Put in your credentials (the Client asks for this beforehand, as I'm sure you all know); ex. username: bob, password: (doesn't matter)

    * Authentication is successful, you're now logged into the remote box.

    * Log out (click [X], or whatever other means you desire)

    * Launch Remote Desktop Client, and pull down the foo.bar.com host entry and connect to the host.

    * Client asks for your credentials.  It's apparently tried to be smart, and has changed the previously entered username from "foo" to foo.bar.com\bob.

    * Put in your password and connect.  Authentication is successful, you're now logged in.

    * Again, log out (click [X], whatever).

    * Once more, launch Remote Desktop Client, and pull down the foo.bar.com host entry and connect to the host.

    * Client asks for your credentials.  This time, it's done something absolutely retarded: it's changed foo.bar.com\bob to bob@foo.bar.com -- and yes, you read that right.

    If you use a RDP shortcut, you'll run into the same problem as well.  EnableCredSSPSupport:i:0 does not fix this problem either.

    The problem appears to directly relate to the registry entries under HKCU\Software\Microsoft\Terminal Server Client\UsernameHint.  During each connection phase above, you can actually watch the registry get changed by the RDP6 client.  Key foo.bar.com value "bob" gets changed to "foo.bar.com\bob", then the third time to bob@foo.bar.com.

    This behaviour is seriously flawed.  I don't know what piece of code in the client is doing this, but it's obviously broken.  A new build needs to be posted to fix this.  Please, Microsoft folk, DO NOT "cache" stuff like this, nor try to perform any "smart" optimisation logic to username syntaxes.  I realise you want hostname\username, which is fine, but whatever code is changing this to username@hostname is seriously busted.

     

    Tuesday, December 05, 2006 3:36 PM
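
An added example, not part of the original post: a PowerShell check that lists the current user's cached RDP username hints and classifies each as bare, down-level (DOMAIN\user) or UPN (user@domain), flagging entries where the host name ended up as the domain part. It assumes each hint is stored as a value named after the host under the UsernameHint key, as the post's wording suggests; the function names are hypothetical.

```powershell
# Registry key named in the post (per-user, so run as the affected user).
$HintKey = 'HKCU:\Software\Microsoft\Terminal Server Client\UsernameHint'

function Get-HintFormat {
    param([string]$Server, [string]$Hint)
    $domain = $null
    if ($Hint -match '^(?<domain>[^\\@]+)\\(?<user>[^\\]+)$') {
        $format = 'down-level'          # DOMAIN\user
        $domain = $Matches['domain']
    }
    elseif ($Hint -match '^(?<user>[^\\@]+)@(?<domain>[^\\@]+)$') {
        $format = 'UPN'                 # user@domain
        $domain = $Matches['domain']
    }
    else {
        $format = 'bare'                # user only
    }
    [pscustomobject]@{
        Server           = $Server
        Hint             = $Hint
        Format           = $format
        # Symptom described in the post: the host name used as the domain part.
        HostUsedAsDomain = ($null -ne $domain -and $domain -ieq $Server)
    }
}

function Get-RdpUsernameHint {
    # Assumption: one value per host, value name = host, value data = cached user name.
    param([string]$Path = $HintKey)
    if (-not (Test-Path -Path $Path)) { return }
    $key = Get-Item -Path $Path
    foreach ($name in $key.GetValueNames()) {
        if ($name) { Get-HintFormat -Server $name -Hint ([string]$key.GetValue($name)) }
    }
}

# Constructed sample: the three states the post reports for host foo.bar.com.
'bob', 'foo.bar.com\bob', 'bob@foo.bar.com' |
    ForEach-Object { Get-HintFormat -Server 'foo.bar.com' -Hint $_ } |
    Format-Table -AutoSize

# Live values for the current user (no output if nothing is cached).
Get-RdpUsernameHint | Format-Table -AutoSize
```
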

Answers

  • We are aware of these issues.  The username hint bug is a known issue that will be fixed in future builds.

    We have no ETA yet.

    Thanks for your patience and feedback.

    Alex Balcanqual

    Friday, January 12, 2007 12:27 AM
    Moderator
  •  Terabyte.net wrote:

    Alex,


    It's been 2+ months.  When will MS release an updated version of the RDP 6 client that fixes oh so many of its problems? 

     

    I am unclear precisely which behaviours you are talking about.  I think you are complaining about being prompted for passwords when you have saved them?  If so do you have always prompt for password enabled on your terminal server? - if so please turn it off, this setting is quite pointless yet the cause for many double prompts.

     

    We have clearly stated that we do NOT recommend using the EnableCredSSP:i:0 as this will leave the system less secure when using Vista / Windows Server 2008 host machines

     

    Asking users to remember usernames is not a security hole in any way whatsoever - usernames should always be considered a known fact, moreover the user can save their password and username on Vista after first entry - removing the need to enter it every time.  Given that the user has to enter their password at least once no matter it is no more of an issue to enter the username at the same time.  It is good practice to always ensure that a username and password combo is entered (and never just password alone) so that the user is sure which username they are supplying the password to.  To be clear there should be no reason when using Vista that the user be prompted every time.

     

    Please refer to the following blog post for information on what we are doing http://blogs.msdn.com/ts/archive/2007/03/28/ts-connection-experience-improvements-based-on-rdp-6-0-client-customer-feedback.aspx and why.

     

    The fixes described in the blog post will be in place for Windows 2008 Server RTM - in fact if you use Windows Server 2008 you can see how the changes behave today

    I don't have any news at this time on when the updated client will be available for Vista RTM or Downlevel clients like XP and 2003.

     

    Alex

    Tuesday, June 19, 2007 2:11 AM
    Moderator

All replies

  •  Jeremy Chadwick wrote:

    If you use a RDP shortcut, you'll run into the same problem as well.  EnableCredSSPSupport:i:0 does not fix this problem either.

    I should explain what I mean by "EnableCredSSPSupport:i:0 does not fix this problem either."

    If you set EnableCredSSPSupport:i:0 in default.rdp or any of your RDP shortcuts, you'll simply disable the client-side authentication box that appears.  You'll be asked for authentication once connected to the remote system.

    EnableCredSSPSupport:i:0 also causes the RDP6 client to not bother adding/changing entries in HKCU\Software\Microsoft\Terminal Server Client\UsernameHint.  So, in a way, EnableCredSSPSupport:i:0 is a "workaround" for this problem.

    Thus, it seems the client-side authentication "stuff" that's being done before the RDP connection is established is really what's to blame here.  It took me literally under 2 minutes after installing RDP6 to find this bug (simply by using the software!).  How is it an *entire team* of developers at Microsoft did not catch this?  :-)

    Tuesday, December 05, 2006 4:14 PM
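
An added example, not part of the original thread: a PowerShell audit that parses .rdp files and reports the ones carrying `enablecredsspsupport:i:0`, the setting discussed in the post above. The function names, the default search root and the sample files are assumptions made for illustration.

```powershell
function Get-RdpFileSetting {
    param([Parameter(Mandatory)][string]$Path)
    $settings = @{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        # .rdp lines have the form name:type:value, e.g. enablecredsspsupport:i:0
        if ($line -match '^\s*(?<name>[^:]+):(?<type>[a-z]):(?<value>.*)$') {
            $name = $Matches['name'].Trim().ToLowerInvariant()
            $settings[$name] = $Matches['value'].Trim()
        }
    }
    $settings
}

function Find-CredSspDisabled {
    # Assumption: shortcuts live somewhere under the user's profile.
    param([string]$Root = $env:USERPROFILE)
    Get-ChildItem -Path $Root -Filter *.rdp -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $s = Get-RdpFileSetting -Path $_.FullName
            if ($s['enablecredsspsupport'] -eq '0') {
                [pscustomobject]@{
                    File        = $_.FullName
                    FullAddress = $s['full address']
                }
            }
        }
}

# Constructed sample files in a temp directory so the script runs offline.
$dir = Join-Path ([IO.Path]::GetTempPath()) 'rdp-audit-sample'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -Path (Join-Path $dir 'credssp-off.rdp') `
    -Value 'full address:s:foo.bar.com', 'enablecredsspsupport:i:0'
Set-Content -Path (Join-Path $dir 'unchanged.rdp') `
    -Value 'full address:s:foo.bar.com'

# Only credssp-off.rdp is reported.
Find-CredSspDisabled -Root $dir | Format-Table -AutoSize
```
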
  • Good question. The problem I'm currently having is similar, I can put in the server, domain, etc. into an RDP file and when I run:

    mstsc "profile.rdp" /f

    Nothing works (server, domain, etc.). Even though this worked just fine before. I'm still trying to figure out why promptforcredentials isn't removing that annoying prompt ahead of time? Maybe some of your customers really don't mind the small extra-overhead that comes with establishing a TS session with the box.

    Thursday, January 11, 2007 2:30 PM
  • Alex,


    It's been 2+ months.  When will MS release an updated version of the RDP 6 client that fixes oh so many of its problems?  I've had to go as far as to install the 5.2 client on all our Vista systems and to carry it on a USB key to "fix" customer systems where this absolutely ridiculous and poorly tested RDP client has been installed.  The problems are numerous enough in fact that we opened a SRX case on it.  It's wasting our time and $ every time we have to use it and it creates HUGE security holes by FORCING users to remember usernames.  Its insistence on checking the remote TS and then whining when it doesn't know what it is is getting VERY old, and asking us to add enablecredsspsupport:i:0 to hundreds upon hundreds of .rdp files is so totally out of line it's not even funny.  It’s time for MS to admit that it made some royal mistakes with the 6.0 client and immediately release a 6.1 client with the following:

     

    1)     The ability to set a group policy at a 2003 Domain Controller to disable credential caching;

    2)     The ability to set a registry entry to stop asking for credentials before connecting to a remote machine;

    3)     The ability for the RDP client to actually connect with the RIGHT domain when reconnecting.

     

    Until then we need a policy we can deploy like the IE7 policy to prevent the RDP 6 client from getting installed or even offered by Microsoft Update.

    Wednesday, March 28, 2007 7:46 PM
  • Terabyte.net,

     

    Forgive my ignorance, but how can I get the 5.2 client to run on Vista?  I have been unsuccessful in removing 6.0 and downgrading to 5.2.  Thank you in advance.

     

     

    Saturday, June 16, 2007 3:32 AM
  • Alex,

    I think what he's really referring to is the replacement of the DOMAIN\username style credentials with the UPN style (username@DOMAIN) for the username hint.  While technically you can logon using the UPN, I have noticed that there seems to be a limit to the length of the username that gets passed automatically which could result in the last few characters being cut off.

    It does seem unnecessary to replace a working cached username with a different format upon logon.  Was/is there a reason for this?

    Also, while it might be less secure to disable the prompt used for network-based authentication in an environment where you are Vista/2008...most of us are nowhere near there yet.  To be honest, while the credentials can be passed for logon to Windows Server 2003 boxes....some of us still have to support older machines.  The ability to turn the prompt/network authentication attempt on or off per server would be welcomed.  The default could still be to ask in that case, but for boxes we know it won't work it would be nice not to be prompted again.

    Just my two cents.

    Jordan
    Saturday, December 22, 2007 12:21 AM