Credentials Delegation with RDP

  • Question

  • Hi,

    I have a strange issue with credentials delegation...

    I have an RDP taken from RDWeb, which does work. However, it annoyingly prompts for credentials on domain PCs - despite credential delegation being in place.

    I have tried adding TERMSRV/* to the GPO and specifying the URL, gateway, and RDSHs; still the same.

    The RDP uses a connection to remote.domain.com. If I open MSTSC and put the domain in, it does show that Windows credentials will be used.

    Here's where it gets even weirder:

    Using Credential Manager, if I manually add the URL and logins, the RDP then works.

    If I use a batch file to automate adding the credentials into Credential Manager, they do appear correct. However, when attempting to launch the RDP it still prompts for a password. Refreshing Credential Manager then shows the entry has been deleted. I have tested, and it is the launching of the RDP which prompts Windows to delete the credentials. This is the same whether the credential persistence is set to "Log-In Session" or "Enterprise".

    Obviously I'd rather get the delegation working correctly, rather than messing around with batch files and Windows credentials manager. But an interesting addition of facts to the scenario...

    Many thanks in advance!

    Friday, November 1, 2019 9:37 AM

All replies

  • Hi,

    Further on this:

    If I change 'gatewayusagemethod' from "1" to 2, 3 or 4 it does seem to successfully delegate the credentials, although I then get an unknown publisher prompt. It also doesn't make sense why 1 doesn't delegate and the others do.

    Friday, November 1, 2019 1:13 PM
  • Hi,

    Changing the value of gatewayusagemethod from 1 to 2, 3 or 4 changes whether and how the Gateway server is used.

    As for the credential delegation, please check the guidance below step by step and ensure you have configured the Group Policy correctly:

    Configuring SSO (Single Sign-On) Authentication on Windows Server RDS

    http://woshub.com/sso-single-sign-on-authentication-on-rds/

    Note: Since the websites are not hosted by Microsoft, the links may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,

    Jenny


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, November 4, 2019 8:59 AM
  • Hi,

    Is there any update? Have you got a chance to verify above suggestions?

    Please feel free to let us know if more assistance is needed.

    Thanks,

    Jenny


    Wednesday, November 6, 2019 3:08 AM
  • Hi Jenny,

    Apologies for my delayed reply! Unfortunately I still haven't found the answer on this; here's what I have found / can confirm thus far:

    We do have the credentials delegation GPO configured, it actually includes URL, internal and external IP addresses - so all should be fully covered.

    What I have found is that the rdp file's gatewayusagemethod has a direct impact on the credentials delegation, but I cannot figure out how / the answer!

    The rdp file points to remote.domain.com, and inside of the network I have configured DNS to point this URL to the gateway.

    I have found the following with the gatewayusagemethod values:

    gatewayusagemethod:1 - prompts for credentials (has username pre-inserted)

    gatewayusagemethod:2 - successfully delegates within the network, prompts for credentials when outside of the network

    gatewayusagemethod:3 - Successfully delegates within the network, prompts for credentials when outside of the network

    My logic would say that 1, which doesn't bypass the gateway, is the one we want. However, inside of the network 2 and 3 appear more successful, and both allow bypassing the gateway for local connections.

    Any thoughts much appreciated?

    Regards

    Thursday, November 28, 2019 11:50 AM
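The thread turns on two things that can only be confirmed by looking at both sides: what the downloaded .rdp file actually asks for (full address, gateway host, gatewayusagemethod) and which TERMSRV/ targets the "Allow delegating default credentials" policy has pushed into the registry. The script below is an added diagnostic for that comparison; it is not code from the thread or from Microsoft. It assumes the policy is delivered by GPO (so its entries sit under the CredentialsDelegation policy key), uses a constructed sample .rdp body when no path is given, and approximates the policy's wildcard matching with PowerShell's -like operator. The meaning of each gatewayusagemethod value is taken from Microsoft's documented RDP file settings.

```powershell
# Added diagnostic (not from the thread): compares the target hosts in an .rdp
# file against the Credentials Delegation policy list in the registry.
# Save as Test-RdpDelegation.ps1 and run it, optionally with -RdpPath <file>.
param(
    [string]$RdpPath
)

# Constructed sample .rdp content for the demo; not the poster's real file.
$sampleRdp = @"
full address:s:remote.domain.com
gatewayhostname:s:remote.domain.com
gatewayusagemethod:i:1
gatewaycredentialssource:i:4
promptcredentialonce:i:1
"@

# Documented meaning of gatewayusagemethod (Microsoft RDP file settings reference).
$gatewayUsage = @{
    0 = 'Do not use an RD Gateway server'
    1 = 'Always use an RD Gateway server'
    2 = 'Use an RD Gateway only if a direct connection to the RDSH is not possible'
    3 = 'Use the default RD Gateway settings'
    4 = 'Do not use an RD Gateway; bypass it for local addresses'
}

function Read-RdpSettings {
    param([string[]]$Lines)
    $settings = @{}
    foreach ($line in $Lines) {
        # Each .rdp line is key:type:value, where type is s (string) or i (integer).
        if ($line -match '^(?<key>[^:]+):(?<type>[si]):(?<value>.*)$') {
            $value = $Matches.value.Trim()
            if ($Matches.type -eq 'i') { $value = [int]$value }
            $settings[$Matches.key.Trim()] = $value
        }
    }
    return $settings
}

function Get-AllowedDelegationTargets {
    # "Allow delegating default credentials" stores its server list under this key,
    # one string value per entry (for example TERMSRV/*). Empty list if unset.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials'
    if (-not (Test-Path $key)) { return @() }
    $props = Get-ItemProperty -Path $key
    return @($props.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value })
}

function Test-DelegationCovered {
    # Policy entries may carry a wildcard (TERMSRV/*, TERMSRV/*.domain.com).
    # Assumption: -like mirrors Windows' matching closely enough for a sanity check.
    param([string]$Spn, [string[]]$Allowed)
    foreach ($pattern in $Allowed) {
        if ($Spn -like $pattern) { return $true }
    }
    return $false
}

$lines = if ($RdpPath) { Get-Content -Path $RdpPath } else { $sampleRdp -split "`r?`n" }
$rdp = Read-RdpSettings -Lines $lines
$allowed = @(Get-AllowedDelegationTargets)

$method = $rdp['gatewayusagemethod']
$methodText = if ($null -ne $method -and $gatewayUsage.ContainsKey($method)) {
    $gatewayUsage[$method]
} else {
    'not set / unknown value'
}
"gatewayusagemethod = $method : $methodText"
"Policy entries under AllowDefaultCredentials: $(if ($allowed.Count) { $allowed -join ', ' } else { '<none>' })"

$targets = @($rdp['full address'], $rdp['gatewayhostname']) | Where-Object { $_ } | Select-Object -Unique
foreach ($target in $targets) {
    # Strip any :port suffix; the policy expects the SPN form TERMSRV/<hostname>.
    $spn = 'TERMSRV/' + ($target -split ':')[0]
    $covered = Test-DelegationCovered -Spn $spn -Allowed $allowed
    "{0,-40} covered by policy: {1}" -f $spn, $covered
}
```

Run it on the domain PC that is prompting, pointing -RdpPath at the file downloaded from RDWeb. Because gatewayusagemethod decides whether the first authentication happens against the gateway or directly against the session host, the check lists both the full address and the gateway hostname; if either reports "covered by policy: False", the GPO is not reaching that machine with an entry that matches the host the client is actually connecting to, which is the first thing to rule out before looking at the .rdp values themselves.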