Cannot automatically log in to RDP session: server's authentication policy does not allow connection requests using saved credentials

8,651

Solution 1

The IT team in my company has disabled the use of saved credentials, I have tried the solutions of TheKingOfScandinavia and "I say Reinstate Monica" but they do not work for me.

Instead I have resorted to a very low tech solution, a powershell script that opens the remote desktop window, waits, types in the password and press enter.

I find the solution ugly but it does the job, it saves me login into 5 machines manually everyday to ensure that our service account is logged in

Here is my powershell script: automaticMachineLogin.ps1

You just have to set your machine names, username and password

Set-PSDebug -Trace 0
$servers= @("SERVNAME1", "SERVNAME2", "SERVNAME3")
$username = "YOURUSERNAME";
# read the password from a file, or have it hardcoded
#$pw = Get-Content C:\pw.txt
$pw = "YOURPASSWORD";

echo "password read from file: " $pw

# login with remote desktop
foreach ($server in $servers)
{     
  mstsc /v:$server
  # wait X seconds for the window to appear
  Sleep 5
  # creates a com object to send key strokes
  $wshell = New-Object -ComObject wscript.shell;
  # send the password
  $wshell.SendKeys($pw)
  # wait 1 second
  Sleep 1
  # send enter, this is a special chararecters for enter
  $wshell.SendKeys('~')
  Sleep 1
} 

# optionally kill the remote connection at the end, since all I want to login the user, but this is probably not required for others
# kill all the remote desktop tasks, i.e. named mstsc.exe 
Sleep 1
taskkill /IM "mstsc.exe" /F

Note that if you need to send some special characters other than enter, here is the full list , here is the full list in case you need special keys like shift, alt... https://docs.microsoft.com/en-us/previous-versions/office/developer/office-xp/aa202943(v=office.10)?redirectedfrom=MSDN

Solution 2

This is happening because the machine from which you are attempting to initiate the Remote Desktop Connection does not allow saving NTLM-only style credentials. This typically occurs when the computer initiating the Remote Desktop connection is in a different domain or workgroup than the computer being connected to.

You can override this behavior and enable saving RDP credentials by modifying the Allow Delegating Saved Credentials with NTLM-only Server Authentication Group Policy setting. It is found at:

Computer Configuration/Administrative Templates/System/Credentials Delegation

This policy must be modified on the machine that initiates the RDP connection (or must affect said machine if delivered via domain Group Policy).

To enable saving RDP credentials for all remote servers, enable the GP setting and in the Add servers to the list: setting within the policy, add the value TERMSRV/* as shown here:

If you instead only wish to enable delegation of credentials to a specific remote computer, enter it in the format TERMSRV/COMPUTERNAME. You may provide multiple values to configure multiple remote computers.

Solution 3

I can't comment to ask a clarifying question, so I'm forced to write this as an answer:

At [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services] is there a REG_DWORD named fPromptForPassword entry with the value of 1?

On my Windows 7 client, this setting is set to 1, and I am allowed to save my password when I connect to the remote host.

As far as I can read from this, the value is to be set to 0 on the client if the client is not supposed to be allowed to store the credentials.

Alternatively, a similar question was answered detailed here: https://superuser.com/a/140322/115387

8,651

Enigma

Updated on September 18, 2022

Comments

Enigma over 1 year

I've tried going into group policy and enabling/disabling some of the relevant policies but I still see this:

It doesn't matter that I check Remember me & enter the correct password.

The credentials are stored locally but aren't being used:

I am connecting from Windows 10 to Windows 7.

gupdate output:

Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

PS C:\> gpupdate.exe
Updating Policy...

User Policy update has completed successfully.
Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed because of an internal system error. Please see the Group Policy operational log for the specific error message. An attempt will be made to process Group Policy again at the next refresh cycle.
The processing of Group Policy failed because of an internal system error. Please see the Group Policy operational log for the specific error message. An attempt will be made to process Group Policy again at the next refresh cycle.
The processing of Group Policy failed because of an internal system error. Please see the Group Policy operational log for the specific error message. An attempt will be made to process Group Policy again at the next refresh cycle.
The processing of Group Policy failed because of an internal system error. Please see the Group Policy operational log for the specific error message. An attempt will be made to process Group Policy again at the next refresh cycle.
The processing of Group Policy failed because of an internal system error. Please see the Group Policy operational log for the specific error message. An attempt will be made to process Group Policy again at the next refresh cycle.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.

Grabbing the GPRESULT /H GPReport.html

Registry    Failed  12/12/2017 4:06:01 PM
Registry failed due to the error listed below.

Unspecified error

Additional information may have been logged. Review the Policy Events tab in the console or the application event log for events between 12/12/2017 4:06:01 PM and 12/12/2017 4:06:01 PM.

GPReport.html contains:

Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security
Policy  Setting Winning GPO
Always prompt for password upon connection  Enabled {ID}, domain.com

However, in the group policy editor:

How do I force disable that policy?

Enigma over 6 years

That key is there with a value of 1 on the host/server. I'll try setting it to 0 and restarting. It's already 0 on the client
Enigma over 6 years

I think this might be it. After restarting, the value was reset to 1 again. I set it back to 0 and removed all permissions from the key aside from read access. Rebooting again and will check.
Enigma over 6 years

Well. The permissions are getting reset also... Need to lock this value at 0 - any ideas?
Enigma over 6 years

Ahh. I did this on the host/server instead. I saw that I was storing the appropriate TERMSERV/ credentials in my client however so I thought that side of things was working. I enabled all of the Allow's on the client and server & restarted but no luck. Still provides the same response in the image at the top of the question.
Enigma over 6 years

If I set the regedit key value to 0 as in the above question, I can log in without needing to re-enter the password but only until I reboot.
Enigma over 6 years

Before I reboot, after setting the value to 0, I am able to connect without re-entering the password.
TheKingOfScandinavia over 6 years

Perhaps there's a scheduled task set to run at startup that reverts it? Or maybe a 'run' setting in the registry?
I say Reinstate Monica over 6 years

@Enigma This at least confirms that the issue is on the client side rather than a setting imposed by the server.
Enigma over 6 years

It could be an update to the group policy that resets it. Not sure how to identify what is changing it.
Enigma over 6 years

I'm confused by that... I'm pretty sure this is confirming that it is definitely a server-side issue. If I change nothing on either the server or client except set fPromptForPassword to 0 on the server, I am able to connect without a password prompt. As soon as I restart the server, that setting is reset to 1 & I lose that ability.
I say Reinstate Monica over 6 years

Ahh, my bad. I misunderstood which machine you made this change on.
TheKingOfScandinavia over 6 years

Perhaps this piece of software can help: nirsoft.net/articles/find_modified_time_registry_key.html Or you can try to remove SYSTEM's and EVERYONE's permissions to the registry key, so only you can edit it.
Enigma over 6 years

I actually did attempt to lock out everyone (System/Administrator/Users/Everybody) from all access to the Terminal Services section but it seems to get reset after rebooting. I'm playing with setting up a periodic .bat file that runs on idle to set the key values to the correct ones. So far so good.
TheKingOfScandinavia over 6 years

When you wrote that it worked until you restarted, I was thinking of suggesting that, but I was hoping we could find a more 'elegant' solution :P -- let us know if the bat file works. Maybe you can set it to run at startup, maybe with a delay if the original registry change isn't done immediately upon startup?
Enigma over 6 years

A more elegant solution is definitely welcome. I have it running at startup & periodically when system idles (since it seems to get reverted even post-startup). I'll also try adding it to run on remote desktop connection. Getting less elegant possibly but if it works I'm happy.