Cannot automatically log in to RDP session: server's authentication policy does not allow connection requests using saved credentials
Solution 1
The IT team in my company has disabled the use of saved credentials, I have tried the solutions of TheKingOfScandinavia and "I say Reinstate Monica" but they do not work for me.
Instead I have resorted to a very low tech solution, a powershell script that opens the remote desktop window, waits, types in the password and press enter.
I find the solution ugly but it does the job, it saves me login into 5 machines manually everyday to ensure that our service account is logged in
Here is my powershell script: automaticMachineLogin.ps1
You just have to set your machine names, username and password
Set-PSDebug -Trace 0
$servers= @("SERVNAME1", "SERVNAME2", "SERVNAME3")
$username = "YOURUSERNAME";
# read the password from a file, or have it hardcoded
#$pw = Get-Content C:\pw.txt
$pw = "YOURPASSWORD";
echo "password read from file: " $pw
# login with remote desktop
foreach ($server in $servers)
{
mstsc /v:$server
# wait X seconds for the window to appear
Sleep 5
# creates a com object to send key strokes
$wshell = New-Object -ComObject wscript.shell;
# send the password
$wshell.SendKeys($pw)
# wait 1 second
Sleep 1
# send enter, this is a special chararecters for enter
$wshell.SendKeys('~')
Sleep 1
}
# optionally kill the remote connection at the end, since all I want to login the user, but this is probably not required for others
# kill all the remote desktop tasks, i.e. named mstsc.exe
Sleep 1
taskkill /IM "mstsc.exe" /F
Note that if you need to send some special characters other than enter, here is the full list , here is the full list in case you need special keys like shift, alt... https://docs.microsoft.com/en-us/previous-versions/office/developer/office-xp/aa202943(v=office.10)?redirectedfrom=MSDN
Solution 2
This is happening because the machine from which you are attempting to initiate the Remote Desktop Connection does not allow saving NTLM-only style credentials. This typically occurs when the computer initiating the Remote Desktop connection is in a different domain or workgroup than the computer being connected to.
You can override this behavior and enable saving RDP credentials by modifying the Allow Delegating Saved Credentials with NTLM-only Server Authentication
Group Policy setting. It is found at:
Computer Configuration/Administrative Templates/System/Credentials Delegation
This policy must be modified on the machine that initiates the RDP connection (or must affect said machine if delivered via domain Group Policy).
To enable saving RDP credentials for all remote servers, enable the GP setting and in the Add servers to the list: setting within the policy, add the value TERMSRV/*
as shown here:
If you instead only wish to enable delegation of credentials to a specific remote computer, enter it in the format TERMSRV/COMPUTERNAME
. You may provide multiple values to configure multiple remote computers.
Solution 3
I can't comment to ask a clarifying question, so I'm forced to write this as an answer:
At [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services]
is there a REG_DWORD named fPromptForPassword
entry with the value of 1?
On my Windows 7 client, this setting is set to 1, and I am allowed to save my password when I connect to the remote host.
As far as I can read from this, the value is to be set to 0 on the client if the client is not supposed to be allowed to store the credentials.
Alternatively, a similar question was answered detailed here: https://superuser.com/a/140322/115387
Related videos on Youtube
Enigma
Updated on September 18, 2022Comments
-
Enigma over 1 year
I've tried going into group policy and enabling/disabling some of the relevant policies but I still see this:
It doesn't matter that I check
Remember me
& enter the correct password.The credentials are stored locally but aren't being used:
I am connecting from Windows 10 to Windows 7.
gupdate
output:Windows PowerShell Copyright (C) 2009 Microsoft Corporation. All rights reserved. PS C:\> gpupdate.exe Updating Policy... User Policy update has completed successfully. Computer policy could not be updated successfully. The following errors were encountered: The processing of Group Policy failed because of an internal system error. Please see the Group Policy operational log for the specific error message. An attempt will be made to process Group Policy again at the next refresh cycle. The processing of Group Policy failed because of an internal system error. Please see the Group Policy operational log for the specific error message. An attempt will be made to process Group Policy again at the next refresh cycle. The processing of Group Policy failed because of an internal system error. Please see the Group Policy operational log for the specific error message. An attempt will be made to process Group Policy again at the next refresh cycle. The processing of Group Policy failed because of an internal system error. Please see the Group Policy operational log for the specific error message. An attempt will be made to process Group Policy again at the next refresh cycle. The processing of Group Policy failed because of an internal system error. Please see the Group Policy operational log for the specific error message. An attempt will be made to process Group Policy again at the next refresh cycle. To diagnose the failure, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy results.
Grabbing the
GPRESULT /H GPReport.html
Registry Failed 12/12/2017 4:06:01 PM Registry failed due to the error listed below. Unspecified error Additional information may have been logged. Review the Policy Events tab in the console or the application event log for events between 12/12/2017 4:06:01 PM and 12/12/2017 4:06:01 PM.
GPReport.html
contains:Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security Policy Setting Winning GPO Always prompt for password upon connection Enabled {ID}, domain.com
However, in the group policy editor:
How do I force disable that policy?
-
Enigma over 6 yearsThat key is there with a value of
1
on the host/server. I'll try setting it to0
and restarting. It's already0
on the client -
Enigma over 6 yearsI think this might be it. After restarting, the value was reset to
1
again. I set it back to0
and removed all permissions from the key aside from read access. Rebooting again and will check. -
Enigma over 6 yearsWell. The permissions are getting reset also... Need to lock this value at
0
- any ideas? -
Enigma over 6 yearsAhh. I did this on the host/server instead. I saw that I was storing the appropriate
TERMSERV/
credentials in my client however so I thought that side of things was working. I enabled all of the Allow's on the client and server & restarted but no luck. Still provides the same response in the image at the top of the question. -
Enigma over 6 yearsIf I set the regedit key value to
0
as in the above question, I can log in without needing to re-enter the password but only until I reboot. -
Enigma over 6 yearsBefore I reboot, after setting the value to
0
, I am able to connect without re-entering the password. -
TheKingOfScandinavia over 6 yearsPerhaps there's a scheduled task set to run at startup that reverts it? Or maybe a 'run' setting in the registry?
-
I say Reinstate Monica over 6 years@Enigma This at least confirms that the issue is on the client side rather than a setting imposed by the server.
-
Enigma over 6 yearsIt could be an update to the group policy that resets it. Not sure how to identify what is changing it.
-
Enigma over 6 yearsI'm confused by that... I'm pretty sure this is confirming that it is definitely a server-side issue. If I change nothing on either the server or client except set
fPromptForPassword
to0
on the server, I am able to connect without a password prompt. As soon as I restart the server, that setting is reset to1
& I lose that ability. -
I say Reinstate Monica over 6 yearsAhh, my bad. I misunderstood which machine you made this change on.
-
TheKingOfScandinavia over 6 yearsPerhaps this piece of software can help: nirsoft.net/articles/find_modified_time_registry_key.html Or you can try to remove SYSTEM's and EVERYONE's permissions to the registry key, so only you can edit it.
-
Enigma over 6 yearsI actually did attempt to lock out everyone (System/Administrator/Users/Everybody) from all access to the
Terminal Services
section but it seems to get reset after rebooting. I'm playing with setting up a periodic.bat
file that runs on idle to set the key values to the correct ones. So far so good. -
TheKingOfScandinavia over 6 yearsWhen you wrote that it worked until you restarted, I was thinking of suggesting that, but I was hoping we could find a more 'elegant' solution :P -- let us know if the bat file works. Maybe you can set it to run at startup, maybe with a delay if the original registry change isn't done immediately upon startup?
-
Enigma over 6 yearsA more elegant solution is definitely welcome. I have it running at startup & periodically when system idles (since it seems to get reverted even post-startup). I'll also try adding it to run on remote desktop connection. Getting less elegant possibly but if it works I'm happy.