Terminal Service client not using saved credentials
I have had this problem for quite a while now, and it finally bothered me enough to go and search for a solution. I was trying to change this on the server (host computer), but what worked was making the change on the client side (Windows 7). All along I was focusing on the host. This should work in other scenarios also (Windows 7 to 2k3, XP to 2k8, etc.).
I use the TS client to connect with a smartcard from my home Vista machine to various machines at work through a Terminal Services Gateway.
When connecting to Windows 2008, I was receiving this error. On this machine, TS (RDP) fails with the following message: "Your credentials did not work. Your system administrator does not allow the use of saved credentials to log on to the remote computer because its identity is not fully verified. Please enter new credentials."

I've searched the net for the exact error message but I could not find a solution. So I ended up asking the experts...
It turned out that my issue was described in this article from the Terminal Services Team Blog, under Scenario 1 (Problems using saved credentials with Windows 7 RDP clients - Connecting remotely via RDP to a server).
Fortunately, there is a solution: altering the TS settings on the client side (this solution is not as secure as using certificates on the server for server authentication).
In Vista, the Credential Security Support Provider protocol (CredSSP) adds a couple of group policy settings that are described in detail on the MSDN CredSSP group policy settings page.
The following fixed the problem:
1. Log on to your local machine as an administrator.
2. Start Group Policy Editor - "gpedit.msc" and accept the UAC prompt.
3. Navigate to "Computer Configuration\Administrative Templates\System\Credentials Delegation".
4. Double-click the "Allow Saved Credentials with NTLM-only Server Authentication" policy.
5. Enable the policy and then click on the "Show" button to get to the server list.
6. Add "TERMSRV/" followed by the server name to the server list; in my case, TERMSRV/alinc02.redmond.corp.microsoft.com. Using one wildcard (*) in a name is allowed. For example, to enable the setting on all servers in the "microsoft.com" domain, you can type "TERMSRV/*.microsoft.com".
7. Confirm the changes by clicking on the "OK" button until you return to the main Group Policy Object Editor dialog.
8. At a command prompt, run "gpupdate" to force the policy to be refreshed immediately on the local machine (although this changed for me after a while).

With this policy enabled, the login to my Windows 2k8 machine now works perfectly.
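
Because this policy trades server authentication for convenience, it is worth reviewing which servers a client actually trusts with saved credentials. The following is an added example, not part of the original post: it reads the policy's server list and classifies each entry by how broad it is. It assumes the list is stored under the registry key shown in the script; the function names are hypothetical.

```powershell
# Added example: audit the server list of the policy
# "Allow Saved Credentials with NTLM-only Server Authentication".
# Assumption: the list lives under this policy key on the local machine.
$ListKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowSavedCredentialsWhenNTLMOnly'

# Hypothetical helper: classify one "SERVICE/target" entry by its scope.
function Get-DelegationScope {
    param([Parameter(Mandatory)][string]$Spn)
    # Split only on the first '/', e.g. TERMSRV/host.example.com
    $service, $target = $Spn.Trim() -split '/', 2
    if ([string]::IsNullOrEmpty($target)) {
        $scope = 'Malformed'      # no service prefix or empty target
    } elseif ($service -eq '*' -or $target -eq '*') {
        $scope = 'AnyServer'      # e.g. TERMSRV/* : applies to every server
    } elseif ($target.Contains('*')) {
        $scope = 'Wildcard'       # e.g. TERMSRV/*.microsoft.com
    } else {
        $scope = 'SingleHost'     # one named server, the narrowest form
    }
    [pscustomobject]@{ Entry = $Spn; Service = $service; Target = $target; Scope = $scope }
}

# Hypothetical helper: return the configured entries, or nothing if unset.
function Get-NtlmSavedCredentialEntries {
    if (-not (Test-Path -Path $ListKey)) { return }
    $key = Get-Item -Path $ListKey
    foreach ($name in $key.GetValueNames()) { [string]$key.GetValue($name) }
}

$entries = @(Get-NtlmSavedCredentialEntries)
if ($entries.Count -eq 0) {
    Write-Host 'Policy list not configured here; classifying sample entries instead.'
    # The first two entries are the ones from the post; the last two are constructed.
    $entries = @(
        'TERMSRV/alinc02.redmond.corp.microsoft.com',
        'TERMSRV/*.microsoft.com',
        'TERMSRV/*',
        'alinc02'
    )
}

$entries | ForEach-Object { Get-DelegationScope -Spn $_ } |
    Sort-Object Scope | Format-Table -AutoSize
```

Entries reported as `AnyServer` or `Wildcard` extend the weaker NTLM-only trust to every matching host, so prefer `SingleHost` entries where the list can be kept short.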