Windows – Remote desktop authentication fails from one client, but not from another

Tags: authentication, remote desktop, vpn, windows 10, windows 7

I've been reliably using remote desktop from my Win 10 home machine (VPN using Dual Authentication) to my Windows 10 office machine for months (COVID work from home, very restricted environment at work). All of a sudden, I'm getting a message:

Authentication error has occurred. The Local Security Authority cannot
be contacted. Remote computer xxxxxxxxxxx This could be due to an
expired password. Please update your password if it has expired

I hauled my butt to work, after getting clearance to do so, rebooted, made sure my password was current — and it was. Nothing odd I could find on the host machine.

No love trying to RDP in. My credentials are correct, as when I use a wrong password, I get a simple authentication error.

Searching out the error suggests a bunch of host-side fixes, so just for giggles, I tried RD-ing in from a Win 7 laptop, and it worked like a charm — no issues. This leads me to want to handle this as a client-side issue. The only thing I could think of was a difference in local resource handling, but disabling local resources didn't help it.

I'm sort of at a loss for ideas. I suppose next steps would be to try a third-party client, or somehow repair the Windows client, but I wanted to ask about the possibility that this could even be a VPN issue (both client machines using AnyConnect, 4.6.01103). I'd like to avoid working on the host, if at all possible.

Update: In response to the great suggestion that a credential cache was doing me in, I created another account on the client machine, and used that account to remote desktop in. Same error.

Best Answer

It's possible Windows is caching some credentials at some level you're not aware of (TERMSRV for example), and the cache has become corrupted.

You can see which credentials are cached using Credential Manager (Control Panel\User Accounts\Credential Manager). Here you can examine each of the cached credentials in detail, and edit or delete them as required.

Before embarking on the above, I'd suggest creating a temporary second local account for yourself on your computer, and trying out the RDP while logged on to the new account. If this succeeds, you will have isolated the problem to your user profile and you can then check the credential caching and also anything else in your user profile you suspect may be the cause.
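
The Credential Manager check described in this answer can also be done from a PowerShell prompt with the built-in `cmdkey` tool. The following is an added example, not part of the original answer; the function names and the sample host are hypothetical, and it assumes English-language `cmdkey /list` output.

```powershell
# List cached Remote Desktop (TERMSRV) credentials for the current user and,
# if wanted, delete the entry for one host. Passwords are never displayed.
function Get-TermsrvCredential {
    param([string[]]$CmdkeyOutput = (cmdkey.exe /list))
    $current = $null
    foreach ($line in $CmdkeyOutput) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            if ($current) { $current }          # emit the previous TERMSRV entry
            $current = $null
            # Only entries whose target names an RDP host are of interest.
            if ($Matches[1] -match '(?i)TERMSRV/(\S+)') {
                $current = [pscustomobject]@{
                    Computer = $Matches[1]
                    Target   = "TERMSRV/$($Matches[1])"
                    Type     = $null
                    User     = $null
                }
            }
        }
        elseif ($current -and $line -match '^\s*Type:\s*(.+?)\s*$') { $current.Type = $Matches[1] }
        elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') { $current.User = $Matches[1] }
    }
    if ($current) { $current }                  # emit the last entry
}

function Remove-TermsrvCredential {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Computer)
    $target = "TERMSRV/$Computer"
    if ($PSCmdlet.ShouldProcess($target, 'Delete cached credential')) {
        cmdkey.exe "/delete:$target"
    }
}

# Constructed sample of `cmdkey /list` output (not taken from a real machine).
$sample = @'
Currently stored credentials:

    Target: Domain:target=TERMSRV/office-pc.example.test
    Type: Domain Password
    User: EXAMPLE\jdoe

    Target: LegacyGeneric:target=git:https://example.test
    Type: Generic
    User: jdoe
'@ -split "`r?`n"

Get-TermsrvCredential -CmdkeyOutput $sample | Format-Table
```

Calling `Get-TermsrvCredential` with no arguments reads the live cache, and `Remove-TermsrvCredential -Computer <host> -WhatIf` previews a deletion before it is made.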