How do i allow credentials to be saved when connecting to another machine with Remote Desktop Connection?
Background
i try to connect to a server, and the Remote Desktop Client does not have any saved credentials:
In order to try to save the credentials i check the option Allow me to save credentials:
i then initiate the connection, enter my password, and notice that the Remember my credentials option is checked:
Once connected to the server, i ensure that the local group policy options
Local Computer Policy ➞ Computer Configuration ➞ Administrative Templates ➞ Windows Components ➞ Remote Desktop Services ➞ Remote Desktop Connection Client
- Prompt for credentials on the client computer
- Do not allow passwords to be saved
which default to allowing passwords to be saved, and default to not prompting for credentials, are forced to allow passwords to be saved, and forced to not prompt for passwords:
And i run gpupdate /force to ensure the forced off security settings are in use.
Repeat the above steps 4 or 5 times, on the 6th time creating screenshots for a stackoverflow question.
Notice that Remote Desktop Connection client refuses to save my password, noting:
You will be asked for your credentials when you connect
So the question is: How do i save credentials when connecting to a machine?
Additional things tried
As was suggested:
i tried enabling the "Allow delegating saved credentials with NTLM-only server authentication" for TERMSRV/* in gpedit.msc on the client (e.g. Windows 7) machine:
People suggest this without realizing that it only applies to NTLM authentication. NTLM is outdated, insecure, and should not be used:
NTLM is an outdated authentication protocol with flaws that potentially compromise the security of applications and the operating system. Although Kerberos has been available for many years many applications are still written to use NTLM only. This needlessly reduces the security of applications.
Either way: it didn't work.
Bonus information
- tried both modern ian@avatopia.com and legacy avatopia.com\ian username formats
- tried setting the group policy on the domain controller
- Windows 7 64-bit Professional client
- Windows Server 2008 R2 server
- Windows Server 2008 server
- Windows Server 2012 server
- Windows Server 2003 R2 server
- everything from Background on is just filler to make it look like i "attempted some research effort"; you can ignore it; including this line which talks about ignoring this line
Appendix A
The client is Windows 7, connecting to Windows Server 2008 R2, over RDP 7.1, with the server using an auto-generated certificate:
The client has authenticated the identity of the server:
It also happens when connecting to Windows Server 2008, and Windows Server 2012 (all from Windows 7 client). All machines are joined to the same domain.
Appendix B
The resultant set of policy (rsop.msc) on the client has Always prompt for password on connect set to Disabled:
Appendix C
Results of connecting to every server i can find. i was wrong when i said it fails on any connection to Server 2003. The problem is limited to Server 2008, 2008 R2, and 2012:
- Windows Server 2000: Yes*
- Windows Server 2000: Yes*
- Windows Server 2003: Yes
- Windows Server 2003 R2: Yes
- Windows Server 2003 R2: Yes (Domain controller)
- Windows Server 2003 R2: Yes
- Windows Server 2008: No
- Windows Server 2008: No
- Windows Server 2008 R2: No
- Windows Server 2008 R2: No
- Windows Server 2012: No
- Windows Server 2012: No
*indicates it will use saved credentials, but must re-enter password at 2000 login screen
Bonus Reading
- KB281262: How To Turn On Remote Desktop Automatic Logon in Windows XP
- SuperUser: Remote Desktop connection is ignoring saved credentials
- Windows Seven Forums: Windows 7: Remote Desktop Connection Automatic Log On – Allow or Prevent
- Microsoft.com: Saving and changing logon credentials in Remote Desktop Connection
- Microsoft.com: Saving your logon credentials in Remote Desktop Connection
- MSDN Remote Desktop Services Blog: Saved credentials do not work
- Stackoverflow: Windows 7 Remote Desktop Connection Save Credentials not working [closed]
- Microsoft Forums: Remote Desktop Connection not using saved credentials
Best Answer
i found the solution. It was at the same time both subtle, and obvious.
As mentioned in the question, when i was modifying the following Remote Desktop Connection Client Group Policy settings:
i was checking them on the server:
i thought it would be the server that dictates what the client is allowed to do. Turns out that is completely wrong. It was @mpy's answer (while incorrect), which led me to the solution. i shouldn't be looking at the RDP client policy on the RDP server, i need to look at the RDP client policy on my RDP client machine:
On my client Windows 7 machine, the policy was:
i do not know when these options were enabled (i did not enable them in recent memory). The confusing part is that even though
is Enabled, the RDP client would still save password; but only for servers below Windows Server 2008.
The truth table of functioning:
So there is the trick. The group policy settings under:
on the client machine need to be configured with:
The other source of confusion is that while
Which again leads to a truth table:
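Added example, not part of the original answer: a PowerShell check to run on the RDP client machine (not the server) that reports the state of the two Remote Desktop Connection Client policies discussed above. The registry key and the value names DisablePasswordSaving and PromptForCredsOnClient are assumptions taken from the standard Terminal Services policy template, not from this page.

```powershell
# Added example, not from the original post. Run on the RDP *client* machine.
# Assumption: the two policies are stored as the registry values below,
# as defined by the Terminal Services administrative template.
$policyKey = 'Software\Policies\Microsoft\Windows NT\Terminal Services'
$settings = @(
    @{ Value = 'DisablePasswordSaving';  Policy = 'Do not allow passwords to be saved' },
    @{ Value = 'PromptForCredsOnClient'; Policy = 'Prompt for credentials on the client computer' }
)

function Get-RdpClientPolicy {
    # The machine hive is checked first; the user hive is checked as well
    # because a policy can also be delivered through User Configuration.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $path = Join-Path $hive $policyKey
        foreach ($s in $settings) {
            $item = Get-ItemProperty -Path $path -Name $s.Value -ErrorAction SilentlyContinue
            if ($null -eq $item) {
                $state = 'Not Configured'      # key or value absent
            } elseif ($item.($s.Value) -eq 1) {
                $state = 'Enabled'
            } else {
                $state = 'Disabled'
            }
            New-Object PSObject -Property @{
                Hive   = $hive
                Policy = $s.Policy
                State  = $state
            }
        }
    }
}

$result = @(Get-RdpClientPolicy)
$result | Format-Table Hive, Policy, State -AutoSize

# Either policy being Enabled on the client is the condition the answer
# traces the "You will be asked for your credentials" behaviour to.
$enabled = @($result | Where-Object { $_.State -eq 'Enabled' })
if ($enabled.Count -gt 0) {
    Write-Warning ("Client-side RDP policy enabled: " +
        (($enabled | ForEach-Object { $_.Policy }) -join '; '))
} else {
    Write-Output 'Neither client-side RDP credential policy is enabled on this machine.'
}
```

If a value is reported as Enabled but was never set locally, rsop.msc on the client shows which Group Policy object delivered it.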