Update: Some additional improvements are coming in this area. Please see this article.
There has been a lot of feedback about the new authentication features introduced in the latest version of the Remote Desktop Connection client. These features are part of our effort to improve the security of Terminal Services (TS) in Windows Vista and Windows Server code name “Longhorn”; however, some users have run into a variety of problems that have caused frustration. To alleviate some of that frustration, below is an FAQ covering the symptoms users have reported, along with solutions and workarounds.
When using Remote Desktop Connection 6.0 to connect to a Windows Server 2003 machine, some users have to enter credentials twice. The first prompt appears before the connection is made: Picture 1 below if the client is Windows XP or Windows Server 2003, Picture 2 if the client is Windows Vista.
Picture 1 - Windows XP - Windows Server 2003
Picture 2 - Windows Vista
The second prompt is the remote server's own logon screen (Picture 3).
No error messages will be shown.
Answer: This is most likely a result of how the remote server is configured. Two settings can cause it: the “Always prompt for password” option on the RDP-Tcp connection in the Terminal Services Configuration tool (tscc.msc), and the equivalent Group Policy setting “Always prompt client for password upon connection”.
When either the tscc.msc option is selected or the group policy is enabled, the TS server will always show its winlogon prompt, regardless of which version of the Remote Desktop Connection client the user is running, so the credentials entered in the client's dialog are never used to complete the logon.
Why do users always have to enter credentials twice on Windows 2000 Server?
Answer: The tscc.msc setting mentioned in the first question is enabled by default on Windows 2000 Server. The administrator should disable it to remove the undesired behavior; afterwards users will no longer see the winlogon screen in addition to the client's credentials dialog.
Why is it that when connecting to Windows Server 2003, the credentials entered in the credentials dialog are rejected as follows:
Answer: This happens when winlogon on the TS server cannot validate the credentials. There can be several reasons: the user name or password may simply be wrong. More often (and this is the most frustrating case for users), the domain is in a format the TS server does not recognize. When entering credentials into the credentials dialog, make sure the domain, user name and password are all in a form the server will accept. For example, suppose you connect to MyServer intending to log on with the MyUserName account from the MyDomain domain. If you type only “MyUserName” in the User name field, the Windows Server 2003 machine assumes the account is local, uses “MyServer” as the domain, and the logon fails. If you instead enter “MyDomain\MyUserName” as the user name, the logon completes successfully.
Despite having saved credentials, users are still prompted to enter credentials on the remote server’s winlogon screen.
Answer: This can be due to one of two reasons. Either one of the server settings mentioned in the answer to the first question is enabled, or the credentials that have been saved are not valid.
In instances where the saved credentials are not valid, there is one possible scenario that may lead to this behavior and cause user confusion. Consider the following:
This is because the credentials that have been saved on the client side are:
Note that the saved password is not correct. This happens because whenever the user selects “Remember my credentials” in the credentials dialog, whatever was typed in that dialog is what gets saved. If the password is then changed after connecting to the server (for example, when the server's logon screen forces a change), the new password is not propagated back to the TS client's saved credentials.
If the saved credentials are not correct, you can edit or delete them in Remote Desktop Connection by clicking the “Options” button. The dialog below appears. Clicking “delete” removes the saved credentials; clicking “edit” lets you modify them.
Note that if the text “The saved credentials for this…” does not appear, no credentials are saved for that computer.
Some users are having trouble using smart card credentials to log on.
Answer: To connect to Windows XP or Windows Server 2003 with a smart card, make sure smart card redirection is enabled in the client (under Local Resources in the Remote Desktop Connection options; in an RDP file this is the “redirectsmartcards:i:1” setting). Without redirection the server has no access to the card and cannot complete the smart card logon.
Some users have noticed that an invalid pre-populated domain name is placed in front of the user name in the credential dialog. Users are frustrated at having to delete this bad domain on every connection. The sequence of steps causing this behavior is as follows:
Answer: When no domain is given with the user name, Remote Desktop Connection assumes by default that a local account on the server will be used, and pre-fills the domain with the server name. In this case the server name entered was “127.0.0.1”, so the domain was pre-filled with the same value. This was done for various reasons in Vista that are too complicated (and irrelevant) to go into here.
The best workaround is to always enter a fully qualified user name in the credentials dialog. If you are connecting to machine “MyMachine” with the “Administrator” account, do not enter just “Administrator”; enter “MyMachine\Administrator”. From then on the proper domain and user name will be pre-populated in the credentials dialog. Likewise, for an account named “DomainUser” in the domain “MyDomain”, use “MyDomain\DomainUser” instead of just “DomainUser”.
Despite having the line “username:s:Machine\Administrator” in the RDP file, the user name pre-populated in the credentials dialog is something different (or even blank).
Answer: This is the result of a design change. Instead of populating the credentials dialog with the last user name used to connect to any server, we now populate it with the last user name used to connect to the specific server being connected to; we felt (and received positive feedback) that this provides a better experience. The downside is that users who connect to many machines with the same user name now have to enter it once on their first connection to each machine. From then on, the user name is pre-populated on subsequent connections to that machine.
In the dialog below, some users don’t see how to change the domain from “127.0.0.1” to “MyDomain”
Answer: To change the domain used in the credential dialog shown above, simply enter a fully qualified domain user name or a UPN. For example, if the domain is called “MyDomain”, enter “MyDomain\<username>” or “<username>@<domain FQDN>” in the user name field, and the domain is updated automatically, as shown in the two examples below.
When you connect to a server with the “always connect, even if authentication fails” setting selected, you see the following notification dialog:
Answer: Before connecting, in Remote Desktop Connection, do the following:
This disables the warning prompt. Be aware that with this option selected the client no longer verifies the identity of the server it is talking to, so an attacker positioned on the network path can impersonate the server and intercept or modify the data exchanged between client and server, including the credentials you enter.
Several other forums on the internet have suggested placing “enablecredsspsupport:i:0” in the RDP file used by the Remote Desktop Connection client.
Answer: This option does disable the new credential prompting behavior, but it also disables support for Network Level Authentication (NLA) on connections to Vista (and Longhorn Server) machines. NLA requires the client to supply credentials before a session is created on the server side; with CredSSP disabled the client cannot do that.
This option is meant for dealing with unexpected failures on connections that use Network Level Authentication.
We strongly recommend against using this flag unless none of the other fixes described in this post work and no alternative is available. If it is used, limit its scope as much as possible: put it only in the RDP files for the specific servers that need it, and avoid setting it in your Default.rdp file.
Deploying this setting widely will cause hard-to-diagnose connection failures against Vista and Longhorn Server computers that require Network Level Authentication, since those servers refuse connections that do not authenticate at the network level.
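The two RDP-file workarounds above, and the domain-qualification answers earlier in this post, all come down to a few lines in an .rdp file. The script below is an added example (not code from the Terminal Services team or from this post) that audits an .rdp file for those settings and writes a corrected copy. It assumes the .rdp format of one “name:type:value” line per setting with type “i” (integer) or “s” (string), that “authentication level:i:0” is the saved form of “always connect, even if authentication fails” and “2” the “warn me” option, and that an unqualified user name with an empty “domain:s:” makes the client assume a local account on the host in “full address”. The sample file is constructed for the example, not taken from any real system.

```python
"""Audit and harden an .rdp file for the settings discussed in the post.

Added example; not part of the original post. Assumptions: .rdp lines are
name:type:value (type i or s); authentication level 0 = "connect and don't
warn", 2 = "warn me"; a bare user name defaults the domain to the server.
"""
import re
from typing import Dict, List, Optional, Tuple

# One setting per line: name:type:value, type "i" (integer) or "s" (string).
RDP_LINE = re.compile(r"^(?P<name>[^:]+):(?P<type>[is]):(?P<value>.*)$")

# Constructed sample (not from the page): a Default.rdp left behind after the
# forum workarounds were applied and "Administrator" was saved unqualified.
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:127.0.0.1
username:s:Administrator
domain:s:
enablecredsspsupport:i:0
authentication level:i:0
redirectsmartcards:i:1
"""


def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Map setting name -> (type, value); lines that do not fit the format are skipped."""
    settings: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        m = RDP_LINE.match(raw.strip())
        if m:
            settings[m["name"].strip().lower()] = (m["type"], m["value"])
    return settings


def logon_domain(settings: Dict[str, Tuple[str, str]]) -> Optional[str]:
    """Domain the credentials dialog will use, following the rule in the post:
    DOMAIN\\user and user@fqdn carry their own domain, an explicit domain:s:
    is used next, and a bare user name falls back to the server in full address."""
    user = settings.get("username", ("s", ""))[1]
    if "\\" in user:
        return user.split("\\", 1)[0]
    if "@" in user:
        return user.split("@", 1)[1]
    domain = settings.get("domain", ("s", ""))[1]
    if domain:
        return domain
    host = settings.get("full address", ("s", ""))[1]
    return host.split(":", 1)[0] or None  # drop a :port suffix


def audit_rdp(settings: Dict[str, Tuple[str, str]]) -> List[str]:
    """Return findings for the risky settings the post warns about."""
    findings: List[str] = []
    if settings.get("enablecredsspsupport") == ("i", "0"):
        findings.append("enablecredsspsupport:i:0 disables CredSSP, so Network Level "
                        "Authentication is unavailable and servers that require it refuse the connection")
    if settings.get("authentication level") == ("i", "0"):
        findings.append("authentication level:i:0 connects even when server authentication "
                        "fails, so a host impersonating the server is never detected")
    user = settings.get("username", ("s", ""))[1]
    if user and "\\" not in user and "@" not in user and not settings.get("domain", ("s", ""))[1]:
        findings.append(f"username:s:{user} has no domain; the client assumes a local account "
                        f"on {logon_domain(settings)!r}, so a domain logon fails")
    return findings


def harden_rdp(text: str, domain: Optional[str] = None) -> str:
    """Rewrite the weak values in place, keeping every other line and the file order.
    authentication level becomes 2 ("warn me") rather than 1 ("do not connect"),
    because pre-Vista servers cannot pass the identity check at all."""
    fixes = {"enablecredsspsupport": "1", "authentication level": "2"}
    out: List[str] = []
    for raw in text.splitlines():
        m = RDP_LINE.match(raw.strip())
        name = m["name"].strip().lower() if m else ""
        if m and name in fixes and m["value"] == "0":
            out.append(f"{m['name']}:i:{fixes[name]}")
        elif (m and name == "username" and domain and m["value"]
              and "\\" not in m["value"] and "@" not in m["value"]):
            out.append(f"{m['name']}:s:{domain}\\{m['value']}")  # qualify the bare user name
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_rdp(parse_rdp(SAMPLE_RDP)):
        print("WARNING:", finding)
    print(harden_rdp(SAMPLE_RDP, domain="MyDomain"))
```

Run it against a copy of Default.rdp (on Vista it lives under Documents) before rolling a file out to other users; the hardened copy only touches the three settings discussed, so server-specific lines such as the smart card redirection flag survive unchanged.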
When I try to use Windows Vista Ultimate Terminal Server to RDP into Windows 2003 Server on another Domain or Workgroup, I get an error and I cannot connect. It merely hangs, then ends the connection.
At first I am prompted with the following:
Remote Desktop cannot verify the identity of the computer you want to
connect to. This problem can occur if:
1) The remote computer is running a version of Windows that is earlier
than Windows Vista.
2) The remote computer is configured to support only the RDP security
Contact your network administrator or the owner of the remote computer
Do you want to connect anyway?
Once you "connect anyway" you get the next message:
Your remote desktop session has ended.
The connection to the remote computer was lost, possibly due to network connectivity problems. Try connecting to the remote computer again. If the problem continues, contact your network administrator or technical support.
RDP6 is very annoying.
It doesn't save my password when I connect to a Windows 2000 server.
As a domain policy, we have to change our password every month or so. Every time I change my password, my TSC saved credential needs to be updated again, and I cannot remember which one I've updated and which one I haven't!
Please fix it!
The issue with saved credentials when connecting to a Windows 2000 server has been noticed and will be addressed.
I have no problems connecting. My problem is that it is SOOOO SLOOOWWWW. It's virtually painting the screen one block at a time. Connecting via WinXP is perfect; Vista is so slow I have no idea. I have stripped it down to basics... I cannot get it to work right at all.
ok my question is slightly different, I too get that annoying error when connecting and I go and change the option to always connect even if authentication fails. And this works a treat, however the next time I run it the option has reverted back. Is this a GPO that I'm missing that restores this setting?
Is it not possible for mstsc.exe to automatically present the currently logged on user's credentials to the server?
I need to RDP to about 250 servers, finding the right .rdp file will take me longer than typing my domain\password. Not to mention that my password changes every 60 days, rendering my .rdp file pointless.
I've also got a problem involving smartcard. For servers in a different domain, I authenticate my RDP session with smartcard and PIN. This never works, throws errors on both my Vista x64 desktop and the Windows Server 2003 R2 machine in the other domain. I know my smartcard is working though, because I can log on to Vista with it, and I can RDP with smartcard credentials to servers in the other domain from Vista x86 or XP desktops.
Vista is rapidly becoming one rolling disappointment.
The MSTSC behaviour is infuriating - and inconsistent with it. I have 2 Vista machines here, one works perfectly (saved RDP details *just work*) and the other doesn't - password details are always blank.
infuriating doesn't begin to describe it - when I have typed my username, password and domain name for the fiftieth damn time today, just to connect to my SBS...
more work and hassle for zero benefit. woo.hoo.
Please advise - with all versions of vista OS the connection to our 2003 terminal server is so slow! I will hit connect and the login screen starts painting itself one section at a time and never finishes and then finally just goes away. Any solutions to this?
I am having so many problems with this!!! It's unbelievable.
I connect to several clients through VPN/RDP and now that I have a Win Vista Business machine nothing is working. VPN connects just fine but I cannot RDP!! I enter the right user/pwd but always get the message: "Your credentials didn't work..." I don't see any way of deleting credentials (through mstsc.exe>Options). Is there any way of deleting credentials? Editing registry keys perhaps??
TIA for any feedback!!!
I finally found the answer to why I have been having connection problems using my Vista workstation with Remote Desktop trying to connect our 2003 terminal server.
After first connecting to the terminal server and logging in successfully to the session, the login screen moves really slow, painting the display one pixel at a time and finally just locking up all together.
Because of Vista's low initial setting on its Auto Tuning feature, I had to create a new shortcut on the desktop. Enter the command "cmd" as the shortcut command.
Right-click on the shortcut and select "Run as Administrator". [You will be put in a DOS box]
Type "netsh interface tcp set global autotuninglevel=disabled"
[You should see a success message]
I had to create the shortcut and use the run-as command even though my user was an administrator equivalent. Not sure why, but it worked.
I've been experiencing connection issues with extremely slow painting of the Login screen and the connection eventually timing out.
This only occurred when connecting to an SBS 2003 R2 server (via a TS Gateway). RDP worked with all the other servers. Disabling TCP autotuning as suggested by Steve fixed this issue. Thanks for the tip.
How can i get updated Remote Desktop Client for Windows XP that support Network Level Authentication?
Kyaw, the latest Remote Desktop client uses Network Level Authentication when available. The problem is that Network Level Authentication is a property of the operating system you are running. XP does not currently support NLA, and we do not know when it will. Once XP supports NLA, the current Remote Desktop client will be able to use it.
When I put in MYDOMAIN\Administrator in the credentials for a W2000 server connection, it connects OK but saves Administrator@MYDOMAIN in the registry, and displays this next time I connect. BUT W2000 only displays Administrator@MYDOMA (ie 15 characters), so you have to change this every time! It passes the correct string to a 2003 server. Why can't it either keep the MYDOMAIN\username in the registry (as I initially entered) which works on 2000, or drop what's after the @ sign and use it to select the domain on the 2000 login screen?
Blah, blah. Change is change, but a lot of these changes don't do anything other than annoy the hell out of people. As a consultant, I connect to multiple networks all day, so the pre-filled domains is a complete waste of time as I have to change them almost every time I connect with RDC 6.0. The client in Vista never remembers my credentials even when I check to save them. It's just a piece of garbage with all the inconsistencies, but I guess it goes hand-in-hand with Vista overall, because there is no rhyme or reason for some of the changes in Vista as well...