TS connection experience improvements based on RDP 6.0 client customer feedback


Many users have downloaded the RDP 6.0 TS client through Windows update since it was released. We have received significant feedback on the RDP 6.0 client -- both on what you liked and what you disliked. In this post we want to let you know that we heard you and show you how your continued feedback helped us to improve the TS client connection experience for all of our users.

The improvements discussed in the post will be available to the public as part of the next planned TS client update. I will update this blog with a link to the new beta client download page once it is released. In the meantime, I thought I would provide an update to our TS user community that we heard your feedback, and we have made improvements in the next beta of the RDP client.

The improvements we made in the beta RDP client are discussed and organized by feedback topics. I have grouped your most common feedback into one of these seven buckets. Of course, additional comments/feedback is appreciated.

Feedback #1:  When using Remote Desktop Client 6.0 to connect to a computer running Windows 2003 or Windows 2000, some users are forced to enter credentials (user name and password) twice in a row - once at the TS client, and again at TS server.

This blog post provides details on the cause of these problems and possible workarounds.  To better address the problems mitigated by these workarounds, we changed the design for the next version as summarized by the following table:

| Client OS with RDP 6.1 | Target TS Server OS | Prompt for credentials |
|---|---|---|
| Windows Vista and Windows Longhorn | Windows Longhorn and Windows Vista | Always at TS client side |
| Windows XP, Windows 2003, and Windows 2000 | Windows Longhorn and Windows Vista | Always at TS Server side |
| Windows Vista, Windows XP, Windows 2003, and Windows 2000 | Windows XP, Windows 2003, and Windows 2000 | Always at TS server side |

With this design change, users will not be prompted for credentials twice anymore, provided they have installed the latest RDP client.

Feedback #2:  Saved credentials (user name, password) do not work. I don't know how to edit or delete my saved credentials.

This blog post provides details on the cause of these problems and possible workarounds.  In the new beta RDP client, we have bubbled up the "save" and "edit" options to the top-level UI by showing the logon settings on the TS client UI as shown below. If you need to edit or delete the saved credentials, you can do it directly from this UI instead of clicking the "Options" button and then editing them at the TS client expanded UI.  Remember that saved credentials are per target computer name. This means whenever you select a different computer name, it will tell you which user name and credentials it is going to use for the remote connection.

Whenever you or your administrator enable group policy (GP) settings to use the currently logged on Windows credentials to provide a single sign-on experience for a given terminal server, you will see this status as shown below.

When TS client has no saved credentials for the selected target computer, it will show the appropriate status as shown below.

Feedback #3: RDP 6.0 client provides no easy way to save credentials for the target server similar to what we had in RDP 5.0 client.

In the RDP 6.0 client, we removed the option to save credentials (user name and password) in the RDP file. If you need your RDP 6.0 client to remember your logon credentials, when you connect to Windows Longhorn TS server or Windows Vista, select the "Remember my credentials" checkbox in the credential prompt UI shown below.

 

This will store the credentials in Windows credential manager. Next time, when you connect to the same TS server, your saved credentials will be used automatically, and you will not be prompted for credentials. 

 

What about storing credentials for Windows Server 2003 or Windows 2000 Server TS connections?  In the new beta RDP client, we have provided an "Allow me to save credentials" checkbox at the TS client for pre-Longhorn terminal servers. This checkbox will be visible to you only when the TS client doesn't have saved credentials for the target computer. When you select this checkbox, you will be prompted for credentials at the TS client side once, even though your target computer is Windows 2000 or 2003 server, but when you enter the credentials, it will automatically save the credentials for you at the TS client computer. Next time, when you connect to a Windows 2000 or 2003 server, your saved credentials will be used automatically.

 

To see this checkbox, you need to click on the "Options" buttons in the TS client. Here is the expanded TS client UI with the "Allow me to save credentials" checkbox.

Important note:  Whenever your saved credentials (user name and password) have expired for a target TS server running Windows 2003 or Windows 2000, the target TS server will prompt for credentials again using Winlogon UI but the TS client will not be automatically updated with your newly entered credentials. When this happens, you need to manually edit the saved credentials on the TS client. Note that this is the same behavior as when connecting to a Windows 2000 or Windows 2003 Server from a pre-RDP 6.0 client.

Feedback #4:  Credentials entered in TS client get rejected when connecting to Windows Server 2003.

With the design in the new beta RDP client, you will not see this problem anymore because when you connect to Windows Server 2003 or Windows 2000 Server, TS client will not ask for credentials. Refer to Feedback #1 section for more details.

Feedback #5: When connecting to Windows Server 2003 or Windows Server 2000 using RDP 6.0, I am seeing a new credential UI prompt which I don't like.

If you always connect to Windows Server 2003 or Windows Server 2000 using the new beta RDP client, you will not see the new credential prompt anymore, and you will see the typical remote TS server logon screen (Winlogon) as it was in RDP 5.0.

 

 

But if you are connecting to Windows Vista or Windows Longhorn Server using the new beta RDP client from Windows Vista, you will see the new credential prompt at the client side as shown below.

We are showing this new credential UI prompt at the client because we want to do network level authentication for all TS connections to Windows Vista or Windows Longhorn Server. The new CredSSP (Credential Security Service Provider) used in Longhorn TS server provides benefits like RDP data stream protection, RDP port attack surface reduction, and server authentication by default.

Feedback #6:  The pre-populated user name in the credentials dialog does not match the user name that is in the RDP file.

Most users make a TS connection in one of two ways:

  • Style #1 by double-clicking a custom RDP icon published by your admin or a custom RDP file authored by you.
  • Style #2 by launching the "Remote Desktop Connection" icon in the Accessories folder on the Windows Start menu and typing in the remote computer name and user name and then clicking the "Connect" button, or by typing mstsc.exe from a command prompt. Whenever you use this style, TS client uses the default.RDP file.

 

With the RDP 5.0 client, when you use a custom RDP file, it always reads the user name from the file. It is optimized for users following connection style #1. The downside with the RDP 5.0 client is that if your connection style is #2, and you connect to five different TS servers in a day, you will be required to enter the user name again and again because it shows only the most recently used computer name and user name.

 

In RDP 6.0 client, we have optimized it for connection style #2 users but we understand that this approach breaks the "TS Remote Admin" scenario with connection style #1 where two different RDP files with two different user names are used for the same TS server, or where you want to use a custom RDP file with the user name pre-filled for you by your administrator.

 

Here is a proposed new solution to address both these cases. Whenever the TS client uses the default RDP file (this is the case for connection style #2), it will always use the user name hint from the registry. Whenever you use a custom RDP file (this is the case for connection style #1), it will read from the RDP file if it is available, or else it will read the user name hint from the registry. With this proposed solution, we think we'll be able to address both connection styles that customers use and all possible edge scenarios supported by RDP 5.0 clients. Please let us know your feedback.
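The selection rule above, worked through as an added example (not code from the TS client or from the original post). It parses the `name:type:value` lines of an .rdp file and compares the proposed rule with simplified models of the RDP 5.0 and RDP 6.0 behaviour the post describes; the policy names, the `hints` dictionary standing in for the registry hint, and the sample files are assumptions.

```python
# Added illustration: policy names and sample values are constructed.

def parse_rdp(text):
    """Parse .rdp 'name:type:value' lines (type i = integer, s = string)."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)   # the value itself may contain ':'
        if len(parts) != 3:
            continue                         # blank or malformed line
        name, kind, value = parts
        if kind == "i" and value.lstrip("-").isdigit():
            value = int(value)
        settings[name.lower()] = value
    return settings


def pick_username(rdp_text, is_default_file, hints, policy="proposed"):
    """Return the user name pre-filled for a connection, or None.

    hints: server name -> last user name used there (stand-in for the
    per-server user name hint the post says is kept in the registry).
    """
    rdp = parse_rdp(rdp_text)
    from_file = rdp.get("username") or None
    hint = hints.get(str(rdp.get("full address", "")).lower())
    if policy == "file_only":    # RDP 5.0 as described: the file always wins
        return from_file
    if policy == "hint_only":    # simplified model of the RDP 6.0 complaint
        return hint
    if is_default_file:          # proposed, style #2: Default.rdp -> hint
        return hint
    return from_file or hint     # proposed, style #1: file first, then hint


# Constructed sample files: two custom .rdp files for the same server.
ADMIN_RDP = "full address:s:ts01.example.test\nusername:s:CORP\\admin\nscreen mode id:i:2\n"
PLAIN_RDP = "full address:s:ts01.example.test\nscreen mode id:i:2\n"
HINTS = {"ts01.example.test": "CORP\\alice"}

def demo():
    return {
        "custom file, proposed": pick_username(ADMIN_RDP, False, HINTS),
        "custom file, hint_only": pick_username(ADMIN_RDP, False, HINTS, "hint_only"),
        "custom file without user name": pick_username(PLAIN_RDP, False, HINTS),
        "default file": pick_username(ADMIN_RDP, True, HINTS),
    }

if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case}: {user}")
```

The `hint_only` case is the "TS Remote Admin" breakage: the admin file names one account, but the client pre-fills whichever account last connected to that server.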

Feedback #7: How to suppress the "Remote Desktop cannot verify the identity of the computer you want to connect to..." security warning message?

This blog post provides details on the cause of this problem and a possible solution. We are investigating how to make this security warning message valuable while still making it easy for customers to suppress it when it is not needed. One option we are considering is to provide a checkbox called "Don't ask me again for remote connections to this computer."  If the user selects this checkbox, the choice will be remembered and the warning will be skipped automatically the next time.

 

If the user selects this checkbox to suppress the security warning on server authentication failure, and one year later the TS server admin has changed the server certificate or a bad TS server sends an incorrect server certificate, we will show this security warning again until the user clicks again to suppress it. This way, the warning is suppressed for the same server certificate error messages only. Here is the proposed UI mockup.
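The difference between remembering the choice per server name and binding it to the certificate and error, as an added example (not code from the TS client or from the original post). Class names, error labels and certificate bytes are constructed; `CertBoundSuppressions` is one reading of the behaviour proposed above.

```python
import hashlib

# Added illustration: class names, error labels and certificate bytes are constructed.

class NameOnlySuppressions:
    """Weak design: 'don't ask again' is remembered per server name only."""
    def __init__(self):
        self._servers = set()

    def suppress(self, server, cert_der, error):
        self._servers.add(server.lower())

    def should_warn(self, server, cert_der, error):
        return server.lower() not in self._servers


class CertBoundSuppressions:
    """One reading of the post's proposal: the choice holds only while the
    server presents the same certificate and fails with the same error."""
    def __init__(self):
        self._accepted = {}   # server -> (SHA-256 of certificate, error label)

    @staticmethod
    def _key(cert_der, error):
        return (hashlib.sha256(cert_der).hexdigest(), error)

    def suppress(self, server, cert_der, error):
        self._accepted[server.lower()] = self._key(cert_der, error)

    def should_warn(self, server, cert_der, error):
        return self._accepted.get(server.lower()) != self._key(cert_der, error)


def replay(store):
    """Run a constructed connection history and return the warn decisions."""
    old_cert, new_cert = b"constructed-cert-A", b"constructed-cert-B"
    decisions = [store.should_warn("ts01", old_cert, "untrusted_root")]      # first visit
    store.suppress("ts01", old_cert, "untrusted_root")                       # box ticked
    decisions.append(store.should_warn("TS01", old_cert, "untrusted_root"))  # same cert
    decisions.append(store.should_warn("ts01", new_cert, "untrusted_root"))  # cert replaced
    decisions.append(store.should_warn("ts01", old_cert, "name_mismatch"))   # new error
    return decisions


if __name__ == "__main__":
    print("cert-bound:", replay(CertBoundSuppressions()))
    print("name-only: ", replay(NameOnlySuppressions()))
```

With the name-only store the replaced certificate and the new error both pass silently, which is the case the post says must bring the warning back.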

 

 

 

 

 

Leave a Comment
  • Since installing XP SP3, the functionality of mstsc has changed. I used to be prompted for credentials before actually connecting to a server. Then, once the correct information was entered, the server gave me the warning dialog, and when accepted, logged me into the system.

    Since I use multiple servers in multiple environments (multiple domains, and standalone), and since I also use a password manager with automatically generated passwords with a high complexity level, this was a great setup. I could copy/paste my passwords from the manager without ever exposing them to anyone (including myself).

    I also use a management tool that allows me to have hot keys assigned to various functions. Selecting a server and executing a hot key against it will automatically launch the following command - "C:\WINDOWS\system32\mstsc.exe /console "C:\admintools\Default.rdp" /v:%E% /w:1024 /h:768"

    This would launch against the servername (%E%), and use my default.rdp. The bonus to this setup was that my name (domain or computer)\username was prepopulated correctly. I did not need multiple .rdp files.

    With 6.1, this is gone. How do I regain this functionality?

  • Hi Paul,

    What you are seeing when connecting with the RDC 6.1 client to SBS does not seem to be a planned reduction in functionality.  If you would like to provide more details so we can get to the bottom of this, please send an e-mail via the link on the top right of the page and we will try to look into this further.

  • I am in a tech support role that uses Remote desktop to assist customers and work on our servers. The problem I have with version 6 is that it only supports the last 10 used IP addresses/server names. I would like to increase that number. And no I do not want to use multiple RDP files, I already have enough short cuts on my desktop and tool bars. I would also like to be able to associate a name with an IP/server name. Sometimes I access hosted servers with the same IP, just a different port number and I cannot remember what server belongs to what port without looking it up in my notes. And finally, I would like to be able to edit the log in hint. Some of my log ins have changed and the bad hint just requires an extra step to get logged in.

  • First, if you change an option and then click connect the option is not saved. You have to click general and then save.

    It would be better if the program would notice the change and asked for a save.

    Second, if you start a program and quit it, the connection stays open. Please provide an option "Log off after the program quits". I usually enter batch files in it and add a line "shutdown -l" (log off user) to it for quitting.

    Third, provide an option so you can choose between "Start a command prompt only" and "Start the following program"

    RCMD is no longer in the resourcekit of windows 2003

    Finally, if you use local resources "drives", you can't specify a drive letter and you can't access that drive under a command prompt. You can however access it from the explorer.

    Constantijn Enders

  • Hi Constantin,

    Thanks for your feedback. Regarding your 2nd point (if you start a remote app and quit, the connection stays open) - with Windows Server 2008, you should actually get disconnected from the server within a brief period of time after closing the remote program(under 1 min) if you don't have any other remote applications open on that server.

  • Is anyone going to respond to the question posted on July 22 that started out "I am in a tech support role that uses Remote desktop to assist customers and work on our servers."

  • In many cases I have to perform this client side registry hack to get client printers to work on Win 2003. (see KB 302361) can you add the FilterQueueType to the RDP client GUI.

    It is an incredible pain to try to perform this hack on client machines. I've wasted so much time on this.

  • I cannot connect via Vista --> SBS 2003. All I get is the logon screen and that's it. I have disabled the Vista firewall and changed the auth method. This is BS. Why is it so difficult connecting to SBS? Anyone else have the same issue?

  • Is it possible with 6.1 to set the icon for the .rdp file. We use it to connect with a specific application, so it would be nice to have the same icon as the application.

    Note, I am aware of the shortcut file solution (http://technet.microsoft.com/en-us/library/cc757282.aspx) but I'd rather have one file.

  • Hi.  I wrote an entry here on July 25, 2007.  I have since walked away from RDP 6 until recently as XP (I'll never go to Vista) rammed RDP 6.1 down my throat in SP3... which is why I haven't installed sp3 until today.

    See I still will not use RDP 6.1 because, while passwords in files are honored, you cannot save a password to a file.  Microsoft wants to force per-machine passwords and therefore still has not listened to the customer, which is fine.  I'm using mostly Linux now.  I am so annoyed with Microsoft these days and have no intention of hiding it in these words or in my budgetary decisions.

    Anyway, for those of you annoyed with RDP 6.x being forced upon you in sp3, the solution is as follows:  1) Install sp3. 2) Download and install the RDP 5.2 client.  It writes over the top of RDP 6.1 thus restoring proper functionality.

  • Hi,

    I'm administering Windows Server 2008 and Vista machines from an XP SP3 desktop.  From this desktop I am able to rdp to Win2K8 and Vista with Network Level Authentication enabled using the Remote Desktop Connections client.  

    I also have a custom mmc console using the Remote Desktops snap-in.  Using this method I am unable to connect to the same Win2K8 and Vista machines that have NLA enabled.  Is there any fix for this?

    Thanks.

  • Hi,

    I'm running server 2008 + Vista as client (RDP 6.1) and use smart card logon towards terminal server. Sometimes, but not always, I do have to enter user+password at TS-server.

    My initial test had 2003-server as DomainController and 2008-server as terminal server + CA. To eliminate 2003-dependency I made my 2008-server run as DomainController as well but no change in behavior.

    I issue my Smartcard User certificate via web-enrollment and have no problem to use it locally. Any hints?

    Best Regards

    /Håkan

  • You might be having problems with smart card redirection.

    Sometimes it takes quite a long time for terminal server to recognise a redirected smart card. It would display logon screen until it becomes aware of the presence of your smart card, but when it does, it should log you on automatically.

  • Thanx, but even if I wait ca 30s it won't log me on (after 30s it times out and goes back to local screen). But it's a good hint, maybe I can investigate further on this. Maybe the server won't recognize my smart card at all in the cases where I have to enter user+password.

    BR/Håkan

  • With XP SP3 you must enable NLA - CredSSP

    http://support.microsoft.com/kb/951608/

    How to turn on CredSSP

    Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

    322756  (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows

    Click Start, click Run, type regedit, and then press ENTER.

    In the navigation pane, locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

    In the details pane, right-click Security Packages, and then click Modify.

    In the Value data box, type tspkg. Leave any data that is specific to other SSPs, and then click OK.

    In the navigation pane, locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders

    In the details pane, right-click SecurityProviders, and then click Modify.

    In the Value data box, type credssp.dll. Leave any data that is specific to other SSPs, and then click OK.

    Exit Registry Editor.

    Restart the computer.
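The two registry edits from the steps above, as an added example (not part of the comment or of the KB article). It appends `tspkg` and `credssp.dll` without dropping entries that belong to other SSPs and is safe to run twice; it assumes `Security Packages` is a REG_MULTI_SZ list and `SecurityProviders` a comma-separated REG_SZ string, and the function names and sample values are hypothetical.

```python
# Added illustration: function names and sample values are constructed.

def add_security_package(existing, package="tspkg"):
    """Lsa\\Security Packages (REG_MULTI_SZ): append once, keep other packages."""
    kept = [p.strip() for p in existing if p.strip()]
    if package.lower() not in (p.lower() for p in kept):
        kept.append(package)
    return kept


def add_security_provider(existing, dll="credssp.dll"):
    """SecurityProviders (REG_SZ, comma-separated): append once, keep other DLLs."""
    dlls = [d.strip() for d in existing.split(",") if d.strip()]
    if dll.lower() not in (d.lower() for d in dlls):
        dlls.append(dll)
    return ", ".join(dlls)


def enable_credssp():
    """Apply both edits on the local Windows machine (run as administrator,
    back up the registry first, restart afterwards)."""
    import winreg  # Windows only; imported here so the helpers run anywhere
    base = r"SYSTEM\CurrentControlSet\Control"
    access = winreg.KEY_READ | winreg.KEY_SET_VALUE
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base + r"\Lsa", 0, access) as key:
        current, _ = winreg.QueryValueEx(key, "Security Packages")
        winreg.SetValueEx(key, "Security Packages", 0, winreg.REG_MULTI_SZ,
                          add_security_package(current))
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        base + r"\SecurityProviders", 0, access) as key:
        current, _ = winreg.QueryValueEx(key, "SecurityProviders")
        winreg.SetValueEx(key, "SecurityProviders", 0, winreg.REG_SZ,
                          add_security_provider(current))


# Constructed examples of what the two values might hold before the change.
SAMPLE_PACKAGES = ["kerberos", "msv1_0", "schannel", "wdigest"]
SAMPLE_PROVIDERS = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

if __name__ == "__main__":
    print(add_security_package(SAMPLE_PACKAGES))
    print(add_security_provider(SAMPLE_PROVIDERS))
```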
