Problems using saved credentials with Vista RDP clients and above


Background Information

The Windows Vista Credential Delegation policy does not allow a Vista RDP client to send saved credentials to a Terminal Services (TS) server unless that server has been authenticated. By default, Vista RDP clients use the Kerberos protocol for server authentication. Alternatively, they can use SSL server certificates, but these are not deployed to servers by default. There are three common scenarios in which authenticating the server with the Kerberos protocol is not possible but authenticating it with an SSL server certificate is. Because SSL server certificates are not deployed by default, saved credentials do not work in these scenarios.

Scenario 1: Connecting from home to a TS server through a TS Gateway server

When you connect from home through a TS Gateway server to a TS server hosted behind a corporate firewall, the TS client has no direct connectivity to a key distribution center (KDC) hosted on a domain controller behind the corporate firewall. As a result, server authentication using the Kerberos protocol fails.

Scenario 2: Connecting to a stand-alone computer

When connecting to a stand-alone server, the Kerberos protocol is not used.

Recommended Solution for Scenarios 1 & 2

For scenarios 1 and 2, enable server authentication by using SSL certificates that are issued by a trusted Certificate Authority and that have the server name in the subject field. Deploy one to every server for which you want server authentication. To assign the SSL certificate to a connection:

1. At a command prompt, run tsconfig.msc. Note: tsconfig.msc is only available on servers.

2. Double-click the RDP-Tcp connection object.

3. On the General tab, click Select.

4. Select the certificate you want to assign to the connection, and then click OK.

Scenario 3: Connecting to a terminal server farm

Kerberos authentication does not work in terminal server farm scenarios because a farm name has no account associated with it in Active Directory. Without such an account, Kerberos-based server authentication is not possible.

Recommended Solution for Scenario 3

To enable server authentication in a server farm, use SSL certificates that are issued by a trusted Certificate Authority and that have the farm name in the subject field. Deploy them to all servers in your farm. Because the SSL certificate provides server authentication for the TS server, the Credential Delegation policy then allows saved credentials to be used for remote desktop connections.
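As an added example (not from the original post), the following PowerShell checks the certificates in the local machine store against the requirements stated for scenarios 1 and 2 (server name in the subject) and scenario 3 (farm name in the subject): a name that matches, a chain to a CA the machine trusts, the Server Authentication purpose, and a private key. With -Bind it also assigns the first suitable certificate to the RDP-Tcp listener through the Win32_TSGeneralSetting WMI class, the scripted counterpart of the tsconfig.msc steps above. The farm name tsfarm.corp.example.com is a placeholder, and the WMI binding assumes Windows Server 2008 or later and an elevated prompt.

```powershell
# Added example, not part of the original post. Run elevated on the TS server;
# the host name at the bottom is a placeholder.
function Find-TSServerCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $Name,   # server FQDN or farm name
        [switch] $Bind                                   # also assign it to RDP-Tcp
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $chosen = $null
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $problems = @()
        # The subject (or a DNS SAN) must carry the name clients connect to.
        $cn  = $cert.GetNameInfo([Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        $san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
                ForEach-Object { $_.Format($false) }) -join ';'
        if ($cn -ne $Name -and $san -notmatch [regex]::Escape($Name)) {
            $problems += "name '$cn' does not match '$Name'"
        }
        # Verify() builds the chain; it fails for untrusted issuers, expiry and revocation.
        if (-not $cert.Verify()) { $problems += 'not trusted by this machine (chain, expiry or revocation)' }
        # Must be usable for server authentication and carry its private key.
        $eku = $cert.Extensions | Where-Object { $_ -is [Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })) {
            $problems += 'no Server Authentication EKU'
        }
        if (-not $cert.HasPrivateKey) { $problems += 'no private key in this store' }

        if ($problems.Count -eq 0) {
            Write-Host "OK    $($cert.Thumbprint)  $cn"
            if (-not $chosen) { $chosen = $cert }
        } else {
            Write-Host "SKIP  $($cert.Thumbprint)  $cn : $($problems -join '; ')"
        }
    }
    if ($Bind -and $chosen) {
        # Same effect as clicking Select on the RDP-Tcp General tab in tsconfig.msc.
        $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                            -Filter "TerminalName='RDP-Tcp'"
        Set-WmiInstance -Path $ts.__PATH -Arguments @{ SSLCertificateSHA1Hash = $chosen.Thumbprint } | Out-Null
        Write-Host "Bound $($chosen.Thumbprint) to RDP-Tcp"
    }
    return $chosen
}

# Scenario 3: every server in the farm must present a certificate for the farm name.
Find-TSServerCertificate -Name 'tsfarm.corp.example.com' -Bind
```

Run it without -Bind first on each server to see which certificates fail and why; a certificate that passes here is one the Vista client can use to authenticate the server, so the Credential Delegation policy will release the saved credentials.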

  • Hi Nomade,

    SSO is only supported with username and password (domain credentials). SSO is not possible with smart cards, unfortunately.

  • Hi DeepThinker,

    In the example above (and usually), we use the FQDN of the server to connect (I would imagine it's also easier for the client to type in a server name than an IP address). Although connection using an IP address should work as well - do you think your DNS may be misconfigured (e.g. have multiple PTR records, so reverse lookup is returning different host names)?
