Remote Desktop Services (Terminal Services) Team Blog

PingBack from http://blogs.msterminalservices.org/conger/2007/03/28/terminal-server-rdp-client-improvements/

Bob, this feature already exists in RDP Client 6.0.

Will the new client save credentials based upon servername *AND* port number, or just the servername like the current 6.0 client?

For example, five TS servers behind the same IP:

mydomain.com

mydomain.com:3390

mydomain.com:3391

mydomain.com:3392

mydomain.com:3393

Currently the 6.0 client only allows *one* credential set to be saved for the above scenario, even though it should allow five.

After using RDP since its inception through 6.0 and reading the above blog, I can tell you that this whole thing has gotten out of hand.

What used to be a relatively simple procedure is now way too complex, especially for those of us who rely on this functionality as part of our daily operational support roles.

Mark,

If you're using RDP 6.0 to connect to Windows Vista Ultimate or Windows Vista Enterprise machine, you can have certain local USB devices recognized on the remote machine.  See Guarav's post on this subject for more information:

http://blogs.msdn.com/ts/archive/2006/12/05/terminal-server-plug-and-play-device-redirection-framework-in-vista-and-longhorn-part-1.aspx

I have found a work-around! If you create different host (A) entries in DNS for the same termserv, you can setup a different username to use with each host record.

Hi,

you mention "Whenever you or your administrator enable group policy (GP) settings to use the currently logged on Windows credentials to provide a single sign-on experience for a given terminal server, you will see this status as shown below."

Can you point me at this GP setting?

Also, does this GP setting only work if you're using a Vista/Longhorn Server, or will it work with Win 2003 Termianl Server's as well?

What about client-side? Does it work with XP or does it need Vista?

John

Is there a fix for the "incompatible smart card" problem that appears in 6.0 but not in 5.1?

Redowa, could you please provide more details on your error?  

If it was working with RDP 5.0 client, then it should work with RDP 6.0 client.  To troubleshoot your issue fruther, could  you please

- provide the full error text that you are seeing including the error codes if avaialble.

- provide the client OS version.

- provide details about your Smart Card manufacturer and driver details.

Hi,

"The client could not connect. You are already connected to the console of this computer. A new console session cannot be established."

I raised this issue in the "Remote Desktop Connection (Terminal Services Client 6.0) for Windows XP and Windows Server 2003 (English Only) released" blog on December 1st and 8th. Gerard also seems to have the same issue see 13th December.

The scenario is I have two servers (lets call them ServerA and ServerB), both domain controllers, running Windows 2003 SP2. I have no problems connecting a Remote Desktop session to either with TSC 5.1 but I get the above message every time I try to connect to ServerA from any windows XP workstation running TSC 6.0. If I revert to TSC 5.1 I can again connect. No other sessions are in progress at the time.

I have no problem connecting to ServerB with TSC 6.0 and I can connect to ServerA from ServerB using TSC 6.0

ServerA runs all our FSMO roles as well as most of our other server software.

Roger

I been searching around and scratching my hair alot lately about authenciation on TS.  

Is it possible to implement terminal server which remote client need certicicate to install to able to access?, so far i only found authenciation to TS with SSL.

if client not has certificate then they not access TS even select "Alwasy connect..."?

Thanks

I like the improvements but have not found a solution besides disabling credssp to address the issue where the customer is using Remote Administration or connecting to a Longhorn server where they have a custom credential provider tile that they need exposed.  In one case the customer is filtering the default credential provider so that theirs is the only tile showing and therefore the user gets prompted twice.  Is there a way to not disable Network Level Authentication but still leverage the customer Credential Provider such as filling out the username and password fields but allowing the end user to enter the additional data needed for the custom credential provider?

Feedback #6 - sounds like a good work around

Additional feedback

a) when the program installs, please have it create a proper add/remove line item so that the item is identified by name not just by KB number (ie. its kb925876, after removing it from 10 or so machines in the past week, the number finally stuck in my head)

b) if the next version is to be considered beta too, please also identify it as such at windows/microsoft update, as well as in the add/remove applet because users may be instructed not to get beta software but that it is ok to get everything else.  And while 6.1 will be greatly anticipated in our org, we still don't want people installing it until **we** tell them its specifically ok to do so.

So is there *any* workaround to have saved credentials in each rdp-file again?

Hi,

I have some doubts about TS (not especifically this version 6.0):

I using TS in sites where we have low bandwidth (128 or 256 Kbps ex). When I´m using ERP, Excel, Word, Outlook, etc, I have no problem in performance, and my aplications works good. But, if a use a powerpoint (PPS), IE (ex.), that needs to show images or pictures, wow....it´s too slow. Looking my sniffer, I saw that TS use a lot of bytes to transfer the screen (mounted frame by frame).

More information: Compress is enable, I´m using just Bitmaps Cache Storage on Experience Menu.

The questions is:

1 - TS works this form?

2 - If not, Have any configuration to do on Server or Client?

3 - Do you recommend Citrix in this case?

More information (visiting a site with pictures, images, etc,  Metaframe used 880 Kb and with TS 3.1 Mb).

Regards

Disable initial pre-connection prompt:

Put the line

enablecredsspsupport:i:0

in your rdp.file used to connect.

Workaround for FQDN/IP/DOMAIN name prepended to username at server-side login:

Copy/paste this into a textfile, name it rdc.cmd, put it in windows-folder, then create a shortcut having this as commandline:

cmd /c rdc <your domainname, FQDN, IP or NETBIOS DOMAIN>

This batch simply strips whatever it otherwise prepends to the username. I admit, it's just a workaround, but at least it works until microsoft releases the next version which probably will have more logic added to detect better what the client is connecting to, and which also fixes the USernameHint-bug (which really is a bug in the 6.0 client). Hope this will help most people having this issue here.

This batch leaves all other options and features intact, so saving credentials, choosing not to save them, etc. all still works. This batch only strips every time you use it to logon, nothing more. Be advised that in a multi TS environment this batch can lead to other problems, be aware of this!

The batch:

@echo off

if %1x==x goto help

for /f "usebackq tokens=2 delims=: " %%i in ('echo %1') do set a=%%i

for /F "usebackq delims=" %%i IN (`reg query "HKCU\Software\Microsoft\Terminal Server Client\UsernameHint" /v %a%`) do set t=%%i

for %%i in (%t%) do set n=%%i

set name=%n%

if %n%==REG_SZ set name=

if %n%==UsernameHint set name=

if not %name%x==x for /f "usebackq tokens=2 delims=\" %%i in ('echo %name%') do set name=%%i

reg add "HKCU\Software\Microsoft\Terminal Server Client\UsernameHint" /v %a% /d "%name%" /f

start mstsc /f /v:%1

exit

:help

echo RDC FQDN/IP/DOMAIN to connect to

echo RDC replaces the annoying crediantial dialog of Remote Desktop Connection 6.0

echo     asking and setting FQDN\Username as default

echo     It does this by stripping the FQDN/IP/DOMAIN-part,leaving only the username

pause

When accessing a host by IP address, the credentials automatically fill-in each time as IPaddress/username - I always have to change it becuase I want to log on to the domain, not the local PC...it's annoying, so i've disabled the credential security service

When will a new RDP version be available.  I have not been able to locate this 6.1, is it not released yet?  

Also, I added enablecredsspsupport:i:0 to the .rdp file, but when you connect it still defaults to the local machine account instead of the domain account.  Is there a way to change this?

Scott,

Your problem is going to be addressed by the next version of TS Client.

TS Client v6.1 will use RDP file to pre-populate user name in credential prompt.

Please, see “feedback #6” in the above Blog.

My organization has the same problem with needing to connect to the same server with multiple different credentials.  I have tried creating different rdp files with different credentials for the same server with no success. I see this is supposed to be fixed in v6.1. When will this be released? Is there some sort of hotfix available now? The way users connect to an application we run has basically been crippled.

Looking forward to the 6.1 changes. these changes have cost me lot of hours of support problems.

BTW - I had a problem earlier this year with machines that did no have the DST patch, It would be helpful if there was an option on the RDP client to Use the Server time for the RDP session. I was told at the time that there is no Group Policy setting that could force the RDP client to use the Server time and that the time was controlled by the settings on the RDP client. Please look into this. All i need is a checkbox that forces them to use the server time for the server sessions they are starting.

-- thanks

I'm having such headaches with 6.0..

Does anybody know how I can obtain 5.2 to replace this?

Hello there!

What I am experiencing is that I connect to my Win2003 SBS with a VPN connection. After it has been set up, I go with RDP (from Windows Vista client) to my server and it gives me 3 choices:

1) 192.168.1.4\USER

2) use another account

3) reading smartcard...

On the laptop with Vista I'm using a local account.

I choose selection 1 and get not logged in because "Username" appears to be "192.168.1.4\USER". Therefore, I have to wait the timeout to expire and then I can delete and type my username.

Is there any solution to this?

Thanks...

Hy Sergey.

Thanks for your suggestion, but I already tried it. If I type "DOMAIN\Username" I get to the server login screen and see "Username: DOMAIN\Username", which of course is wrong and cannot be accepted for logging in.

Is it already possible to get TS Client 6.1 "standalone"?

Regards...

The problem with controlling the RDP options via the default.rdp file, e.g. to turn off the double logon prompt, is that after installing the client, you now have to touch the default.rdp file for every user on every PC or server they use, no an elegant solution. Why in the world don't you have global setiings, or use a GPO?

Another problem is that the Windows key now no longer works on the remote desktop, when you press the Windows key, it brings up the start menu, on the local desktop.

Could you please fix these issue ASAP?

Thanks,

Chuck Hallback

P.S>. This web site is SO slow it is almost unusable.

Will the problem with the Windows key combos, and alt-tab, not working on the remote desktop also be fixed? For us this is the biggest show stopper on deploying the 6.0 client.

I didn't see this mentioned on your list of issues, or feedback,  for the 6.0 version.

I would hate to have to use a premier support call to find out the answer to this

Thanks,

Chuck

I had the problem where RDP to win 2000 SRV would not save password, we fixed this by following the advice of a Microsoft employee (another page, cannot remember where) who pretty much said, user better software like:

Visionapp's Remote decktop (http://www.visionapp.com/111.0.html) which worked great, apart from we could not find the lauch the following program (in our case the business system) but this can be done in the user management of TS on the win 2000 server.  Nice!

hi all

when i log on to server have logon message box " you don't have level encryption to access this session". what problem?

We are desperate for a fix for the domain:s: parameter that can set in RDP files.

In our corporate environment, with hundreds of machines, I have the same id and password.  How can I get it to use the ONE credential and password for all client connections?

It doesn't make sense (read: really annoying) for me to have to enter the same info time and time again, since the servers are all in the same domain.

thanx in advance

NT - nice try - I use windows XP PRO in the corporate environment and at home (when I telecommute).  Therefore, it is not possible for me to use this circuitous route to enable SSO.

Not to mention my home account name is not the same as my corporate account name.

Why do you have to over-engineer the solution?

Being a software developer since the beginning of PCs, it is very easy for me to imagine a SSO checkbox embedded within MSTSC so it only accesses one set of credentials for all connections, as opposed to the current solution of tracking each connection and credential together.

How simple is it to store only one set of credentials to be used for all connections?  It's actually far simpler than tracking credentials separately, encoded in a .rdp file.

[sigh]

K.I.S.S.

If my machine and userid and password are compromised in such a manner, why would allowing per server credential logins be more secure than a single credential?

I don't see your logic/assertion as being correct.

assumption:

1) All RDP connections work because they have cached credentials

2) All corporate environments will require the same set of credentials to log into a server in the same domain

(so why be forced to act like there are different credentials??)

QED:

1) Therefore any malware could access any RDP connection regardless of how many credentials are cached (1 or multiple).

2) If my system is compromised, by human hands or malware, I have much more of a concern.

3) All credentials are encrypted and secure, so malware cannot access 1 or 2 or more passwords, whether they be stored singly or muliply (as the same credentials).

On the surface, one might take your statement as fact, but I can't see how it is little more than an introduction to a thought, rather than the conclusion of a series of thoughts.

Malware cannot delete your file system if you are not logged on as Administrator.

Malware cannot read domain credentials stored in Credential Manager (http://msdn2.microsoft.com/en-us/library/aa923650.aspx).

But, malware can read credentials stored in RDP files, or credentials stored in Credential Manager in generic format.

TS Client sends user credentials to the server it connects to. It is the only way to create an interactive session. On Vista to Vista connections TS Client uses CredSSP for this purpose (http://msdn2.microsoft.com/en-us/library/bb931352.aspx). CredSSP (as any other SSP) has a component running as SYSTEM, that reads user credentials from Credential Manager and sends them to the server. CredSSP has a policy that controls to which servers it can and to which it cannot send credentials (http://msdn2.microsoft.com/en-us/library/bb204773.aspx).

So, when connecting from Vista to Vista, it is possible to protect your saved credentials from malware. (We are also planning to ship CredSSP with XP SP3).

However, if you allow your credentials to be sent to any server, they are not safe.

I AGREE WITH IT:

the username:s: and password 51:s: parameters were key. I need to be able to simply double click two rdp files pointing to the *SAME* machine with two *DIFFERENT* credentials *WITHOUT* prompting.

You guys (whoever made the changes) are handicapped and stupid!

SIX FREE RDP ALTERNATIVES:

"In this post I am comparing six Remote Desktop clients in a feature table: RD Tabs 2.0.8, mRemote 0.0.8.0, RoayalTS 1.3.2, vissionapp Remote Desktop v1.5 (vRD), Terminals 1.6, and Remote Desktop Manager 3.0.0.1 (RD Manager)."

http://4sysops.com/archives/comparison-of-six-free-rdp-client-tools/

Good God!!!   I accidentally stumbled across RDP 6.1 client today after installing Vista SP1 RC.  

I feel like I've just been released from prison. That abortion of a client called version 6.0.

I have only been using it for a few hours but I now feel at least three times as productive as I connect to any of the hundreds of machines across multiple sites and domains that I manage.

Thank you!  When can we have it stand alone install?

Evidently this is by design.  Thanks.  I'll go edit a few dozen .RDP files.

http://www.ditii.com/2007/12/18/windows-server-2008-remote-administration-changes/

The users experience for Video or flash has always been poor with 5.0 and 6.0 over the internet. I understand this may be the cause of many factors but it would be nice to provide a near desktop experience for small videos and flash website. Will this goal be obtain in v6.1 or vX.XX?

I have a secure website using SSL which allows authenticated users to click a link on the web page which returns an RDP file which launches their Remote Desktop Session.  However, the user is still prompted for their password despite the fact that I have included the password hash in the RDP file and I am using SSL with Terminal Services.  What I need is the ability to put user and password in the RDP file and to never be prompted for these items whether or not the user has ever connected to the Terminal Server before. Since the Terminal Servers are hosted in a data centre single sign is not an option. Will the proposed improvements work in this situation?

I installed windows 2008 server and tried TS connection through windows XP system. First i got error message like " install client active X control" .

Then i installed Windows XP SP3 in my client system. Now its working fine. Actually we need RDC 6.1 version for TS web access. This one comes with XP SP3 and vista SP1.

This also stops any values being created in that key only so change permissions after you add the

[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client] "PinConnectionBar"=dword:00000001

Value

Cheers - Mick

Upgrading from 6.0 to 6.1 made the "CTRL+ALT+RIGHT/LEFT ARROW" key combos be hard-wired to the mstsc and never transmitted.

This killed apps that had actually use those keys for actually useful purposes.

Is there any way to remap particular the key combos in mstsc.exe ?

Since installing XP SP3, the functionality of mstsc has changed. I used to be prompted for credentials before actually connecting to a server. Then, once the correct information was entered, the server gave me the warning dialog, and when accepted, logged me into the system.

Since I use multiple servers in multiple environments (multiple domains, and standalone), and since I also use a password manager with automatically generated passwords with a high complexity level, this was a great setup. I could copy/paste my passwords from the manager without ever exposing them to anyone (including myself).

I also use a management tool that allows me to have hot keys assigned to various functions. Selecting a server and executing a hot key against it will automatically launch the following command - "C:\WINDOWS\system32\mstsc.exe /console "C:\admintools\Default.rdp" /v:%E% /w:1024 /h:768"

This would launch against the servername (%E%), and use my default.rdp. The bonus to this setup was that my name (domain or computer)\username was prepopulated correctly. I did not need multiple .rdp files.

With 6.1, this is gone. How do I regain this functionality?

I am in a tech support roll that uses Remote desktop to assist customers and work on our servers. The problem I have with version 6 is that it only supports the last 10 used IP addresses/server names. I would like to increase that number. And no I do not want to use multiple RDP files, I already have enough short cuts on my desktop and tool bars. I would also like to be able to associate a name with an IP/server name. Sometimes I access hosted servers with the same IP, just a different port number and I cannot remember what server belongs to what port with out looking it up in my notes. And finally, I would like to be able to edit the log in hint. Some of my log ins have changed and the bad hint just requires an extra step to get logged in.

Hi Constantin,

Thanks for your feedback. Regarding your 2nd point (if you start a remote app and quit, the connection stays open) - with Windows Server 2008, you should actually get disconnected from the server within a brief period of time after closing the remote program(under 1 min) if you don't have any other remote applications open on that server.

In many cases I have to perform this client side registry hack to get client printers to work on Win 2003. (see KB 302361) can you add the FilterQueueType to the RDP client GUI.

It is an incredible pain to try to perform this hack on client machines. I've wasted so much time on this.

Is it possible with 6.1 to set the icon for the .rdp file. We use it to connect with a specific application, so it would be nice to have the same icon as the application.

Note, I am aware of the shortcut file solution (http://technet.microsoft.com/en-us/library/cc757282.aspx) but I'd rather have one file.

Hi,

I'm administering Windows Server 2008 and Vista machines from an XP SP3 desktop.  From this desktop I am able to rdp to Win2K8 and Vista with Network Level Authentication enabled using the Remote Desktop Connections client.  

I also have a custom mmc console using the Remote Desktops snap-in.  Using this method I am unable to connect to the same Win2K8 and Vista machines that have NLA enabled.  Is there any fix for this?

Thanks.

You might be having problems with smart card redirection.

Sometimes it takes a quite a long time for terminal server to recognise a redirected smart card. It would display logon screen until it becomes aware of the presence of your smart card, but when it does, it should log you on automatically.

With XP SP3 you must enable NLA - CredSSP

http://support.microsoft.com/kb/951608/

How to turn on CredSSP

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756  (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows

Click Start, click Run, type regedit, and then press ENTER.

In the navigation pane, locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

In the details pane, right-click Security Packages, and then click Modify.

In the Value data box, type tspkg. Leave any data that is specific to other SSPs, and then click OK.

In the navigation pane, locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders

In the details pane, right-click SecurityProviders, and then click Modify.

In the Value data box, type credssp.dll. Leave any data that is specific to other SSPs, and then click OK.

Exit Registry Editor.

Restart the computer.

From a 2003 Client, I want to create an RDP connect to a 2008 Terminal Server. To use the new Easy Print driver, I need to use RDP 6.1 and .Net Framework 3.0 SP1 on the client.  Where can I find RDP 6.1?

I'm using rdp client 6.1 in Windows 7 and I get this weird behaiviour with the Connection Bar in full screen. If I check the Display the connection bar when I use full screen option i cannot unpin it (does not go away) and if I uncheck the option it's kind of cumbersome to close the rdp window (switch to taskmanager using ctrl-alt-delete end ending it from there).

Is this a bug or am I missing something?