Terminal Services Team Blog

PingBack from http://blogs.msdn.com/ts/archive/2007/01/22/vista-remote-desktop-connection-authentication-faq.aspx

Unfortunately, we do not know when the required pieces for Windows Server 2003 R2, WinXP, etc. will be available.

Como sabéis al usar el cliente 6.0 de Remote Desktop normalmente pide validación antes de entrar en el

Some places have been suggesting to use 'enablecredsspsupport:i:0' as a way to avoid getting prompted for username and password on RDP connections. The side effect is that it also disables Network Level Authentication support in Vista and Longhorn, whic

I've experienced a delay between the first prompt and when the terminal session window finally comes up. Its not uncommon for that delay to last almost 30 seconds as I just see a box with "Connecting to <servername>" displayed.

Is there anyway to remedy this? The only suggestion that I've found that worked was to disable Netbios over TCP/IP. That's not really feasible for me as it disables too many other features as well.

Why mess with a good thing?  Not one admin I've spoken to since 6.0 has said anything nice about the new RDP client.  In fact, many times over, there have been dismay and expressions of anger.

If anything, the 6.0 client SHOULD have a check box where we can either do it the way it's always been done (i.e, 5.0 way of doing things) or the new Microsoft way.

I HATE having to type credentials in only to find out I can't connect to the box.

I've actually heard colleagues try to find 3rd party RDP clients because of this situation.  JavaRDP comes to mind.

And frankly, this situation could have been avoided if more customers were involved in that strategic direction.

@Jonathan: "Why mess with a good thing?"

It's called improvement.  The new RDP adds additional authentication, which is something that many of us want to see.  There may be some problems in the implementation, although it works for me just fine on the machines I maintain.  I just want to see Microsoft release RDP server for Windows 2003 that includes authentication.

I think a lot of people get caught up in the "change is bad" attitude.  I suggest you find jobs in more slow-changing industries.  If you don't like change, then IT is not for you.

@Patrick, My RDC client in Vista saves all my user name/passwords for all the different machines I connect to, without having to save individual RDP files, as I did in XP.  Is that not working for you?  I think the new system is more convenient, because it stores the credentials without having to save lots of files.

I do, because it is more convenient, and I don't see any disadvantage in doing so.

Today I received an angry call from one of our branch offices, telling me that most terminal clients don’t work anymore. Further inspection revealed that the cause is the new handling of credentials in TSC 6.0: The terminal clients are XP machines with a custom GINA that invokes mstsc.exe (within the guest account context) with a pre-defined tsc.rdp file upon CTRL-ALT-DEL. The RDP file contains the username and domain. Thanks to the new “ignore” feature, this doesn’t work anymore and users complain why they have to provide the username and why they have to do this twice (wrong domain name). I just hope that the “store password” feature is disabled under guest account context; otherwise I can kiss security good-bye. Well, I guess its my fault for trusting Microsoft and enabling auto-approval at WSUS. Because removal isn’t possible, I’m now honored of having the privilege to set-up new clients from scratch. But believe me, this time it’s going to be a Linux solution using rdesktop or something alike.

@Zardosht:

First of all, thanks for your answer. Allow me to elaborate the problem to further extend.

“If your users enter the username with the correct domain the first time around, they should not have to enter the username twice.”

The problem is that most users don’t know what a domain is. Seriously. Up to now, the domain name was stored within the RDP file and was preset, no user knowledge or interaction required. Now they have to retype the domain name every time they log on after somebody else, since a terminal client is used by many users connecting to the same server, or carefully select the previous username with the mouse up to the backslash and change the text, which might even take longer. So not only do they have to know what their domain is, they also have to keep in mind how to combine it with their username correctly.

However, that’s not the real problem. The real problem is the “save credentials” option, which is enabled by default. I know that it can be disabled by calling mstsc.exe with /public but guess how surprised I was to find out that now one terminal client user could actually open his/her account to everyone else!

So either change the custom GINA to call mstsc.exe with /public or set enablecredsspsupport:i:0. Well, I choose the second option. Now the only thing users have to do is to select their domain from a list of three (well actually four), which is tolerable. I just don’t get it why you chose to ignore the username/domain settings in RDP files even if enablecredsspsupport is disabled.

Otherwise, the new Remote Desktop seems to be awesome. Spanning, seamless apps,... Thumbs up on those new features.

Bryan: The behavior you see is the intended behavior for the credentials dialog throughout Windows Vista.

Bryan, thank you for your feedback. However, this is not a Remote Desktop issue. The credentials dialog is a property of Vista, not Remote Desktop. You will also see the same dialog when you try to join your machine to a domain.

I will forward your feedback to the appropriate people.

As usual Microsoft throws caution to the wind, ignores the whole concept of backwards compatibility, and decides to take something that half worked, and screw it over completely.

The Authentication implementation is a joke, it seems to drop the connection, takes ages to connect to any server... Surely people who implemented it were using it everyday to check whether it is indeed usable.

Just like VS 2005 SP1, it fixes somethings, but breaks others, and the thought of having to compile a .Net 1.1 application in 2005? Gasp, horror and God no.

Thank goodness I can take it off via an update rollback and the old one seems to work okay.

Progress and change are good, as long as their beneficial and don't implore some fundamental problems.

need help here...just upgraded my vaio from XP Professional to Vista Ultimate...here I am away on business and now I cant connect to my office...really bad news...costing me hndreds of thousands of dollars...I am eliminating vista for good, how do i remove vista and roll back to xp???? help me quick

@ Stan

Its called backup your data and reinstall XP, there is no rollback

I upgraded my XP Professional to Vista Ultimate, so why is it that I can NOT connect to  my office computer using Remote Desktop? It did work perfectly on the XP and very quickly....Is there something I need to do? It asks for my screen name and passwrd, but will not accept it.... Please help...and advise

Thanks

Stan , Miami FL

Rosalie, You can get it from Windows update.

@ Patrick

You miss the point, its not offering a new protocol/client and creating updates for the old OS's out there...

its making the client have the SIMPLIFIED ability to run as its predecessors.

ie. you click on the options button and change the Default Security behavior from that of RDP6, to be that of RDP5... that way the client can act like RDP 5 did and won't require pre-filling out the user and password.

Now let me also expand on THAT part.. have you ever fat fingered an IP or host name?

So then how secure is it, if you have a user fat fingering IP's or Hosts, putting in their user credentials, and then sending them off to some unknown IP somewhere?

The point of the credentials first wasn't security on the client side, and wasn't really security at all from what I've gathered.. but rather to make a DoS attack less easy to the server, by making the authentication happen *before* the server creates a user login space, and uses those resources.  Thus no denial from opening 100 connections to the server, it attempting to create 100 sessions with only 512 megs of ram, or any other resource the server doesn't have ample supply of..

And that part is actually even more simple... that is handled by having VPNs!  Client double clicks the icon, it starts the local VPN to office connection, and then starts RDP to the server of their choice..

It just seems microsoft didn't get that people actually have to work with their softare, and that people wouldn't be so annoyed by some BS stance on security.  Well.. they were wrong again..

just like forcing people to use UNC style naming for domain\usr ... there is NO need for the user to understand UNC if they have three boxes (user / pass / computer or domain)

OK, I'm not a Terminal Services expert and I don't understand half of this nonsense, I merely have a 2000 Terminal Server with access restricted to a single App through the RDP client. This is all internal.

So my boss gets "Automatic Updates" and installs this stupid RDP client (to take issue with Patrick this update was installed by our German IT manager and he wouldn't have known it would cause all these problems even if he'd read the update notes. It is so trivial I don't blame him, it is down to MS to decide what are "appropriate" updates and suprise suprise they pick one which causes me a couple of hours work and sends us all gaily skipping down the path to Vista upgrade through exhaustion).

OK, so I've got around the dual login issue no problem.

As far as I can see you haven't answered the domain problem. It is this. In the old RDP client you could input a server name and a domain to log onto, then the client would log into the particular server, but the login screen would be populated with the domain name.

As it is there doesn't seem to be a way to get the client to do this any more, therefore the dialogue defaults to logging onto the server, however I want them to default to logging onto the domain, they don't have a server account.

End result they have to change the server name to the domain name every time.

You've mentioned this but you don't seem to understand the problem, and everyone else appears to have given up on it.

So, How to I get back to where I can store credentials?  My RDP either has only the Delete option for credentials (on RDP files I previously had stored), or for a new RDP file, only says Credentials will be prompted for when you connect.

I need to change a password and cannot find out how to get to the edit option, and for new connections, really want to save credentials.

Saved credencials my be a good thik, if I could get it to work.  Otherwise, it's a pain to enter that info in twice.  I agree that we should have a choice.  And who idea was it to remove Hyper Terminal?  I found the download and reinstalled and it works just fine.

RSC

www.schmooseme.net/vista

Some places have been suggesting to use 'enablecredsspsupport:i:0' as a way to avoid getting prompted for username and password on RDP connections. The side effect is that it also disables Network Level Authentication support in Vista and Longhorn, whic

RDP6 is very annoying.

It doesn't save my password when I connect to a Windows 2000 server.

As a domain policy, we have to change our password every month or so. Everytime I change my password, my TSC saved credital needs to be updated again and I could not remember which one I've updated, which one not!

Plase fix it!

I have no problems connecting.. My problem is that it is SOOOO SLOOOWWWW.. Its virtually painting the screen on one block at a time.. Connectin via WinXP is perfect, Vista is so slow i have no idea.. I have stripped it down to basics...  i can not get it to work right at all.

Is it not possible for mstsc.exe to automatically present the currently logged on user's credentials to the server?

I need to RDP to about 250 servers, finding the right .rdp file will take me longer than typing my domain\password.  Not to mention that my password changes every 60 days, rendering my .rdp file pointless.

I've also got a problem involving smartcard.  For servers in a different domain, I authenticate my RDP session with smartcard and PIN.  This never works, throws errors on both my Vista x64 desktop and the Windows Server 2003 R2 machine in the other domain.  I know my smartcard is working though, because I can log on to Vista with it, and I can RDP with smartcard credentials to servers in the other domain from Vista x86 or XP desktops.

Please advise - with all versions of vista OS the connection to our 2003 terminal server is so slow! I will hit connect and the login screen starts painting itself one section at a time and never finishes and then finally just goes away. Any solutions to this?

Hello all,

   I finally found the answer to why I have been having connection problems using my Vista workstation with Remote Desktop trying to connect our 2003 terminal server.

  After first connecting to the terminal server and logging in successfully to the session, the login screen moves really slow, painting the display one pixel at a time and finally just locking up all together.

   Because of Vistas low initial setting on it's Auto Tuning feature I had to create a new shortcut on the desktop.  Enter the command "cmd" as the shortcut command.

Right-click on the shortcut and select "Run as Administrator".[You will be put in a DOS box]

Type "netsh interface tcp set global autotuninglevel=disabled"

[You should see a successful message]

I had to create the shortcut and use the run as command even though my user was an administator equivalent. Not sure why, but it worked.

How can i get updated Remote Desktop Client for Windows XP that support Network Level Authentication?

When I put in MYDOMAIN\Administrator in the credentials for a W2000 server connection, it connects OK but saves Administrator@MYDOMAIN in the registry, and displays this next time I connect.  BUT W2000 only displays Administrator@MYDOMA (ie 15 characters), so you have to change this every time!  It passes the correct string to a 2003 server.  Why can't it either keep the MYDOMAIN\username in the registry (as I initially entered) which works on 2000, or drop what's after the @ sign and use it to select the domain on the 2000 login screen?

is it no longer possible to save more than one username/pwd pair for a particular terminal server? I rely on the security of my workstation, and thus trus that my .rdp files and saved username/pwd combinations are safe. What possible security beneffit could be derived from no longer being able to store more than one username/pwd pair for a particular terminal server?!?!?

In the "How to remove invalid pre-populated domain names", I want to know the details why this was done for various reasons in Vista.

Even if they are too complicated the users should still have the right to know.

I have recently upgraded the remote desktop client on my windows xp box and one of my win2003 servers. I can no longer connect to the win2003 server anymore from the xp workstation. I keep getting the error

The client could not connect to the console of this computer. A new console session cannot be established.

Tried connecting to the console session with /console. Tried rebooting both boxes as well - no avail.

I can connect to another (non upgraded) server OK and from that connect to the actual server I want, but this is not a satisfactory solution.  Do you know what I need to do.

Akhtar

So if I use the new client on an XP box to connect to another XP box, and the destination XP box has the Novell Client installed, will I always have to be prompted for credentials twice?  I'm assuming yes, and that's really annoying.

I've searched around but can't find any information on how to set it so that when anybody connects to a Vista RDP session, they have to manually type in the username/password, versus having the popup screen with the available accounts displayed.

We've already tried setting "Do not Enable Ctrl-Alt-Del" and set it to Disabled.

That works for the interactive desktop, but not remote desktop sessions.

Any thoughts or pointers in the right direction?

--John

No matter how hard you guys try to explain this, it remains a frigging nightmare for a system administrator. Easy solution: detect remote server, if Vista or Longhorn use new way, if anything else use old method.

This is costing me so much freaking time it's not even funny, way to release beta crap to the public. Gimme back my old RDP client.

I can only say that at EVERY SINGLE SYSTEM I sit down that where the 6.0 client is installed I install the 5.2 R2 client even on Vista machines (I carry it on a USB key it’s that annoying to me).  The 6.0 client is just flat out horrible.  It's dog slow, dangerous (saving the username gives someone 1/2 of what they need to get into a remote system and offering to save a pwd EVERY SINGLE time is just flat out ridiculously dangerous with all the laptops that get stolen each year), and VERY time consuming.  What, ‘how is it time consuming’ you ask, ponder this...  A customer domain and username that's 20+ characters long with a pwd that's equally as long, it's 2AM and I get a page saying something on their LAN is flaky so I get out of bed and try to connect only to find out their TS is not online either.  I’ve spent the time entering the domain\username and pwd only to find out their TS isn’t available.  This is the flat out dumbest thing I've ever heard.  

Yes, I can use the hack to stop it from prompting me but I have 200+ .rdp files, how do you suggest I make this global change?

Under an SRX we opened with this we had many other concerns about the 6.0 client that just make the 6.0 client unusable for an admin (or support desk tech) who connects to dozens if not hundreds of remote systems.  First, the PR about how you authenticate before you connect is almost laughable (exactly how many production Terminal Servers support this today?).  I’m sorry but a connection is a connection, period unless you’re going to start issuing some sort of cert to each and every user but even then you’re sending info that cannot be authenticated because you offer to save usernames & pwds.  If I pass a username and pwd either in the background or in the foreground it's still passing.  Second, you claim you're saving resources on the remote server by doing it this way, sorry MS but last I checked WE paid for the hardware NOT you so if we want to be prompted for a username & pwd and that wastes OUR resources that's our right.

Anyway, for those of you who dislike the 6.0 client, find a 2003 Server and install the 5.2 client over the 6.0 client and restore logic to your daily tasks.  The 5.2 client works equally well in Vista as it does on 2k SP4.

Note to MS, please stop breaking things.  Perhaps in Longhorn's later betas you'll listen update this to 6.1 and remove or allow us to disable some of the stuff in the 6.0 client.  If you’re going to break things we’ve used for almost 10 years, please add options to allow admins capabilities to easily turn it off like HKCU (or HKLM)\Software\Microsoft\Terminal Server Client\SecurityLevel=0 that turns of drive warnings for every connection.  Would it be that hard to have the client look to the registry to disable the prompting for and saving of usernames/pwds?  Should take about 10 minutes to add that code.

When I try to connect using remote desktop in Windows Vista, it suddenly stops working.  McAfee firewall has been disabled and it doesnt work in safe mode with networking.  Any ideas>

I am one of the IT People in the field, and have been for 10+ years, not a MSFT Employee.  My contention is that developers that MSFT add features and make changes at the behest of customers, and people that bash them as if they're working 60 hours a week to intentionally annoy you with new features is a bit childish.  Points are received better if you merely make your case why a new feature is difficult to use, causes business interuption, loss of productivity or poses a security risk.  Calling people names and screaming like a 3 year old (not everyone in this blog) is pointless and non-productive.

The bottom line is that one can choose to use Vista or not, use RDP 6.0 or not, roll back to RDP 5.1.x or 5.2.x or not, manage their clients or not, make tactful comments or not.  

We've provided MSFT with your comments and concerns (along with our own) so you have been hear loud and clear.  

P.S. When the next version is released, it would be prudent to test it before allowing it to be deployed on all of your systems.  I realize that no one has complete control over every piece of software installed on every system they