Saved passwords problem

Steve Garwood

I have read tons of messages about saved RDP password problems with
shared machines, but I haven't seen this problem, though it's probably
related...

Client: Windows XP RDP
Client Domain: DomainA
TermServ: Windows 2000 Advanced Server
TermServ Domain: DomainB (no trusts between DomainA and DomainB)

Phase 1:
User saves his TermServ credentials in an rdp file.
For several weeks, user successfully uses this rdp file to autologon
to the TS.

Phase 2:
User changes his DomainA password
After the user logs off and logs on again, the RDP credentials no
longer work
If the user resaves the RDP file with the EXACT same DomainB password
as in Phase 1, autologon works again until the next DomainA password
change.


My theory:
It would appear that the user's cached DomainA credentials are used as
the encryption salt for the saved RDP password and, after changing the
password and logging off and on, the original salt is no longer
available for decrypting the saved password. Seems plausible, but I
have no idea if I'm right.

My question:
Is there any workaround for this other than installing the OCX and
scripting the OCX?

Thanks.

Steve Garwood
(e-mail address removed)
 
Ivan Leichtling [MSFT]

The Windows cryptography APIs we use do make use of a key derived in
part from the user's domain password. There is no true workaround.

This posting is provided "AS IS" with no warranties, and confers no rights
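
A simplified model of the behaviour discussed in this thread, added here as an illustration; it is not code from either poster and not the Windows implementation. PBKDF2, the HMAC-based toy cipher, the function names and the sample passwords are all assumptions; the thread only states that the key is derived in part from the user's domain password.

```python
import hashlib
import hmac
import os

def _keys(logon_password: str, salt: bytes):
    # Assumption: PBKDF2 stands in for the derivation Windows actually uses,
    # which the thread does not describe.
    raw = hashlib.pbkdf2_hmac("sha256", logon_password.encode(), salt, 10_000, dklen=64)
    return raw[:32], raw[32:]  # (encryption key, MAC key)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher: HMAC-SHA256 in counter mode. Illustration only.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def protect(secret: str, logon_password: str) -> dict:
    """Encrypt `secret` under a key derived from the current logon password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(logon_password, salt)
    data = secret.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def unprotect(blob: dict, logon_password: str):
    """Return the secret, or None when the derived key no longer matches."""
    enc_key, mac_key = _keys(logon_password, blob["salt"])
    expected = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None  # wrong key: the saved credential is unusable
    ks = _keystream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks)).decode()

def simulate():
    # Constructed sample passwords, not real values.
    ts_password = "DomainB-secret"
    saved = protect(ts_password, "DomainA-old")    # Phase 1: credentials saved
    phase1 = unprotect(saved, "DomainA-old")       # autologon works
    phase2 = unprotect(saved, "DomainA-new")       # after DomainA password change
    resaved = protect(ts_password, "DomainA-new")  # same DomainB password re-saved
    phase3 = unprotect(resaved, "DomainA-new")     # works again
    return phase1, phase2, phase3

if __name__ == "__main__":
    print(simulate())
```

In this model the DomainB password never changes; only the key protecting it does, which is why re-saving the identical password restores autologon.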