Terminal Services Client 6.0 Authentication

trev

I just installed TSC 6.0 on my WinXP Pro and WinXP MCE systems. I use
the MCE system to connect to the Pro system via RDP.

So far, all I've noticed in TSC 6.0 are new annoyances. For example, I
have always used RDP by running the command line "mstsc.exe [file
name].rdp". This always used to make the connection, and then go right
to a "Log On to Windows" dialog. But with TSC 6.0, I always get a
"Remote Desktop Connection" dialog first, and then still have to enter
the (same) credentials again on the "Log On to Windows" dialog. What is
the point to the "Remote Desktop Connection" dialog?

Also, on the "Remote Desktop Connection" dialog: Sometimes, the user
name is pre-filled as simply "User". Other times, it shows up as
"x.x.x.x\User", where x.x.x.x is the IP address. Still other times, it
appears as "(e-mail address removed)". This last case is especially irritating,
because the "(e-mail address removed)" carries over onto the "Log On to Windows"
dialog, where it causes authentication failure. So, whenever this
happens (which seems to be randomly, but often), I have to manually edit
the user name field on the "Log On to Windows" dialog, changing it from
"(e-mail address removed)" to "User". Annoying. Very.

Any info would be appreciated.
 
trev

trev said:
with TSC 6.0, I always
get a "Remote Desktop Connection" dialog first, and then still have
to enter the (same) credentials again on the "Log On to Windows"
dialog. What is the point to the "Remote Desktop Connection" dialog?

I've found the answer to this part, at least. This behavior was the
result of having a Group Policy setting enabled:

Local Computer Policy > Computer Configuration > Administrative
Templates > Windows Components > Terminal Services > Always prompt
client for password upon connection

(I wish it were buried a few levels deeper.)

With the above setting "Not Configured", I get right to the remote
desktop after filling in the credentials on the "Remote Desktop
Connection" dialog.

I've had that Group Policy setting that way for years (which is why I
had forgotten about it). Why it behaved differently with the previous
TSC I don't know.
 
Guest

Hello,

try and use the "Do not use authentication" option in the Advanced Tab sheet
of option. This does not persist however so if you want to make it permanent
add following line to the default.rdp file (or any other saved .rdp file):

enablecredsspsupport:i:0

That will take care of it. Cheers
 
trev

Thanks. I actually *have* to use that option, otherwise it will not
work at all. It tells me that it can't authenticate... Therefore, I
have no choice.

 
trev

trev said:
I've found the answer to this part, at least. This behavior was the
result of having a Group Policy setting enabled:

Local Computer Policy > Computer Configuration > Administrative
Templates > Windows Components > Terminal Services > Always prompt
client for password upon connection

(I wish it were buried a few levels deeper.)

With the above setting "Not Configured", I get right to the remote
desktop after filling in the credentials on the "Remote Desktop
Connection" dialog.

I've had that Group Policy setting that way for years (which is why I
had forgotten about it). Why it behaved differently with the previous
TSC I don't know.

Actually, (duh...), this was not the "answer" to anything. What I did
by changing the setting mentioned above was eliminate one prompt, but
the wrong one. The correct solution (for this part of my problem) is to
use the enablecredsspsupport:i:0 setting in the .RDP file (as pointed
out by "workinghard" in the other reply).
 
trev

Thanks, but now there's another (albeit minor) problem. Using
enablecredsspsupport:i:0 eliminates the RDC dialog, but when I get to
the server's login dialog, the user name is no longer remembered (as it
always used to be).

 
TP

The new client can give roughly the same auth behavior as
the old client, it just works a little different on the front
end. You do not need the enablecredsspsupport option
that I discussed in a prior post:

http://groups.google.com/group/micr..._services/browse_frm/thread/7048672478cf3141/

I recommended that option because the poster specifically
asked for the old behavior and because he is using the
Novell client.

What behavior would you prefer, exactly?

When you run "mstsc [filename].rdp", would you like it to:

1.) Connect and log you in to your XP Pro machine, without
prompting for username/password at all?

2.) Connect to your XP Pro machine, but stop at the Log On
to Windows prompt, with your user name pre-filled and
the password box blank?

3.) Another option?

I am guessing you want option 2 above, please correct me if
I am wrong. Remove the enablecredsspsupport that you
added before.

In order to do this, you need to open up the client (manually, not
specifying .rdp file) and connect to your XP Pro machine using
the same computer name stored in your .rdp file. When
prompted for your credentials, enter them exactly as you would
if you were entering them on your XP Pro machine, and check
the save password box.

After you have successfully connected, disconnect from
your XP Pro machine. Open up the client again, make sure
the computer name is still set to your XP Pro machine as used
above, and then click the edit credentials hyperlink. The
credentials screen should have your username as entered
above, with the password box blank. Click the OK button
to save your credentials, do *not* enter a password in the box.

Uncheck "Always ask for credentials". Optionally set all of your
connection preferences and then click the Save As button to
make a fresh .rdp file for this connection.

Click the Connect button. This time it should connect to your XP
Pro machine, but stop at the Log On to Windows screen with
the user name field pre-filled and the password blank. You
should have the same behavior if you use the rdp file as well.

Username and password are no longer stored in the .rdp
file.

Please let me know if you have any questions.

-TP
 
trev

Thank you! Your guess was a good one; it was "option 2" that I was
after. Your instructions worked perfectly. I don't think I would have
figured that out on my own. (I very nearly removed TSC 6.0.)

The only caveat was that I had to temporarily disable the "Local
Computer Policy > Computer Configuration > Administrative Templates >
Windows Components > Terminal Services > Client > Do not allow passwords
to be saved" setting on the client. (Otherwise, no "Save password"
option appears at all.)

Thanks again.
 
TP

You are welcome. Thank you for posting your
results.

I did not think to have you disable the policy setting
because you mentioned in an earlier post that you
had set it to Not Configured.

-TP
 
trev

Sorry--I've been playing with so many settings I can't keep track of
them all.

I've noticed that enabling the "require FIPS" setting in either one of
my two clients prevents me from being able to connect to the other.
Weird, given they're both XP systems. (I know I probably don't need
hardcore 3-DES but hey...)
 
TP

Windows XP does not support FIPS encryption for *incoming*
Remote Desktop connections.

So, when you require FIPS the Remote Desktop Client will
only connect if it can successfully negotiate FIPS encryption with
the destination machine. It can't, because in your case the
destination machine is XP.

-TP
 
trev

That sucks, but thanks again for the response.
 
dwgeis

TP, I have a question about the saved credentials. The credentials
seem to be saved by *machine* not by RDP file.

In other words, if I want to create two RDP files to connect to the
same machine with two different sets of credentials it does not work.
Every time I changed the saved credentials in the one RDP file, it
changes them in the other file. This used to work. What am I doing
wrong?
 
TP

You are not doing anything wrong. I am drafting a response
to Rob Leitman regarding a different issue where I plan to
bring this up. The credentials are stored on a per-name
basis, and not only that they do not take into account custom
ports.

So, for example, you can have several TS servers/XP Pro
machines addressable through one ip address, like so:

ts.contoso.com
ts.contoso.com:6000
ts.contoso.com:6001
ts.contoso.com:6002

Each one is a unique machine, and as such the client should
allow you to save a set of credentials for each. Instead it only
allows *one* set of credentials, because they all have the
same name: ts.contoso.com.

Credentials are not stored in the rdp file any more. Of course
it would be possible for MS to modify the client so that it
could store a unique credential set for each unique rdp file.

You can run the 5.2.3790.x client version alongside the 6.x
version if you want without problems. The new version will
use credentials that were stored in the .rdp file by the old
version.

Keep in mind that the primary reason the new client exists
is to allow you to use the new features when connecting to
Vista and Longhorn server. It is an optional update.

Also, saving credentials in a text file is not considered
secure, even though the password is encrypted. Even the
new method of storing them is a security risk and there is
a Group Policy to disable the feature.

-TP
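
The per-name credential storage described in the reply above, and the two .rdp-file concerns raised in this thread (CredSSP switched off with enablecredsspsupport:i:0, and a password saved in the file by older clients), can be checked across a set of .rdp files. This is an added example, not part of the original posts: the file names and contents in SAMPLE are constructed, and it assumes the `password 51` field name that older clients use for a saved password blob.

```python
from collections import defaultdict

# Constructed sample .rdp contents (not taken from the thread).
SAMPLE = {
    "ts-a.rdp": "full address:s:ts.contoso.com:6000\nusername:s:alice\n",
    "ts-b.rdp": "full address:s:ts.contoso.com:6001\nenablecredsspsupport:i:0\n",
    "old.rdp": "full address:s:xp-pro\nusername:s:User\npassword 51:b:0123ABCD\n",
}


def parse_rdp(text):
    """Parse .rdp 'name:type:value' lines into {name: value}, names lower-cased."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and parts[1] in ("i", "s", "b"):
            settings[parts[0].lower()] = parts[2]
    return settings


def credential_key(full_address):
    """Server name without the port: the name saved credentials are keyed on."""
    addr = full_address.strip().lower()
    if addr.startswith("["):          # bracketed IPv6 literal, e.g. [::1]:3389
        return addr[1:].split("]", 1)[0]
    if addr.count(":") == 1:          # host:port
        return addr.split(":", 1)[0]
    return addr


def audit(files):
    """files: {filename: .rdp text}.

    Returns (findings, shared): findings maps a file to its risky settings,
    shared maps a server name to the files that would use the same saved
    credential set because only the name, not the port or file, is the key.
    """
    findings = defaultdict(list)
    by_name = defaultdict(list)
    for filename, text in files.items():
        s = parse_rdp(text)
        if s.get("enablecredsspsupport") == "0":
            findings[filename].append("CredSSP disabled (enablecredsspsupport:i:0)")
        if s.get("password 51"):
            findings[filename].append("saved password blob in file (password 51:b:)")
        if "full address" in s:
            by_name[credential_key(s["full address"])].append(filename)
    shared = {host: sorted(names) for host, names in by_name.items() if len(names) > 1}
    return dict(findings), shared


if __name__ == "__main__":
    findings, shared = audit(SAMPLE)
    for filename, issues in findings.items():
        print(filename, "->", "; ".join(issues))
    for host, names in shared.items():
        print("one saved credential set for", host, "used by", ", ".join(names))
```

Files saved by mstsc are commonly UTF-16 encoded, so decode them accordingly before passing the text to `audit`.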
 
bjdraw

Thanks for the tips, I have another question.

The problem we are having is that the username that is being cached is
not correct.

The first time I login to ts.mydomain.com I use
username
password

The next time I login it cached
ts.mydomain.com\username

The correct username would be
mydomain.com\username

This is annoying and worst of all users don't know what is wrong.

Is there a way to make the machine cache the correct username?

Thanks
 
TP

There is a bug in the UsernameHint functionality of the new
client. UsernameHint pre-fills the user name field when
the client prompts the user for credentials in the case
where no previously-saved credentials exist for the server
name specified.

This bug will cause an incorrect value to be pre-filled in
the user name field when connecting to a legacy server
(2003, XP, 2000, etc.). If the user does not manually
correct the user name, then the incorrect value will be
sent to the server.

You can work around the bug by having your users
save credentials when connecting. They don't have to
save both user name and password, simply saving their
username with an empty password is enough. Then
make sure that "Always ask for credentials" is
unchecked so that they will not be prompted each
time.

Naturally, if they save a blank password they will have
to enter their password at the server logon screen.

Another work around is to "break" the UsernameHint
capability by denying permissions on its registry
key. The key is for each user:

HKCU\Software\Microsoft\Terminal Server Client\UsernameHint

Set the permissions to Deny Full Control for each user.

-TP
 
