When you are connecting to remote system using native Microsoft RDP client (mstsc.exe), you have the ability to save login credentials in order to not to enter them each time. Also there is one more important thing. If your connection is from domain computer to remote computer in a workgroup or another domain, it is impossible to use saved credential to access RDP server. Remote Desktop client refuses usage of saved credentials, each time forcing you to re-enter your password. The problem occurs in Windows Vista and higher.
You will receive the following error message:
[Start]Your Credentials did not work
Your system administrator does not allow the use of saved credentials to log on to the remote computer server_name because its identity is not fully verified. Please enter new credentials.
The logon attempt failed
The fact is that using of saved login credentials when connecting to a remote computer is forbidden by default domain policy, because there is no trust relationship between your computer and the server in a remote domain (or workgroup). However, this settings can be changed.
On the computer from which you are performing the Remote Desktop connection, press Win + R, type the following command and then click OK.
Additionally, you may need to enter an Administrator password or confirm the elevation (depending on the UAC policy).
In the new window of Local Group Policy Editor, go to section Local Computer Policy –> Computer Configuration –> Administrative Templates –> System –> Credentials Delegation. We are interested in the policy Allow delegating default credentials with NTLM-only server authentication.
Open policy and enable it, then click Show button.
In the new window you need to set the list of servers that are explicitly allowed the saved credential usage when connecting over RDP.
The list of allowed systems must be specified in following formats:
- TERMSRV/remote_pc — allow to save login credentials for a specific computer
- TERMSRV/*.theitbros.com — allow to use the saved credentials for all computers in the domain theitbros.com
- TERMSRV/* — allow to store saved credentials for all computers, without exception.
Note. Use TERMSRV in uppercase, as in the example. If you specify a specific computer, remote_pc value must exactly match the name entered in the “Computer” field of rdp-client.
Press OK to save changes and then close the Group Policy Editor. Open Command prompt and apply current Group Policy settings by running:
Now you should connect to Remote Desktop with saved credentials without providing password over and over again.
So, we allowed to save the login credentials only on one particular computer using Local Group Policy. For multiple computers it will be better to create a separate domain OU and attach to it appropriate domain policy. Hope this was useful!