When you are connecting to remote system using native Microsoft RDP client (mstsc.exe), you have the ability to save login credentials in order to not to enter them each time. Also there is one more important thing. If your connection is from domain computer to remote computer in a workgroup or another domain, it is impossible to use saved credential to access RDP server. Remote Desktop client refuses usage of saved credentials, each time forcing you to re-enter your password. Your system administrator does not allow the use of saved credentials problem occurs in Windows Vista and higher.
You will receive the following error message:
[Start]Your Credentials did not work
Your system administrator does not allow the use of saved credentials to log on to the remote computer server_name because its identity is not fully verified. Please enter new credentials.
The logon attempt failed
[/End]
Your system administrator does not allow the use of saved credentials — what does it mean?
The fact is that using of saved login credentials when connecting to a remote computer is forbidden by default domain policy, because there is no trust relationship between your computer and the server in a remote domain (or workgroup). However, this settings can be changed.
On the computer from which you are performing the Remote Desktop connection, press Win + R, type the following command and then click OK.
gpedit.msc
Additionally, you may need to enter an Administrator password or confirm the elevation (depending on the UAC policy).
In the new window of Local Group Policy Editor, go to section Local Computer Policy –> Computer Configuration –> Administrative Templates –> System –> Credentials Delegation. We are interested in the policy Allow delegating default credentials with NTLM-only server authentication.
Open policy and enable it, then click Show button.
In the new window you need to set the list of servers that are explicitly allowed the saved credential usage when connecting over RDP.
The list of allowed systems must be specified in following formats:
- TERMSRV/remote_pc — allow to save login credentials for a specific computer
- TERMSRV/*.theitbros.com — allow to use the saved credentials for all computers in the domain theitbros.com
- TERMSRV/* — allow to store saved credentials for all computers, without exception.
Note. Use TERMSRV in uppercase, as in the example. If you specify a specific computer, remote_pc value must exactly match the name entered in the “Computer” field of rdp-client.
Press OK to save changes and then close the Group Policy Editor. Open Command prompt and apply current Group Policy settings by running:
gpupdate /force
Now you should connect to Remote Desktop with saved credentials without providing password over and over again.
So, we allowed to save the login credentials only on one particular computer using Local Group Policy. For multiple computers it will be better to create a separate domain OU and attach to it appropriate domain policy. Hope this was useful!
Awesome! Thank you…
We are glad that you like it!
Very helpful, thank you!
Thanks!
I have tries this on several computers, and it still will not let me save credentials. Anything else I should try.
I had the same problem, but using these instructions went back in and also amended “Allow delegating saved credentials with NTLM-only server authentication.” and now it works 🙂
I followed the instructions as well as editing the entry specified by Leroy Bagwell but gpudpate /force fails because the computers I am doing this to are located in a remote office away from the domain controller so I get an error about not having network connectivity to the domain controller. Is there any way around this?
“Allow delegating saved credentials with NTLM-only server authentication.” work for me also
thanks Leroy for comment on IT Brothers Post
It doesn’t appear to work under Windows 10.
@ Dirk
For Windows 10, this did not work. What did work was going to Credential Manager, deleting the entry from the section Windows Credentials and adding it to Generic Credentials.
Thanks its working for me.