Terminal Services Client 6.0 Authentication

trev - 04 Dec 2006 20:45 GMT
I just installed TSC 6.0 on my WinXP Pro and WinXP MCE systems.  I use
the MCE system to connect to the Pro system via RDP.

So far, all I've noticed in TSC 6.0 are new annoyances.  For example, I
have always used RDP by running the command line "mstsc.exe [file
name].rdp".  This always used to make the connection, and then go right
to a "Log On to Windows" dialog.  But with TSC 6.0, I always get a
"Remote Desktop Connection" dialog first, and then still have to enter
the (same) credentials again on the "Log On to Windows" dialog.  What is
the point to the "Remote Desktop Connection" dialog?

Also, on the "Remote Desktop Connection" dialog:  Sometimes, the user
name is pre-filled as simply "User".  Other times, it shows up as
"x.x.x.x\User", where x.x.x.x is the IP address.  Still other times, it
appears as "User@x.x.x.x".  This last case is especially irritating,
because the "User@x.x.x.x" carries over onto the "Log On to Windows"
dialog, where it causes authentication failure.  So, whenever this
happens (which seems to be randomly, but often), I have to manually edit
the user name field on the "Log On to Windows" dialog, changing it from
"User@x.x.x.x" to "User".  Annoying.  Very.

Any info would be appreciated.
trev - 04 Dec 2006 21:50 GMT
> with TSC 6.0, I always
> get a "Remote Desktop Connection" dialog first, and then still have
> to enter the (same) credentials again on the "Log On to Windows"
> dialog.  What is the point to the "Remote Desktop Connection" dialog?

I've found the answer to this part, at least.  This behavior was the
result of having a Group Policy setting enabled:

Local Computer Policy > Computer Configuration > Administrative
Templates > Windows Components > Terminal Services > Always prompt
client for password upon connection

(I wish it were buried a few levels deeper.)

With the above setting "Not Configured", I get right to the remote
desktop after filling in the credentials on the "Remote Desktop
Connection" dialog.

I've had that Group Policy setting that way for years (which is why I
had forgotten about it).  Why it behaved differently with the previous
TSC I don't know.
trev - 04 Dec 2006 23:06 GMT
>> with TSC 6.0, I always
>> get a "Remote Desktop Connection" dialog first, and then still have
[quoted text clipped - 17 lines]
> had forgotten about it).  Why it behaved differently with the previous
> TSC I don't know.

Actually, (duh...), this was not the "answer" to anything.  What I did
by changing the setting mentioned above was eliminate one prompt, but
the wrong one.  The correct solution (for this part of my problem) is to
use the enablecredsspsupport:i:0 setting in the .RDP file (as pointed
out by "workinghard" in the other reply).
workinghard@news.postalias - 04 Dec 2006 22:17 GMT
Hello,

Try and use the "Do not use authentication" option in the Advanced tab sheet of
option. This does not persist, however, so if you want to make it permanent,
add the following line to the default.rdp file (or any other saved .rdp
file):

enablecredsspsupport:i:0

That will take care of it.  Cheers

>I just installed TSC 6.0 on my WinXP Pro and WinXP MCE systems.  I use the
>MCE system to connect to the Pro system via RDP.
[quoted text clipped - 18 lines]
>
> Any info would be appreciated.
trev - 04 Dec 2006 22:58 GMT
Thanks.  I actually *have* to use that option, otherwise it will not
work at all.  It tells me that it can't authenticate...  Therefore, I
have no choice.

> Hello,
>
[quoted text clipped - 28 lines]
>>
>> Any info would be appreciated.
trev - 05 Dec 2006 02:36 GMT
Thanks, but now there's another (albeit minor) problem.  Using
enablecredsspsupport:i:0 eliminates the RDC dialog, but when I get to
the server's login dialog, the user name is no longer remembered (as it
always used to be).

> Hello,
>
[quoted text clipped - 28 lines]
>>
>> Any info would be appreciated.
TP - 05 Dec 2006 16:47 GMT
The new client can give roughly the same auth behavior as
the old client, it just works a little different on the front
end.  You do not need the enablecredsspsupport option
that I discussed in a prior post:

http://groups.google.com/group/microsoft.public.windows.terminal_services/browse_frm/thread/7048672478cf3141/

I recommended that option because the poster specifically
asked for the old behavior and because he is using the
Novell client.

What behavior would you prefer, exactly?

When you run "mstsc [filename].rdp", would you like it to:

1.) Connect and log you in to your XP Pro machine, without
prompting for username/password at all?

2.) Connect to your XP Pro machine, but stop at the Log On
to Windows prompt, with your user name pre-filled and
the password box blank?

3.) Another option?

I am guessing you want option 2 above, please correct me if
I am wrong.  Remove the enablecredsspsupport that you
added before.  

In order to do this, you need to open up the client (manually, not
specifying .rdp file) and connect to your XP Pro machine using
the same computer name stored in your .rdp file.  When
prompted for your credentials, enter them exactly as you would
if you were entering them on your XP Pro machine, and check
the save password box.

After you have successfully connected, disconnect from
your XP Pro machine.  Open up the client again, make sure
the computer name is still set to your XP Pro machine as used
above, and then click the edit credentials hyperlink.  The
credentials screen should have your username as entered
above, with the password box blank.  Click the OK button
to save your credentials, do *not* enter a password in the box.

Uncheck "Always ask for credentials".  Optionally set all of your
connection preferences and then click the Save As button to
make a fresh .rdp file for this connection.

Click the Connect button.  This time it should connect to your XP
Pro machine, but stop at the Log On to Windows screen with
the user name field pre-filled and the password blank.  You
should have the same behavior if you use the rdp file as well.

Username and password are no longer stored in the .rdp
file.

Please let me know if you have any questions.

-TP

> I just installed TSC 6.0 on my WinXP Pro and WinXP MCE systems.  I use
> the MCE system to connect to the Pro system via RDP.
[quoted text clipped - 18 lines]
>
> Any info would be appreciated.
trev - 05 Dec 2006 17:50 GMT
Thank you!  Your guess was a good one; it was "option 2" that I was
after.  Your instructions worked perfectly.  I don't think I would have
figured that out on my own.  (I very nearly removed TSC 6.0.)

The only caveat was that I had to temporarily disable the "Local
Computer Policy > Computer Configuration > Administrative Templates >
Windows Components > Terminal Services > Client > Do not allow passwords
to be saved" setting on the client.  (Otherwise, no "Save password"
option appears at all.)

Thanks again.

> The new client can give roughly the same auth behavior as
> the old client, it just works a little different on the front
[quoted text clipped - 77 lines]
>>
>> Any info would be appreciated.
TP - 05 Dec 2006 18:01 GMT
You are welcome.  Thank you for posting your
results.

I did not think to have you disable the policy setting
because you mentioned in an earlier post that you
had set it to Not Configured.

-TP

> Thank you!  Your guess was a good one; it was "option 2" that I was
> after.  Your instructions worked perfectly.  I don't think I would
[quoted text clipped - 7 lines]
>
> Thanks again.
trev - 05 Dec 2006 20:47 GMT
Sorry--I've been playing with so many settings I can't keep track of
them all.

I've noticed that enabling the "require FIPS" setting in either one of
my two clients prevents me from being able to connect to the other.
Weird, given they're both XP systems.  (I know I probably don't need
hardcore 3-DES but hey...)

> You are welcome.  Thank you for posting your
> results.
[quoted text clipped - 16 lines]
>>
>> Thanks again.
TP - 06 Dec 2006 11:38 GMT
Windows XP does not support FIPS encryption for *incoming*
Remote Desktop connections.

So, when you require FIPS the Remote Desktop Client will
only connect if it can successfully negotiate FIPS encryption with
the destination machine.  It can't, because in your case the
destination machine is XP.

-TP

> Sorry--I've been playing with so many settings I can't keep track of
> them all.
[quoted text clipped - 3 lines]
> Weird, given they're both XP systems.  (I know I probably don't need
> hardcore 3-DES but hey...)
trev - 06 Dec 2006 12:26 GMT
That sucks, but thanks again for the response.

> Windows XP does not support FIPS encryption for *incoming*
> Remote Desktop connections.
[quoted text clipped - 13 lines]
>> other. Weird, given they're both XP systems.  (I know I probably
>> don't need hardcore 3-DES but hey...)
dwgeis@gmail.com - 06 Dec 2006 15:01 GMT
TP, I have a question about the saved credentials.  The credentials
seem to be saved by *machine* not by RDP file.

In other words, if I want to create two RDP files to connect to the
same machine with two different sets of credentials it does not work.
Every time I changed the saved credentials in the one RDP file, it
changes them in the other file. This used to work.  What am I doing
wrong?

> The new client can give roughly the same auth behavior as
> the old client, it just works a little different on the front
[quoted text clipped - 77 lines]
> >
> > Any info would be appreciated.
TP - 06 Dec 2006 15:47 GMT
You are not doing anything wrong.  I am drafting a response
to Rob Leitman regarding a different issue where I plan to
bring this up.  The credentials are stored on a per-name
basis, and not only that they do not take into account custom
ports.

So, for example, you can have several TS servers/XP Pro
machines addressable through one ip address, like so:

ts.contoso.com
ts.contoso.com:6000
ts.contoso.com:6001
ts.contoso.com:6002

Each one is a unique machine, and as such the client should
allow you to save a set of credentials for each.  Instead it only
allows *one* set of credentials, because they all have the
same name: ts.contoso.com.

Credentials are not stored in the rdp file any more.  Of course
it would be possible for MS to modify the client so that it
could store a unique credential set for each unique rdp file.

You can run the 5.2.3790.x client version alongside the 6.x
version if you want without problems.  The new version will
use credentials that were stored in the .rdp file by the old
version.

Keep in mind that the primary reason the new client exists
is to allow you to use the new features when connecting to
Vista and Longhorn server.  It is an optional update.

Also, saving credentials in a text file is not considered
secure, even though the password is encrypted.  Even the
new method of storing them is a security risk and there is
a Group Policy to disable the feature.

-TP

> TP, I have a question about the saved credentials.  The credentials
> seem to be saved by *machine* not by RDP file.
[quoted text clipped - 4 lines]
> changes them in the other file. This used to work.  What am I doing
> wrong?
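
The per-name credential behavior TP describes above, together with the two .rdp settings raised earlier in the thread, as an added example that is not part of any post: a small Python audit over constructed .rdp contents. The file names and sample values are made up; `password 51:b:` is the field the older client used to keep the encrypted password in the file.

```python
from collections import defaultdict

# Constructed sample files (name -> contents); not taken from the thread.
SAMPLES = {
    "pro-a.rdp": "full address:s:ts.contoso.com:6000\nusername:s:alice\nenablecredsspsupport:i:0\n",
    "pro-b.rdp": "full address:s:ts.contoso.com:6001\nusername:s:bob\n",
    "old.rdp": "full address:s:ts.contoso.com\nusername:s:carol\npassword 51:b:<constructed-blob>\n",
    "other.rdp": "full address:s:10.0.0.5\n",
}


def parse_rdp(text):
    """Parse 'name:type:value' lines; the value may itself contain colons."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3:
            name, _type, value = parts
            settings[name.strip().lower()] = value.strip()
    return settings


def credential_name(full_address):
    """Name the saved credentials are keyed on, per the thread: host, port ignored."""
    host = full_address.strip()
    if host.count(":") == 1:  # host:port; anything with more colons is left alone
        host = host.split(":", 1)[0]
    return host.lower()


def audit(files):
    """Return (subject, issue) findings for a dict of file name -> .rdp text."""
    findings, by_name = [], defaultdict(list)
    for fname, text in sorted(files.items()):
        s = parse_rdp(text)
        if s.get("enablecredsspsupport") == "0":
            findings.append((fname, "CredSSP disabled"))
        if "password 51" in s:
            findings.append((fname, "password blob stored in file"))
        if "full address" in s:
            by_name[credential_name(s["full address"])].append(fname)
    # Files that resolve to the same name overwrite each other's saved credentials.
    for name, fnames in sorted(by_name.items()):
        if len(fnames) > 1:
            findings.append((name, "shared saved credentials: " + ", ".join(fnames)))
    return findings
```

Files saved by the client are usually UTF-16 encoded, so read them with `open(path, encoding="utf-16")` before passing the text to `audit`.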
bjdraw@gmail.com - 15 Dec 2006 03:02 GMT
Thanks for the tips, I have another question.

The problem we are having is that the username that is being cached is
not correct.

The first time I login to ts.mydomain.com I use
username
password

The next time I login it cached
ts.mydomain.com\username

The correct username would be
mydomain.com\username

This is annoying and worst of all users don't know what is wrong.

Is there a way to make the machine cache the correct username?

Thanks
Ben
> You are not doing anything wrong.  I am drafting a response
> to Rob Leitman regarding a different issue where I plan to
[quoted text clipped - 43 lines]
> > changes them in the other file. This used to work.  What am I doing
> > wrong?
TP - 20 Dec 2006 05:25 GMT
There is a bug in the UsernameHint functionality of the new
client.  UsernameHint pre-fills the user name field when
the client prompts the user for credentials in the case
where no previously-saved credentials exist for the server
name specified.

This bug will cause an incorrect value to be pre-filled in
the user name field when connecting to a legacy server
(2003, XP, 2000, etc.).  If the user does not manually
correct the user name, then the incorrect value will be
sent to the server.

You can work around the bug by having your users
save credentials when connecting.  They don't have to
save both user name and password, simply saving their
username with an empty password is enough.  Then
make sure that "Always ask for credentials" is
unchecked so that they will not be prompted each
time.

Naturally, if they save a blank password they will have
to enter their password at the server logon screen.

Another work around is to "break" the UsernameHint
capability by denying permissions on its registry
key.  The key is for each user:

HKCU\Software\Microsoft\Terminal Server Client\UsernameHint

Set the permissions to Deny Full Control for each user.

-TP

> Thanks for the tips, I have another question.
>
[quoted text clipped - 17 lines]
> Thanks
> Ben
 