This is a work from home situation. I have a desktop, which is not joined to domain and a domain joined laptop. When laptop boots up it does not have access to domain since it is not connected to VPN, so for logon cached credentials are used.
My problem is that regardless of VPN, I can only RDP from my desktop to my laptop after I logged in to the laptop locally. The RDP-ing keeps working until I reboot the laptop, after which I have to do the little local login dance again.
If I do not logon locally, this is what I'm seeing when trying to RDP:
Once I've logged in to the laptop locally the RDP connection goes smoothly.
On the laptop the RDP is configured as follows:
I have been through FIX: ‘Your Credentials Did Not Work’ For Remote Desktop Connection In Windows 10/8/7 to no avail.
I also tried enablecredsspsupport:i:0 as per Supported Remote Desktop RDP file settings, but it only half worked. It does allow me to connect this way, but it no longer saves the password, so I would have to type it out manually. This is only marginally better than logging in locally first, and this is not a solution I'm looking for.
Another fact is that it does work from Linux. I'm using on Linux, and there using the rdesktop option I can connect to my laptop with a saved password, no fuss and no need to logon locally first. Once I've done that I can also now connect from Windows until laptop reboot. Unfortunately this is not practical since I'm dual-booting Windows and Linux, and normally work in Windows.
1 Answer
What you are describing is explained here:
Without a connection to the domain controller you can not connect to the laptop via RDP with network level authentication.
In your screenshot, it says the setting is managed by your organization. But the fact a Linux client, which does not support NLA, can connect tells us that your laptop is configured to accept connections from both NLA and non-NLA clients.
Now, I’m not going to get started on just how insecure this makes your laptop. But the key is to disable NLA on your Windows RDP client. You do that by disabling CredSSP, as you have discovered, using enablecredsspsupport:i:0.
In addition, without CredSSP, Windows will not allow you to use saved passwords to connect to remote computers. That’s because the identity of the remote server cannot be verified and Windows could end up dumping your credentials to a device that is impersonating the remote server.
Again, I’m not going to go in to the details of just how vulnerable you are making your devices by doing this. But, you can tell Windows to use saved passwords over insecure protocols even when the remote identity can not be established. This policy is called Allow delegating saved credentials with NTLM-only server authentication.
To enable it, you can open the local group policy editor on your Remote Desktop client computer (gpedit.msc) and navigate to Computer Configuration -> Administrative Templates -> Credentials Delegation.
Enable the policy and then add the laptop to the servers list to authorize it to use stored credentials. You should specify whatever name/IP address you use in the RDP connection in the following form: TERMSRV/<computer name or IP>. For instance, if your laptop name is laptop1 you will add TERMSRV/laptop1. `TERMSRV` must be in all caps.
Refresh your local group policy (gpupdate) to apply the changes.
If you have a home version of Windows without the local group policy editor you can make similar changes by modifying the registry (regedit).
- Path: `Software\Policies\Microsoft\Windows\CredentialsDelegation\`, Name: `AllowSavedCredentialsWhenNTLMOnly`, Type: `REG_DWORD`, Value: `1`
- Path: `Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowSavedCredentialsWhenNTLMOnly`, Name: `<an unused number>`, Type: `REG_SZ`, Value: `TERMSRV/laptop1`
- Path: `Software\Policies\Microsoft\Windows\CredentialsDelegation`, Name: `ConcatenateDefaults_AllowSavedNTLMOnly`, Type: `REG_DWORD`, Value: `1`
A reboot may be required to apply these registry changes.
More info here:
And here:
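The registry steps in the answer above, written out as a PowerShell script (an added example, not code from the answer or from Microsoft). It assumes the policy key lives under HKLM, which is where Computer Configuration policies are stored, that it is run from an elevated prompt on the RDP client machine, and that `laptop1` is a placeholder for whatever name or IP you type into the RDP client. It also adds a read-back function so the authorised list can be checked and kept to the single host that needs it, rather than a wildcard.

```powershell
# Added example: set the "Allow delegating saved credentials with NTLM-only server
# authentication" policy through the registry on the RDP *client*, for one named host.
# Assumption: the policy key is under HKLM (Computer Configuration policies live there).
# Run from an elevated PowerShell prompt; 'laptop1' below is a placeholder host name.

$PolicyKey = 'HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation'
$ListKey   = Join-Path $PolicyKey 'AllowSavedCredentialsWhenNTLMOnly'

function Enable-SavedCredsNtlmOnly {
    param([Parameter(Mandatory)][string]$TargetHost)

    # The list entry must use the literal, upper-case TERMSRV service class and must
    # match exactly what is typed into the RDP client (host name or IP address).
    $spn = "TERMSRV/$TargetHost"

    New-Item -Path $PolicyKey -Force | Out-Null
    New-Item -Path $ListKey   -Force | Out-Null

    # The two DWORD switches from the answer: enable the policy and merge with defaults.
    Set-ItemProperty -Path $PolicyKey -Name 'AllowSavedCredentialsWhenNTLMOnly'      -Type DWord -Value 1
    Set-ItemProperty -Path $PolicyKey -Name 'ConcatenateDefaults_AllowSavedNTLMOnly' -Type DWord -Value 1

    # List entries are REG_SZ values named "1", "2", ...; reuse an existing entry for this
    # SPN if present, otherwise take the next unused number.
    $entries = (Get-ItemProperty -Path $ListKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' }
    if ($entries | Where-Object { $_.Value -eq $spn }) { return $spn }
    $next = if ($entries) { ([int[]]($entries.Name) | Measure-Object -Maximum).Maximum + 1 } else { 1 }
    New-ItemProperty -Path $ListKey -Name "$next" -PropertyType String -Value $spn | Out-Null
    return $spn
}

function Get-SavedCredsNtlmOnlyTargets {
    # Returns the SPNs currently authorised for saved-credential delegation without
    # server authentication, so the list can be reviewed and trimmed to what is needed.
    if (-not (Test-Path $ListKey)) { return @() }
    (Get-ItemProperty -Path $ListKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}

Enable-SavedCredsNtlmOnly -TargetHost 'laptop1'
Get-SavedCredsNtlmOnlyTargets
```

After running it, `gpupdate` (or a reboot, as the answer notes) applies the change; `Get-SavedCredsNtlmOnlyTargets` should list only `TERMSRV/laptop1`. Because this policy lets the client hand a saved password to a server whose identity has not been verified, keeping the list to the exact name or IP you connect to limits the exposure to that one host.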