built-in Windows Remote Desktop client (mstsc.exe) Allows you to save the username and password used to connect to the remote computer. Thanks to this, the user does not need to enter a password every time he wants to connect to a known remote desktop host. In this article, we will see how to allow the saved credentials to be used for RDP connections in Windows, and what to do if users cannot use the saved passwords for Remote Desktop Connections (the password is entered every time). is requested)
Allow saved credential delegation for RDP connections via GPO
By default, Windows allows users to save their password for RDP connections. To do this, a user must enter the RDP computer name, username, and check the box “Allow me to save credentials” In the Remote Desktop Connection (mstsc.exe) client window. After the user clicks “connectbutton, the RDP server asks for the password and Windows saves it in the Credential Manager (not in the RDP file).
The next time you connect to a remote RDP host under the same user, the client will automatically retrieve the saved password from Windows Credential Manager and use it for RDP authentication.
If there is a saved password for this computer, the following message will appear in the RDP client window:
Saved credentials will be used to connect to this computer. You can edit or delete these credentials.
By default, Windows does not allow a user to use a saved RDP password (credentials) from an Active Directory domain joined computer to a host in another domain or workgroup. Although the connection password is stored in the Credential Manager, Windows does not allow it to be used and requires the user to enter the password each time. Also, Windows prevents you from using the saved RDP password if you connect with your local account instead of your domain account.
In this situation, if you try to connect by using the saved RDP password, this error message appears:
Your credentials did not work Your system administrator does not allow the use of saved credentials to log on to the remote computer CompName because its identity is not fully verified. Please enter new credentials.
Windows considers the connection to be insecure because there is no trust between this computer and a remote computer in another domain (or workgroup).
You can change these settings on the computer you’re trying to establish an RDP connection to:
- Open the Local Group Policy Editor by pressing
Win + R, gpedit.msc, - In GPO Editor, go to Computer Configuration -> Administrative Templates -> System -> Credential Delegation, Search Designated Policy Allow handing over of saved credentials with NTLM-only server authentication,
- Enable the policy and click performance,
- Specify a list of remote hosts that are allowed to access over RDP using the saved credentials. The list of remote computers must be specified in the following format:
- Similarly, enable and add your TERMSRV/ values to Allow handing over saved credentials Policy;
The following registry settings correspond to the above GPO options:
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation] "AllowSavedCredentialsWhenNTLMOnly"=dword:00000001 “AllowSavedCredentials”=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowSavedCredentialsWhenNTLMOnly] "1"="TERMSRV/*" [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowSavedCredentials] "1"="TERMSRV/*" [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\CredentialsDelegation] “AllowSavedCredentialsWhenNTLMOnly”=dword:00000001 “AllowSavedCredentials”=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\CredentialsDelegation\AllowSavedCredentialsWhenNTLMOnly] "1"="TERMSRV/*" [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\CredentialsDelegation\AllowSavedCredentials] "1"="TERMSRV/*"
- Check if the following option is disabled Network Access: Do not allow storage of passwords and credentials for network authentication (Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options). If this setting is enabled, the user will receive an error when attempting to save a password to the Credential Manager vault:
Credential Manager Error Unable to save credentials. To save credentials in this vault, check your computer configuration. Error code: 0x80070520 Error Message: A specified logon session does not exist. It may already have been terminated.
- check that Refuse to delegate saved credentials The policy is disabled (or not configured). Give preference to Do not allow GPO policies;
- Save changes and update GPO settings using this command:
gpupdate /force
Now, when connected to the RDP host, the mstsc client will be able to use your saved credentials.
You can list saved passwords for RDP connections with the command:cmdkey /list ^| findstr "target=TERMSRV"
Run command to clear saved connection passwords:
For /F "tokens=1,2 delims= " %G in ('cmdkey /list ^| findstr "target=TERMSRV"') do cmdkey /delete %H
You can only change the RDP saved credential policy on the local computer using the Local Group Policy Editor. If you want to apply these settings to multiple computers in the domain, use the domain GPO configured using gpmc.msc (Group Policy Management) Console.
Why doesn’t Windows Remote Desktop save credentials?
If you’ve configured Windows following the instructions above, but your RDP client still prompts you to enter a password every time you try to connect, it’s worth checking the following:
- Click “show options” In the Remote Desktop Connection window and make sure that “Always ask for credentials” option is not checked;
- If you are using .RDP file for connection, make sure that the value of ‘credit signal‘parameter is 0 (
prompt for credentials:i:0,
- Open the Local GPO Editor (
gpedit.msc) and go to Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Connection Client. Do not allow saving passwords And Prompt for credentials on the client computerThe options should not be set or disabled. Also, make sure that this policy setting is disabled in the resulting Group Policy on your computer (you can create an HTML report with the GPO settings applied by using the gpresult command);
- Delete all saved passwords from Windows Credential Manager. type
control userpasswords2and in the user accounts go to window advanced tab and click manage password,
- In the next window, choose windows credentials, Find and delete all saved RDP passwords (they start with
TERMRSV/…,
In this window you can manually add the credentials for the RDP connection. Please note that the RDP server/computer name must be specified inTERMRSV\server_name1draft. Don’t forget to delete saved passwords when you clear the RDP connection history on your computer.
- If the remote server has not been updated for a long time, and the CredSSP encryption oracle fix error appears when you try to connect to it, you will not be able to logon with the saved RDP credentials.
After that, users will be able to use their saved passwords for RDP connections.
The server’s authentication policy does not allow connections with saved credentials
When connecting to an RDP host or RDS farm using saved credentials, an error may appear:
Windows Security Your credentials did not work The server’s authentication policy does not allow connection requests using saved credentials. Please enter new credentials.
In this case, you must disable the GPO option “Always prompt for password on connection”on the remote server (Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security).
If this policy is enabled, the RDP host always prompts clients for a password to connect.
You can disable this option via the registry:
REG add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fPromptForPassword /t REG_DWORD /d 0 /f
Windows Defender Credential Guard does not allow saved credentials
After updating to Windows 11 22H2, users started complaining that they can no longer use saved passwords for RDP connections:
Windows Security: Your credentials did not work Windows Defender Credential Guard does not allow using saved credentials. Please enter your credentials.
Windows Defender Remote Credential Guard (which appeared on Windows 10 1607) is supposed to protect your credentials for RDP connections. By default, Windows 11/10 22H2 only allows saved credentials to be used when using Kerberos authentication on the RDP host. If you cannot use Kerberos (the domain controller is not available, or you are connecting to a host in a workgroup), Remote Credential Guard blocks NTLM authentication.
You can resolve this issue by disabling Credential Guard through the registry:
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\LSA" -Name "LsaCfgFlags" -PropertyType "DWORD" -Value 0 -Force
Leave a Comment