The built-in Windows Remote Desktop client (mstsc.exe) allows you to save the username and password used to connect to the remote computer. With saved RDP credentials, the user doesn't need to enter the password each time they connect to the Remote Desktop. In this post, we will look at how to configure saved credentials for your RDP connections in Windows 10 and Windows Server 2012 R2/2016, and what to do if passwords are not saved in spite of all settings (the remote system prompts you for the password every time).
RDP Saved Credentials Delegation via Group Policy
By default, Windows allows users to save their passwords for RDP connections. To do it, a user must enter the name of the RDP computer, the username and check the box “Allow me to save credentials” in the RDP client window. After a user has clicked the “Connect” button, the RDP server asks for the password and the computer saves it to Windows Credential Manager (not to the .RDP file).
As a result, the next time you connect to an RDP server using the same username, the password will be automatically taken from the Credential Manager and used for RDP authentication.
As you can see, if there is a saved password for this computer, the following message appears in the RDP client window:
Saved credentials will be used to connect to this computer. You can edit or delete these credentials.
As a senior administrator, I usually don't recommend that users save passwords. It is much better to use SSO in the domain for transparent RDP authentication.
If you connect from a domain computer to a computer/server in another domain or a workgroup, by default Windows doesn't allow a user to use saved credentials for the RDP connection. Even though the RDP connection password is saved in the Credential Manager, the system won't use it and prompts the user for the password. Windows also prevents you from using the saved RDP password if you connect with your local account instead of your domain one.
In this case, if you try to connect using the saved RDP password, this error message appears:
Your credentials did not work Your system administrator does not allow the use of saved credentials to log on to the remote computer CompName because its identity is not fully verified. Please enter new credentials.
Windows considers the connection insecure, since there is no trust between this computer and the remote computer in another domain (or a workgroup).
You can change these settings on the computer you are trying to establish the RDP connection from:
- Open the Local Group Policy Editor by pressing Win + R -> gpedit.msc;
- In the GPO editor, go to Computer Configuration -> Administrative Templates -> System -> Credentials Delegation. Find the policy named Allow delegating saved credentials with NTLM-only server authentication;
- Double-click the policy. Enable it and click Show;
- Specify the list of remote computers (servers) that are allowed to use saved credentials when accessed over RDP. The list of remote computers must be specified in the following format:
  - TERMSRV/server1 - allows saved credentials to be used to access one specific computer/server over RDP;
  - TERMSRV/*.contoso.com - allows RDP connections with saved credentials to all computers in the contoso.com domain;
  - TERMSRV/* - allows a saved password to be used to connect to any remote computer.
Tip. TERMSRV must be written in uppercase, and the computer name must fully match the one you type in the RDP client connection host field.
- Save the changes and update the GPO settings using this command:
gpupdate /force
Now, when connecting using RDP, the mstsc client will be able to use your saved credentials.
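The same policy can be applied from an elevated PowerShell prompt by writing the registry values that the Local Group Policy Editor writes for "Allow delegating saved credentials with NTLM-only server authentication". The script below is an added example, not part of the original post or of any Microsoft tool; the value names (AllowSavedCredentialsWhenNTLMOnly, ConcatenateDefaults_AllowSavedNTLMOnly, DenySavedCredentials) come from the CredSsp policy template, and the server names in $Servers are constructed placeholders. It deliberately uses the narrowest list that solves the problem rather than TERMSRV/*, and checks the uppercase TERMSRV prefix with a case-sensitive match.

```powershell
# Added example (not from the original post): apply the NTLM-only saved
# credentials delegation policy by writing its registry values directly.
# Run from an elevated prompt. Server names below are constructed placeholders.
# Note: a domain GPO that configures the same policy overwrites these values
# at the next policy refresh, so use gpmc.msc for domain-joined fleets.

$Servers = @(
    'TERMSRV/server1.contoso.com',   # one specific host (placeholder)
    'TERMSRV/*.contoso.com'          # every host in one DNS domain (placeholder)
    # 'TERMSRV/*' would allow every host; intentionally not included
)

$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$List = Join-Path $Base 'AllowSavedCredentialsWhenNTLMOnly'

# Enable the policy (this is the DWORD gpedit.msc sets when the policy is Enabled).
New-Item -Path $Base -Force | Out-Null
New-ItemProperty -Path $Base -Name 'AllowSavedCredentialsWhenNTLMOnly' `
    -PropertyType DWord -Value 1 -Force | Out-Null
# Merge this list with the built-in defaults instead of replacing them.
New-ItemProperty -Path $Base -Name 'ConcatenateDefaults_AllowSavedNTLMOnly' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# The server list is stored in a subkey as string values named "1", "2", ...
# Recreate the subkey so entries from an earlier run do not linger.
if (Test-Path $List) { Remove-Item -Path $List -Recurse -Force }
New-Item -Path $List -Force | Out-Null
$i = 1
foreach ($s in $Servers) {
    # -cnotmatch is case-sensitive: the prefix must be uppercase TERMSRV
    if ($s -cnotmatch '^TERMSRV/') { throw "Entry '$s' must start with uppercase TERMSRV/" }
    New-ItemProperty -Path $List -Name ([string]$i) -PropertyType String -Value $s -Force | Out-Null
    $i++
}

# A deny policy wins over any allow list, so warn if one is set locally.
$deny = Get-ItemProperty -Path $Base -Name 'DenySavedCredentials' -ErrorAction SilentlyContinue
if ($deny -and $deny.DenySavedCredentials -eq 1) {
    Write-Warning 'DenySavedCredentials is enabled; it overrides the allow list.'
}

# Refresh policy and print the resulting list for review.
gpupdate /force | Out-Null
Get-ItemProperty -Path $List | Select-Object -Property * -ExcludeProperty PS*
```

If the same user is still prompted afterwards, the missing piece is usually a deny policy or a domain GPO overriding the local one, which the printed list and the warning above make visible.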
The Local Group Policy Editor changes the RDP saved credentials policy only on the local computer. If you want to apply these settings on multiple computers in the domain, use a domain GPO configured with the gpmc.msc (Group Policy Management) console. If the user is still asked for a password during an RDP connection, try enabling and configuring the Allow delegating saved credentials policy in the same way. Also, make sure that the policy Deny delegating saved credentials is not enabled, since denying policies have higher priority.
Windows is not saving RDP credentials
If you have configured Windows following the instructions above, but your RDP client prompts you for your password each time you try to connect, it is worth checking the following:
- Click "Show Options" in the RDP connection window and make sure that the "Always ask for credentials" option is not checked;
- If you are using a saved .RDP file for the connection, make sure that the value of the 'prompt for credentials' parameter is 0 (prompt for credentials:i:0);
- Open the GPO Editor (gpedit.msc) and go to Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Connection Client. 'Do not allow passwords to be saved' must be Not Configured or Disabled. Also make sure that this policy setting is disabled in the resulting Group Policy on your computer (you can create an HTML report of the applied GPO settings using the gpresult command);
- Delete all saved passwords from the Credential Manager. Type control userpasswords2 and in the User Accounts window go to the Advanced tab and click Manage Passwords;
- In the next window select Windows Credentials. Find all saved RDP passwords and delete them (they start with TERMSRV/…). In this window you can manually add credentials for RDP connections. Please note that the name of an RDP server/computer must be specified in the TERMSRV/server_name1 format. Don't forget to delete all saved passwords when you clear the RDP connection history on your computer;
- You won't be able to log on with the saved RDP credentials if the remote server has not been updated for a long time; when trying to connect to it, you will see the error CredSSP encryption oracle remediation.
After that users will be able to use their saved passwords for RDP connections.
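The checklist above can be run as a read-only diagnostic. The script below is an added example, not part of the original post or of any Microsoft tool: it inspects the "Do not allow passwords to be saved" policy value (DisablePasswordSaving under the Terminal Services policy key), the CredentialsDelegation allow/deny values, the 'prompt for credentials' line of an .rdp file, and which TERMSRV/ targets exist in Credential Manager. The registry value names are taken from the policy templates; the default -RdpFile path is a constructed placeholder. It changes nothing and, because cmdkey only lists target names, it never exposes a stored secret.

```powershell
# Added example (not from the original post): read-only check of the
# troubleshooting items for RDP credentials that are not being saved.
# -RdpFile is a constructed placeholder path; point it at your own .rdp file.
param(
    [string]$RdpFile = "$env:USERPROFILE\Documents\Default.rdp"
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. "Do not allow passwords to be saved" (RDC client policy) sets
#    DisablePasswordSaving=1 under the Terminal Services policy key.
$tsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$dps = (Get-ItemProperty -Path $tsKey -Name DisablePasswordSaving -ErrorAction SilentlyContinue).DisablePasswordSaving
if ($dps -eq 1) {
    $findings.Add("'Do not allow passwords to be saved' is enabled (DisablePasswordSaving=1 in $tsKey).")
}

# 2. Saved credentials delegation: allow list present and well-formed, no deny policy.
$cdKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$cd = Get-ItemProperty -Path $cdKey -ErrorAction SilentlyContinue
if (-not $cd -or $cd.AllowSavedCredentialsWhenNTLMOnly -ne 1) {
    $findings.Add("'Allow delegating saved credentials with NTLM-only server authentication' is not enabled.")
} else {
    $allow = Get-ItemProperty -Path (Join-Path $cdKey 'AllowSavedCredentialsWhenNTLMOnly') -ErrorAction SilentlyContinue
    # The list is stored as string values named "1", "2", ...
    $entries = @($allow.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object Value)
    if ($entries.Count -eq 0) { $findings.Add('The allow list is enabled but contains no TERMSRV/ entries.') }
    foreach ($e in $entries) {
        # case-sensitive: TERMSRV must be uppercase
        if ($e -cnotmatch '^TERMSRV/') { $findings.Add("Allow-list entry '$e' is not in uppercase TERMSRV/ form.") }
    }
}
if ($cd.DenySavedCredentials -eq 1) {
    $findings.Add('DenySavedCredentials=1 is set; deny entries override the allow list.')
}

# 3. The .rdp file: "prompt for credentials:i:1" forces a password prompt
#    (this is what the "Always ask for credentials" checkbox writes).
if (Test-Path $RdpFile) {
    $line = Select-String -Path $RdpFile -Pattern '^prompt for credentials:i:(\d)' | Select-Object -First 1
    if ($line) {
        $v = $line.Matches[0].Groups[1].Value
        if ($v -ne '0') { $findings.Add("$RdpFile sets 'prompt for credentials:i:$v'; expected 0.") }
    }
}

# 4. TERMSRV/ targets in Credential Manager for the current user. cmdkey /list
#    prints target names only, never the stored password.
$saved = cmdkey /list 2>$null | Select-String 'Target:.*TERMSRV/'
if (-not $saved) { $findings.Add('No TERMSRV/ entries found in Credential Manager for this user.') }
else { $saved | ForEach-Object { Write-Host "Saved RDP target: $($_.Line.Trim())" } }

# gpresult /h <file>.html shows which of the above came from a domain GPO rather
# than local policy; run it separately if a finding does not match gpedit.msc.
if ($findings.Count -eq 0) { Write-Host 'No blocking settings found.' }
else { $findings | ForEach-Object { Write-Host "FINDING: $_" } }
```

A stale entry reported in step 4 for a server whose password has changed is a common cause of the prompt; removing it with cmdkey /delete:TERMSRV/server_name (or from the Credential Manager window as described above) and reconnecting re-creates it from the new password.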