?
Solved

2008 R2 RDP Password Prompt - iPad App

Posted on 2014-03-04
4
Medium Priority
?
621 Views
Last Modified: 2014-05-23
Hi,

I have a terminal server setup behind a RD Gateway instance and all is working normally with one exception.  Thru group policy I have "Always prompt for password on connection set". This option works perfectly well from any PC on the LAN or thru the RD Gateway.  My issue happens when a user is setup on their iPad using the MS Remote Desktop Connection app.  When the user creates a connection and saves the password, they are then able to connect without the prompt to enter their password.  This present a security flaw as users are allowed to use their own personal devices so we cannot enforce a screen pin unless they setup email.  I have looked at various settings to try and force the prompt and or prevent the pass thru from RD Gateway to the RD server but no success yet.
0
Comment
Question by:Minot
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 30

Expert Comment

by:serialband
ID: 39904352
There isn't a way that I know of on the new iPad & OSX RDP client.  It's quite an obnoxious thing they've done.  You might be able to ask Microsoft to change the program so that it doesn't do it that way on the iPad.  Other than that, I don't know if there's anything you can do to block it on the iPad itself.

Maybe change the client to the free 2X Client instead and tell them not to use the Microsoft RDC.
0
 

Author Comment

by:Minot
ID: 39905183
I guess a fundamental question for someone is why does the reg key on the server side fPromptForPassword only work on Windows Clients?  It would seem that if there is a server setting it should apply no matter what client is making the connection. I do agree that this is obnoxious and worse, it really becomes a compliance issue.  With this flaw rdgateway and rdp itself (on the lan) is really unacceptable in the eyes almost any audit if there is no way to enforce being prompted for a password.  MS needs to fix this, now if we can only get their attention.
0
 
LVL 30

Accepted Solution

by:
serialband earned 1500 total points
ID: 39905245
I believe that Microsoft programmed it to save the password.  It must be saved either as plain text or, if encrypted, it's reversible.  I used it once to connect to one Server 2012 VM from a Mac, because CoRD and the old Microsoft RDC wouldn't work.  I normally use CoRD and it doesn't save passwords.  The old Mircrosoft RDP doesn't save passords unless you hard code it in the preferences, but the new one basically forces it.  I can't leave it blank to have it prompt me.  I have to delete the entry to have it clear my password from the cache.  It's their broken programming, probably done by some fresh out of college intern.
0
 

Author Closing Comment

by:Minot
ID: 40087148
No solutions have been found, I agree that the programming is suspect at best.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question