2012 RDS Receiving second prompt for password when launching Remote Desktop through RDWeb

I am stumped and need some assistance.
I have a simple 2012 R2 RDS server set up for remote access. The server holds all RDS roles.

The problem is, SSO is appears to be broken.
When a user logs in to RDWeb, they are presented with the Remote Desktop icon. Also, using IE the "Connected to RemoteApp and Desktop Connections" icon appears in the tray. When they click the app they are prompted for credentials again. They are getting the message shown in screenshot attached.

"The server's authentication policy does not allow connection requests using saved credentials. Please enter new credentials."

This only happens through RDWeb. If I try to connect through RD Gateway via RDP client, I do not get prompted again and do not get this message.

I have tried deleting and creating a new collection, still the same issue. I think there may be a local security policy in place, or a registry setting forcing this, but the fact that it only happens through RDWeb perplexes me.

I have run gpresult /h as an administrator and there are no group or local security policies related to passwords or credentials being saved. So, there is either a registry setting, OR something configured on the gateway or RDWeb is not allowing the credentials to pass. Possibly IIS?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Philip ElderTechnical Architect - HA/Compute/StorageCommented:
That is expected behaviour out of the box. Credentials do not get stored on the remote machines. It's a huge hole in security to allow users to do so.

For SSO to work correctly make sure you have TERMSRV/YourRDS and TERMSRV/*.domain.local (or whatever) set in your machine facing GPO for your RDS server(s): Computer Configuration\Administrative Templates\System\Credentials Delegation\Allow Delegating Default Credentials (ENABLED + above).

Enable SSO for RDS and RD Gateway (MSDN).
CCtechAuthor Commented:
Thank you Phillip. I have configured these settings and still get the same prompt. The message is indicating "The server's authentication policy " so I still am convinced it is something on the server side. Also, This RDS environment is stood up on our hosted services datacenter. We stand up these environments for many clients to connect to and remotely work off an RDS server in our environment. All of them are pretty much identical and SSO works fine on them, accept this client had requested some time ago that they should not be able to save credentials. We had a technician work on the server to try and force this, and now we can not figure out where the setting was put in to place. When I run gpresult I do not see anything related, so I believe it may be a registry setting?
CCtechAuthor Commented:
Found Solution. On the RDS Server:

Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.

Set  ‘Always prompt for password upon connection‘ to disabled.

This was set to "Not Configured" but it was still causing an issue until I changed it to "disabled".

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
IT Pros Agree: AI and Machine Learning Key

We’d all like to think our company’s data is well protected, but when you ask IT professionals they admit the data probably is not as safe as it could be.

Philip ElderTechnical Architect - HA/Compute/StorageCommented:
We have SSO deployed pretty much anywhere RDS is set up. We do not touch this setting and SSO just works.

NOTE: By enabling that setting anyone that has access to the RDS externally via saved password set is now a huge security hole. Think about the possibilities.
CCtechAuthor Commented:
We also have SSO configured at multiple clients using RDS and I have never had to change this setting before either, I'm not sure what was causing the prompt on this environment. What is the difference? Anyone with Internet Explorer, Chrome, or Firefox can access any publicly accessible RDWeb page and store their password in the browser.
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
The Default Domain Policy have edits made to it? The Default Domain Controllers Policy have changes made to it?

Are there GP settings that have an impact on saved credentials?

IE is not set to pass credentials forward in its security settings?

There are a number of avenues to SSO being broken.

The Event Logs on the affected machine/user account should have at least some clue as to the source of the problem or the RDS Event Logs too.
CCtechAuthor Commented:
this resolved the error.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.