CCtech (asker):
2012 RDS Receiving second prompt for password when launching Remote Desktop through RDWeb

I am stumped and need some assistance.
I have a simple 2012 R2 RDS server set up for remote access. The server holds all RDS roles.

The problem is, SSO appears to be broken.
When a user logs in to RDWeb, they are presented with the Remote Desktop icon. Also, using IE the "Connected to RemoteApp and Desktop Connections" icon appears in the tray. When they click the app they are prompted for credentials again. They are getting the message shown in screenshot attached.

"The server's authentication policy does not allow connection requests using saved credentials. Please enter new credentials."

This only happens through RDWeb. If I try to connect through RD Gateway via RDP client, I do not get prompted again and do not get this message.

I have tried deleting and creating a new collection, still the same issue. I think there may be a local security policy in place, or a registry setting forcing this, but the fact that it only happens through RDWeb perplexes me.

I have run gpresult /h as an administrator and there are no group or local security policies related to passwords or credentials being saved. So, there is either a registry setting, OR something configured on the gateway or RDWeb is not allowing the credentials to pass. Possibly IIS?
Attachment: Capture.JPG

Philip Elder:

That is expected behaviour out of the box. Credentials do not get stored on the remote machines. It's a huge hole in security to allow users to do so.

For SSO to work correctly make sure you have TERMSRV/YourRDS and TERMSRV/*.domain.local (or whatever) set in your machine facing GPO for your RDS server(s): Computer Configuration\Administrative Templates\System\Credentials Delegation\Allow Delegating Default Credentials (ENABLED + above).

Enable SSO for RDS and RD Gateway (MSDN).
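As an added example (not code from the thread), the following PowerShell audits what the "Allow Delegating Default Credentials" policy above actually left in the registry on the connecting machine, and reports whether any entry covers the RDS host's TERMSRV SPN. The host name `rds01.domain.local` is a placeholder; replace it with the real RDS server.

```powershell
# Added example: audit the registry values written by the GPO
# Computer Configuration\Administrative Templates\System\Credentials Delegation\
# Allow Delegating Default Credentials. Run on the machine that launches the
# RemoteApp/desktop (the delegating client), with local admin rights.
function Test-RdsCredentialDelegation {
    param(
        [Parameter(Mandatory)][string]$RdsHost,   # FQDN of the RDS server
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    )
    $result = [ordered]@{
        PolicyPresent           = Test-Path $PolicyKey
        AllowDefaultCredentials = $false   # DWORD flag written when the policy is Enabled
        MatchingEntry           = $null    # first SPN entry that covers $RdsHost
        AllEntries              = @()      # every SPN entry the policy lists
    }
    if (-not $result.PolicyPresent) { return [pscustomobject]$result }

    $root = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $result.AllowDefaultCredentials = ($root.AllowDefaultCredentials -eq 1)

    # The policy stores one string value per SPN, named "1", "2", ... under a
    # subkey with the same name as the flag.
    $listKey = Join-Path $PolicyKey 'AllowDefaultCredentials'
    if (Test-Path $listKey) {
        $props = Get-ItemProperty -Path $listKey
        $result.AllEntries = @($props.PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { $_.Value })
    }

    # -like honours the "*" wildcard, so TERMSRV/*.domain.local covers
    # TERMSRV/rds01.domain.local exactly as the policy intends.
    $target = "TERMSRV/$RdsHost"
    $result.MatchingEntry = $result.AllEntries |
        Where-Object { $target -like $_ } |
        Select-Object -First 1
    [pscustomobject]$result
}

# Placeholder host name: substitute the real RDS server FQDN.
$check = Test-RdsCredentialDelegation -RdsHost 'rds01.domain.local'
$check | Format-List
if (-not ($check.AllowDefaultCredentials -and $check.MatchingEntry)) {
    Write-Warning "No delegation entry covers TERMSRV/rds01.domain.local; expect a second credential prompt."
}
```

Compare the output with `gpresult /h` on the same machine: if the policy is Enabled in the report but this key is missing or empty, the GPO has not been applied yet (run `gpupdate /force` and re-check).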
CCtech (asker):
Thank you Philip. I have configured these settings and still get the same prompt. The message is indicating "The server's authentication policy", so I still am convinced it is something on the server side. Also, this RDS environment is stood up in our hosted services datacenter. We stand up these environments for many clients to connect to and remotely work off an RDS server in our environment. All of them are pretty much identical and SSO works fine on them, except this client had requested some time ago that they should not be able to save credentials. We had a technician work on the server to try and force this, and now we cannot figure out where the setting was put in to place. When I run gpresult I do not see anything related, so I believe it may be a registry setting?
ASKER CERTIFIED SOLUTION (CCtech; the solution text is members-only and is not available on this page)

Philip Elder:
We have SSO deployed pretty much anywhere RDS is set up. We do not touch this setting and SSO just works.

NOTE: By enabling that setting, anyone that has access to the RDS externally via a saved password is now a huge security hole. Think about the possibilities.

CCtech (asker):
We also have SSO configured at multiple clients using RDS and I have never had to change this setting before either, I'm not sure what was causing the prompt on this environment. What is the difference? Anyone with Internet Explorer, Chrome, or Firefox can access any publicly accessible RDWeb page and store their password in the browser.
Philip Elder:

Has the Default Domain Policy had edits made to it? Has the Default Domain Controllers Policy had changes made to it?

Are there GP settings that have an impact on saved credentials?

IE is not set to pass credentials forward in its security settings?

There are a number of avenues to SSO being broken.

The Event Logs on the affected machine/user account should have at least some clue as to the source of the problem or the RDS Event Logs too.
CCtech (asker):

This resolved the error.