Home / server / Questions / 396722
Accepted
Pure.Krome
Asked: 2012-06-08 19:02:23 +0800 CST

Your system administrator does not allow the use of saved credentials to log on to the remote computer

  • 772

At our office, all of our Windows 7 Clients get this error message when we try and RDP to a remote Windows 2008 Server outside of the office:

Your system administrator does not allow the user of saved credentials to log on to the remote computer XXX because its identity is not fully verified. Please enter new credentials

Screenshot

A quick google search leads to some posts they all suggest I edit group policy, etc.

I'm under the impression, that the common fix for this, is to follow those instructions on every Windows 7 machine.

Is there any way that I can do something via the Active Directory which could update all Windows 7 clients in the office LAN?

windows-server-2008 remote-desktop active-directory rdp credentials

4 Answers

  1. Best Answer

    If you don't want to change local or server side GPOs:

    Go to Control Panel -> Credential Manager on the local computer you are trying to connect from.
    You will see three sections:

    1. Windows Credentials
    2. Certificate-Based Credentials
    3. Generic Credentials

    Remove the credentials from Windows Credentials and add it to Generic Credentials.

    • 112

  2. Here is a link on how to accomplish this: http://netport.org/?p=255

    Update 4 setting in the group policy editor in Windows 7.

    This security measure could frustrating when you connect and disconnect a lot to the same (or many) terminal server. To get rid of it and to be able to use saved credentials in this situation you need to configure the following:

    Go to Start -> type: gpedit.msc -> in the console configure the following:

    enter image description here

    Enable the each shown policy and then click on the “Show” button to get to the server list and add TERMSRV/* (or alternatively just *) to the server. In my case it’s ‘*’ which indicates that cached credentials will be allowed to all servers.

    enter image description here

    The last thing to do is refreshing policy. To do that just go to command line (run as administrator) and type: gpupdate /force

    That’s it. Now you can connect to your terminal servers by just clicking on .rdp files.

    • 33

  3. For those who are willing to add it directly to the registry, save the following content in a *.reg file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation] "AllowDefCredentialsWhenNTLMOnly"=dword:00000001 "ConcatenateDefaults_AllowDefNTLMOnly"=dword:00000001 "AllowDefaultCredentials"=dword:00000001 "ConcatenateDefaults_AllowDefault"=dword:00000001 "AllowSavedCredentialsWhenNTLMOnly"=dword:00000001 "ConcatenateDefaults_AllowSavedNTLMOnly"=dword:00000001 "AllowSavedCredentials"=dword:00000001 "ConcatenateDefaults_AllowSaved"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials] "1"="TERMSRV/*"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefCredentialsWhenNTLMOnly] "1"="TERMSRV/*"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowSavedCredentials] "1"="TERMSRV/*"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowSavedCredentialsWhenNTLMOnly] "1"="TERMSRV/*"

    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\CredentialsDelegation] "AllowDefCredentialsWhenNTLMOnly"=dword:00000001 "ConcatenateDefaults_AllowDefNTLMOnly"=dword:00000001 "AllowDefaultCredentials"=dword:00000001 "ConcatenateDefaults_AllowDefault"=dword:00000001 "AllowSavedCredentialsWhenNTLMOnly"=dword:00000001 "ConcatenateDefaults_AllowSavedNTLMOnly"=dword:00000001 "AllowSavedCredentials"=dword:00000001 "ConcatenateDefaults_AllowSaved"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials] "1"="TERMSRV/*"

    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefCredentialsWhenNTLMOnly] "1"="TERMSRV/*"

    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\CredentialsDelegation\AllowSavedCredentials] "1"="TERMSRV/*"

    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\CredentialsDelegation\AllowSavedCredentialsWhenNTLMOnly] "1"="TERMSRV/*"

    I got it by doing it manually and then searching the registry for TERMSRV.

    • 0

  4. If this has happened to you suddenly and unexpectedly, and the rest of your remote computers aren't having trouble, start with the solution @slayernoah presented (and was accepted), but before you start moving your credentials from Windows to Generic, find the credentials for the specific remote computer that is having the issue and verify that it's trying to connect with the right account.

    In my case, I had previously tried to log in to the trouble remote computer using a service account for a different purpose, and the Credential Manager saved that login and hadn't changed to my working account.

    W10 Pro build 19044.1706 connecting to W10 Pro build 19044.1766

    • 0