The problem
When I’ve to connect to the same development machine over and over again using RDP I store the credentials.
But when I later connect again I’ve to still provide a password.
After entering my password 1387 times in the last year I started searching for the reason why it doesn’t use my stored credentials. As it turns out this is because of a local policy.
The solution
- Start GPEdit.msc and navigate to
Computer Configuration\Administrative Templates\System\Credentials Delegation - Open the policy
Allow Saved Credentials with NTLM-only Server Authentication(orAllow Delegating Saved Credentials with NTLM-only Server Authenticationfor Windows 7) - Select
Enabledand click on Show - Enter the server where you want to connect to with the stored credentials. You’re allowed to use wildcards, so I choose
TERMSRV/*.int(my development machines are always in a domain ending with.int) - Close the screens and run gpupdate
Now it’s possible to connect to the server without providing the same password over and over again.
Thanks. Worked on Windows 8 Enterprise box to a Windows 7 Pro box.
Thanks for this post. Unfortunately it is not working for me. I followed your steps, and then I put in the server name. Which is "furman". So I put it in just like that, do I need anything else in there? I even tried the IP address. I noticed you had a /* in there. What is that for?
Hi James. The "/*" is there to match "any" computer name we'd like to connect to. In your case, i believe "TERMSRV/furman" should be enough, if you REALLY only want to skip the password for just that particular server. The usual "lazy" value for this is "termsrv/*", which matches connecting anywhere, but a more secure variant is like Michaël used: "termsrv/*.". My hunch is that the TermSrv prefix specifies that the credential policy you're editing should be applied to all requests by "Terminal Services" (Remote Desktop).
Hi C,
I place my post under James´s post, because I am in same category(aint working for me). I´ve followed described steps, no error meggages occured - all seems correct. But still, once I try log with no matter what user Windows Security pops out and asks me for credentials.
I am using Win 8 Pro, server is 2008R2.
I´ve been trying value:
TERMSRV/*
TERMSRV/*.ip address
TERMSRV/*.server name
(updated GP with each attempt ..)
I belive it must be something else that is breaking me or I have set up, but still dont know what it is.
Thanks!
Hoo.
L1 tech support
Many thanks for this. This causing quite a bit of frustration.
thanks mate, worked nicely for me. just adding that this should be done on the client, the machine that is initiating connection. seems obvious but like a dummy i did it on the server first.
We had this problem despite above and determined the terminal server session host manager ssl certificate that was selected automatically was not the correct certificate. Selecting the certificate manually resolved the problem.
Hi Kevin,
Can you explain how, where and which SSL certificate we need to select. We are having the issue even after implementing the proposed fixe. Thanks.
This can be set on the server side, but it would need to be in a GPO for a container of the client computers that you want to do it from. I used TERMSRV/*.mydomainname.com as the setting and then when the GPO is next refreshed the client machines will receive the setting.
Thanks for this solution. It saved my lot of time.
Even this help me keep the password hidden but my team member can access server in my absence.
I don't need to provide the password anyone.
Many thanks for this - setting TERMSRV/hostname and then gpupdate worked perfectly for me.
Many thanks to you man, this issue bothering me several weeks!
It's do help~~
Thanks again.
Many thanks wonderful solution - works on win10pro 64bit + WServer, will save me a X-times to repeat the PWD 😉
I wish I'd seen this years ago.
This is great! thank you for posting this (even if it was many years ago). Works on Windows 10.
It worked for me. Windows 7 Client Machine
Thanks, it worked well with TERMSRV/* Thanks!
Thanks!!! Working on Windows 10 Pro
Thanks! Worked on Win 7 Pro to Win Server 2012
To allow all servers, just enter a single *
Thanks for the info.
After nine years I finally googled this! Why not earlier!?
I also put * which allows all servers.
Worked perfectly. Awesomeness!
This can also be done via registry - example reg file contents below to allow all servers. You can add additional items to the list by incrementing the quoted number if you want to allow specific domains/machines. Format should be (in theory) "TERMSRV/hostname.domain.suffix" such as "TERMSRV/*.contoso.local". I work on hundreds of client domains so I use "TERMSRV/*"
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation]
"AllowSavedCredentialsWhenNTLMOnly"=dword:00000001
"ConcatenateDefaults_AllowSavedNTLMOnly"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowSavedCredentialsWhenNTLMOnly]
"1"="TERMSRV/*"
Thanks. Worked well on Win10 EE and solved a nasty issue
Worked perfect on windows 10 pro in AD, thank you 🙂