
At our office, all of our Windows 7 clients get this error message when we try to RDP to a remote Windows 2008 Server outside of the office:

Your system administrator does not allow the use of saved credentials to log on to the remote computer XXX because its identity is not fully verified. Please enter new credentials


A quick Google search leads to some posts; they all suggest I edit group policy, etc.

I'm under the impression that the common fix for this is to follow those instructions on every Windows 7 machine.

Is there any way that I can do something via the Active Directory which could update all Windows 7 clients in the office LAN?

Pure.Krome
  • Group Policy IS the way to use Active Directory to fix this. You just need to edit that group policy through AD and not on your local machine. Careful experimenting on a live network; if you don't know what you are doing you can hose things up. – uSlackr Jun 08 '12 at 11:18
  • I did that. Didn't work on my client :( I tried the force update and rebooted my client Win 7 box. Is there a way I can confirm that the client Win 7 box has been 'updated'? – Pure.Krome Jun 08 '12 at 12:52
  • Yes, two ways. Take a look at the gpresult command or run mmc and add the Resultant Set of Policy snap-in. – uSlackr Jun 08 '12 at 12:54
  • gpresult command?? – Pure.Krome Jun 08 '12 at 12:55
  • Yes. Type it in at a command prompt. – uSlackr Jun 08 '12 at 13:09
  • You may want to consider changing the accepted answer to @slayernoah's one. The accepted one sometimes works, sometimes not, and the settings may be overwritten by a GPO. – WoJ Aug 31 '17 at 19:56
  • Fixed, @WoJ - ta! – Pure.Krome Sep 01 '17 at 05:13

4 Answers


If you don't want to change local or server side GPOs:

Go to Control Panel -> Credential Manager on the local computer you are trying to connect from.
You will see three sections:

  1. Windows Credentials
  2. Certificate-Based Credentials
  3. Generic Credentials

Remove the credentials from Windows Credentials and add it to Generic Credentials.

slayernoah
  • Brilliant solution. Confirmed working with Win8.1 client and Server2012R2 remote host. – Chris Marisic Dec 02 '15 at 21:15
  • This should be the top answer, simple solution and I don't need to modify GPO (which gets overwritten at log on at my work). – neilsimp1 May 11 '16 at 18:11
  • Confirmed on Windows 10 with Windows Server 2012R2. – Tuinstoelen Jan 04 '17 at 08:47
  • This also works for my configuration (on Win8.1 and remote Azure server), unlike the accepted answer. – Jen-Ari Feb 21 '17 at 11:42
  • Worked perfectly for me in Win10. – drescherjm May 23 '17 at 15:44
  • For some reason my Win10 machine only shows 'Web Credentials' and 'Windows Credentials'. It does not show 'Generic' :| – Radderz Nov 17 '17 at 12:12
  • @Radderz click on Windows Credentials and in this if you scroll down, you will see 3 types of credentials within this: (1) Windows Credentials, (2) Certificate Based Credentials and (3) Generic Credentials. Next to the heading for Generic Credentials, there should be a button to 'Add a generic credential'. – slayernoah Nov 17 '17 at 15:46
  • Worked for me when trying to save credentials connecting AWS WorkSpaces to EC2 server. – Doug Knudsen Jul 07 '19 at 16:51
  • Works on Windows 10 Pro connecting to Windows Server 2019 Standard. – Jacques May 08 '20 at 09:08
  • I ran into this today and it started working as soon as I added the Generic credential; I didn't even have to remove the Windows credential! – Neil Jul 27 '21 at 18:41

Here is a link on how to accomplish this: http://netport.org/?p=255

Update 4 settings in the group policy editor in Windows 7.

This security measure can be frustrating when you connect and disconnect a lot to the same (or many) terminal servers. To get rid of it and to be able to use saved credentials in this situation you need to configure the following:

Go to Start -> type: gpedit.msc -> in the console configure the following:

[screenshot]

Enable each shown policy and then click on the “Show” button to get to the server list and add TERMSRV/* (or alternatively just *) to the server list. In my case it’s ‘*’ which indicates that cached credentials will be allowed to all servers.

[screenshot]

The last thing to do is refreshing policy. To do that just go to command line (run as administrator) and type: gpupdate /force

That’s it. Now you can connect to your terminal servers by just clicking on .rdp files.

Zak
  • **This is a security issue.** Allowing NTLM session credential delegation to `*` enables an attacker to e-mail a user an .RDP connection configuration file, which configures mstsc to use session credentials and connect to the attacker's server on the internet. If the user clicks that file, their username and NTLM hash (which is a password equivalent on Windows networks - the attacker can use this hash to pose as the user anywhere on your network) will be sent to that server. To mitigate, list allowed servers explicitly, or even better, do not allow NTLM delegation at all. – cemper93 Oct 12 '22 at 11:42

For those who are willing to add it directly to the registry, save the following content in a *.reg file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation]
"AllowDefCredentialsWhenNTLMOnly"=dword:00000001
"ConcatenateDefaults_AllowDefNTLMOnly"=dword:00000001
"AllowDefaultCredentials"=dword:00000001
"ConcatenateDefaults_AllowDefault"=dword:00000001
"AllowSavedCredentialsWhenNTLMOnly"=dword:00000001
"ConcatenateDefaults_AllowSavedNTLMOnly"=dword:00000001
"AllowSavedCredentials"=dword:00000001
"ConcatenateDefaults_AllowSaved"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials]
"1"="TERMSRV/*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefCredentialsWhenNTLMOnly]
"1"="TERMSRV/*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowSavedCredentials]
"1"="TERMSRV/*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowSavedCredentialsWhenNTLMOnly]
"1"="TERMSRV/*"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\CredentialsDelegation]
"AllowDefCredentialsWhenNTLMOnly"=dword:00000001
"ConcatenateDefaults_AllowDefNTLMOnly"=dword:00000001
"AllowDefaultCredentials"=dword:00000001
"ConcatenateDefaults_AllowDefault"=dword:00000001
"AllowSavedCredentialsWhenNTLMOnly"=dword:00000001
"ConcatenateDefaults_AllowSavedNTLMOnly"=dword:00000001
"AllowSavedCredentials"=dword:00000001
"ConcatenateDefaults_AllowSaved"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials]
"1"="TERMSRV/*"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefCredentialsWhenNTLMOnly]
"1"="TERMSRV/*"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\CredentialsDelegation\AllowSavedCredentials]
"1"="TERMSRV/*"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\CredentialsDelegation\AllowSavedCredentialsWhenNTLMOnly]
"1"="TERMSRV/*"

I got it by doing it manually and then searching the registry for TERMSRV.

Oz Edri
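Both the gpedit answer and the .reg answer above turn on all four Credentials Delegation policies with `TERMSRV/*`, which is what the comment on the gpedit answer warns about. The PowerShell below is an added example, not the answers' own material: it writes the same registry values the .reg file writes, but only for an explicit allow-list of `TERMSRV/<host>` SPNs (refusing any wildcard), by default for the two saved-credential policies only, and it also audits what is currently configured on a client and flags wildcard entries, which answers the "how do I confirm the client was updated" question from the comments alongside `gpresult`. Host names are placeholders; it assumes an elevated session. On a domain-joined client these keys are owned by Group Policy, so the durable place to set this is the GPO (Computer Configuration > Administrative Templates > System > Credentials Delegation); the registry form is shown so the result can be checked and tested on a single client. The WOW6432Node copy from the .reg file is not written here.

```powershell
# Added example, not the answer's own .reg file: audit and set the Credentials
# Delegation server lists with explicit TERMSRV SPNs instead of TERMSRV/*.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

# The four policies the .reg file enables, each paired with its
# "Concatenate OS defaults with input above" flag value name.
$Policies = [ordered]@{
    AllowDefaultCredentials           = 'ConcatenateDefaults_AllowDefault'
    AllowDefCredentialsWhenNTLMOnly   = 'ConcatenateDefaults_AllowDefNTLMOnly'
    AllowSavedCredentials             = 'ConcatenateDefaults_AllowSaved'
    AllowSavedCredentialsWhenNTLMOnly = 'ConcatenateDefaults_AllowSavedNTLMOnly'
}

function Get-CredentialDelegationPolicy {
    # Report each policy's enabled state and server list; flag wildcard entries,
    # which allow credential delegation to any host matching the pattern.
    foreach ($name in $Policies.Keys) {
        $enabled = $null
        if (Test-Path $PolicyRoot) {
            $enabled = (Get-ItemProperty -Path $PolicyRoot).$name
        }
        $servers = @()
        $listKey = Join-Path $PolicyRoot $name
        if (Test-Path $listKey) {
            $item    = Get-Item $listKey
            $servers = @($item.GetValueNames() | ForEach-Object { $item.GetValue($_) })
        }
        [pscustomobject]@{
            Policy   = $name
            Enabled  = ($enabled -eq 1)
            Servers  = ($servers -join ', ')
            Wildcard = (@($servers | Where-Object { $_ -match '\*' }).Count -gt 0)
        }
    }
}

function Set-CredentialDelegationAllowList {
    param(
        [Parameter(Mandatory)] [string[]] $ServerSpn,   # placeholders, e.g. 'TERMSRV/rds01.corp.example'
        # The error in the question concerns *saved* credentials; the Default
        # policies forward the logged-on user's own credentials and are not needed for it.
        [string[]] $Policy = @('AllowSavedCredentials', 'AllowSavedCredentialsWhenNTLMOnly')
    )
    # Refuse wildcards outright: the whole point is an explicit list.
    $bad = @($ServerSpn | Where-Object { $_ -match '\*' })
    if ($bad.Count -gt 0) { throw "Wildcard entries are not allowed here: $($bad -join ', ')" }

    New-Item -Path $PolicyRoot -Force | Out-Null
    foreach ($name in $Policy) {
        if (-not $Policies.Contains($name)) { throw "Unknown policy: $name" }
        New-ItemProperty -Path $PolicyRoot -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $PolicyRoot -Name $Policies[$name] -PropertyType DWord -Value 1 -Force | Out-Null

        # Replace the server list wholesale so stale or wildcard entries do not linger.
        $listKey = Join-Path $PolicyRoot $name
        if (Test-Path $listKey) { Remove-Item -Path $listKey -Recurse -Force }
        New-Item -Path $listKey -Force | Out-Null
        $i = 1
        foreach ($spn in $ServerSpn) {
            # Same layout as the .reg file: value names "1", "2", ... holding the SPNs.
            New-ItemProperty -Path $listKey -Name ([string]$i) -PropertyType String -Value $spn | Out-Null
            $i++
        }
    }
}

# Usage (placeholder host), then refresh policy and re-audit:
#   Set-CredentialDelegationAllowList -ServerSpn 'TERMSRV/rds01.corp.example'
#   gpupdate /force
#   Get-CredentialDelegationPolicy | Format-Table -AutoSize
```

`Get-CredentialDelegationPolicy` is the quick client-side check: after `gpupdate /force`, a row with `Enabled` true and your host in `Servers` means the policy reached the machine, and any row with `Wildcard` true is worth a second look, because a `*` or `TERMSRV/*` entry lets an .rdp file pointed at an arbitrary host receive the user's saved or session credentials. Listing hosts by their exact SPN is the mitigation the comment on the gpedit answer asks for, and the `WhenNTLMOnly` policies are the ones that matter for servers that cannot be authenticated with Kerberos, which is the "identity is not fully verified" case in the question.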

If this has happened to you suddenly and unexpectedly, and the rest of your remote computers aren't having trouble, start with the solution @slayernoah presented (and was accepted), but before you start moving your credentials from Windows to Generic, find the credentials for the specific remote computer that is having the issue and verify that it's trying to connect with the right account.

In my case, I had previously tried to log in to the trouble remote computer using a service account for a different purpose, and the Credential Manager saved that login and hadn't changed to my working account.

W10 Pro build 19044.1706 connecting to W10 Pro build 19044.1766