The built-in Windows Remote Desktop client (mstsc.exe) allows us to save the username and password used to connect to the remote computer.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our customers with related Windows queries.
In this context, we shall look into how to fix this Windows error.
RDP Saved Credentials Delegation via Group Policy
Here, you will learn how to configure saved credentials for RDP connections in Windows 10, Windows Server 2012 R2/2016.
By default, Windows allows users to save their passwords for RDP connections.
To do it, a user must enter the name of the RDP computer, the username and check the box "Allow me to save credentials" in the RDP client window.
After a user has clicked the "Connect" button, the RDP server asks for the password and the computer saves it to Windows Credential Manager (not to the .RDP file).
The next time we connect with the same username, the password is taken automatically from Credential Manager and used for RDP authentication.
The following message appears in the RDP client window:
Saved credentials will be used to connect to this computer. You can edit or delete these credentials.
What triggers the Saved RDP Credentials Didn't Work error in Windows?
If we connect from a domain computer to a computer/server in another domain or a workgroup, by default Windows does not allow a user to use saved credentials for the RDP connection.
Even though the RDP connection password is saved in Credential Manager, the system will not use it and prompts the user for the password instead.
Also, Windows prevents us from using the saved RDP password if we connect with our local account instead of our domain one.
In this case, if we try to connect using the saved RDP password, this error message appears:
Your Credentials Did not Work
This issue can happen as a result of:
- Username change: Such issues occur when we freshly install Windows or rename the current user account.
- Windows Policy: In some cases, the error message is because of a Windows Security Policy which prevents non-admin users from signing in.
How to fix saved RDP Credentials Didn't Work in Windows?
To fix this issue, try the following tips.
1. Reverting Username
The error message sometimes occurs because the user we are trying to connect as does not exist on the Remote Desktop server.
This happens when we change our username or install a fresh copy of Windows.
Changing the username does not necessarily change it for Remote Desktop Connection.
Hence, we will have to revert to the username that we had been using before the error message appeared.
2. Editing Windows Security Policy
There is a Windows Security Policy for Remote Desktop Connection that does not allow non-Admin users to log in using RDP.
Thus, if we want to log in using a non-admin user account, we will have to grant the Remote Desktop Users group access.
To grant users access, follow the steps below:
- Type 'secpol.msc' in Run prompt and press Enter. This will open up the Local Security Policy window.
- Expand Local Policies and then select User Rights Assignment.
- On the right-hand side, locate and double-click either 'Allow log on through Remote Desktop Services' or 'Allow log on through Terminal Services'.
- Click Add User or Group and then type in Remote Desktop Users.
- Click OK, hit Apply and then click OK again.
- Restart the system for the change to take effect.
3. Editing Local Group Policy
Here we enable a set of Credentials Delegation policies and give each a list of permitted servers, which will most likely fix the issue.
To do this, follow the steps given below:
i. Firstly, open the Local Group Policy Editor by executing gpedit.msc in Run prompt.
ii. In the GPO editor, go to Computer Configuration -> Administrative Templates -> System -> Credentials Delegation. Find the policy named Allow delegating saved credentials with NTLM-only server authentication.
iii. Then, double-click the policy. Enable it and click Show.
iv. Finally, specify the list of remote computers (servers) that are allowed to use saved credentials when accessed over RDP. The list of remote computers must be specified in the following format:
TERMSRV/server1: allow saved credentials to be used to access a specific computer/server over RDP.
TERMSRV/*.linuxapt.com: allow RDP connections with saved credentials to all computers in the linuxapt.com domain.
TERMSRV/*: allow a saved password to be used to connect to any remote computer.
TERMSRV must be written in uppercase, and the computer name must fully match the one we type in the host field of the RDP client.
v. Do the same for the following policies as well:
Allow delegating default credentials, saved credentials and saved credentials with NTLM-only server authentication
Also, make sure that the policy Deny delegating saved credentials is not enabled, since deny policies have higher priority.
vi. Save the changes and update GPO settings using this command:
With the Local Group Policy Editor, we can change the RDP saved credentials policy only on the local computer. If we want to apply these settings to multiple computers in the domain, use a domain GPO configured in the gpmc.msc (Group Policy Management) console.
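To review what these policies currently permit on a computer, here is a read-only audit script (an added example, not part of the original article). It assumes the policies are stored under the CredentialsDelegation policy key with the value names shown, and it flags broad entries such as TERMSRV/* so they can be narrowed to named servers.

```powershell
# Added example: list the Credentials Delegation server lists and note how broad each entry is.
# Assumption: value and subkey names below are the ones the policy templates write.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$policies = [ordered]@{
    AllowSavedCredentials             = 'Allow delegating saved credentials'
    AllowSavedCredentialsWhenNTLMOnly = 'Allow delegating saved credentials with NTLM-only server authentication'
    AllowDefaultCredentials           = 'Allow delegating default credentials'
    AllowDefCredentialsWhenNTLMOnly   = 'Allow delegating default credentials with NTLM-only server authentication'
    DenySavedCredentials              = 'Deny delegating saved credentials'
}

function Get-DelegationEntry {
    param([string]$ValueName)
    # The DWORD <ValueName> = 1 means the policy is enabled
    $on = (Get-ItemProperty -Path $base -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($on -ne 1) { return }
    # The server list lives in a subkey of the same name, as numbered string values
    $key = Get-Item -Path (Join-Path $base $ValueName) -ErrorAction SilentlyContinue
    if ($key) { $key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) } }
}

function Get-EntryNote {
    param([string]$Entry)
    # Case-sensitive checks, because the article requires uppercase TERMSRV
    if ($Entry -cnotmatch '^TERMSRV/')  { return 'not an uppercase TERMSRV/ entry' }
    if ($Entry -ceq 'TERMSRV/*')        { return 'any host: saved credentials allowed for every RDP server' }
    if ($Entry -cmatch '^TERMSRV/\*\.') { return 'domain wildcard' }
    return 'single host'
}

$report = foreach ($name in $policies.Keys) {
    foreach ($entry in @(Get-DelegationEntry -ValueName $name)) {
        [pscustomobject]@{ Policy = $policies[$name]; Entry = $entry; Note = Get-EntryNote $entry }
    }
}

if (-not $report) { 'No Credentials Delegation lists are enabled on this computer.' }
$report | Format-Table -AutoSize -Wrap
if ($report | Where-Object { $_.Policy -like 'Deny*' }) {
    'A Deny list is enabled; it takes priority over the Allow lists.'
}
```

Run it after a policy refresh (for example `gpupdate /force`) so the registry reflects the settings just applied.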
4. Editing Registry
In some cases, making some changes in the registry might get rid of the error.
Here, we will be changing some configurations in the registry.
To implement this:
i. Type "Regedit" in Run prompt and press "Enter".
ii. Navigate to the following address:
iii. Click on the "LsaCompatiblityLevel" option.
iv. Double-click on the "REG_DWORD" option and change the Value to "1".
Also make sure that we are logging in locally and not through a Remote Desktop Connection, because it might not work with two-factor authentication enabled.
5. Disabling Windows Hello sign-in (If applicable)
In this step, we will be replacing the Windows Hello sign-in with the normal Password.
i. Press and hold the "Windows" + "I" keys together to open the Settings app.
ii. Once the Settings app is opened, navigate to "Accounts > Sign-in options". Now Disable Windows Hello sign-in.
iii. Now we will set a normal password. To do that, click on the "Password" option and then click on "Add".
iv. Once we press the "Add" button, we will get a pop-up asking for new "Password" and a Hint for that password.
v. Now simply put the new password and the hint for it and we should be good to go.
To further troubleshoot Windows is not saving RDP credentials:
If we have configured Windows following the instructions above, but the RDP client still prompts for the password each time we try to connect, it is worth checking the following:
1. Firstly, click "Show Options" in the RDP connection window and make sure that "Always ask for credentials" option is not checked.
2. If we are using the saved .RDP file for connection, make sure that the value of ‘prompt for credentials’ parameter is 0 (prompt for credentials:i:0).
3. Then, open the GPO Editor (gpedit.msc) and go to Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Connection Client. 'Do not allow passwords to be saved' must be not set or disabled. Also make sure that this policy setting is disabled in the resulting Group Policy on our computer (we can create an HTML report with the applied GPO settings using the gpresult command).
4. Next, delete all saved passwords from the Credential Manager. Type control userpasswords2 and in the User Accounts window, go to the Advanced tab and click Manage Passwords.
5. In the next window, select Windows Credentials. Find all saved RDP passwords and delete them (they start with TERMSRV/…).
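The same checks can be scripted. The following read-only PowerShell is an added example, not part of the original article; it assumes the 'Do not allow passwords to be saved' policy is stored as the DisablePasswordSaving registry value, and the .rdp file it parses is a constructed sample.

```powershell
# Added example: read-only versions of the troubleshooting checks above.

function Get-RdpPromptSetting {
    param([Parameter(Mandatory)][string]$Path)
    # .rdp files hold "name:type:value" lines; no matching line means the client default applies
    $line = Get-Content -LiteralPath $Path |
        Where-Object { $_ -match '^prompt for credentials:i:\d+\s*$' } |
        Select-Object -Last 1
    if ($line -match ':i:(\d+)\s*$') { return [int]$Matches[1] }
    return $null
}

function Get-PasswordSavingPolicy {
    # Assumption: 'Do not allow passwords to be saved' = DisablePasswordSaving (1 = enabled)
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = "$hive\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
        $val = (Get-ItemProperty -Path $key -Name DisablePasswordSaving `
                -ErrorAction SilentlyContinue).DisablePasswordSaving
        [pscustomobject]@{ Hive = $hive; DisablePasswordSaving = $val; BlocksSaving = ($val -eq 1) }
    }
}

function Get-SavedRdpTarget {
    # cmdkey /list prints every Credential Manager entry; RDP entries have a TERMSRV/ target
    cmdkey /list | Select-String -Pattern 'TERMSRV/\S+' -AllMatches |
        ForEach-Object { $_.Matches.Value } | Sort-Object -Unique
}

# Constructed sample .rdp file so the parser can be exercised without a real connection file
$sample = Join-Path $env:TEMP 'sample-constructed.rdp'
Set-Content -LiteralPath $sample -Value @(
    'full address:s:server1',
    'prompt for credentials:i:1'
)
"prompt for credentials = $(Get-RdpPromptSetting -Path $sample) (must be 0 to use saved credentials)"
Remove-Item -LiteralPath $sample

Get-PasswordSavingPolicy | Format-Table -AutoSize

# Print each saved RDP target with the command that would remove it; nothing is deleted here
Get-SavedRdpTarget | ForEach-Object { "saved: $_    remove with: cmdkey /delete:$_" }
```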