Scott Forsyth's Blog

Postings on IIS, ASP.NET, SQL Server, Webfarms and general system admin.

Vista and RDP6.0's Remote Desktop Prompt

I use Remote Desktop Client dozens of times per day to administer remote servers.  With Windows Vista, I get an ugly prompt when connecting to Windows Server 2003 and Windows 2000 Server machines saying:


Remote Desktop cannot verify the identity of the computer you want to connect to.  This problem can occur if:

1) The remote computer is running a version of Windows that is earlier than Windows Vista.
2) The remote computer is configured to support only the RDP security layer.

Contact your network administrator or the owner of the remote computer for assistance.

Do you want to connect anyway?


I know that the remote server is good; it's in a memorized list of servers.  But it is Windows Server 2003 or Windows 2000 Server.  Although the prompt is correct, I don't want to have to acknowledge it over and over again.

Note (added later): The obvious answer, which a comment from Blandname alerted me to, is to do this per session: click on the Advanced tab in the Remote Desktop Connection tool and change the Authentication options to "Always connect, even if authentication fails".  If you create your own RDP file, you can set it with "authentication level:i:0".

If you want to set this at the server level or find out more about this setting, read on.

I did some digging using Process Monitor from www.sysinternals.com (recently acquired by Microsoft) and found that the mstsc process was checking for some particular keys in the registry.  Two of them seemed possible candidates and after testing I confirmed that AuthenticationLevelOverride is the key that applies to this situation.

The registry key is a DWORD value at \\HKCU\Software\Microsoft\Terminal Server Client\AuthenticationLevelOverride

I googled on AuthenticationLevelOverride and couldn't find very much information.  But one article had a fair bit of information: http://support.microsoft.com/kb/895433.  Here are the 3 possible values, at least in Windows Server 2003:

Set the authentication level value to one of the following values:

0 This value corresponds to "No authentication."
1 This value corresponds to "Require authentication."
2 This value corresponds to "Attempt authentication."

I experimented and found that 2 is the default now.  I tested the 3 modes and found that:

0 -> Doesn't prompt.  Yah!
1 -> Gives a similar message but doesn't allow me to continue.  This is the strictest.
2 -> Gives the message but allows me to accept and continue.

In my case, I don't even want the prompt so I set AuthenticationLevelOverride to 0 and I'm able to log into my Remote Desktop sessions without that extra prompt.

Warning: this is a decrease in security so should only be changed if you are aware of the what and why of this change. 

In summary, if you want to remove the Authentication check on Windows Vista that prompts you every time you connect to a pre-Vista machine, add a DWORD registry entry called AuthenticationLevelOverride in the \\HKLM\Software\Microsoft\Terminal Server Client\ key and ensure that its value is set to 0.
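
To see where this setting is already in effect on a client, the following audit reads the AuthenticationLevelOverride value and the "authentication level" line of saved .rdp files, and flags level 0. It is an added example, not code from the original post; the function names are hypothetical, and it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the original post): list the places where this client's
# RDP server-authentication level has been set, and flag level 0.
# Level meanings are the three values quoted in the post.
$Meaning = @{ 0 = 'No authentication'; 1 = 'Require authentication'; 2 = 'Attempt authentication' }

function New-Finding([string]$Source, [int]$Level) {
    [pscustomobject]@{
        Source  = $Source
        Level   = $Level
        Meaning = $Meaning[$Level]     # empty for a value the post does not list
        Relaxed = ($Level -eq 0)       # 0 connects without verifying the server
    }
}

function Get-RdpAuthOverride {
    # The post names both HKCU and HKLM for this value, so read both hives.
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $key  = "$hive\Software\Microsoft\Terminal Server Client"
        $prop = Get-ItemProperty -Path $key -Name AuthenticationLevelOverride -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            New-Finding -Source "$key\AuthenticationLevelOverride" -Level $prop.AuthenticationLevelOverride
        }
    }
}

function Get-RdpFileAuthLevel {
    param([Parameter(Mandatory)][string[]]$Path)
    # -Force includes hidden files, such as a saved Default.rdp.
    $files = Get-ChildItem -Path $Path -Filter *.rdp -File -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        $hit = Get-Content -LiteralPath $file.FullName |
            Select-String -Pattern '^\s*authentication level:i:(\d+)\s*$' |
            Select-Object -First 1
        if ($hit) {
            New-Finding -Source $file.FullName -Level ([int]$hit.Matches[0].Groups[1].Value)
        }
    }
}

# Audit the registry override and every .rdp file under the user profile.
@(Get-RdpAuthOverride) + @(Get-RdpFileAuthLevel -Path $env:USERPROFILE) |
    Sort-Object Relaxed -Descending |
    Format-Table -AutoSize
```

Rows with Relaxed set to True are the ones where the client will connect without verifying the server's identity.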

 

Comments

Dan Kahler said:

Nice pull, Scott - thanks!

# November 10, 2006 11:46 AM

alschy said:

nice tip - very annoying message

# November 12, 2006 8:24 AM

blandname said:

Hey Scott,

Good sleuthing tracking that down in the registry, but it's a simple mouseclick away!

Here's an overview of the RDP 6 client options:

http://blandname.com/2006/09/30/microsoft-rdp-6-client-screenshots/

The feature you are looking for is in the advanced tab, and you just need to tell it not to worry about the authentication, and save this as your default.rdp file.

When Windows Server Codename Longhorn goes gold we'll have Gateway Terminal Servers, and this will come in handy, but until then it's somewhat useless.

# November 13, 2006 2:38 PM

Adi said:

I am trying to connect to my office from home using Remote Desktop to either a Windows XP sp2 or a Windows server 2003.. but I can't with Vista...

The interesting thing is that I do the same connection all the time from a Windows XP w/sp2 and it connects just fine so I know everything is correct on the office side and my side, Vista has an issue here...

Vista refuses to even find the computers.. I have turned off all firewalls, etc...

Any idea?

The message I get is:

"Remote Desktop Disconnected"

"Remote Desktop cannot find the remote computer. Type the computer name or IP address again....etc"

I am using the IP address, same as I use it on Windows XP and it works..

This trick fixes the authentication error, mine is just different...

any suggestions?

Thanks

Adi

# November 20, 2006 1:11 PM

Jeremy said:

Great stuff! Thanks for the info!

# November 27, 2006 5:17 PM

Thomas said:

Thanks, got tired of that prompt as I use RD all day! First google-result for an obvious reason!

# November 28, 2006 5:39 AM

bassie` said:

Hey scott, good article, pingback from my site at http://www.tweakvista.eu/show_tweak.php?tweak=82

However RDP 6.0 is released on 29 nov 2006, a couple of days ago, which will support authentication so secured and no msg anymore...

Thanks !

Bassie`

# December 2, 2006 4:01 AM

Angela said:

Awesome -- thanks!  This was driving me nuts!  :)

# December 6, 2006 12:16 PM

OWScott said:

Hi blandname,

Thanks for the pointer!  I hadn't discovered that yet. . . right before my eyes.  I've updated the blog post to mention that and also the command to put in the RDP file directly.

# December 13, 2006 11:45 PM

OWScott said:

Hi Adi,

My guess is that it is your Windows or a 3rd party firewall.  Can you ping the server that you are trying to connect to?  My suggestion is to look at the settings for your firewall.  Windows has one and it's possible that you have a 3rd party firewall.  Make sure that it is allowing RDP/Remote Desktop (port 3389) through.

# December 13, 2006 11:47 PM

Gavin said:

Thanks so much for this! I was struggling to connect to my office over Christmas and it saved me going in.

# December 27, 2006 9:51 AM

Strobe said:

Adi:

You could have trouble using Remote Desktop depending on your versions of Win.

From the Windows help site:

* You cannot use Remote Desktop Connection to connect to computers running Windows Vista Starter, Windows Vista Home Basic, Windows Vista Home Basic N, or Windows Vista Home Premium, and you can only create outgoing connections from those editions of Windows Vista.

* You cannot use Remote Desktop Connection to connect to computers running Windows XP Home Edition.

# January 1, 2007 9:00 PM

David Tessler said:

I have noticed that the new RDC does not allow you to enter the Domain Name, which is a source of great frustration for me. Is this the case, or can someone point out where to set this?

My client adds the address as the domain when logging in. I need to log into the local domain name, not the server's IP.

# January 6, 2007 9:30 AM

Justin said:

Hi all !

Sorry for asking you, knowing that this is a very specific issue that you are referring to, but you also seem to know very much about RDP, that's why I would like to know your point of view with something that is happening to me:

I have a virtual dedicated server that accepts remote desktop connections with no problem, but I need to install an application that when the installation process starts pops a message telling me that it cannot install via remote desktop, that it has to be console mode.

So when I try to connect using:

mstsc -v:xxx.xxx.xxx.xxx -console    

the connection process starts, the win 2003 server login screen opens up, I type my username and password (administrator credential), the server attempts to authenticate, then the screen just goes away, disappears, without any message or warning (like "you're not allowed to login", or any other message) telling me what the problem is.

So I have no clue as why I can log in with remote desktop, but can't access in console mode and no error message or warning at all.

Suggestions?

Thanks!

# January 6, 2007 12:17 PM

fursati said:

hi scott, i need sm help regarding remote desktop. i was trying to do a voice chat through remote desktop when i found that the machine i m connecting to, can't accept audio inputs from my microphone on local machine. if i connect to a machine through remote desktop, then i can hear all songs that i play on the remote machine. but if i want to use my mic also, it won't accept. can u help me out in here please. my requirement is that my chat s/w is running on a remote machine and sitting in my room i have to do voice chat. remote desktop is not working and i can't find neo ther VNC s.w either for the job.

please help me out.

thanks,

champu

# January 17, 2007 12:08 PM

OWScott said:

Hi David,

Do you mean that you are using a domain name instead of the IP address, but it's not allowing you to do this to connect to a Vista or Longhorn machine?  That shouldn't be a problem.  If you ping the domain name from your computer, are you sure that it resolves to the correct IP address?

# February 3, 2007 2:59 PM

OWScott said:

Hi Justin,

Good question.  What you have there should work.  My suggestion to troubleshoot is to log back in using the non-console (since you can get in) and check Event Viewer.  Hopefully something was logged there that should give you a clue to the issue.

# February 3, 2007 3:03 PM

OWScott said:

Hi Champu,

If you go to the Remote Desktop client tool and the Local Resources tab, at the bottom you can select the Local devices and resources and click More.  In there, it will let you select some of your applications.  If your microphone is a plug and play device, it will let it be shared through RDP.  That may do the trick.

# February 3, 2007 3:10 PM

Davor said:

When to use the “enablecredsspsupport:i:0” RDP file option.

Several other forums on the internet have suggested placing “enablecredsspsupport:i:0” in the RDP file used by the Remote Desktop client.

Answer: This option does disable the new credential prompting behavior, but it also disables support for Network Level Authentication for Vista (and Longhorn Server) RDP connections; Network Level Authentication requires credentials to be provided by the client before a session is created on the server side.

This option is meant for dealing with unexpected failures on connections using Network Level Authentication.

We strongly recommend users avoid using this flag unless none of the other fixes described in this post work and no other alternative is available.  If this setting is used try to limit its scope as much as possible by using it only in those RDP files meant for connections to specific servers (i.e. avoid setting it in your Default.rdp file).

Deploying this configuration option widely will cause hard to diagnose issues when connecting to Vista and Longhorn Server computers that require Network Level Authentication.

Published Monday, January 22, 2007 6:51 PM by termserv

Filed under: TS Client, Authentication, Author: Zardosht Kasheff

reference: http://blogs.msdn.com/ts/archive/2007/01/22/vista-remote-desktop-connection-authentication-faq.aspx#_When_to_use

# February 15, 2007 5:37 PM

Nick said:

I know this is a little off topic, but I need some help.  We do not have a whole lot of experience with Vista where I work, so I have no one to ask.  I am using Windows Vista Business at home.  I have set up a VPN to my work network and I am trying to Remote Desktop my PC in my office running XP Pro SP2.  I seem to be having a couple of issues.

1: When I connect to the VPN, it seems to disconnect my internet activity, like it is making that my primary connection to the internet.

2: It is not allowing the Remote Desktop session.  When I was using XP Pro SP2 from home it worked without any issues.

Any help is greatly appreciated.

# March 8, 2007 8:42 AM

Matt said:

Excellent post, many thanks.

# March 22, 2007 3:06 AM

Chad said:

I have had this message with the remote desktop client when connecting from my vista home premium machine back to my xp machine.  It's not the message itself that bothers me because it allows me to continue, BUT when I connect I get two mouse pointers and they don't always line up with each other. There's noticeable lag and this is very disconcerting.

Connecting to my other vista machine this is not an issue at all.

Any ideas or suggestions?

Chad

# April 18, 2007 10:02 PM

pgrasha said:

Awesome, thanks!

# June 1, 2007 1:08 PM

m42 said:

Just my 2c: If you happen to have the reg key active (no matter with what value), you simply can't modify the authentication option on the "Advanced" tab. It's greyed out, so you must delete that reg key for the options to be active.

# June 8, 2007 10:03 AM

treaschf said:

This was really helpful, thanks. :)

# June 28, 2007 4:07 AM

TK said:

Very helpful! I've searched for this quite a while now. Thank you!

# July 5, 2007 3:53 AM

Matt said:

This may be a little off the topic but it's about a mic - whenever I plugged in my mic to my laptop with vista on, a prompt came up, I clicked microphone every time, then the other day, to stop this question, I clicked mic then clicked 'don't ask again' I assumed that it would proceed to recognise the mic but on the contrary I am no longer prompted but the mic seems to no longer be recognised as anything and fails to work - any ideas, I thought it would be a simple control panel setting but can't find anything.

I would appreciate any insight you can offer.

Matt

# July 12, 2007 7:42 AM

Peter said:

Hello All. I have a problem that I hope you can help me with. I am trying to use an audio chat program on my remote computer but the remote system can't access the built in microphone on the laptop that I am using to connect. The laptop is running Vista Home Premium and the server is running XP.

# July 12, 2007 3:29 PM

david said:

AMAZING!!! Exactly what I was looking for!!!!

# July 13, 2007 8:54 PM

AuthenticationLevelOverride - Vista x64 Forums said:

Pingback from  AuthenticationLevelOverride - Vista x64 Forums

# July 13, 2007 9:22 PM

Generating RDP Files using VBSCRIPT « telnet 127.0.0.1 25 said:

Pingback from  Generating RDP Files using VBSCRIPT « telnet 127.0.0.1 25

# July 25, 2007 4:10 PM

Rob said:

I am using Remote Desktop from Vista Home Premium to XP Pro, Server 2003 and Server 2003 SBS, and in all cases even though I check "allow access to the local disk drives", it does not allow access to local disk drives. Also it will not let me use a smartcard on the Vista PC with an application on the XP pro machine.

# July 30, 2007 6:23 AM

mds32767 said:

Rob: Drive mapping may be restricted via Group Policy

# July 31, 2007 6:12 PM

Terminal Server Client annoyances | RemkoWeijnen.nl said:

Pingback from  Terminal Server Client annoyances | RemkoWeijnen.nl

# November 9, 2007 2:41 PM

vista desktop error said:

Pingback from  vista desktop error

# June 23, 2008 3:53 AM