Vista and RDP6.0's Remote Desktop Prompt

I use Remote Desktop Client dozens of times per day to administer remote servers.  With Windows Vista, I get an ugly prompt when connecting to Windows Server 2003 and Windows 2000 Server machines saying:


Remote Desktop cannot verify the identity of the computer you want to connect to.  This problem can occur if:

1) The remote computer is running a version of Windows that is earlier than Windows Vista.
2) The remote computer is configured to support only the RDP security layer.

Contact your network administrator or the owner of the remote computer for assistance.

Do you want to connect anyway?


I know that the remote server is good; it's in a memorized list of servers. But it is Windows Server 2003 or Windows 2000 Server. Although the prompt is correct, I don't want to have to acknowledge it over and over again.

Note (added later): The obvious answer, which a comment from Blandname alerted me to, is to do this per session: click on the Advanced tab in the Remote Desktop Connection tool and change the Authentication options to "Always connect, even if authentication fails". If you create your own RDP file, you can set it with "authentication level:i:0".

If you want to set this at the server level or find out more about this setting, read on.

I did some digging using Process Monitor from www.sysinternals.com (recently acquired by Microsoft) and found that the mstsc process was checking for some particular values in the registry. Two of them seemed possible candidates, and after testing I confirmed that AuthenticationLevelOverride is the one that applies to this situation.

The setting is a DWORD value at HKCU\Software\Microsoft\Terminal Server Client\AuthenticationLevelOverride

I googled on AuthenticationLevelOverride and couldn't find very much information.  But one article had a fair bit of information: http://support.microsoft.com/kb/895433.  Here are the 3 possible values, at least in Windows Server 2003:

Set the authentication level value to one of the following values:

0 This value corresponds to "No authentication."
1 This value corresponds to "Require authentication."
2 This value corresponds to "Attempt authentication."

I experimented and found that 2 is the default now.  I tested the 3 modes and found that:

0 -> Doesn't prompt.  Yah!
1 -> Gives a similar message but doesn't allow me to continue.  This is the strictest.
2 -> Gives the message but allows me to accept and continue.

In my case, I don't even want the prompt so I set AuthenticationLevelOverride to 0 and I'm able to log into my Remote Desktop sessions without that extra prompt.

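Warning: setting this to 0 is a decrease in security, because the client then connects without verifying the identity of the remote computer. Only change it if you understand what the change does and why you are making it.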

In summary, if you want to remove the Authentication check on Windows Vista that prompts you every time you connect to a pre-Vista machine, add a DWORD registry entry called AuthenticationLevelOverride in the HKLM\Software\Microsoft\Terminal Server Client\ key and ensure that its value is set to 0.
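To see where this check has been relaxed on a client, the following audit script reads AuthenticationLevelOverride from both hives mentioned above and searches saved .rdp files for an "authentication level" line. It is an added example, not part of the original post; the function names (New-Finding, Get-RdpAuthOverride, Find-RdpFileAuthLevel) are hypothetical, and the default search root (the Documents folder) is an assumption.

```powershell
# Added example: report where RDP server authentication has been relaxed on this client.
# Registry paths, value name and level meanings are the ones given in the post.
$Levels = @{ 0 = 'No authentication'; 1 = 'Require authentication'; 2 = 'Attempt authentication' }

function New-Finding([string]$Source, [int]$Level) {
    # Hypothetical helper: one row per place the level is set.
    $meaning = 'Unknown value'
    if ($Levels.ContainsKey($Level)) { $meaning = $Levels[$Level] }
    [pscustomobject]@{ Level = $Level; Meaning = $meaning; Weak = ($Level -eq 0); Source = $Source }
}

function Get-RdpAuthOverride {
    # Look in both hives the post mentions (per-user and per-machine).
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $key  = "$hive\Software\Microsoft\Terminal Server Client"
        $prop = Get-ItemProperty -Path $key -Name AuthenticationLevelOverride -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            New-Finding -Source "$key\AuthenticationLevelOverride" -Level $prop.AuthenticationLevelOverride
        }
    }
}

function Find-RdpFileAuthLevel {
    # Assumption: saved .rdp files live under the Documents folder; pass -Root to look elsewhere.
    # -Force includes hidden files such as Default.rdp.
    param([string]$Root = [Environment]::GetFolderPath('MyDocuments'))
    Get-ChildItem -Path $Root -Filter *.rdp -Recurse -Force -ErrorAction SilentlyContinue |
        Select-String -Pattern '^\s*authentication level:i:(\d+)\s*$' |
        ForEach-Object { New-Finding -Source $_.Path -Level $_.Matches[0].Groups[1].Value }
}

# Weakest settings first; Level 0 rows are the ones that suppress the identity warning.
@(Get-RdpAuthOverride) + @(Find-RdpFileAuthLevel) | Sort-Object Level | Format-Table -AutoSize
```

Rows with Weak = True are the places where a connection proceeds without the server identity check; an empty result means neither the registry override nor a per-file setting is present.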

 

21 Comments

  • Nice pull, Scott - thanks!

  • nice tip - very annoying message

  • Great stuff! Thanks for the info!

  • Thanks, got tired of that prompt as I use RD all day! First google-result for an obvious reason!

  • Awesome -- thanks! This was driving me nuts! :)

  • Hi blandname,

    Thanks for the pointer! I hadn't discovered that yet. . . right before my eyes. I've updated the blog post to mention that and also the command to put in the RDP file directly.

  • Hi Adi,

    My guess is that it is your Windows or a 3rd party firewall. Can you ping the server that you are trying to connect to? My suggestion is to look at the settings for your firewall. Windows has one and it's possible that you have a 3rd party firewall. Make sure that it is allowing RDP/Remote Desktop (port 3389) through.

  • Adi:

    You could have trouble using Remote Desktop depending on your versions of Win.

    From the Windows help site:
    * You cannot use Remote Desktop Connection to connect to computers running Windows Vista Starter, Windows Vista Home Basic, Windows Vista Home Basic N, or Windows Vista Home Premium, and you can only create outgoing connections from those editions of Windows Vista.
    * You cannot use Remote Desktop Connection to connect to computers running Windows XP Home Edition.

  • I have noticed that the new RDC does not allow you to enter the Domain Name, which is a source of great frustration for me. Is this the case, or can someone point out where to set this?

    My client adds the address as the domain when logging in. I need to log into the local domain name, not the server's IP.

  • Hi Scott, I need some help regarding Remote Desktop. I was trying to do a voice chat through Remote Desktop when I found that the machine I'm connecting to can't accept audio inputs from my microphone on the local machine. If I connect to a machine through Remote Desktop, then I can hear all songs that I play on the remote machine. But if I want to use my mic also, it won't accept. Can you help me out here please? My requirement is that my chat s/w is running on a remote machine and, sitting in my room, I have to do voice chat. Remote Desktop is not working and I can't find neo ther VNC s/w either for the job.
    please help me out.
    thanks,
    champu

  • Hi David,

    Do you mean that you are using a domain name instead of the IP address, but it's not allowing you to do this to connect to a Vista or Longhorn machine? That shouldn't be a problem. If you ping the domain name from your computer, are you sure that it resolves to the correct IP address?

  • Hi Justin,

    Good question. What you have there should work. My suggestion to troubleshoot is to log back in using the non-console (since you can get in) and check Event Viewer. Hopefully something was logged there that should give you a clue to the issue.

  • Hi Champu,

    If you go to the Remote Desktop client tool and the Local Resources tab, at the bottom you can select the Local devices and resources and click More. In there, it will let you select some of your applications. If your microphone is a plug and play device, it will let it be shared through RDP. That may do the trick.

  • I know this is a little off topic, but I need some help. We do not have a whole lot of experience with Vista where I work, so I have no one to ask. I am using Windows Vista Business at home. I have set up a VPN to my work network and I am trying to Remote Desktop my PC in my office running XP Pro SP2. I seem to be having a couple of issues.

    1: When I connect to the VPN, it seems to disconnect my internet activity, like it is making that my primary connection to the internet.

    2: It is not allowing the Remote Desktop session. When I was using XP Pro SP2 from home it worked without any issues.

    Any help is greatly appreciated.

  • Excellent post, many thanks.

  • Just my 2c: If you happen to have the reg key active (no matter with what value), you simply can't modify the authentication option on the "Advanced" tab. It's greyed out, so you must delete that reg key for the options to be active.

  • Very helpful! I've searched for this quite a while now. Thank you!

  • Hello All. I have a problem that I hope you can help me with. I am trying to use an audio chat program on my remote computer but the remote system can't access the built-in microphone on the laptop that I am using to connect. The laptop is running Vista Home Premium and the server is running XP.

  • AMAZING!!! Exactly what I was looking for!!!!

  • I am using Remote Desktop from Vista Home Premium to XP Pro, Server 2003 and Server 2003 SBS, and in all cases even though I check "allow access to the local disk drives", it does not allow access to local disk drives. Also it will not let me use a smartcard on the Vista PC with an application on the XP Pro machine.

  • Rob: Drive mapping may be restricted via Group Policy
