Vista and RDP6.0's Remote Desktop Prompt
I use Remote Desktop Client dozens of times per day to administer remote servers. With Windows Vista, I get an ugly prompt when connecting to Windows Server 2003 and Windows 2000 Server machines saying:
Remote Desktop cannot verify the identity of the computer you want to connect to. This problem can occur if:
1) The remote computer is running a version of Windows that is earlier than Windows Vista.
2) The remote computer is configured to support only the RDP security layer.
Contact your network administrator or the owner of the remote computer for assistance.
Do you want to connect anyway?
I know that the remote server is good; it's in a memorized list of servers. But it is Windows Server 2003 or Windows 2000 Server. Although the prompt is correct, I don't want to have to acknowledge that prompt over and over again.
Note: (added later) The obvious answer, which a comment from Blandname alerted me to, is to do this per session: click on the Advanced tab in the Remote Desktop Connection tool and change the Authentication options to "Always connect, even if authentication fails". If you create your own RDP file, you can set it with "authentication level:i:0".
If you want to set this at the server level or find out more about this setting, read on.
I did some digging using Process Monitor from www.sysinternals.com (recently acquired by Microsoft) and found that the mstsc process was checking for some particular keys in the registry. Two of them seemed possible candidates and after testing I confirmed that AuthenticationLevelOverride is the key that applies to this situation.
The registry key is a DWORD value at \\HKCU\Software\Microsoft\Terminal Server Client\AuthenticationLevelOverride
I googled on AuthenticationLevelOverride and couldn't find very much information. But one article had a fair bit of information: http://support.microsoft.com/kb/895433. Here are the 3 possible values, at least in Windows Server 2003:
Set the authentication level value to one of the following values:
• 0: This value corresponds to "No authentication."
• 1: This value corresponds to "Require authentication."
• 2: This value corresponds to "Attempt authentication."
I experimented and found that 2 is the default now. I tested the 3 modes and found that:
0 -> Doesn't prompt. Yah!
1 -> Gives a similar message but doesn't allow me to continue. This is the strictest.
2 -> Gives the message but allows me to accept and continue.
In my case, I don't even want the prompt so I set AuthenticationLevelOverride to 0 and I'm able to log into my Remote Desktop sessions without that extra prompt.
Warning: this is a decrease in security so should only be changed if you are aware of the what and why of this change.
In summary, if you want to remove the Authentication check on Windows Vista that prompts you every time you connect to a pre-Vista machine, add a DWORD registry entry called AuthenticationLevelOverride in the \\HKLM\Software\Microsoft\Terminal Server Client\ key and ensure that its value is set to 0.
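To see where this check has been relaxed on a workstation, the following PowerShell audit reports the AuthenticationLevelOverride value in both hives named above and any .rdp file that sets "authentication level". It is an added example, not part of the original post; the function names and the default folders searched are assumptions, and the value meanings are the ones listed in this article.

```powershell
# Added audit example. Value meanings are those listed in the article.
$Meaning = @{
    0 = 'No authentication: connects without prompting'
    1 = 'Require authentication: refuses to connect on failure'
    2 = 'Attempt authentication: prompts, user may continue'
}

function Get-RdpAuthOverride {
    # The article names both HKCU and HKLM, so report each hive separately.
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $key  = "${hive}\Software\Microsoft\Terminal Server Client"
        $item = Get-ItemProperty -Path $key -Name AuthenticationLevelOverride `
                    -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $v = [int]$item.AuthenticationLevelOverride
            [pscustomobject]@{ Source = $key; Level = $v; Meaning = $Meaning[$v] }
        }
    }
}

function Find-RdpFileAuthLevel {
    # Default search folders are an assumption; pass -Path to look elsewhere.
    param(
        [string[]]$Path = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Desktop")
    )
    # -Force includes hidden files such as Default.rdp.
    Get-ChildItem -Path $Path -Filter *.rdp -Recurse -File -Force `
            -ErrorAction SilentlyContinue |
        Select-String -Pattern '^\s*authentication level:i:(\d+)' |
        ForEach-Object {
            $v = [int]$_.Matches[0].Groups[1].Value
            [pscustomobject]@{ Source = $_.Path; Level = $v; Meaning = $Meaning[$v] }
        }
}

# List every place the setting is defined, weakest (0) first.
& { Get-RdpAuthOverride; Find-RdpFileAuthLevel } |
    Sort-Object Level |
    Format-Table -AutoSize -Wrap
```

No output means neither the registry value nor an .rdp override is present, so the client is using its default behaviour.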