question

BrianHart-9063 asked TomRicca-2161 answered

Remote Desktop Gateway credential repeatedly deleted

I have been running RD Gateway connections to multiple clients for years. I always check the box to save credentials, and there has always been a persistent entry for gateway.MyCustomerDomain.com in Windows Credentials. I upgraded from Windows 7 to Windows 10 last week, and the saved credentials continued to work until there was a network interruption--and then it deleted those credentials.

I live in a rural area and lose my connection periodically when DSL renegotiates an IP address or otherwise has a hiccup. Things have always reconnected smoothly, though, until a couple of days ago.

Now, as soon as I am disconnected, the system still attempts to auto-reconnect, but if that fails because the connection is out long enough for it to time out, the next time I try to log on, the RD Gateway prompts me for credentials--with no option to save them. This has happened a half-dozen times since my upgrade to Windows 10 (and all post-upgrade updates) last week.

So I went directly into the credential manager, and entered the gateway address and credentials. That worked for a day; I was no longer prompted for RDG credentials. But upon the next interrupted network connection, it again deleted the entry.

What in the world is auto-deleting credentials here? That should never happen. How can I prevent those credentials from being deleted like this?

remote-desktop-client

Maybe I have a clue, though. The other RDG credentials for my other clients show Persistence: Local Computer, but this one shows Persistence: Enterprise. My computer is not a member of the client's domain.

Do I possibly need to find some way to change persistence to Local Computer? If so, how? I just have a feeling that the change from Windows 7 to 10 may have complicated my RD world.

JennyYan-MSFT answered

Hi,
1. "the other RDG credentials for my other clients show Persistence: Local Computer, but this one shows Persistence: Enterprise"
Could you please share a screenshot of the mentioned properties? Please also confirm how you started the remote connection with RD Gateway.

2. Please also check whether the "RD Gateway authentication method" has been configured properly.
User Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Gateway

Set RD Gateway authentication method: Enabled
Use locally logged-on credentials

You should see something like this screenshot when you open Advanced in mstsc, if the GPO has been applied successfully.
64403-image.png

3. Please also confirm whether other credentials work well; otherwise, check the suggestion below for Credential Manager not saving passwords.
https://social.technet.microsoft.com/Forums/azure/en-US/4cd4b767-416d-4268-aae9-a891f50e591d/credential-manager-wont-store-password-after-reboot?forum=w7itproui


Hope this helps and please help to accept as Answer if the response is useful.

Thanks,
Jenny



BrianHart-9063 answered

I should have clarified that I have been managing small business corporate networks for the last 20+ years, including Active Directory domains and Remote Desktop (including Gateway) as those features became available. So my computer is not a member of any of my clients' AD domains to which I am connecting, and I must use credentials of an AD account on the target domain (an account that I created but that does not exist on my computer). I have no option to use currently logged-on credentials, only "Ask for password", "Allow me to select later", and "Smart Card or Windows Hello for Business". I have always used "Ask for password" for all my clients. See attached screenshot of how they look.

64289-rdg.png

The problem is not that the credential manager does not save passwords. It has been saving them for years. The credentials for each of the several RDGs at different domains were saved when I first logged onto the RD station via the RDG, some of them years ago. I was prompted for RDG credentials, I entered them, they were saved, and I have never had to enter them again. They all continued to work even after my upgrade from Windows 7 to Windows 10. And all the previously-saved ones indicate "Persistence: Local computer" in my Credential Manager.

64416-windowscredential.png

The problem began when I had a short internet outage that caused me to lose an open RDG connection after my Windows 7→10 upgrade. When I attempted to reconnect to that particular RDG, I was prompted to enter RDG credentials, with no option to save. I entered the credentials and connected.

But that made me curious, and I went here: Control Panel → User Accounts → Manage Your Credentials → Windows Credentials. For the record, I have never had to go here in all the years I used Windows 7 to manage these RDG connections; as noted above, I just ticked the box to save the password when I logged in the first time, and I never had to enter them again.

But this time, I could see that the particular domain RDG was no longer there, whereas the other domain RDGs were still there. So I added the missing one manually here. That is when I saw that the others all say Persistence: Local computer, but the newly-manually-recreated one shows Persistence: Enterprise. Then I have had inconsistent results the last couple of days. Sometimes, the saved credential allows me to connect to a computer/server behind the RDG without a problem, and sometimes I am prompted--and then find that the credential is once again missing from the Credential Manager.

So I tested my theory with one of my other clients. I had existing RDG credentials stored that looked like this:

Internet or network address: gateway.Client#1Domain.com
User name: MyClientADDomain\MyClientADUsername
Password: ** (password of AD user above)
Persistence: Local computer

I was connecting simply by double-clicking my .rdp file that also has a TERMSRV/ADComputerName credential saved for the AD workstation logon behind the RDG. I then deleted the credential for this domain. On next connection attempt, I was prompted for RDG credentials. After supplying them (no option to save), I was connected. I logged back off, then went and added it manually as above, except that Windows 10 automatically set Persistence: to Enterprise instead of Local computer. Next logon worked without asking for credentials, but after logoff, Windows deleted the just-entered saved credentials.

How do I get back my pre-Windows 10 ability to store domain-based RDG credentials on my non-domain computer? This is fairly critical, since I log on and off these systems all day every day, and it has already taken me several hours of lost work time just trying to troubleshoot this and get it working properly again.



JiaYou-MSFT answered JiaYou-MSFT edited

Hi,
1. Did you try to use the "StoredCredential"-related PowerShell commands to change the "persist" type from Enterprise to LocalMachine?
We need to run PowerShell as admin and enter the PowerShell commands below.
For example:
(1)
Install-Module -Name CredentialManager
(2)
New-StoredCredential -Target Test -UserName u1 -Password u123456! -Comment "test" -Persist localmachine
The result looks like the picture below.

65119-9.png



BrianHart-9063 answered

I did try many different permutations of New-StoredCredential in PowerShell for several different servers, using both LocalComputer & Enterprise persistence. There is no difference; in each case, the newly-created credential does not allow me to log onto the Remote Desktop Gateway without manually entering my credentials at connection time, and the credential entered through PowerShell does not show up in the Credential Manager.

I thought at first that it was simply failing to create the new credential, so I ran Remove-StoredCredential. That gave no error message, so I ran it again, and this time it notified me that I was trying to remove a nonexistent credential.

So I know three things regarding creating credentials via PowerShell:
1. It does save credentials somewhere
2. They do not work to avoid realtime manual entry
3. They do not show up in the Credential Manager



The only way I can get this to work is to add the credential manually in the Credential Manager, and that is always Enterprise persistence. Then the credentials work, allowing me to log on via RD Gateway without entering credentials, but the credentials are being auto-deleted under some circumstance; I think it may be when I lose my connection due to internet interruption.

I never had a credential be automatically deleted in the five or six years I have been using this computer on Windows 7; it is only upon upgrade to Windows 10 that this became a problem, and the problem appeared within two or three days of the time I upgraded. I have noticed before that at least some of my clients' various Windows 10 computers do not offer to save RD Gateway credentials when entered while connecting, but I have never tried to figure out why, and I am not sure if it is all or just some of them.

But I desperately need this to work correctly; I am losing too much work time trying to fix this, and it interferes heavily with my ability to do tech support for my clients when they call by slowing me down as I have to look up and re-enter credentials.






BrianHart-9063 answered

Well, at least I have a bit more information now. I had been using .rdp files that were in existence from when this computer was a Windows 7 computer before upgrading to Windows 10. I started from scratch by running mstsc, then entering all the information. Oddly enough, it seemed that my RD Gateway credentials were still stored, and I eventually found another RD Gateway credential, along with a few others, under "Generic Credentials" when I scrolled down past my 100+ Windows Credentials to the Generic Credentials section. This one was marked persistence Local computer, not Enterprise.

After some further experimentation, including comparing old & new .rdp files in a text editor, I found two things:

  1. RDP continued to recognize stored RD Gateway credentials even after Advanced → Settings and deleting the RD Gateway credentials until I deleted the Generic credential. Then Advanced → Settings showed no saved RD Gateway credentials. I still got no checkbox to save RD Gateway credentials, but when I re-entered them as Generic Credentials, I can at least connect without any prompt. It remains to be seen whether this credential also will be auto-deleted.

  2. The old .rdp file stores a line item with the RD workstation/server name, but the new one does not, and when I edited a copy of the old .rdp file to remove this, then it worked without prompting. The RD server credentials are stored in their own TERMSRV/ServerName generic credential.

I am not yet confident that I have found the complete answer, but I may have a workaround that will work for me by re-creating all my .rdp files manually in Windows 10.

However, the biggest question on behalf of my users still remains: why, unlike Windows 7, are they not presented with a checkbox to save RD Gateway credentials in Windows 10? If that is just Windows 10 behavior by design, it is a bad idea, but at least I can quit trying to fix it. If it takes some complex GPO, that is also a bad idea, since I have to explain this to 50+ remote users that all use RD Gateway connections from their non-domain home computers to office computers.

that the old .rdp file stores the



JennyYan-MSFT answered JennyYan-MSFT edited

Hi,
It seems that users are not allowed to change the persistence of a credential because it is related to account security. But per searching, someone suggested creating new credentials with the chosen persistence.

https://serverfault.com/questions/920048/change-persistence-type-of-windows-credentials-from-enterprise-to-local-compu

Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.


Hope this helps and please help to accept as Answer if the response is useful.

Thanks,
Jenny

BrianHart-9063 answered TomRicca-2161 commented

That did not allow me to create Local computer credentials. It has now been almost three weeks since I first looked at all of this, and nothing allowed me to create Local computer credentials.

But the big question is this: what, very specifically, changed from Windows 7 to Windows 10? As I noted, I had been using the same saved credentials for some years, and two days after upgrading to Windows 10, Windows began deleting the credentials intermittently. For sure, the credentials are deleted if I lose my connection. I have a somewhat unstable DSL home/office connection, and perhaps once every day or two, I lost all my RD connections. Upon reconnect to at least a couple of the servers, I am prompted--with no option to save password--for the Remote Desktop Gateway username & password.

So I have no proof that this is even about persistence. It just seems that nobody--Microsoft included--understands what they have done to Windows in this regard. For the record, I have many clients that have the same problem; I set them up to work remotely, and they are prompted for RD Gateway credentials (but not the remote computer--those credentials are correctly saved) at each logon.

I seem to have to do something like this: after being prompted for RD Gateway credentials, enter them and log in. While logged in, go to the Credential Manager and manually add a Generic credential. It seems inconsistent, though.

Here should be a big clue: when I go to Advanced → Settings and click "delete" to delete the RD Gateway credentials, nothing happens. It used to immediately switch to user name "None specified" and offer the option to "use my RD Gateway credentials for the remote computer". But now it just keeps the logon settings. That has got to be some sort of bug. In fact, when I deleted the credential for one of my clients' RDG servers, the screen did not change, but when I then tried to connect, it brought up as a suggestion the username from a different client's RD Gateway server.

So I need specific information on exactly where in the registry or system this information is stored.


I believe I am having the same issue. Normally we do not recommend the users save their credentials, but we are deploying RemoteApps for certain customers and saving the credentials is the best option. We add them via the Control Panel RemoteApp section. We save the credentials and within a few days they no longer work and the user is prompted. They are still in the credential manager though. It seems when first set up there are 2 entries: TERMSRV/sub.domain.com and sub.domain.com. After the issue starts the sub.domain.com entry is gone but the TERMSRV remains. Removing and re-setting up the RemoteApp works for the same period of time and the issue starts all over. I can't find anything out there about this issue. All of the credentials are set to Local Computer though, not Enterprise.

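To pin down which entry disappears and when (the gateway entry versus the TERMSRV/ entry, as described in the posts above), one approach is to snapshot the output of `cmdkey /list` and compare it after the next dropped connection. The PowerShell below is an added example, not code from any poster in this thread; the function names are hypothetical, the sample output is constructed, and the parser assumes English-language `cmdkey /list` output with `Target:`, `Type:` and `User:` lines plus an optional free-text persistence line.

```powershell
# Added example: parse `cmdkey /list` text into objects and report entries that
# vanished between two snapshots. cmdkey never prints passwords.
function ConvertFrom-CmdkeyList {
    param([string[]]$Lines)
    $entry = $null
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^Target:\s*(.+)$') {
            if ($null -ne $entry) { [pscustomobject]$entry }   # emit previous block
            $entry = [ordered]@{ Target = $Matches[1]; Type = ''; User = ''; Persistence = '' }
        }
        elseif ($null -eq $entry -or $t -eq '') { continue }   # header or blank separator
        elseif ($t -match '^Type:\s*(.+)$') { $entry.Type = $Matches[1] }
        elseif ($t -match '^User:\s*(.+)$') { $entry.User = $Matches[1] }
        else { $entry.Persistence = $t }                       # free-text persistence line
    }
    if ($null -ne $entry) { [pscustomobject]$entry }
}

function Compare-CredentialSnapshot {
    param($Before, $After)
    $still = @($After | ForEach-Object { $_.Target })
    $Before | Where-Object { $still -notcontains $_.Target }
}

# Constructed sample (not captured from a real machine): before and after a dropped link.
$before = ConvertFrom-CmdkeyList -Lines @(
    'Currently stored credentials:', '',
    '    Target: LegacyGeneric:target=gateway.example.com',
    '    Type: Generic',
    '    User: EXAMPLE\user1',
    '    Local machine persistence', '',
    '    Target: Domain:target=TERMSRV/pc01',
    '    Type: Domain Password',
    '    User: EXAMPLE\user1')
$after = ConvertFrom-CmdkeyList -Lines @(
    'Currently stored credentials:', '',
    '    Target: Domain:target=TERMSRV/pc01',
    '    Type: Domain Password',
    '    User: EXAMPLE\user1')

Compare-CredentialSnapshot -Before $before -After $after |
    Format-Table Target, Type, User, Persistence -AutoSize

# Live use: snapshot now, compare after the next prompt for gateway credentials.
# ConvertFrom-CmdkeyList (cmdkey /list) | Export-Clixml "$env:TEMP\cred-before.xml"
# Compare-CredentialSnapshot (Import-Clixml "$env:TEMP\cred-before.xml") (ConvertFrom-CmdkeyList (cmdkey /list))
```

With the constructed sample, the only row reported is the gateway entry, which is the pattern the last comment describes (gateway entry gone, TERMSRV entry still present).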