Terminal Service client not using saved credentials

I have had this problem for quite a while now, and it finally bothered me enough to go and search for a solution...

I use TS client to connect with smartcard from my home Vista machine to various machines at work through a Terminal Services Gateway.

When I connect to Windows 2003 or Longhorn machines I only need to enter my smartcard PIN, and that is enough to authenticate me. However, when connecting to my alinc02 Vista machine, things are not that smooth. On this machine TS asks for my smartcard PIN and then fails with the following message: "Your credentials did not work. Your system administrator does not allow the use of saved credentials to log on to the remote computer because its identity is not fully verified. Please enter new credentials."

'Your credentials did not work. Your system administrator does not allow the use of saved credentials to log on to the remote computer' error message

Of course, after typing my domain user name and password the connection succeeded, but why was this dialog necessary?

I've searched the net for the exact error message but I could not find a solution. So I ended up asking the experts...

It turned out that my issue was described in this article from the Terminal Services Team Blog, under Scenario 1 (Problems using saved credentials with Vista RDP clients - Connecting from home to a TS server through a TS Gateway server). A solution was proposed there as well. However, since I was connecting to a Vista machine, I could not use the recommended solution: tsconfig.msc is only available on servers, and I could not get the applet to work on my Vista machine after copying it over from a Longhorn machine.

Fortunately there is a workaround that alters the TS settings on the client side (it is less secure than using a certificate on the server for server authentication). In Vista, the Credential Security Support Provider protocol (CredSSP) adds a couple of group policy settings, which are described in detail on the MSDN CredSSP group policy settings page.

What I needed to do was:

1. Log on to your local machine as an administrator.
2. Start Group Policy Editor - "gpedit.msc" and accept the UAC prompt.
3. Navigate to "Computer Configuration\Administrative Templates\System\Credentials Delegation".
4. Double-click the "Allow Saved Credentials with NTLM-only Server Authentication" policy.
5. Enable the policy and then click on the "Show" button to get to the server list.
6. Add "TERMSRV/<server name>" to the server list; in my case TERMSRV/alinc02.redmond.corp.microsoft.com. One wildcard (*) per name is allowed; for example, to enable the setting for all servers in the "microsoft.com" domain you can type "TERMSRV/*.microsoft.com".
7. Confirm the changes by clicking on the "OK" button until you return back to the main Group Policy Object Editor dialog.
8. At a command prompt, run "gpupdate" to force the policy to be refreshed immediately on the local machine (although in my case the change took effect on its own after a while).

Modify the 'Allow Saved Credentials with NTLM-only Server Authentication' TS Client group policy
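As an added example (not from the original post), the same allow-list expressed as a PowerShell audit/set script against the registry-backed location of this policy, with the check I would want before enabling a setting that weakens server authentication: it refuses catch-all entries such as TERMSRV/* while still permitting the single-wildcard form the post describes. The registry path and value names are my assumption of what the Credentials Delegation template writes; confirm them against gpedit.msc on your system, and run it from an elevated prompt.

```powershell
# Added example, not the post's own procedure. Assumed registry-backed location of the
# "Allow Saved Credentials with NTLM-only Server Authentication" CredSSP policy.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$list = Join-Path $base 'AllowSavedCredentialsWhenNTLMOnly'

function Test-TermsrvSpn {
    param([string]$Spn)
    # Only TERMSRV/ entries with a host-like name are acceptable.
    if ($Spn -notmatch '^TERMSRV/[A-Za-z0-9.*-]+$') { return $false }
    # The policy allows at most one wildcard per name.
    if (($Spn -split '\*').Count -gt 2) { return $false }
    # Reject catch-alls (TERMSRV/*, TERMSRV/*.com): they would hand saved
    # credentials to any host that cannot prove its identity.
    if ($Spn -match '^TERMSRV/\*(\.[^.]+)?$') { return $false }
    return $true
}

function Get-SavedNtlmOnlyAllowList {
    # Entries live as string values named "1", "2", ... under the list subkey.
    if (-not (Test-Path $list)) { return @() }
    (Get-ItemProperty $list).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}

function Set-SavedNtlmOnlyAllowList {
    param([string[]]$Spns)
    $bad = $Spns | Where-Object { -not (Test-TermsrvSpn $_) }
    if ($bad) { throw "Refusing over-broad or malformed entries: $($bad -join ', ')" }
    New-Item -Path $list -Force | Out-Null
    Set-ItemProperty -Path $base -Name 'AllowSavedCredentialsWhenNTLMOnly' -Type DWord -Value 1
    Set-ItemProperty -Path $base -Name 'ConcatenateDefaults_AllowSavedNTLMOnly' -Type DWord -Value 1
    # Replace the numbered list wholesale so stale hosts do not linger.
    (Get-Item $list).Property | Where-Object { $_ -match '^\d+$' } |
        ForEach-Object { Remove-ItemProperty -Path $list -Name $_ }
    for ($i = 0; $i -lt $Spns.Count; $i++) {
        Set-ItemProperty -Path $list -Name "$($i + 1)" -Type String -Value $Spns[$i]
    }
}

# Allow exactly the one host from the post, then print the resulting list for review.
Set-SavedNtlmOnlyAllowList -Spns @('TERMSRV/alinc02.redmond.corp.microsoft.com')
Get-SavedNtlmOnlyAllowList
```

Writing the policy values directly is convenient for auditing, but local or domain Group Policy processing can overwrite them; the gpedit.msc route described above is the durable way to set it.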

With this policy enabled, the login to my alinc02 machine now requires only the smartcard pin, same as the other machines.

(I was told that if I'm not an admin I may need to set enablecredsspsupport:i:0 in the .rdp file, but this was not necessary in my case; setting it just got rid of the error message and replaced it with a regular Vista logon prompt.)

Since we're speaking of group policies, it is worth mentioning another setting here, "Allow Delegating Default Credentials", which lets you make TS connections to a remote server (in the same domain) without being prompted for credentials at all (the current Windows user's credentials are used for the remote server). For more information see Mahadev Alladi's blog article, which inspired the settings in my case, too.