nablaodel
  • nablaodel
  • 57.2% (Neutral)
  • Fledgling Topic Starter
2009-07-03T13:19:22Z
I've turned on the option to save password. It seems to save them in my favorites and when I connect to Win2k3 servers I am not prompted for a password. However, when I connect to a Win2k8 server I am prompted for a password. I am connecting from Vista 32-bit. Thanks!
Timothy
  • Timothy
  • 100% (Exalted)
  • Flock Leader
2009-07-03T16:29:17Z
Two possibilities here...

1. The 2008 servers have the "always prompt for client password upon connection" setting/policy enabled. No matter what credentials are passed in ahead of time, it will always prompt you for the password.

2. The 2008 server require Network Level Authentication (NLA). If so, RD Tabs will not able to do password management for you. To save and use saved passwords under that scenario, you need to use password management built into Windows. To enable NLA for your connection, go to the Advanced tab of the connection properties.
nablaodel
  • nablaodel
  • 57.2% (Neutral)
  • Fledgling Topic Starter
2009-07-04T15:18:07Z
Thank you for providing such great support!

I fall into #2 (the server requires NLA). I went to Control Panel, Users Accounts, Manage Your Network Passwords, and added TERMSRV/<server-name> and TERMSRV/<fqdn-of-server>. Interestingly I was told by Remote Desktop that credentials were incorrect when connecting to <fqdn-of-server>. I went back and edited the saved password a few times to make sure I wasn't making a typo but RD continued to tell me I had an incorrect password and prompted me to enter credentials. I did that and checked off the box to save the credentials. Now RD no longer prompts me for connecting to the <fqdn-of-server>. I restarted RD Tabs (version = 2.1.21), but continue to be prompted for a password.

Should that have worked or am I missing something?

Thanks!
Timothy
  • Timothy
  • 100% (Exalted)
  • Flock Leader
2009-07-06T09:54:45Z
Did you go to the advanced tab of the connection (in RD Tabs) and enable NLA there? Otherwise RD Tabs will not activate the NLA feature and it will prompt for password.
nablaodel
  • nablaodel
  • 57.2% (Neutral)
  • Fledgling Topic Starter
2009-07-06T11:37:55Z
I did. It set it up that way in my favorites and I tried it from making a new connection (new tab) and making sure that NLA was checked off in the Advanced tab. I double checked that the RD client let me know via <server-name> and <fqdn-of-server>; it still does w/o prompting for password.

Thanks!
Timothy
  • Timothy
  • 100% (Exalted)
  • Flock Leader
2009-07-06T20:53:30Z
What do you mean "without prompting for password?"

I just tested NLA on a test server (Server 2008) and it worked fine for me...
nablaodel
  • nablaodel
  • 57.2% (Neutral)
  • Fledgling Topic Starter
2009-07-07T12:16:01Z
I can use the Windows Remote Desktop client and connect to the server without being prompted for a password. However, with NLA checked off in RD Tabs and ensuring that I'm connecting using the same server name, I am prompted for a password by RD Tabs.
Timothy
  • Timothy
  • 100% (Exalted)
  • Flock Leader
2009-07-08T11:26:33Z
Check one other setting. Go into Tools->Options then make sure you are on the General tab. Check "Cache connection properties" and see if that helps.
nablaodel
  • nablaodel
  • 57.2% (Neutral)
  • Fledgling Topic Starter
2009-07-08T12:01:37Z
Hmm, unfortunately that was already checked off.
Timothy
  • Timothy
  • 100% (Exalted)
  • Flock Leader
2009-07-08T14:55:42Z
Hmmm... I'm running out of ideas. I can't reproduce this problem on my end. Can you tell me exactly how your remote server is set up? Any GPOs applied that determine how NLA works? I might be missing a property/setting in RD Tabs. On my servers, NLA works fine, but maybe that's due to a server requirement you have that I don't. I need as much detailed information about the server's RDP connections as possible.
nablaodel
  • nablaodel
  • 57.2% (Neutral)
  • Fledgling Topic Starter
2009-07-08T21:23:38Z
I've been trying to connect from a Vista SP2 x86 Business and a Vista SP2 x64 Enterprise machine. All the servers I've been trying to connect to have been Windows 2008 SP2 x64 Enterprise, although I have a x86 Standard server I could try connecting to tomorrow. The domain I'm in is functional level 2003. I checked with our AD guy and he can't think of any (of the very few) GPOs we have implemented that would possibly affect NLA.

When I connect via the Windows client (and I get the password wrong), there is a box to check off to remember password. That box isn't present in RD Tabs (version = 2.1.21) - not sure if that matters.

In the relatively near future I'll be putting up a dev domain environment from scratch so I can test it without having any GPOs in the dev domain.

Thanks for all your time.
Timothy
  • Timothy
  • 100% (Exalted)
  • Flock Leader
2009-07-09T08:59:16Z
Not a problem. I wish I could reproduce. I have noticed that RD Tabs doesn't present the "save password" checkbox and I'm not sure how to get it to appear (or if its possible). Looking forward to any more insight you can provide.
nablaodel
  • nablaodel
  • 57.2% (Neutral)
  • Fledgling Topic Starter
2009-07-28T14:29:19Z
No difference trying to connect to the servers in a brand new development domain. I'll write back if I find the issue.

Thanks!
Timothy
  • Timothy
  • 100% (Exalted)
  • Flock Leader
2009-07-28T15:18:04Z
Thanks for the update. I'll continue to investigate on my end.
Spad
  • Spad
  • 55.4% (Neutral)
  • Nestling
2009-08-10T09:49:19Z
I'm having a similar problem with Windows 7 x64 - if I connect via the RDP client then NLA works fine, but if I connect via RDTabs then it always prompts me for credentials when connecting to 2008 machines.
bwquestion
2011-05-13T15:42:41Z
I also had this problem just now.

The problem was the Server setting was set to allow any connection and my RDTab setting had the box checked to use NLA.

When I unchecked the box for NLA the problem went away.
Mamba
  • Mamba
  • 51.8% (Neutral)
  • Nestling
2012-04-04T09:23:46Z
I realize that this is an old thread, but for us it still applies. Same problem, being prompted for password even when NLA box is checked in RDTabs. We've had to enable NLA (as being required) across our site in our Server 2008/Win7 environment to meet security standards. "Use password management built into Windows" does not help and would not be feasible with 300+ nodes even if it did. While RDTabs offers many advantages, one of the most useful (for us) is the auto-logon feature...which now won't work.
nablaodel
  • nablaodel
  • 57.2% (Neutral)
  • Fledgling Topic Starter
2012-04-07T16:58:07Z
I'm still very interested in this issue after starting this thread 2.5 years ago. I use RD tabs everyday and at this point 95% of the servers I log into are Win2k8+. Timothy, do you have any interest in allowing others to look at the source code for RD Tabs and see if we can come up with improvements?
Timothy
  • Timothy
  • 100% (Exalted)
  • Flock Leader
2012-04-09T07:58:57Z
Enabling NLA offloads the password management entirely to Windows (which is part of why it is slightly more secure). If you log onto your remote server using the same account as the one you are currently running RD Tabs as and have Kerberos enabled, I believe it may be able to pass through the token without prompting, but otherwise you have to set up your passwords in the Windows Credential Manager. And, yes, that is unwieldy if you have hundreds of potential remote computers you need to access. You will have to disable one of RD Tabs' security features, which is under Options -> General -> ENABLE Cache Connection Properties. This allows Windows to automatically cache various remote desktop properties used by RD Tabs and also changes some of the prompting behavior.

I'm open to the idea of limited third party involvement in development for issues like this, but since RD Tabs uses the Microsoft APIs, it's limited to the restrictions that MS has put on the APIs. And this is one area where MS has really put a restriction on it. There is no function to set credentials when in NLA mode. It's entirely offloaded to Windows.

I haven't checked the Server 2008 R2 version of the remote desktop library, maybe they added something new, but I wouldn't get my hopes up.

I dont' know what sorts of security requirements your organization has, but NLA is not really that much more secure than classic logon. The main benefit it gains you is that a remote desktop channel is never established until the user is authenticated. This may potentially help mitigate a DOS attack since it reduces bandwidth during the logon procedure. But that's about all it buys you, as far as I understand it. (I could be wrong, there might be more to it, but that's all I rememeber reading about it.)
Timothy
  • Timothy
  • 100% (Exalted)
  • Flock Leader
2012-04-09T13:49:58Z
I did a little more investigating on this today. It seems it must be possible because the RDCMan application that MS made actually does this and it works, and they are shelling out to the same ActiveX control that RD Tabs does. I stepped through the decompiled code (uh-oh, I guess I shouldn't have said that!) and as far as I can tell, they are doing it exactly the same way that RD Tabs is doing it. I even rearranged the code in RD Tabs connection code to go through the same order of the code as the RDCMan and it still didn't work. I'm not really sure what's different.

Well, I'm a little more motivated on this front now because it seems it is more possible than it did a few years ago. If any of you want to mess around with source code, I can send over a NDA and I'm happy to work with you. Sorry for the hoops, RD Tabs is not open source and I'm actually considering going commercial in the next year. Don't worry, RD Tabs will continue to have a free version. I'm tossing around the commercial version idea specifically for use with a server product that would enforce policies, allow shared favorites, and other features useful to larger help desks and support departments.

EDIT: I should add that there will always be a restriction, even if this starts working, that RD Tabs can only pass the logon information of the currently logged on user (or the RunAs user if you ran RD Tabs as another user). There is no way with NLA to specify alternate credentials from within the RD Tabs GUI.
full film