Windows 2025 Domain: RDP sessions to Windows 2022 member servers from Windows 11 now asking for credentials even though the credentials are saved.

bswhipp (Member, joined Dec 4, 2024, 194 messages)
MSTSC now asking for password. No changes except Upgraded to Windows 2025 domain. It is now stating the system administrator does not allow the use of saved credentials to log on to the remote computer because its identity is not fully verified. Please enter new credentials.
 


Hi bswhipp,

This behavior is likely stemming from tightened security measures in the Windows 2025 domain environment. When you see the message stating that "the system administrator does not allow the use of saved credentials to log on to the remote computer because its identity is not fully verified," it indicates that Windows is enforcing a stricter check on the remote computer’s identity before applying saved credentials.

Here are a few points and steps to help troubleshoot and potentially resolve this:

  • Remote Computer Identity:
     – Windows now requires that the remote computer be fully verified—typically meaning that its certificate or network identity matches the FQDN used in the connection. Ensure that you’re connecting using the server’s fully qualified domain name (FQDN) rather than a short name or IP address.
  • Certificate Configuration:
     – If your remote (Windows 2022) member server uses a self-signed certificate, the client might not be able to fully verify its identity. Consider installing a certificate from a trusted CA or ensuring the certificate’s subject name matches the hostname.
  • Group Policy Settings (Credentials Delegation):
     – Windows 2025 domain may enforce new or updated policies. Check the Group Policy for settings under:
      Computer Configuration → Administrative Templates → System → Credentials Delegation
     There should be policies such as “Allow delegating saved credentials” and “Allow delegating saved credentials with NTLM-only server authentication.”
     – If needed, you can modify or enable these policies and add the appropriate server identifiers (e.g., TERMSRV/*) so that the client trusts the remote server for saved credentials.
  • Client Configuration:
     – On the Windows 11 client, ensure that the Remote Desktop Client is not overriding these settings. Sometimes disabling options like “Always ask for credentials” or re-saving the credentials might help, though ultimately the domain/group policy settings take precedence.

If the saved credentials worked before the domain upgrade and now prompt for fresh credentials, it’s a sign that Windows 2025 is being more cautious about possibly insecure or mismatched credential usage. Adjusting the above settings should help in regaining the convenience of saved credentials, while still meeting the new security requirements.

Let me know if this helps or if you have further questions!
 


Adding FQDN to the shortcut did not work.
Setting up the Group Policy also did not work, unless I configured it incorrectly. When you state TERMSRV/*, is that what I am supposed to put in the field, or my domain name/*? And is this on the Domain Controllers' or the member servers' Group Policy, since I have them split?
 


Hi bswhipp,
When instructions mention using "TERMSRV/*", that’s meant to be entered exactly as written. It acts as a wildcard that allows saved credentials to be delegated to any Remote Desktop host. In other words, you don't substitute it with your domain name; you literally type TERMSRV/*.
Regarding where to apply this Group Policy setting:

  • The Group Policy settings that control credential delegation for Remote Desktop are typically configured under:
      Computer Configuration → Administrative Templates → System → Credentials Delegation.
  • Since the error appears on your Windows 11 client when connecting, the policy should be applied to the client machines. If your environment uses separate Group Policy Objects (GPOs) for domain controllers and member servers, you’ll want to ensure that the GPO affecting your Windows 11 clients (or the users running MSTSC) includes the "Allow delegating saved credentials" policy with the TERMSRV/* entry.
  • Essentially, it needs to be in a policy that is applied to the systems initiating the Remote Desktop connections, not necessarily on the target member servers.
This configuration tells your Windows 11 clients that it's safe to use saved credentials when connecting to any terminal server. If you're looking to restrict the setting to a subset of servers, you could specify those individually (e.g., TERMSRV/server1.domain.com), but TERMSRV/* is the standard approach to cover all RDP hosts.
Hope this clarifies things! Let me know if you have any more questions or need further assistance.
ChatGPT
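Added example, not from the thread or from Microsoft: a PowerShell script for the Windows 11 client that reads back the registry values the Credentials Delegation GPO (CredSsp.admx) writes, so you can confirm the "Allow delegating saved credentials" policy actually landed on the machine that initiates the RDP connection, and a helper that writes the same values for a narrow list of hosts instead of the TERMSRV/* wildcard. The value names (AllowSavedCredentials, AllowSavedCredentialsWhenNTLMOnly, the ConcatenateDefaults_* DWORDs and the numbered string entries under the subkeys) are the ones the policy template uses; the server names are placeholders.

```powershell
# Audit/set the "Allow delegating saved credentials" policy on an RDP client.
# Run elevated. Values written locally under the Policies hive are overwritten
# by the domain GPO at the next refresh, so the Set-* helper is for testing or
# for non-domain clients; on domain clients use it as a reference for the GPO.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Get-SavedCredDelegationPolicy {
    # Returns whether saved-credential delegation is enabled and to which SPNs.
    $result = [ordered]@{
        Enabled         = $false   # "Allow delegating saved credentials"
        NtlmOnlyEnabled = $false   # "...with NTLM-only server authentication"
        AllowedTargets  = @()
        NtlmOnlyTargets = @()
    }
    if (-not (Test-Path $PolicyRoot)) { return [pscustomobject]$result }

    $root = Get-ItemProperty -Path $PolicyRoot
    $result.Enabled         = ($root.AllowSavedCredentials -eq 1)
    $result.NtlmOnlyEnabled = ($root.AllowSavedCredentialsWhenNTLMOnly -eq 1)

    # The SPN list lives in a subkey of the same name, as values "1","2",...
    $map = @{
        AllowSavedCredentials             = 'AllowedTargets'
        AllowSavedCredentialsWhenNTLMOnly = 'NtlmOnlyTargets'
    }
    foreach ($subName in $map.Keys) {
        $sub = Join-Path $PolicyRoot $subName
        if (Test-Path $sub) {
            $result[$map[$subName]] = @(
                (Get-ItemProperty -Path $sub).PSObject.Properties |
                    Where-Object { $_.Name -match '^\d+$' } |
                    ForEach-Object { $_.Value }
            )
        }
    }
    [pscustomobject]$result
}

function Set-SavedCredDelegationPolicy {
    # Enables the policy for an explicit SPN list (placeholder hosts below).
    param(
        [Parameter(Mandatory)][string[]]$Targets,
        [switch]$NtlmOnly   # use the NTLM-only variant instead of the Kerberos one
    )
    $valueName  = if ($NtlmOnly) { 'AllowSavedCredentialsWhenNTLMOnly' } else { 'AllowSavedCredentials' }
    $concatName = if ($NtlmOnly) { 'ConcatenateDefaults_AllowSavedNTLMOnly' } else { 'ConcatenateDefaults_AllowSaved' }
    $sub = Join-Path $PolicyRoot $valueName

    New-Item -Path $sub -Force | Out-Null
    Set-ItemProperty -Path $PolicyRoot -Name $valueName  -Value 1 -Type DWord
    Set-ItemProperty -Path $PolicyRoot -Name $concatName -Value 1 -Type DWord

    # Replace any existing numbered entries with the new list.
    (Get-ItemProperty -Path $sub).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { Remove-ItemProperty -Path $sub -Name $_.Name }
    $i = 1
    foreach ($t in $Targets) {
        Set-ItemProperty -Path $sub -Name ([string]$i) -Value $t -Type String
        $i++
    }
}

# Usage (placeholder host names):
# Set-SavedCredDelegationPolicy -Targets 'TERMSRV/srv01.corp.example','TERMSRV/srv02.corp.example'
# After gpupdate /force on a domain client, confirm what the GPO applied:
Get-SavedCredDelegationPolicy | Format-List
```

Running Get-SavedCredDelegationPolicy on the Windows 11 client after a gpupdate /force is a quick way to tell whether the GPO was linked to the right OU: if Enabled is False or AllowedTargets is empty, the policy is still only on the server-side GPO. Listing the member servers' SPNs explicitly, as the reply above suggests, keeps saved credentials from being handed to any host that can present a TERMSRV name, which is the reason the wildcard is worth avoiding where the server list is known.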
 


Applied GPO to correct place and all set. Thanks.
 


Great to hear that you got it sorted out, bswhipp! If you encounter any more issues or have further questions, feel free to drop a line. Happy RDP-ing!
 

