Difference between revisions of "OpenTC Development"
Revision as of 02:54, 7 May 2025
Automatic login
The Remote Desktop Connection (mstsc.exe) client has the ability to log in automatically without prompting for credentials, when these have previously been saved.
Credentials can also be added by using cmdkey.exe, which OpenTC uses to 'pass down' the credentials entered in its login form.
Official documentation states that the correct way to use cmdkey.exe to save credentials for "Remote Access" is to use the /generic parameter instead of /add.
However, the RDC client adds saved credentials as a "Windows Credential" (/add) and not a generic one. In practice there seems to be no difference in results.
The "TERMSRV/" prefix to the target name exists to distinguish between user or gateway credentials.
Not using this prefix will result in authentication failure in an uncommon scenario where these credentials are different on the same server.
For security reasons, the credentials need to be removed as soon as possible after the connection has been established.
Requirements
In order for this to work smoothly, the RDP file and the remote computer need to be configured to allow saved credentials.
RDP File
"Allow me to save credentials" must be checked (when credentials are saved, this text will change to "Always ask for credentials", which in that case must be unchecked).
prompt for credentials:i:0
When a gateway is used, "Use my RD Gateway credentials for the remote computer" must be checked (located in Advanced > Settings).
This is so that Remote Desktop knows the credentials for the remote computer are the same as the credentials for the gateway, so it will not ask for them a second time.
promptcredentialonce:i:1
Client Computer
Make sure that the following Group Policy is not enabled on the client computer:
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client > "Prompt for credentials on the client computer"
Remote Computer
Make sure that the following Group Policy is not enabled on the remote computer:
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security > "Always prompt for password upon connection"
Notes
It is reported that the following registry value overrides the "Allow me to save credentials" option for RDP files; this has not been tested yet.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services] "fPromptForPassword"=dword:00000000
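The workflow described in "Automatic login" and "Requirements" above, as an added PowerShell example (this is not OpenTC's own code): it parses the .rdp file, checks the two settings this page requires before anything is saved, stores the credential under the TERMSRV/ target with cmdkey, launches mstsc.exe, and removes the credential again shortly afterwards. The .rdp path and user name are supplied by the caller; the 5-second delay before deletion is a constructed value, not something the page specifies.

```powershell
# Added example, not part of OpenTC. Assumes an existing .rdp file and a user name
# given by the caller; the delete-after delay is an arbitrary constructed default.

function Read-RdpFile {
    param([string]$Path)
    $settings = @{}
    foreach ($line in Get-Content -Path $Path) {
        # Each line is "name:type:value"; the value itself may contain colons
        # (e.g. "full address:s:host:3389"), so split into at most three parts.
        $parts = $line -split ':', 3
        if ($parts.Count -eq 3) { $settings[$parts[0].Trim()] = $parts[2] }
    }
    return $settings
}

function Test-RdpSavedCredentialSettings {
    param([hashtable]$Settings)
    $ok = $true
    # "Allow me to save credentials" checked / "Always ask for credentials" unchecked
    if ($Settings['prompt for credentials'] -ne '0') {
        Write-Warning 'Missing "prompt for credentials:i:0" in the .rdp file'
        $ok = $false
    }
    # Only relevant when the file names a gateway
    if ($Settings['gatewayhostname'] -and $Settings['promptcredentialonce'] -ne '1') {
        Write-Warning 'Gateway configured but "promptcredentialonce:i:1" is not set'
        $ok = $false
    }
    return $ok
}

function Connect-WithSavedCredential {
    param(
        [Parameter(Mandatory)][string]$RdpPath,
        [Parameter(Mandatory)][string]$UserName,
        [int]$DeleteAfterSeconds = 5   # constructed default: how long the credential stays saved
    )
    $settings = Read-RdpFile -Path $RdpPath
    if (-not (Test-RdpSavedCredentialSettings -Settings $settings)) {
        throw "The .rdp file is not configured for saved credentials"
    }

    # TERMSRV/<host> distinguishes remote-computer credentials from gateway credentials;
    # strip an optional ":port" suffix from the address.
    $hostName = ($settings['full address'] -split ':')[0]
    $target   = "TERMSRV/$hostName"

    $secure = Read-Host -Prompt "Password for $UserName" -AsSecureString
    $plain  = [System.Net.NetworkCredential]::new('', $secure).Password
    try {
        # /generic is what Microsoft documents for Remote Access targets
        & cmdkey.exe "/generic:$target" "/user:$UserName" "/pass:$plain" | Out-Null
        $plain = $null
        $proc = Start-Process -FilePath mstsc.exe -ArgumentList "`"$RdpPath`"" -PassThru
        # Give the client time to read the saved credential; the session keeps running
        # after the credential is deleted.
        Start-Sleep -Seconds $DeleteAfterSeconds
    }
    finally {
        # Remove the credential as soon as possible, even if mstsc failed to start
        & cmdkey.exe "/delete:$target" | Out-Null
    }
    return $proc
}

# Usage: Connect-WithSavedCredential -RdpPath 'C:\rdp\office.rdp' -UserName 'CONTOSO\alice'
```

The `finally` block is the important part for the page's "remove as soon as possible" rule: the credential is deleted whether or not the connection attempt succeeded. Note that passing `/pass:<value>` makes the password briefly visible in the process command line of cmdkey.exe; on a shared machine that is one more reason to keep the saved-credential window short.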
Certificate/publisher warning
When there is no valid certificate, the Remote Desktop client will show a popup before connecting telling the user the identity of the remote computer or publisher cannot be verified.
This popup can be ignored to continue, however this would be an inconvenience to the end user and might give them a wrong impression.
Years ago there used to be the ability to set a registry value telling the client to skip this check, however Microsoft patched this since they considered it a security risk.
We recommend that you set up your Remote Desktop Session Host, Connection Broker, Gateway, and RDP file the correct way.
Checking the "Don't ask me again for connections to this computer" box will create a value in the key "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\LocalDevices", with the name of the remote computer.
When using a custom RD Gateway server name, a different value will be created with both the computer name and server name separated by a semicolon (;).
The data of this value is the sum of the features selected in "Local Resources"; the affected features are listed below:
| Setting | File Value | Data |
|---|---|---|
| Record from this computer | "audiocapturemode:i:1" | 128 |
| Printers | "redirectprinters:i:1" | 64 |
| Clipboard | "redirectclipboard:i:1" | 4 |
| Ports | "redirectcomports:i:1" | 2 |
| Drives | "drivestoredirect:s:" (anything but empty) | 1 |
| Other supported PnP devices | "devicestoredirect:s:*" | 32 |
Having none of these features selected will result in data of 0, but the value must still exist. Having them all selected makes it 231.
EDIT: Latest tests show Windows 10 always starts with the value of 8, making the maximum you can have 239.
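The table above, turned into a check. This added PowerShell example (not OpenTC's own code) computes the LocalDevices data value an .rdp file should produce and compares it with the value the client actually stored, so a pre-provisioned entry can be verified. It assumes the Windows 10 base value of 8 noted above, uses a constructed sample .rdp fragment, and takes the registry target name from the caller (computer name, or "computer;gateway" when a custom RD Gateway name is used).

```powershell
# Added example, not part of OpenTC. Bit values come from the table above;
# the base value of 8 is the Windows 10 observation recorded on this page.

$LocalDeviceFlags = @(
    @{ Name = 'audiocapturemode';  Bit = 128; Match = { param($v) $v -eq '1' } }
    @{ Name = 'redirectprinters';  Bit = 64;  Match = { param($v) $v -eq '1' } }
    @{ Name = 'devicestoredirect'; Bit = 32;  Match = { param($v) $v -eq '*' } }
    @{ Name = 'redirectclipboard'; Bit = 4;   Match = { param($v) $v -eq '1' } }
    @{ Name = 'redirectcomports';  Bit = 2;   Match = { param($v) $v -eq '1' } }
    @{ Name = 'drivestoredirect';  Bit = 1;   Match = { param($v) -not [string]::IsNullOrEmpty($v) } }
)

function ConvertFrom-RdpText {
    # Minimal "name:type:value" parser; values may contain further colons.
    param([string[]]$Lines)
    $h = @{}
    foreach ($l in $Lines) { $p = $l -split ':', 3; if ($p.Count -eq 3) { $h[$p[0].Trim()] = $p[2] } }
    return $h
}

function Get-ExpectedLocalDevicesValue {
    param([hashtable]$Settings, [int]$Base = 8)
    $value = $Base
    foreach ($flag in $LocalDeviceFlags) {
        if (& $flag.Match $Settings[$flag.Name]) { $value += $flag.Bit }
    }
    return $value
}

function Get-StoredLocalDevicesValue {
    param([Parameter(Mandatory)][string]$Target)
    $key  = 'HKCU:\Software\Microsoft\Terminal Server Client\LocalDevices'
    $item = Get-ItemProperty -Path $key -Name $Target -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # box never ticked for this target
    return [int]$item.$Target
}

function Test-LocalDevicesValue {
    param([Parameter(Mandatory)][string]$Target, [Parameter(Mandatory)][hashtable]$Settings)
    $expected = Get-ExpectedLocalDevicesValue -Settings $Settings
    $stored   = Get-StoredLocalDevicesValue -Target $Target
    [pscustomobject]@{ Target = $Target; Expected = $expected; Stored = $stored; Match = ($stored -eq $expected) }
}

# Constructed sample: printers, clipboard and all drives redirected, nothing else
$sample = ConvertFrom-RdpText -Lines @(
    'full address:s:rds01.example.test',
    'redirectprinters:i:1',
    'redirectclipboard:i:1',
    'drivestoredirect:s:*'
)
Get-ExpectedLocalDevicesValue -Settings $sample        # 8 (base) + 64 + 4 + 1

# Against the live registry, for a plain connection and for a custom gateway name:
# Test-LocalDevicesValue -Target 'rds01.example.test' -Settings $sample
# Test-LocalDevicesValue -Target 'rds01.example.test;gw.example.test' -Settings $sample
```

A `Match` of `$false` with a non-null `Stored` value usually means the .rdp file was edited after the "Don't ask me again" box was ticked; the warning will then reappear on the next connection until the value is updated or the box is ticked again.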
Credentials
cmdkey.exe was introduced with Windows Vista and is available in later versions; it can be used to save credentials that Remote Desktop Connection can use to log in automatically.
Before this, credentials could be saved inside the .rdp file (unsafe and slow), or else had to be entered manually (annoying).
The OpenTC login form will save the entered credentials using cmdkey, and delete them after use.
In order for this to work, "prompt for credentials" in the .rdp file must be set to 0 ("Allow me to save credentials" checked, or "Always ask for credentials" unchecked).
On the OpenTC computer, the "Prompt for credentials on the client computer" group policy must not be enabled.
On the remote computer, the "Always prompt for password upon connection" group policy must not be enabled.