Difference between revisions of "OpenTC Development"

From DanIT
 
(15 intermediate revisions by the same user not shown)
Line 1: Line 1:
==Automatic login==
 
The login screen where the credentials must be entered is a custom made form and is not related to any native Windows Remote Desktop functions.<br>
 
Therefore, the credentials entered in the form must somehow be passed down to establish a Remote Desktop connection without having to fill in it's own credentials form.<br>
 
  
There are two ways to do this, one of them is to make your own Remote Desktop client by using some Remote Desktop DLL's inside your project. This option has not been chosen for OpenTC, since in order to make all it's features available you would have to completely rewrite the client like the native one.<br>
 
  
The other option is to fool Windows that the user has logged in before and used the "Remember me" option, causing it to automatically login without having to enter any credentials.<br>
 
Before this can happen the credentials must be loaded into the current user, this can be done by using the built-in application cmdkey<br>
 
===Load credentials===
 
Example on how Remote Desktop credentials would be saved:<br>
 
cmdkey.exe /add:TERMSRV/<computername> /user:<username> /pass:<password>
 
It's important that "TERMSRV/" is placed before the computer or farm name, so Windows knows its destined for that connection.<br>
 
When using a Remote Desktop Gateway (RD Gateway) the credentials must also be loaded separately for it, by using the gateway name;<br>
 
cmdkey.exe /add:<gatewayname> /user:<username> /pass:<password>
 
The computernames and gatewaynames must be identical to the ones in the RDP-file, otherwise it will not work.<br>
 
  
When the Remote Desktop connection has been established, it would be ideal to remove the saved credentials as soon as possible. OpenTC is being run under one local user account and therefore shares the same saved credentials database for anyone that uses the client computer.<br>
+
 
While the following has not been reported as a bug in OpenTC, other Remote Desktop portal products who share this same method have incidentally experienced users being suddenly able to login to other users their account. We therefore take precaution and remove the credentials as soon as possible:
+
=Automatic login=
cmdkey.exe /delete:TERMSRV/<computername>
+
The Remote Desktop Connection (mstsc.exe) client has the ability to automatically login without promping for credentials, when these are previously saved.<br>
cmdkey.exe /delete:<gatewayname>
+
Credentials also can be added by using [https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey cmdkey.exe], which OpenTC uses to 'pass down' the credentials entered in it's login form.<br>
 +
 
 +
Official documentation states that the correct way to use cmdkey.exe to save credentials for "Remote Access" is to use the /generic parameter instead of /add.<br>
 +
However, the RDC client adds saved credentials as a "Windows Credential" (/add) and not a generic one. In practice runs there seems to be no difference in results.<br>
 +
 
 +
The "TERMSRV/" prefix to the target name exists to distinguish between user or gateway credentials.<br>
 +
Not using this prefix will result in authentication failure in an uncommon scenario where these credentials are different on the same server.<br>
 +
 
 +
For security reasons, the credentials need to be removed as soon as possible after the connection has been established.
  
 
===Requirements===
 
===Requirements===
In order for this to work, the RDP-file would need to have the  "Allow me to save credentials" option checked, which inside the file would look like this:
+
In order for this to work smoothly, the RDP file and remote computer need to be configured to allowed for saved credentials.<br>
 +
 
 +
====RDP File====
 +
"Allow me to save credentials" must be checked (when credentials are saved, this text will change to "Always ask for credentials", which in that case must be unchecked).
 
  prompt for credentials:i:0
 
  prompt for credentials:i:0
 +
When a gateway is used, "Use my RD Gateway credentials for the remote computer" must be checked (located in Advanced > Settings).<br>
 +
This is so that Remote Desktop knows the credentials for the remote computer are the same as the credentials for the gateway, so it will not ask for them a second time.
 +
promptcredentialonce:i:1
  
Some Group Policies must also be set correctly (by default this is already correct), on the client the following must be set:
+
====Client Computer====
  Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client > "Prompt for credentials on the client computer": Not Configured / Disabled
+
Make sure that the following Group Policy is not enabled on the client computer:
And on the host server:
+
  Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client > "Prompt for credentials on the client computer"
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security > "Always prompt for password upon connection": Not Configured / Disabled
 
  
 +
====Remote Computer====
 +
Make sure that the following Group Policy is not enabled on the remote computer:
 +
Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security > "Always prompt for password upon connection"
  
 
===Notes===
 
===Notes===
It is reported that the following registry value would overwrite the "Allow me to save credentials" option for RDP files:
+
It is reported that the following registry value would overwrite the "Allow me to save credentials" option for RDP files, this has not been tested yet.
 
  [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
 
  [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
 
  "fPromptForPassword"=dword:00000000
 
  "fPromptForPassword"=dword:00000000
 +
 +
===Trusted Connection===
 +
When there is no valid certificate, the Remote Desktop client will show a popup before connecting telling the user the identity of the remote computer or publisher cannot be verified.<br>
 +
Checking the "Don't ask me again for connections to this computer" box will create a value in the registry key "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\LocalDevices", with the name of the remote computer.<br>
 +
 +
When using a custom RD Gateway server name, a different value will be created with both the computer name and server name separated by a semicolon (;).<br>
 +
The data of this value is an add up on what features in "Local Resources" of the .rdp-file are selected, see the list of affected features and their value.<br>
 +
De default value is '8' when none of these features are selected. Having all features enabled makes it 239.<br>
 +
 +
{| class="wikitable"
 +
|-
 +
! Feature !! File Reference !! Trigger !! Value
 +
|-
 +
| Record from this computer || "audiocapturemode" || anything but '0' || 128
 +
|-
 +
| Printers || "redirectprinters" || anything but '0' || 64
 +
|-
 +
| Clipboard || "redirectclipboard" || anything but '0' || 4
 +
|-
 +
| Ports || "redirectcomports" || anything but '0' || 2
 +
|-
 +
| Drives || "drivestoredirect" || anything but empty || 1
 +
|-
 +
| Other supported PnP devices || "devicestoredirect" || anything but empty || 32
 +
|}
 +
 +
=== Credentials ===
 +
[https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey cmdkey.exe] was introduced in Windows Vista and up, and can be used to save credentials that Remote Desktop Connection can use to login automatically.<br>
 +
Before this, credentials could be saved inside the .rdp file (unsafe/slow), or else would have to be manually entered (annoying).<br>
 +
The OpenTC login form will save the entered credentials using cmdkey, and delete them after use.<br>
 +
 +
In the .rdp file "prompt for credentials" must be '0' ("Allow me to save credentials" checked, or "Always ask for credentials" unchecked).<br>
 +
When using a gateway with the same credentials, "promptcredentialonce" must be '1' ("Use my RD Gateway credentials for the remote computer" checked).<br>
 +
On the OpenTC computer, the "Prompt for credentials on the client computer" group policy must not be enabled.<br>
 +
On the remote computer, the "Always prompt for password upon connection" group policy must not be enabled.<br>
 +
 +
The credentials can not be natively verified beforehand. So if the entered credentials are wrong, the user will then see the original Remote Desktop Connection credential login form.<br>
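Review bot: the new revision's "Credentials" section keeps the statement that the credentials must be removed as soon as possible but drops the concrete command lines the old revision had under "Load credentials" (`cmdkey.exe /add:TERMSRV/<computername> /user:<username> /pass:<password>`, the separate `/add:<gatewayname>` entry for an RD Gateway, and the matching `/delete:` commands), together with the note that the computer and gateway names must be identical to the ones in the RDP file; consider carrying those four lines and that note over, since the "TERMSRV/" paragraph in the new text refers to a target-name convention the reader no longer sees spelled out. Several added lines also carry typos that will show in the rendered page: "promping" (prompting), "it's login form" (its), "configured to allowed for" (configured to allow), and "De default value" (The default value).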

Latest revision as of 03:20, 7 May 2025



Automatic login

The Remote Desktop Connection (mstsc.exe) client has the ability to log in automatically without prompting for credentials when these have previously been saved.
Credentials can also be added by using cmdkey.exe, which OpenTC uses to 'pass down' the credentials entered in its login form.

Official documentation states that the correct way to use cmdkey.exe to save credentials for "Remote Access" is to use the /generic parameter instead of /add.
However, the RDC client adds saved credentials as a "Windows Credential" (/add) and not a generic one. In practice there seems to be no difference in results.

The "TERMSRV/" prefix to the target name exists to distinguish between remote-computer and gateway credentials.
Not using this prefix will result in authentication failure in the uncommon scenario where the remote-computer and gateway credentials differ for the same server name.

For security reasons, the credentials need to be removed as soon as possible after the connection has been established.
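The save-connect-delete sequence described above, written out as an added PowerShell example (this is not OpenTC's own code). It assumes the computer name and, if used, the gateway name match the names in the .rdp file, that the .rdp file path is a placeholder, and that a 30-second wait is long enough for mstsc.exe to read the saved credentials before they are removed; the try/finally guarantees the removal even if launching the client fails, because the credential store on the client computer is shared by everyone using the same local account.

```powershell
# Added example, not OpenTC's code. Saves RDP credentials with cmdkey.exe,
# launches mstsc.exe with an .rdp file and removes the credentials again as
# soon as the client has had time to connect (or immediately on failure).
function Connect-WithSavedCredentials {
    param(
        [Parameter(Mandatory)] [string] $RdpFile,          # placeholder, e.g. C:\OpenTC\farm.rdp
        [Parameter(Mandatory)] [string] $ComputerName,     # must equal "full address" in the .rdp file
        [string] $GatewayName,                             # must equal the gateway name in the .rdp file
        [Parameter(Mandatory)] [pscredential] $Credential, # what the user typed in the login form
        [int] $ConnectWaitMs = 30000                       # assumed long enough for the client to authenticate
    )

    # Two targets when a gateway is used: TERMSRV/<computer> and the bare gateway name.
    $targets = @("TERMSRV/$ComputerName")
    if ($GatewayName) { $targets += $GatewayName }

    # cmdkey needs the password in clear text; keep it in as small a scope as possible.
    $password = $Credential.GetNetworkCredential().Password
    try {
        foreach ($t in $targets) {
            & cmdkey.exe /add:$t /user:$($Credential.UserName) /pass:$password | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "cmdkey.exe /add failed for target $t" }
        }

        $client = Start-Process -FilePath mstsc.exe -ArgumentList "`"$RdpFile`"" -PassThru
        # The client reads the saved credentials at connect time. Wait a bounded
        # time, then fall through to the cleanup whether or not the window is still open.
        $null = $client.WaitForExit($ConnectWaitMs)
    }
    finally {
        # Always remove the saved credentials: the store is per local account,
        # and OpenTC runs every user under the same one.
        foreach ($t in $targets) { & cmdkey.exe /delete:$t | Out-Null }
        Remove-Variable -Name password -ErrorAction SilentlyContinue
    }
}

# Usage (placeholder names):
# Connect-WithSavedCredentials -RdpFile 'C:\OpenTC\farm.rdp' -ComputerName 'farm.example.local' `
#     -GatewayName 'gw.example.local' -Credential (Get-Credential)
```

If the wait expires while the gateway is still authenticating, the client will show its own credential prompt; raising the wait trades a longer window in which the credentials sit in the shared store for fewer spurious prompts.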

Requirements

In order for this to work smoothly, the RDP file and remote computer need to be configured to allow saved credentials.

RDP File

"Allow me to save credentials" must be checked (when credentials are saved, this text will change to "Always ask for credentials", which in that case must be unchecked).

prompt for credentials:i:0

When a gateway is used, "Use my RD Gateway credentials for the remote computer" must be checked (located in Advanced > Settings).
This is so that Remote Desktop knows the credentials for the remote computer are the same as the credentials for the gateway, so it will not ask for them a second time.

promptcredentialonce:i:1

Client Computer

Make sure that the following Group Policy is not enabled on the client computer:

Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client > "Prompt for credentials on the client computer"

Remote Computer

Make sure that the following Group Policy is not enabled on the remote computer:

Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security > "Always prompt for password upon connection"

Notes

It is reported that the following registry value would override the "Allow me to save credentials" option for RDP files. This has not been tested yet.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fPromptForPassword"=dword:00000000
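A pre-flight check for the requirements listed above, as an added PowerShell example (not OpenTC's code): it parses an .rdp file and reports whether "prompt for credentials" and, when a gateway is configured, "promptcredentialonce" have the values the page requires, and it reads the fPromptForPassword value from the policy key named in the Notes on the machine the script runs on. The .rdp line format (name:type:value) and the use of the standard "gatewayhostname" setting to detect a gateway are assumptions not stated on this page; the registry check only mirrors the reported, untested value above, so it is a hint rather than a guarantee.

```powershell
# Added example, not OpenTC's code. Checks an .rdp file and the reported
# policy value for the settings that automatic login depends on.
function Read-RdpFile {
    param([Parameter(Mandatory)] [string] $Path)
    $settings = @{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        # Assumed line format: name:type:value (type is i for int, s for string)
        $parts = $line -split ':', 3
        if ($parts.Count -eq 3) { $settings[$parts[0].Trim()] = $parts[2].Trim() }
    }
    return $settings
}

function Test-RdpAutoLoginSettings {
    param([Parameter(Mandatory)] [string] $Path)
    $s = Read-RdpFile -Path $Path
    $problems = @()
    if ($s['prompt for credentials'] -ne '0') {
        $problems += '"prompt for credentials" must be 0 ("Allow me to save credentials" checked)'
    }
    # "gatewayhostname" is the standard .rdp setting naming the RD Gateway (assumption: non-empty means a gateway is used)
    $usesGateway = $s.ContainsKey('gatewayhostname') -and $s['gatewayhostname'] -ne ''
    if ($usesGateway -and $s['promptcredentialonce'] -ne '1') {
        $problems += '"promptcredentialonce" must be 1 when an RD Gateway is used ("Use my RD Gateway credentials for the remote computer")'
    }
    return $problems   # empty array means the file passes
}

# Reads the value the Notes section reports (untested there). Run it on the
# computer whose policy you want to inspect; absence means Not Configured.
function Test-PromptForPasswordPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $item = Get-ItemProperty -Path $key -Name fPromptForPassword -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'fPromptForPassword not present (policy Not Configured)' }
    if ($item.fPromptForPassword -eq 0) { return 'fPromptForPassword = 0 (saved credentials allowed)' }
    return "fPromptForPassword = $($item.fPromptForPassword) (a password prompt is forced; saved credentials will not be used)"
}

# Usage (placeholder path):
# Test-RdpAutoLoginSettings -Path 'C:\OpenTC\farm.rdp'
# Test-PromptForPasswordPolicy
```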

Trusted Connection

When there is no valid certificate, the Remote Desktop client will show a popup before connecting, telling the user that the identity of the remote computer or publisher cannot be verified.
Checking the "Don't ask me again for connections to this computer" box will create a value in the registry key "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\LocalDevices", named after the remote computer.

When using a custom RD Gateway server name, a different value will be created, named with both the computer name and the server name separated by a semicolon (;).
The data of this value is the sum of the values for the features selected under "Local Resources" in the .rdp file; see the list of affected features and their values.
The default value is '8' when none of these features are selected. Having all features enabled makes it 239.

Feature                      File Reference        Trigger             Value
Record from this computer    "audiocapturemode"    anything but '0'    128
Printers                     "redirectprinters"    anything but '0'    64
Clipboard                    "redirectclipboard"   anything but '0'    4
Ports                        "redirectcomports"    anything but '0'    2
Drives                       "drivestoredirect"    anything but empty  1
Other supported PnP devices  "devicestoredirect"   anything but empty  32
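The table above carried through in code, as an added PowerShell example (not OpenTC's code). One function computes the LocalDevices value from an .rdp file's Local Resources settings; the other goes the other way and lists, for every entry under the LocalDevices key, which redirections the current user has trusted for that host without certificate verification, which is the useful direction for an audit (drive and clipboard redirection to an unverified host are the ones to look at). It assumes a setting that is absent from the .rdp file counts as not selected, and the constructed sample settings are there only to show the two boundary values from the text, 8 and 239.

```powershell
# Added example, not OpenTC's code. Encodes and decodes the LocalDevices value
# described in the "Trusted Connection" section.
function Get-LocalDevicesValue {
    param([Parameter(Mandatory)] [hashtable] $Rdp)   # parsed .rdp settings, name -> value
    $value = 8   # base value when no Local Resources feature is selected
    # Assumption: a missing setting behaves like the feature being off.
    if ($Rdp['audiocapturemode']  -and $Rdp['audiocapturemode']  -ne '0') { $value += 128 }  # Record from this computer
    if ($Rdp['redirectprinters']  -and $Rdp['redirectprinters']  -ne '0') { $value += 64 }   # Printers
    if ($Rdp['redirectclipboard'] -and $Rdp['redirectclipboard'] -ne '0') { $value += 4 }    # Clipboard
    if ($Rdp['redirectcomports']  -and $Rdp['redirectcomports']  -ne '0') { $value += 2 }    # Ports
    if ($Rdp['drivestoredirect']  -and $Rdp['drivestoredirect']  -ne '')  { $value += 1 }    # Drives
    if ($Rdp['devicestoredirect'] -and $Rdp['devicestoredirect'] -ne '')  { $value += 32 }   # Other supported PnP devices
    return $value
}

function ConvertFrom-LocalDevicesValue {
    param([Parameter(Mandatory)] [int] $Value)
    # Bit values from the table; the base 8 is not a feature bit and is ignored here.
    $bits = [ordered]@{
        'Record from this computer'   = 128
        'Printers'                    = 64
        'Other supported PnP devices' = 32
        'Clipboard'                   = 4
        'Ports'                       = 2
        'Drives'                      = 1
    }
    $enabled = foreach ($b in $bits.GetEnumerator()) { if ($Value -band $b.Value) { $b.Key } }
    return @($enabled)
}

# Lists every host the current user has trusted via "Don't ask me again" and the
# redirections that were enabled at the time. Names with a ';' are host;gateway pairs.
function Get-TrustedRdpHosts {
    $key = Get-Item -Path 'HKCU:\SOFTWARE\Microsoft\Terminal Server Client\LocalDevices' -ErrorAction SilentlyContinue
    if ($null -eq $key) { return @() }
    foreach ($name in $key.GetValueNames()) {
        $data = [int]$key.GetValue($name)
        [pscustomobject]@{
            Host         = $name
            Value        = $data
            Redirections = (ConvertFrom-LocalDevicesValue -Value $data) -join ', '
        }
    }
}

# Constructed sample settings (not from a real .rdp file):
$none = @{ 'audiocapturemode' = '0'; 'redirectprinters' = '0'; 'redirectclipboard' = '0'
           'redirectcomports' = '0'; 'drivestoredirect' = ''; 'devicestoredirect' = '' }
$all  = @{ 'audiocapturemode' = '1'; 'redirectprinters' = '1'; 'redirectclipboard' = '1'
           'redirectcomports' = '1'; 'drivestoredirect' = '*'; 'devicestoredirect' = '*' }
Get-LocalDevicesValue -Rdp $none   # 8
Get-LocalDevicesValue -Rdp $all    # 239
ConvertFrom-LocalDevicesValue -Value 13   # Clipboard, Drives (8 + 4 + 1)
Get-TrustedRdpHosts | Format-Table -AutoSize
```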

Credentials

cmdkey.exe was introduced in Windows Vista and is available in all later versions; it can be used to save credentials that Remote Desktop Connection will use to log in automatically.
Before this, credentials could be saved inside the .rdp file (unsafe/slow), or else would have to be entered manually (annoying).
The OpenTC login form saves the entered credentials using cmdkey and deletes them after use.

In the .rdp file "prompt for credentials" must be '0' ("Allow me to save credentials" checked, or "Always ask for credentials" unchecked).
When using a gateway with the same credentials, "promptcredentialonce" must be '1' ("Use my RD Gateway credentials for the remote computer" checked).
On the OpenTC computer, the "Prompt for credentials on the client computer" group policy must not be enabled.
On the remote computer, the "Always prompt for password upon connection" group policy must not be enabled.

The credentials cannot be natively verified beforehand. So if the entered credentials are wrong, the user will see the original Remote Desktop Connection credential login form.