How to Allow Saved Credentials for RDP Connection?

When you connect to a remote Windows host using the native Microsoft RDP client (mstsc.exe), you can save your login credentials so that you do not have to enter them each time. Just tick the “Remember me” option in the RDP connection window. Windows will then save your Remote Desktop password to the Windows Credential Manager.

Also, there is one more important thing. If you are trying to establish an RDP connection from a domain computer to a remote computer in a workgroup or another domain, you are not allowed to use saved credentials to access the remote RDP/RDS host. The Remote Desktop client refuses to use the saved credentials and forces you to re-enter your password each time, with the following error message: Your system administrator does not allow the use of saved credentials.

Remote Desktop Doesn’t Allow Saved Credentials

In some cases, when you try to connect to the Remote Desktop, you may receive the following error message:

Your Credentials did not work

Your system administrator does not allow the use of saved credentials to log on to the remote computer server_name because its identity is not fully verified. Please enter new credentials.

The logon attempt failed


Your System Administrator Does Not Allow the Use of Saved Credentials: What Does This Mean?

You cannot use saved credentials to connect to a remote computer if there are no trust relationships between your computer and the host in a remote domain (or workgroup). This is defined by the default Windows security policy settings.

Configure Group Policy to Allow the Use of Saved Remote Desktop Credentials

Run the Local Group Policy Editor on a computer from which you are establishing the Remote Desktop connection. Press Win + R, type the following command and then click OK.

gpedit.msc

Additionally, you may need to enter an Administrator password or confirm the elevation (depending on the UAC policy settings).


In the Local Group Policy Editor console, go to the section Local Computer Policy > Computer Configuration > Administrative Templates > System > Credentials Delegation. Find the policy named “Allow delegating saved credentials with NTLM-only server authentication”.


Open the policy item and enable it, then click the Show button.

In the new window, you need to add the list of servers/computers that are explicitly allowed to use the saved credentials when connecting over RDP.

The list of allowed systems must be specified in one of the following formats:

  • TERMSRV/remote_pc — allow saving login credentials for a specific computer;
  • TERMSRV/*.theitbros.com — allow using the saved credentials for all computers in the domain theitbros.com;
  • TERMSRV/* — allow using saved RDP credentials for all computers, without exception.

Note. Use TERMSRV in uppercase, as in the example. If you specify a particular computer, the remote_pc value must exactly match the name entered in the “Computer” field of the RDP client.


Find and enable the policy “Allow delegating saved credentials” in the same Credentials Delegation GPO section. Add the same TERMSRV/ values to the policy setting as mentioned above.


Press OK to save changes and then close the Group Policy Editor. Open Command prompt and update the Group Policy settings by running:

gpupdate /force


Now you should be able to connect to the Remote Desktop host with saved credentials, without entering the password over and over again.


So, we allowed saving the login credentials only on one particular computer using Local Group Policy.

To allow the use of saved RDP credentials on multiple domain computers, it is better to create a separate domain GPO. You can use the Group Policy Management Console (GPMC.msc) to create the new GPO with the settings above and link it to the computers’ OU.
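To check what these two policies actually permit on a client after gpupdate, the following PowerShell script (an added example, not part of the original article) reads the Credentials Delegation policy key and reports the scope of each TERMSRV entry, so that a catch-all TERMSRV/* stands out. It assumes the value and subkey names AllowSavedCredentials and AllowSavedCredentialsWhenNTLMOnly as they appear in the registry export posted in the comments; Get-EntryScope is a helper name introduced here.

```powershell
# Added example: list the servers this client may send saved RDP credentials to.
# Value and subkey names are assumed from the registry export in the comments.
$base     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$policies = 'AllowSavedCredentials', 'AllowSavedCredentialsWhenNTLMOnly'

function Get-EntryScope {
    # Hypothetical helper: classify one allow-list entry by how many hosts it covers.
    param([string]$Entry)
    if ($Entry -cnotmatch '^TERMSRV/') { return 'check prefix: expected upper-case TERMSRV/' }
    $target = $Entry.Substring('TERMSRV/'.Length)
    if ($target -eq '*')       { return 'all hosts' }
    if ($target.Contains('*')) { return 'wildcard (e.g. whole domain)' }
    return 'single host'
}

$report = foreach ($name in $policies) {
    # Assumption: the DWORD named after the policy is 1 when the policy is enabled.
    $enabled = (Get-ItemProperty -Path $base -Name $name -ErrorAction SilentlyContinue).$name
    # Assumption: the server list is a subkey of the same name, one string value per entry.
    $listKey = Get-Item -Path "$base\$name" -ErrorAction SilentlyContinue
    $entries = @()
    if ($listKey) {
        $entries = @($listKey.GetValueNames() | ForEach-Object { [string]$listKey.GetValue($_) })
    }

    if ($enabled -ne 1) {
        [pscustomobject]@{ Policy = $name; Entry = '-'; Scope = 'policy not enabled' }
    } elseif ($entries.Count -eq 0) {
        [pscustomobject]@{ Policy = $name; Entry = '-'; Scope = 'enabled, but server list is empty' }
    } else {
        foreach ($e in $entries) {
            [pscustomobject]@{ Policy = $name; Entry = $e; Scope = Get-EntryScope $e }
        }
    }
}
$report | Format-Table -AutoSize
```

Reading these keys does not require elevation; run the script on the client that initiates the RDP connection.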

Server Authentication Policy Does Not Allow Saved Credentials

In some cases, you may see the following error message when you try to use the saved RDP credentials:

Windows Security

Your credentials did not work

The server’s authentication policy does not allow connection requests using saved credentials. Please enter new credentials.


This error message indicates the remote server does not allow the use of saved RD credentials to connect. To fix this error, you need to make changes to the settings of the remote computer/RDS host:

  1. On the remote computer, run the local GPO editor – gpedit.msc;
  2. Go to the GPO section Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security;
  3. Locate and change the policy value ‘Always prompt for password upon connection’ to Disabled;
  4. Reboot your server.

If this policy is enabled, Remote Desktop Services must always prompt a client for passwords upon RDP connection.

You can also change this parameter on the RDS server with one command in the elevated cmd:

REG add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fPromptForPassword /t REG_DWORD /d 0 /f

Saved Credentials Didn’t Work in Remote Desktop Connection

In some cases, you will not be able to connect to remote hosts using the saved RDP credentials even after configuring the above Group Policy settings.

If you can’t connect to the remote computer using saved RDP credentials, try to delete all old saved credentials in the Windows Credential Manager (Control Panel\All Control Panel Items\Credential Manager\Windows Credentials).

Delete all the saved entries from the Windows Credentials and Generic Credentials lists.


Then you can manually add your RDP credentials under Generic Credentials.

  1. Click the Add a generic credential link;
  2. Put the prefix “TERMSRV/” in the Internet or Network Address before your Remote Desktop host name or IP address;
  3. Set RDP user name and password;
  4. Click OK.

Also, you can add a credential to the Credential Manager from the command prompt using the built-in cmdkey tool:

cmdkey /generic:termsrv/sql01.theitbros.com /user:jbrown /pass:RDP_SupPassw0rd2

CMDKEY: Credential added successfully.

You can display information about the stored credentials for the specific host:

cmdkey /list:TERMSRV/sql01.theitbros.com

Currently stored credentials for TERMSRV/sql01.theitbros.com:

Target: termsrv/sql01.theitbros.com
Type: Generic
User: jbrown


Hint. All stored passwords in the Windows Credential Manager store are SHA encrypted with the current user’s login password.

Then you should check the following policies that may prevent Windows from saving passwords. To get the current GPO parameter settings on your computer, use the gpresult tool or rsop.msc.

  • Network access: Do not allow storage of passwords and credentials for network authentication (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options). Make sure this policy is disabled. This policy corresponds to the registry parameter DisableDomainCreds under the reg key HKLM\SYSTEM\CurrentControlSet\Control\Lsa\. Change its value from 1 to 0;
  • Deny delegating saved credentials (Computer Configuration > Administrative Templates > System > Credentials Delegation). Disable the policy. Check the value of the ConcatenateDefaults_DenySaved registry entry (HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation). Change the value to 0;
  • Do not allow passwords to be saved (Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client). Disable the policy.

Hope this was useful!

I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.
Cyril Kardashevsky

24 comments

  1. I have tried this on several computers, and it still will not let me save credentials. Anything else I should try?

    1. I had the same problem, but using these instructions went back in and also amended “Allow delegating saved credentials with NTLM-only server authentication.” and now it works :)

  2. I followed the instructions as well as editing the entry specified by Leroy Bagwell, but gpupdate /force fails because the computers I am doing this to are located in a remote office away from the domain controller, so I get an error about not having network connectivity to the domain controller. Is there any way around this?

  3. “Allow delegating saved credentials with NTLM-only server authentication.” works for me also

    thanks Leroy for comment on IT Brothers Post

    1. @ Dirk

      For Windows 10, this did not work. What did work was going to Credential Manager, deleting the entry from the section Windows Credentials and adding it to Generic Credentials.

      1. This is exactly what I needed to do, as well. If you’re part of a domain and the system you’re connecting to is not on the same domain (or not on a domain at all), then you have to go to the Credential Manager to remove the saved credentials from the Windows Credential group and manually add the credential to the Generic Credential group (confusingly, these are both located in the Windows tab).

        One other note: don’t forget to add TERMSRV/ before the address of the computer you’re trying to RDP to.

  4. The one I needed was ‘Allow delegating saved credentials with NTLM-only server authentication’.

    Windows 10, domain PC to non domain pc.

  5. If you are trying to make this work with saved credentials, then you need to update the GPO for SAVED CREDENTIALS, not DEFAULT.

  6. Did work for me at all. Instead I had to use the GP that says Allow delegating ***SAVED*** credentials with NTLM-only server authentication.

  7. I have this problem
    client is not on the domain (workgroup) windows 10
    client i try to connect to is on a domain. also a windows 10 machine

    still it does not save the password

  8. For those who are willing to add it directly to the registry, save the following content in a *.reg file, which I got by doing the modification manually and then searching the registry for TERMSRV:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation]
    "AllowDefCredentialsWhenNTLMOnly"=dword:00000001
    "ConcatenateDefaults_AllowDefNTLMOnly"=dword:00000001
    "AllowDefaultCredentials"=dword:00000001
    "ConcatenateDefaults_AllowDefault"=dword:00000001
    "AllowSavedCredentialsWhenNTLMOnly"=dword:00000001
    "ConcatenateDefaults_AllowSavedNTLMOnly"=dword:00000001
    "AllowSavedCredentials"=dword:00000001
    "ConcatenateDefaults_AllowSaved"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials]
    "1"="TERMSRV/*"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefCredentialsWhenNTLMOnly]
    "1"="TERMSRV/*"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowSavedCredentials]
    "1"="TERMSRV/*"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowSavedCredentialsWhenNTLMOnly]
    "1"="TERMSRV/*"

    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\CredentialsDelegation]
    "AllowDefCredentialsWhenNTLMOnly"=dword:00000001
    "ConcatenateDefaults_AllowDefNTLMOnly"=dword:00000001
    "AllowDefaultCredentials"=dword:00000001
    "ConcatenateDefaults_AllowDefault"=dword:00000001
    "AllowSavedCredentialsWhenNTLMOnly"=dword:00000001
    "ConcatenateDefaults_AllowSavedNTLMOnly"=dword:00000001
    "AllowSavedCredentials"=dword:00000001
    "ConcatenateDefaults_AllowSaved"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials]
    "1"="TERMSRV/*"

    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefCredentialsWhenNTLMOnly]
    "1"="TERMSRV/*"

    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\CredentialsDelegation\AllowSavedCredentials]
    "1"="TERMSRV/*"

    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\CredentialsDelegation\AllowSavedCredentialsWhenNTLMOnly]
    "1"="TERMSRV/*"

  9. Thanks a lot for pulling all RDP issues and their solution under one post. Thanks a lot :)
