Disable AAF for specific remote desktop session

  • 7023830
  • 19-Apr-2019
  • 24-May-2019

Environment

Advanced Authentication 6.x
AAF Windows client 6.x

Situation

Users can't connect with RDP to a different domain when the AAF Windows Client 6.x is installed.

An "invalid credentials" error is shown when attempting an RDP session to a host that is not in the Advanced Authentication repository.

The customer has their own production domain. Users log in to their desktops through AAF via the Windows logon with password and token. This all works as expected.

They also have other RDP hosts that they access. The accounts used on those remote computers are not part of the customer's domain but of the remote domain.

So the users log in to their workstation as domain1\userx, and when they start the remote session they specify domain2\usery.

When the AAF client intercepts the RDP session it attempts to log in with the domain1\userx account instead of the credentials that were entered for the RDP session.

In the case of domain2 they are prompted for the password of the account builtin/builtin.

They click the <- (back) arrow and then enter the proper name again, domain2\usery.

Now it attempts the connection but fails.

Resolution

Create a shortcut (a saved .rdp file) that disables AAF for the specific RDP connection.

Open Remote Desktop Connection (mstsc.exe).

Click the Show Options button in the bottom left of the Remote Desktop Connection window.
Configure the RDP session to connect to the desired computer.
Click Save or Save As and create an RDP file for this host.

Now edit the newly created RDP file with a text editor and add the following line at the bottom of the file:
enablecredsspsupport:i:0

If the file already contains an enablecredsspsupport line (mstsc.exe usually saves one with the value 1), change its value to 0 instead of adding a second line.

With this line in place mstsc.exe does not use CredSSP (Network Level Authentication) for this connection, so it does not call the AAF Windows Client when accessing the specified host; the user is instead authenticated at the remote host's own Windows logon screen with the credentials typed there. Note that the remote host must accept connections from clients without Network Level Authentication: if its Remote Desktop settings allow only NLA connections, the connection is rejected. The AAF client remains active for the local workstation logon and for every other RDP connection.
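The same change as an added PowerShell example that is not part of this article and not NetIQ/Micro Focus code: the first function applies enablecredsspsupport:i:0 to an .rdp file saved from mstsc.exe, replacing an existing enablecredsspsupport line rather than appending a conflicting duplicate; the second creates a minimal .rdp file for a remote-domain account without the GUI steps. The function names, file paths, host name and user name are illustrative assumptions; the .rdp keys used (full address, username, enablecredsspsupport) are standard mstsc.exe settings.

```powershell
# Added example (not from the original KB article). Function names, paths and
# the host/user values are assumptions for illustration.

function Set-RdpCredSspSupport {
    <#
      Set enablecredsspsupport in an existing .rdp file. A value of 0 disables
      CredSSP (Network Level Authentication) for that one connection, which is
      what keeps mstsc.exe from invoking the AAF Windows Client credential
      provider for it.
    #>
    param(
        [Parameter(Mandatory)] [string] $Path,       # saved .rdp file
        [ValidateSet(0, 1)]    [int]    $Enabled = 0 # 0 = no CredSSP for this host
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "RDP file not found: $Path" }

    $setting = "enablecredsspsupport:i:$Enabled"
    $found   = $false

    # Files saved by mstsc.exe normally already carry enablecredsspsupport:i:1,
    # so replace that line in place rather than appending a second copy at the
    # bottom; append only when the key is absent. (-match is case-insensitive.)
    $lines = @(foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*enablecredsspsupport:i:\d+\s*$') { $found = $true; $setting }
        else { $line }
    })
    if (-not $found) { $lines += $setting }

    # mstsc.exe saves .rdp files as UTF-16 LE ("Unicode"); write it back the same way.
    Set-Content -LiteralPath $Path -Value $lines -Encoding Unicode
    return $setting
}

function New-RdpFileWithoutCredSsp {
    <#
      Create a minimal .rdp file for one host: the user name is pre-filled so
      the remote-domain account is offered, and CredSSP is off so the logon
      happens on the remote host's own logon screen instead of through the
      local credential providers.
    #>
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ComputerName,  # e.g. rdphost.domain2.example (assumed)
        [Parameter(Mandatory)] [string] $UserName       # e.g. domain2\usery (assumed)
    )
    $content = @(
        "full address:s:$ComputerName"
        "username:s:$UserName"
        "enablecredsspsupport:i:0"
    )
    Set-Content -LiteralPath $Path -Value $content -Encoding Unicode
    return $Path
}

# Usage (assumed paths and names):
#   Set-RdpCredSspSupport -Path "$HOME\Documents\domain2-host.rdp"
#   New-RdpFileWithoutCredSsp -Path "$env:TEMP\domain2-host.rdp" `
#       -ComputerName 'rdphost.domain2.example' -UserName 'domain2\usery'
#   Start-Process mstsc.exe -ArgumentList "`"$env:TEMP\domain2-host.rdp`""
```

Before rolling this out, check the remote host's Remote Desktop settings: a host configured to allow only Network Level Authentication connections will refuse a client that has CredSSP disabled, and the .rdp file changes nothing on the server side. The edit affects only the one file; the AAF Windows Client still protects the local logon and all other RDP connections.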

Cause

By default the AAF Windows Client is installed as a Windows credential provider. When mstsc.exe uses CredSSP (Network Level Authentication), it collects the credentials for the connection through the installed Windows credential providers, so the AAF client is called for the RDP session as well. Setting enablecredsspsupport:i:0 in the .rdp file turns CredSSP off for that connection, so the credential providers, and with them the AAF client, are not involved.
For more information see this document from Microsoft: