Error: "The credentials that were used to connect did not work. Please enter new credentials."

  • 7023947
  • 14-Jun-2019
  • 14-Jun-2019

Environment

Client for Open Enterprise Server 2
Novell ZENworks Configuration Management DLU Policies
Windows 10

Situation

Unable to log in via Remote Desktop Connection on the first attempt, with DLU enabled.

On a user's first login to a remote Windows 10 machine via RDP using Remote Desktop Connection, the login does not complete, and the user is returned to the local machine's desktop.

If the user has previously logged in locally on the remote machine, subsequent login attempts succeed.

ZENworks Dynamic Local User (DLU) policy is in place, without volatile user enabled.

Resolution

1. Turn off "Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)" in the Remote Desktop settings of the target Windows 10 machine. With this setting off, the target Windows 10 machine does not require Windows credentials for NLA, regardless of whether credentials would also have been required for RDP.

2. Set the "RDP Security" configuration (which defaults to non-RDP-based security) for the terminal connection to "RDP".  In order to allow the Remote Desktop Connection client to make a connection without providing any credentials, the target Windows 10 machine must have this policy set to "RDP" rather than TLS/SSL.

This policy is located in GPEDIT under "Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security".  The "Require use of specific security layer for remote (RDP) connections" policy there needs to be enabled and set to "Security Layer: RDP".

With this configuration, a user who does not enter any credentials before making the terminal connection attempt receives the full credential provider login experience within the terminal session, the same as at the physical console of the Windows 10 target machine.

This in turn allows the user to perform the eDirectory login first through the Client for Open Enterprise Server credential provider; only after that are the ZENworks DLU and Windows authentication credentials created or needed during the Remote Desktop Connection attempt.
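
The following PowerShell check is an added example, not part of the original article. It reports the effective NLA and security-layer settings on a target machine so that hosts carrying the relaxed configuration from steps 1 and 2 can be verified and inventoried. It assumes the standard Windows registry locations for these settings (the `UserAuthentication` and `SecurityLayer` values under the policy key and the RDP-Tcp listener key), which the article itself does not name.

```powershell
# Added example: report effective NLA / RDP security-layer settings.
# Registry locations are the standard Windows ones (not named in the article).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-EffectiveRdpSetting {
    param([Parameter(Mandatory)][string]$Name)
    # A value delivered by Group Policy takes precedence over the listener's own value.
    foreach ($key in @($policyKey, $localKey)) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Value = [int]($item.$Name); Source = $key }
        }
    }
    return [pscustomobject]@{ Value = $null; Source = 'not set' }
}

# SecurityLayer values: 0 = RDP, 1 = Negotiate, 2 = SSL (TLS)
$layerNames = @{ 0 = 'RDP'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }

$nla   = Get-EffectiveRdpSetting -Name 'UserAuthentication'
$layer = Get-EffectiveRdpSetting -Name 'SecurityLayer'

$layerText = 'unknown'
if ($null -ne $layer.Value -and $layerNames.ContainsKey($layer.Value)) {
    $layerText = $layerNames[$layer.Value]
}

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    NlaRequired     = ($nla.Value -eq 1)      # step 1 expects False
    NlaSource       = $nla.Source
    SecurityLayer   = $layerText              # step 2 expects RDP
    LayerSource     = $layer.Source
    # True only when both settings match the resolution described above
    MatchesArticle  = ($null -ne $nla.Value) -and ($nla.Value -ne 1) -and ($layer.Value -eq 0)
}
```

Run it in an elevated PowerShell session on the target machine; a `Source` under the Policies key means the value is being enforced by Group Policy rather than set locally.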