
I'm trying to configure a Windows Server 2012 R2 server which is joined to one domain but uses Kerberos auth from a different realm.

The Kerberos realm is 14 characters long (15 with the slash or at symbol), and by default the Windows Remote Desktop clients all remember the fact that they eventually connected to the shorter 4-character domain, so reconnections attempt to auth back to the domain (which doesn't do authentication, and no one has passwords on that domain; it's all passwords via Kerberos).

On Windows Server 2008 and 2008 R2 we were able to work around the problem by specifying the setting "Always use the following logon information" in the Remote Desktop Services configuration, specifying the domain as the 14-character Kerberos realm and leaving everything else blank.

Anyway, long story short, Remote Desktop Services in 2012 R2 (don't get me started on the whole "must be managed by this complicated role with gateways and brokers and other things configured, even for a single server" thing) doesn't seem to have this configuration option anywhere in it. I also can't seem to find an equivalent GPO.

So, any idea how we can save our users from either deleting the 4-character domain and typing out the 15 characters required to re-specify the Kerberos realm every single time they want to log in, or, worse, forgetting and constantly getting password auth errors without figuring out why?

Jon Marnock

1 Answer

Are you looking for Computer Configuration-> Administrative Templates-> System/Logon-> Assign a default domain for logon?

Frane Borozan
  • No, because that only provides a default if you're logging into the physical console. Remote Desktop largely ignores this value. – Jon Marnock Feb 05 '14 at 23:55
  • Turns out Windows changed something, so this started working. Additionally, anyone who has previously connected to that host using RDP prior to setting this policy has to go and delete a key in their registry (can't remember where, but I remember once I knew I had to do this it wasn't too hard to find) where Remote Desktop has cached the previous domain before it starts working. – Jon Marnock Jun 17 '14 at 02:02
  • Also, be aware that if the screen is locked due to screensaver or whatever, it'll default back to the domain rather than the realm. To work around that you need to tell Windows to not prompt for the current user when logging back in. Downside is you need to enter your username as well as password to reconnect from the lock screen to your session. Upside is it re-defaults back to the realm then, as per the policy above. – Jon Marnock Jun 17 '14 at 02:05
  • Oh yeah, the policy for that is: Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Local Policies \ Security Options -> Interactive Login: Display user information when session is locked -> Do not display user information. Combined with "Computer -> Administrative Templates -> System -> Logon -> Assign a default domain for logon" (the one Frane suggested) to get a workable system. – Jon Marnock Jun 17 '14 at 02:06
  • Thanks, @JonKloske. I just can't seem to find the local registry key I should remove for this to work. So if you'd be able to help me with that, a lot of gratitude will come your way. – Honoki Jun 17 '14 at 12:21
  • Pretty sure it was HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers - find the affected server and delete the whole subkey, from memory. As always, back up the registry first if you don't have backups of your system :D – Jon Marnock Jun 18 '14 at 01:39
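The cleanup described in the last comment, written out as an added PowerShell example (this is not code from the question, the answer or any of the commenters). It backs up the `Terminal Server Client\Servers` key named above, lists what mstsc has cached per host (the `UsernameHint` value is where the old `DOMAIN\user` sticks), deletes the subkey for the one affected host, and then reads back the `DefaultLogonDomain` value that the "Assign a default domain for logon" policy writes so you can confirm the policy landed. The `$ServerName` parameter and the backup path are placeholders you supply; run it in the affected user's own session, since the cache is per-user (HKCU).

```powershell
# Added example, not part of the original post. Forget the RDP client's cached logon
# domain for one host and confirm the default-logon-domain policy is present.
# $ServerName is a placeholder for the host whose cached entry should be removed.
param(
    [Parameter(Mandatory = $true)]
    [string]$ServerName,
    [string]$BackupPath = "$env:USERPROFILE\tsclient-servers-backup.reg"
)

$serversKey = 'HKCU:\Software\Microsoft\Terminal Server Client\Servers'

# 1. Back up the whole Servers key before changing anything, as the comment advises.
reg.exe export 'HKCU\Software\Microsoft\Terminal Server Client\Servers' $BackupPath /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry export failed; aborting without changes." }

# 2. Show what mstsc has cached: one subkey per host, UsernameHint holds the last
#    identity used (DOMAIN\user or user@REALM), which is what gets pre-filled on reconnect.
Get-ChildItem $serversKey -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        Host         = $_.PSChildName
        UsernameHint = (Get-ItemProperty $_.PSPath -Name UsernameHint -ErrorAction SilentlyContinue).UsernameHint
    }
} | Format-Table -AutoSize

# 3. Remove the cached entry for the affected host so the next connection follows policy.
$target = Join-Path $serversKey $ServerName
if (Test-Path $target) {
    Remove-Item $target -Recurse
    Write-Output "Removed cached RDP entry for $ServerName (backup: $BackupPath)."
} else {
    Write-Output "No cached entry for $ServerName under $serversKey."
}

# 4. Server-side check: the "Assign a default domain for logon" GPO writes the
#    DefaultLogonDomain string under Policies\System. Read it to confirm the policy applied.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$default = (Get-ItemProperty $policyKey -Name DefaultLogonDomain -ErrorAction SilentlyContinue).DefaultLogonDomain
if ($default) { Write-Output "DefaultLogonDomain policy = $default" }
else          { Write-Output "DefaultLogonDomain policy is not set on this machine." }
```

Step 4 only means anything when run on the terminal server itself; on a client it will simply report the policy as unset. If the export in step 1 fails, the script stops before deleting anything, so a user without a working backup never loses the cached entries.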