Open dave-pollock opened 2 weeks ago
Hi Dave,
Yes, the password prompting behavior has changed a bit in 2.42. When you don't have saved credentials, then prior versions of IAP Desktop showed a task dialog that let you choose "Connect without saved credentials" (don't remember the exact wording), and then IAP Desktop would just open the RDP connection. In most cases, that would then cause a password prompt to appear, with no option to save credentials.
Now the behavior is that IAP Desktop shows a password prompt with a "Remember me" checkbox to (optionally) save credentials, and it then passes those credentials to the RDP control. In most cases, the net effect is the same -- you see a password prompt -- but now it's easier to save credentials if you want to.
However, the new behavior is indeed not ideal when using that group policy that you're using. The RDP control considers the credentials gathered by IAP Desktop's credential prompt as "saved credentials" (even tough they're not really saved) and therefore rejects them.
I think the new behavior is better in most cases, but I figure it might make sense to introduce a "Don't even offer me to save credentials" setting for VMs that use this group policy.
Thanks for your response. Yes, some way to flag that credentials shouldn't be saved would be great for this use case.
Here's a (signed) installer package of the latest development build, 2.43.1612
. This build adds a new connection setting, Automatic logon:
If you set this to Disabled, then IAP Desktop...
Instead, it lets the RDP control handle all password prompting itself.
For VMs that use the Always prompt for password upon connection group policy, that means you should see a password prompt, but only once.
If you have the time, it would be great if you could give that a try and let me know if it works as expected.
When attempting to connect to the server, I see the credentials prompt as expected. The correct username and password are manually entered. I then get the following error:
I then re-enter the same credentials again and am able to successfully sign in.
It seems like the server thinks that IAP Desktop is using saved credentials on the first sign-in attempt, even though it is not.