GoogleCloudPlatform / iap-desktop

IAP Desktop is a Windows application that provides zero-trust Remote Desktop and SSH access to Linux and Windows VMs on Google Cloud.
Apache License 2.0

Windows Server thinks credentials are saved even though they're not #1501

Open dave-pollock opened 2 weeks ago

dave-pollock commented 2 weeks ago

When attempting to connect to the server, I see the credentials prompt as expected. The correct username and password are manually entered. I then get the following error:

Your server's authentication policy does not allow connection requests using saved credentials. Please enter new credentials.

I then re-enter the same credentials again and am able to successfully sign in.

It seems like the server thinks that IAP Desktop is using saved credentials on the first sign-in attempt, even though it is not.

jpassing commented 2 weeks ago

Hi Dave,

Yes, the password prompting behavior has changed a bit in 2.42. When you don't have saved credentials, then prior versions of IAP Desktop showed a task dialog that let you choose "Connect without saved credentials" (don't remember the exact wording), and then IAP Desktop would just open the RDP connection. In most cases, that would then cause a password prompt to appear, with no option to save credentials.

Now the behavior is that IAP Desktop shows a password prompt with a "Remember me" checkbox to (optionally) save credentials, and it then passes those credentials to the RDP control. In most cases, the net effect is the same -- you see a password prompt -- but now it's easier to save credentials if you want to.

However, the new behavior is indeed not ideal when using that group policy that you're using. The RDP control considers the credentials gathered by IAP Desktop's credential prompt as "saved credentials" (even though they're not really saved) and therefore rejects them.

I think the new behavior is better in most cases, but I figure it might make sense to introduce a "Don't even offer me to save credentials" setting for VMs that use this group policy.

dave-pollock commented 2 weeks ago

Thanks for your response. Yes, some way to flag that credentials shouldn't be saved would be great for this use case.

jpassing commented 23 hours ago

Here's a (signed) installer package of the latest development build, 2.43.1612. This build adds a new connection setting, Automatic logon:

image

If you set this to Disabled, then IAP Desktop...

Instead, it lets the RDP control handle all password prompting itself.

For VMs that use the Always prompt for password upon connection group policy, that means you should see a password prompt, but only once.

If you have the time, it would be great if you could give that a try and let me know if it works as expected.
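Added example, not part of the issue thread or of IAP Desktop's own code: a PowerShell check, run on the Windows VM, that tells you whether the "Always prompt for password upon connection" policy discussed above is in force, which is the case in which the Automatic logon setting matters. It assumes the policy is stored as the DWORD `fPromptForPassword` under the Terminal Services policy key (standard Windows behavior, not something this page documents).

```powershell
# Added example: detect whether the "Always prompt for password upon connection"
# group policy is enforced on this VM. Assumption: the policy is backed by the
# DWORD fPromptForPassword under the Terminal Services policy key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$valueName = 'fPromptForPassword'

function Get-PromptForPasswordPolicy {
    # Returns Configured=$false when the policy has never been set; otherwise
    # reports whether it is enabled (1) or explicitly disabled (0).
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Configured = $false; Enabled = $false }
    }
    return [pscustomobject]@{ Configured = $true; Enabled = ($item.$valueName -eq 1) }
}

$state = Get-PromptForPasswordPolicy
if ($state.Enabled) {
    Write-Output 'Policy enforced: the server rejects credentials the RDP client hands it as "saved".'
    Write-Output 'Expect one prompt from the RDP control; in IAP Desktop 2.43+, set the VM connection setting Automatic logon to Disabled to avoid a second prompt.'
} elseif ($state.Configured) {
    Write-Output 'Policy explicitly disabled (value 0): credentials supplied by the client are accepted.'
} else {
    Write-Output 'Policy not configured: the local Remote Desktop Session Host default applies.'
}
```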