AuthenticationLevelOverride

yfki

if you don't like that rdp prompt...

Original article: 'Vista and RDP6.0's Remote Desktop Prompt -
Scott Forsyth's WebLog'
(http://weblogs.asp.net/owscott/arch...Prompt.aspx?CommentPosted=true#commentmessage)

I use Remote Desktop Client dozens of times per day to administer
remote servers. With Windows Vista, I get an ugly prompt when
connecting to Windows Server 2003 and Windows 2000 Server machines
saying:

Remote Desktop cannot verify the identity of the computer you want to
connect to. This problem can occur if:

1) The remote computer is running a version of Windows that is earlier
than Windows Vista.
2) The remote computer is configured to support only the RDP security
layer.

Contact your network administrator or the owner of the remote computer
for assistance.

Do you want to connect anyway?

I know that the remote server is good, it's in a memorized list of
servers. But it is Windows Server 2003 or Windows 2000 Server.
Although the prompt is correct, I don't want to have to acknowledge that
prompt over and over again.

Note: (added later) The obvious answer that I was alerted to from a
comment from Blandname is to do this per session: click on the advanced
tab in the Remote Desktop Connection tool and change the Authentication
options to "Always connect, even if authentication fails". If you
create your own RDP file, you can set it with "authentication
level:i:0".

If you want to set this at the server level or find out more about this
setting, read on.

I did some digging using Process Monitor from 'Microsoft TechNet:
Windows Sysinternals' (http://www.sysinternals.com) (recently acquired
by Microsoft) and found that the mstsc process was checking for some
particular keys in the registry. Two of them seemed possible candidates
and after testing I confirmed that AuthenticationLevelOverride is the
key that applies to this situation.

The registry key is a DWORD value at
\\HKCU\Software\Microsoft\Terminal Server Client\AuthenticationLevelOverride

I googled on AuthenticationLevelOverride and couldn't find very much
information. But one article had a fair bit of information: 'How to
configure a Windows Server 2003 terminal server to use TLS for server
authentication' (http://support.microsoft.com/kb/895433). Here are the
3 possible values, at least in Windows Server 2003:

Set the authentication level value to one of the following values:
• 0 This value corresponds to "No authentication."
• 1 This value corresponds to "Require authentication."
• 2 This value corresponds to "Attempt authentication."

I experimented and found that 2 is the default now. I tested the 3
modes and found that:

0 -> Doesn't prompt. Yah!
1 -> Gives a similar message but doesn't allow me to continue. This is
the strictest.
2 -> Gives the message but allows me to accept and continue.

In my case, I don't even want the prompt so I set
AuthenticationLevelOverride to 0 and I'm able to log into my Remote
Desktop sessions without that extra prompt.

Warning: this is a decrease in security so should only be changed if
you are aware of the what and why of this change.

In summary, if you want to remove the Authentication check on Windows
Vista that prompts you every time you connect to a pre-Vista machine,
add a DWORD registry entry called AuthenticationLevelOverride in the
\\HKLM\Software\Microsoft\Terminal Server Client\ key and ensure that
its value is set to 0.


--
yfki
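
An added example, not part of the original post or article: a PowerShell audit that reports AuthenticationLevelOverride in both registry hives named in the post, plus the "authentication level:i:N" line in saved .rdp files, and marks level 0. The function names and the Documents search folder are assumptions.

```powershell
# Added audit example, not from the original article.
# Value meanings are the ones listed in the post (0, 1, 2).
$Meaning = @{
    0 = 'No authentication: connects with no prompt'
    1 = 'Require authentication: refuses to connect on failure'
    2 = 'Attempt authentication: prompts, user may continue'
}

function New-Finding([string]$Source, [int]$Level) {
    $text = 'Unknown value'
    if ($Meaning.ContainsKey($Level)) { $text = $Meaning[$Level] }
    [pscustomobject]@{
        Source   = $Source
        Level    = $Level
        Meaning  = $text
        Weakened = ($Level -eq 0)   # 0 = no server authentication, no prompt
    }
}

function Get-RdpAuthOverride {
    # The post names HKCU in one place and HKLM in another, so check both.
    foreach ($key in 'HKCU:\Software\Microsoft\Terminal Server Client',
                     'HKLM:\Software\Microsoft\Terminal Server Client') {
        $p = Get-ItemProperty -Path $key -Name AuthenticationLevelOverride -ErrorAction SilentlyContinue
        if ($null -ne $p) {
            New-Finding "$key\AuthenticationLevelOverride" $p.AuthenticationLevelOverride
        }
    }
}

function Get-RdpFileAuthLevel([string]$Folder) {
    # Per-connection equivalent: the "authentication level:i:N" line in .rdp files.
    Get-ChildItem -Path $Folder -Filter *.rdp -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            foreach ($line in Get-Content -LiteralPath $file) {
                if ($line -match '^\s*authentication level:i:(\d+)\s*$') {
                    New-Finding $file ([int]$Matches[1])
                }
            }
        }
}

# Report every place where the level is set, weakened entries first.
$folder = Join-Path $env:USERPROFILE 'Documents'   # assumed location of saved .rdp files
@(Get-RdpAuthOverride) + @(Get-RdpFileAuthLevel $folder) |
    Sort-Object Weakened -Descending | Format-Table -AutoSize
```

An empty result means neither the registry value nor a per-file setting is present in the places checked.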
 