Where are remote desktop credentials stored?

Remote Desktop Protocol, or just RDP, is a special network protocol which allows a user to establish a connection between two computers and access the Desktop of a remote host. It is used by Remote Desktop Connection. The local computer is often referred to as the "client". In this article, we'll see how to remove saved credentials for an RDP connection in Windows 10.

Before we continue, here are some details about how RDP works. While any edition of Windows 10 can act as the Remote Desktop Client, to host a remote session, you need to be running Windows 10 Pro or Enterprise. You can connect to a Windows 10 Remote Desktop host from another PC running Windows 10, or from an earlier Windows version like Windows 7 or Windows 8.1, or Linux. Windows 10 comes with both client and server software out-of-the-box, so you don't need any extra software installed. I will use Windows 10 "Fall Creators Update" version 1709 as the Remote Desktop client.

If you enabled the option Allow me to save credentials in the Remote Desktop client app, you will be prompted to save the password.

The next time you connect to the same remote PC, you will be logged in automatically. Windows will store your credentials for the remote host. Here is how to delete them.

To remove the saved RDP credentials in Windows 10, do the following.

  1. Run the Remote Desktop app [mstsc.exe].
  2. Select the computer you want to delete the saved credentials for.
  3. Click on the delete link below the drop-down list.

This will remove your saved credentials. In the screenshot above, the credentials will be removed for the computer with the address 192.168.2.93.

Alternatively, you can use the Credential Manager applet of the classic Control Panel. Let's review how it can be done.

Delete the Saved RDP Credentials using Credential Manager

  1. Open the Control Panel.
  2. Go to Control Panel\User Accounts\Credential Manager.
  3. Click on the Windows Credentials icon.
  4. Under the Windows Credentials section, click on the TERMSRV entry related to the desired remote host and click the link Remove.

That's it.


OlenMatronov-3552 asked Nov 11, '20 | DeepakRao-7832 answered Dec 15, '21

I made a mistake - deleted a freshly created password on my RDP, but I saved it in the Microsoft Remote Desktop and can log in to my RDP. How can I see the password in the soft? If I go to "Preferences" then "User account" I see only bold points and can't see the password.

I use macOS.


  • Article
  • 09/24/2021

This article provides a workaround for the issue in which Remote Desktop Connection 6.0 prompts you for credentials before you establish a remote desktop connection.

Applies to:   Windows Server 2012 R2
Original KB number:   941641

Symptoms

After you install the Remote Desktop Connection 6.0 client update [update 925876], you may experience one or more of the following symptoms:

  • Remote Desktop Connection 6.0 prompts you for credentials before you establish a remote desktop connection.
  • Remote Desktop Connection 6.0 prompts you to accept the identity of the server if the identity of the server cannot be verified.
  • You may be unable to use a smart card to log on to Remote Desktop Connection 6.0, even though you could use a smart card to log on to Remote Desktop Connection 5.x.

For more information about the Remote Desktop Connection 6.0 client update, click the following article number to view the article in the Microsoft Knowledge Base:

925876 Remote Desktop Connection [Terminal Services Client 6.0]

Workaround

To work around this problem, turn off the new features in Remote Desktop Connection 6.0 to revert to the features in Remote Desktop Connection 5.x. To implement this workaround, follow these steps:

  1. Click Start, click Run, type mstsc.exe, and then click OK.

  2. Click Options, and then click the General tab.

  3. Click Save As, and then type a file name in the File name box.

  4. Select the location where you want to save the remote desktop file, click Save, and then click Cancel.

    Note

    The saved file has the .rdp file name extension.

  5. Click Start, click Run, type notepad, and then click OK.

  6. On the File menu, click Open.

  7. In the Files of type list, click All Files.

  8. In the Look in list, locate and then click the file that you saved in step 4. Then, click Open.

  9. Locate the line that resembles the following: authentication level:i:n

    Note

    The n placeholder represents the current authentication level.

  10. Change the authentication level to 0 so that the line becomes:
    authentication level:i:0

    Note

    When you set the authentication level to 0, RDP 6.0 does not check for server authentication.

  11. Add the following line to the end of the file:
    enablecredsspsupport:i:0

    Note

    When this line is present, you do not have to provide credentials before you establish a remote desktop connection.

  12. On the File menu, click Save.

To connect by using Remote Desktop Connection, run the file that you saved in step 12.

Note

After you follow these steps, the new security features that Remote Desktop Connection 6.0 provides are removed. Additionally, Remote Desktop Connection 6.0 becomes incompatible with Windows Vista-based computers that have the Allow connections only from computers running Remote Desktop with Network Level Authentication option enabled in the system properties.
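Because steps 10 and 11 switch off server authentication and CredSSP, saved connection files can be checked for those two values. The PowerShell below is an added example, not part of the original article; the function name Test-RdpFileSecurity, the sample lines and the Documents folder path are assumptions.

```powershell
# Added example: report .rdp settings that match the workaround above.
function Test-RdpFileSecurity {
    param(
        [string[]] $Lines = @(),        # content of an .rdp file, one setting per line
        [string]   $Source = '(inline)' # label shown in the report
    )
    # The two values set in steps 10 and 11 and what each one turns off.
    $risky = @{
        'authentication level' = @{ Value = '0'; Why = 'server authentication is not checked' }
        'enablecredsspsupport' = @{ Value = '0'; Why = 'CredSSP is off; hosts that require NLA will refuse the connection' }
    }
    foreach ($line in $Lines) {
        # .rdp settings have the form name:type:value, e.g. authentication level:i:0
        if ($line -match '^\s*([^:]+):([a-z]):(.*)$') {
            $name  = $Matches[1].Trim().ToLowerInvariant()
            $type  = $Matches[2]
            $value = $Matches[3].Trim()
            if ($risky.ContainsKey($name) -and $value -eq $risky[$name].Value) {
                [pscustomobject]@{
                    Source  = $Source
                    Setting = "${name}:${type}:${value}"
                    Finding = $risky[$name].Why
                }
            }
        }
    }
}

# Constructed sample: a file as it looks after steps 10 and 11.
$sample = @(
    'full address:s:server1'
    'authentication level:i:0'
    ''
    'enablecredsspsupport:i:0'
)
Test-RdpFileSecurity -Lines $sample -Source 'sample.rdp' | Format-Table -AutoSize

# Sweep saved connection files under the user's Documents folder (assumed location).
Get-ChildItem -Path "$env:USERPROFILE\Documents" -Filter *.rdp -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        Test-RdpFileSecurity -Lines @(Get-Content -LiteralPath $_.FullName) -Source $_.FullName
    }
```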

The built-in Windows Remote Desktop client [mstsc.exe] allows you to save the username and password used to connect to the remote computer. With saved RDP credentials, the user doesn’t need to enter the password each time they connect to the Remote Desktop. In this article, we will look at how to configure saved credentials for your RDP connections in Windows 10 and Windows Server 2012 R2/2016, and what to do if passwords are not saved in spite of all settings [the remote system prompts you for the password each time].

RDP Saved Credentials Delegation via Group Policy

By default, Windows allows users to save their passwords for RDP connections. To do it, a user must enter the name of the RDP computer, the username and check the box “Allow me to save credentials” in the RDP client window. After a user has clicked the “Connect” button, the RDP server asks for the password and the computer saves it to Windows Credential Manager [not to the .RDP file].

As a result, the next time you connect to an RDP server using the same username, the password will be automatically taken from the Credential Manager and used for RDP authentication.

As you can see, if there is a saved password for this computer, the following message appears in the RDP client window:

Saved credentials will be used to connect to this computer. You can edit or delete these credentials.

If you connect from a domain computer to a computer/server in another domain or a workgroup, by default Windows doesn’t allow a user to use saved credentials for the RDP connection. Even though the RDP connection password is saved in the Credential Manager, the system won’t use it and requires the user to enter the password. Also, Windows prevents you from using the saved RDP password if you connect with your local account instead of your domain one.

In this case, if you try to connect using the saved RDP password, this error message appears:

Your credentials did not work
Your system administrator does not allow the use of saved credentials to log on to the remote computer CompName because its identity is not fully verified. Please enter new credentials.

Windows considers the connection insecure, since there is no trust between this computer and the remote computer in another domain [or a workgroup].

You can change these settings on the computer from which you are trying to establish the RDP connection:

  1. Open the Local Group Policy Editor by pressing Win + R -> gpedit.msc;
  2. In the GPO editor, go to Computer Configuration –> Administrative Templates –> System –> Credentials Delegation. Find the policy named Allow delegating saved credentials with NTLM-only server authentication;
  3. Double-click the policy. Enable it and click Show;
  4. Specify the list of remote computers [servers] that are allowed to use saved credentials when accessed over RDP. The list of remote computers must be specified in the following format:
    • TERMSRV/server1 — allow saved credentials to be used to access a specific computer/server over RDP;
    • TERMSRV/*.woshub.com — allow RDP connections with saved credentials to all computers in the woshub.com domain;
    • TERMSRV/* — allow a saved password to be used to connect to any remote computer.
  5. Save the changes and update GPO settings using this command: gpupdate /force

Now, when connecting using RDP, the mstsc client will be able to use your saved credentials.

The Local Group Policy Editor changes the RDP saved credentials policy only on the local computer. If you want to apply these settings to multiple computers in the domain, use a domain GPO configured in the gpmc.msc [Group Policy Management] console.
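How wide the server list from step 4 is decides which hosts may receive a saved password, so it is worth reviewing after the policy is applied. The PowerShell below is an added example, not part of the original article; the function name Test-SavedCredDelegationList is an assumption, and the registry path is where this policy's server list is stored on the local machine.

```powershell
# Added example: classify entries of the "Allow delegating saved credentials
# with NTLM-only server authentication" server list by how many hosts they cover.
function Test-SavedCredDelegationList {
    param([string[]] $Entries = @())
    foreach ($e in $Entries) {
        $spn = $e.Trim()
        $scope = switch -Regex ($spn) {
            '^TERMSRV/\*$'    { 'any host'; break }
            '^TERMSRV/\*\.'   { 'whole DNS suffix'; break }
            '^TERMSRV/[^*]+$' { 'single host'; break }
            default           { 'not a TERMSRV entry' }
        }
        [pscustomobject]@{
            Entry  = $spn
            Scope  = $scope
            # Wildcard entries cover hosts nobody listed by name; review them first.
            Review = ($scope -in @('any host', 'whole DNS suffix'))
        }
    }
}

# The three formats shown in step 4, used here as sample input.
Test-SavedCredDelegationList -Entries 'TERMSRV/server1', 'TERMSRV/*.woshub.com', 'TERMSRV/*' |
    Format-Table -AutoSize

# Read the list that Group Policy actually wrote on this computer.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowSavedCredentialsWhenNTLMOnly'
if (Test-Path -Path $key) {
    $props = Get-ItemProperty -Path $key
    # List entries are stored as string values named 1, 2, 3, ...
    $entries = $props.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { [string] $_.Value }
    Test-SavedCredDelegationList -Entries $entries | Format-Table -AutoSize
} else {
    'Policy server list is not configured on this computer.'
}
```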

Windows is not saving RDP credentials

If you have configured Windows following the instructions above, but your RDP client prompts you to enter your password each time you try to connect, it is worth checking the following:

  1. Click “Show Options” in the RDP connection window and make sure that “Always ask for credentials” option is not checked;
  2. If you are using the saved .RDP file for connection, make sure that the value of ‘prompt for credentials’ parameter is 0 [prompt for credentials:i:0];
  3. Open the GPO Editor [gpedit.msc] and go to Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Connection Client. ‘Do not allow passwords to be saved’ must be either not set or disabled. Also make sure that this policy setting is disabled in the resulting Group Policy on your computer [you can create an HTML report with the applied GPO settings using the gpresult command];
  4. Delete all saved passwords from the Credential Manager. Type control userpasswords2 and in the User Accounts window go to the Advanced tab and click Manage Passwords;
  5. In the next window select Windows Credentials. Find all saved RDP passwords and delete them [they start with TERMSRV/…].
  6. You won’t be able to log on with the saved RDP credentials if the remote server has not been updated for a long time; when trying to connect to it, you will see the error CredSSP encryption oracle remediation.

After that, users will be able to use their saved passwords for RDP connections.
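The Credential Manager steps, both here and in the earlier section on deleting saved RDP credentials, can also be done from a PowerShell prompt with the built-in cmdkey tool. This is an added example, not part of the original articles; the function names and the sample output lines are assumptions constructed for illustration.

```powershell
# Added example: list and remove saved RDP (TERMSRV) credentials with cmdkey.
function Get-SavedRdpTarget {
    # By default parse live `cmdkey /list` output; accept text for offline use.
    param([string[]] $CmdkeyOutput = (cmdkey /list))
    foreach ($line in $CmdkeyOutput) {
        # Match the target name itself so localized labels do not matter.
        if ($line -match '(TERMSRV/\S+)') { $Matches[1] }
    }
}

function Remove-SavedRdpCredential {
    [CmdletBinding(SupportsShouldProcess)]
    param([string] $HostName)   # omit to remove every TERMSRV entry
    $targets = @(Get-SavedRdpTarget | Sort-Object -Unique)
    if ($HostName) {
        $targets = @($targets | Where-Object { $_ -ieq "TERMSRV/$HostName" })
    }
    foreach ($t in $targets) {
        if ($PSCmdlet.ShouldProcess($t, 'Delete saved credential')) {
            cmdkey "/delete:$t" | Out-Null
        }
    }
}

# Constructed sample of `cmdkey /list` output, parsed without touching the vault.
$sample = @(
    'Currently stored credentials:'
    ''
    '    Target: Domain:target=TERMSRV/192.168.2.93'
    '    Type: Domain Password'
    '    User: EXAMPLE\user1'
    ''
    '    Target: LegacyGeneric:target=git:https://example.com'
    '    Type: Generic'
)
Get-SavedRdpTarget -CmdkeyOutput $sample

# Preview what would be deleted for one host; drop -WhatIf to delete it.
Remove-SavedRdpCredential -HostName '192.168.2.93' -WhatIf
```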
