
RDP to an Azure AD Joined Device

After setting up a local school's office to use Azure AD for user and device management, I was having trouble trying to RDP from one domain-joined machine to another.

Problem

Firing up a stock-standard RDP session:

(Screenshot: RDP start)

We get asked for login details, choose "other", and then have fun trying to get the login format right:

is it "[email protected]", or "AzureDomain\username"?

(Screenshot: RDP bad login)

The problem is that when the connection is initiated, RDP sets up the authentication between us and the remote host before the session is established, and somewhere in that step something goes screwy (technical term).

So how do we stop this setup from going off-track from the jump?

Solution

After seeing a few forum posts saying to add Azure AD users to the 'Remote Desktop Allowed' groups, and a fair bit of resignation to just using TeamViewer instead, I found the following hack/workaround:

  • Start an RDP session.
  • Enter the IP/hostname of the remote PC you want to connect to.
  • Click 'Save As' and save the *.rdp file somewhere.
  • Open the .rdp file you just saved with Notepad/Notepad++.
  • Add the following two lines at the bottom of the config:

```
enablecredsspsupport:i:0
authentication level:i:2
```

    The first line disables "use the Credential Security Support Provider (CredSSP) for authentication". The second sets the authentication level to 2 (with 0 the connection doesn't work; with 1 it shows you the remote PC's cert and then dies).
  • Save your .rdp file.
  • Double-click your .rdp file and you should get the following screens:

First connection: (Screenshot: RDP first login)

Remote PC shows us its cert: (Screenshot: RDP certificate prompt)

SUCCESS! (Screenshot: RDP login screen)
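To make the edit repeatable, here is an added Python example (not code from the original post) that parses the .rdp `key:type:value` format, sets the two lines from the steps above by replacing any existing copy rather than appending a duplicate (the full file in the appendix already carries an `authentication level` entry), and reports whether a file still has CredSSP on. `SAMPLE_RDP` is a constructed stand-in for a file saved by the Remote Desktop client.

```python
import re

# Constructed sample: a trimmed .rdp file as 'Save As' in the RDP client writes it.
SAMPLE_RDP = """screen mode id:i:2
full address:s:192.168.1.3
authentication level:i:2
prompt for credentials:i:0
negotiate security layer:i:1
"""

# Each .rdp line is <key>:<type>:<value>; type is i (int), s (string) or b (binary).
LINE_RE = re.compile(r"^(?P<key>[^:]+):(?P<type>[isb]):(?P<value>.*)$")


def parse_rdp(text):
    """Parse .rdp text into an ordered list of (key, type, value) tuples.
    Blank or malformed lines are dropped; duplicate keys are kept in file order."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["key"], m["type"], m["value"]))
    return entries


def set_setting(entries, key, typ, value):
    """Replace every existing copy of key (so the client never sees two values
    for it) and append the new one at the bottom, as the post does by hand."""
    kept = [e for e in entries if e[0] != key]
    kept.append((key, typ, value))
    return kept


def apply_workaround(text):
    """Apply the two settings from the post: CredSSP off, authentication level 2."""
    entries = parse_rdp(text)
    entries = set_setting(entries, "enablecredsspsupport", "i", "0")
    entries = set_setting(entries, "authentication level", "i", "2")
    return "\n".join(f"{k}:{t}:{v}" for k, t, v in entries) + "\n"


def credssp_enabled(text):
    """Defender check: True unless the file explicitly sets enablecredsspsupport:i:0.
    When the key is absent the client default is enabled, so a missing key counts as on."""
    values = {k: v for k, _, v in parse_rdp(text)}
    return values.get("enablecredsspsupport", "1") != "0"
```

Feed it the contents of a saved .rdp file and write the returned text back out; the check function is handy for auditing which saved connection files in a share have CredSSP turned off.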

Conclusion

The main takeaway here is to stop RDP from breaking the connection setup: setting enablecredsspsupport to 0 keeps the client from starting us down a bad authentication pathway, so it just gets out of the way and shows us the remote PC's login screen. The remote login screen understands the Azure AD authentication bits we're working with.

Troubleshooting

Make sure of the following on the remote PC: (Screenshot: RDP Settings)

  • Allow remote connections to this computer: CHECKED
  • Allow connections only from computers running Remote Desktop with Network Level Authentication: NOT CHECKED

Note that with Network Level Authentication unchecked the remote PC presents its logon screen to any client that can reach it on the RDP port before any credentials are checked, so keep this to machines that are only reachable on a trusted network.


Appendix

Full working RDP file used in this post:

Just change the IP in the `full address:s:192.168.1.3` line to the PC you want to connect to, copy and paste this into a text file, and save it with an .rdp extension.

```
screen mode id:i:2
use multimon:i:0
desktopwidth:i:1366
desktopheight:i:768
session bpp:i:32
winposstr:s:0,3,0,0,800,600
compression:i:1
keyboardhook:i:2
audiocapturemode:i:0
videoplaybackmode:i:1
connection type:i:7
networkautodetect:i:1
bandwidthautodetect:i:1
displayconnectionbar:i:1
enableworkspacereconnect:i:0
disable wallpaper:i:0
allow font smoothing:i:0
allow desktop composition:i:0
disable full window drag:i:1
disable menu anims:i:1
disable themes:i:0
disable cursor setting:i:0
bitmapcachepersistenable:i:1
full address:s:192.168.1.3
audiomode:i:0
redirectprinters:i:1
redirectcomports:i:0
redirectsmartcards:i:1
redirectclipboard:i:1
redirectposdevices:i:0
autoreconnection enabled:i:1
authentication level:i:2
prompt for credentials:i:0
negotiate security layer:i:1
remoteapplicationmode:i:0
alternate shell:s:
shell working directory:s:
gatewayhostname:s:
gatewayusagemethod:i:4
gatewaycredentialssource:i:4
gatewayprofileusagemethod:i:0
promptcredentialonce:i:0
gatewaybrokeringtype:i:0
use redirection server name:i:0
rdgiskdcproxy:i:0
kdcproxyname:s:
enablecredsspsupport:i:0
```