Fixing Windows RDP Saved Credentials Rejection for EC2 Instances (NTLM/Authentication Issues)

When connecting to Windows Server 2012 R2 EC2 instances via RDP, many administrators encounter a frustrating behavior: despite having saved credentials in Windows Credential Manager, the connection requires manual password entry every time. The system briefly attempts authentication (visible in the connection dialog) before failing with generic "Your credentials did not work" and "The logon attempt failed" messages.

After troubleshooting numerous EC2 environments, I've identified these common culprits:

  • NTLM authentication policy mismatches between client and server
  • Credential Manager storing credentials in the wrong vault
  • Group Policy restrictions on credential delegation
  • EC2 instance security policies interfering with saved credentials

Solution 1: Force Credential Storage in Windows Vault
Run this command (cmdkey is a built-in Windows utility, usable from PowerShell or cmd) so the credential is stored under the TERMSRV/ target that mstsc looks up. The host part must match exactly what you type into the RDP client (public DNS name versus IP address), otherwise the lookup misses and you are prompted again:

cmdkey /generic:TERMSRV/your-ec2-public-dns /user:Administrator /pass:yourPassword

Solution 2: Modify Local Group Policy
Enable these specific settings:

Computer Configuration → Administrative Templates → System → Credentials Delegation
1. Enable "Allow Delegating Saved Credentials with NTLM-only Server Authentication"
2. Add "TERMSRV/*" to the server list

For AWS environments, additional steps are often needed:

# EC2 user data example (EC2Config/EC2Launch): <persist>true</persist> re-runs the
# script on every boot, <script> runs its body as a batch script
$userData = @"
<persist>true</persist>
<script>
    schtasks /Change /TN "Microsoft\Windows\RemoteDesktop\RemoteDesktopAutoUpdate" /DISABLE
</script>
"@

Enable these event logs to pinpoint the exact failure point:

# Client-side logging
wevtutil sl Microsoft-Windows-TerminalServices-RDPClient/Operational /e:true
wevtutil sl Microsoft-Windows-TerminalServices-RDPClient/Admin /e:true

# Server-side: enable the CredSSP server role on the instance (via SSM Run Command;
# replace the instance ID with your own)
aws ssm send-command --document-name "AWS-RunPowerShellScript" --parameters commands='Enable-WSManCredSSP -Role Server -Force' --instance-ids i-1234567890abcdef0

When RDP credential caching proves stubborn, consider these workarounds:

# PowerShell Remoting with persisted sessions
$sessionOption = New-PSSessionOption -OutputBufferingMode Drop
Enter-PSSession -ComputerName ec2-instance -Credential (Get-Credential) -SessionOption $sessionOption -Authentication Negotiate

# RDP file with alternate credential handling
redirectclipboard:i:1
redirectprinters:i:0
devicestoredirect:s:*
drivestoredirect:s:*
credentialssource:i:1

When connecting to a Windows Server 2012 R2 EC2 instance via RDP, you'd expect saved credentials to work seamlessly. However, many administrators encounter this frustrating scenario:

  1. Credentials save successfully in Credential Manager
  2. The correct username auto-populates in the RDP dialog
  3. Brief authentication attempt occurs
  4. "Your credentials did not work" error appears
  5. Manually entering the same password works

The root cause typically stems from one of these technical factors:

1. NTLM vs. Kerberos authentication mismatch
2. CredSSP protocol restrictions
3. Group Policy settings interfering with credential delegation
4. Incorrect credential storage format in Windows Vault

Solution 1: Registry Fix for CredSSP

Run this PowerShell command on the client machine from an elevated session. Note that value 2 ("Vulnerable") switches off the CredSSP encryption oracle mitigation on the client; treat it as a temporary unblock and return to 1 ("Mitigated") once the server side is patched:

# Values: 0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable (permits unpatched peers)
$key = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters"
New-Item -Path $key -Force | Out-Null   # the key is absent until the policy is set once
Set-ItemProperty -Path $key -Name "AllowEncryptionOracle" -Value 2 -Type DWord

Solution 2: Group Policy Adjustment

On the client machine:

gpedit.msc → Computer Configuration → Administrative Templates → System → Credentials Delegation
→ "Allow Delegating Saved Credentials with NTLM-only Server Authentication" → Enabled
→ Add target servers as: TERMSRV/*
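The following PowerShell check is an added example, not part of the original post. It reports whether the client's Credentials Delegation policy (Solution 2 here, and the same gpedit setting in the first half of this post) and the CredSSP encryption-oracle value are in a state that lets a saved credential be delegated to an NTLM-only RDP server. It reads the registry keys those Group Policy settings write to; the function name is my own.

```powershell
# Added example: report the client-side state behind "saved credentials refused".
# Registry locations are the ones the Credentials Delegation GPO settings write to.
$delegKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$credSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$oracleText = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-RdpSavedCredDelegationState {
    $result = [ordered]@{
        PolicyEnabled     = $false
        ServerList        = @()
        MatchesTermsrvAll = $false
        EncryptionOracle  = 'not set (patched clients default to Mitigated)'
    }

    # "Allow Delegating Saved Credentials with NTLM-only Server Authentication" = Enabled
    $enabled = (Get-ItemProperty -Path $delegKey -Name AllowSavedCredentialsWhenNTLMOnly `
                -ErrorAction SilentlyContinue).AllowSavedCredentialsWhenNTLMOnly
    $result.PolicyEnabled = ($enabled -eq 1)

    # The allowed server SPNs are numbered string values under a subkey of the same name
    $listKey = Join-Path $delegKey 'AllowSavedCredentialsWhenNTLMOnly'
    if (Test-Path $listKey) {
        $props = Get-ItemProperty -Path $listKey
        $result.ServerList = @($props.PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { $_.Value })
    }
    # -contains is case-insensitive, matching how the policy treats SPNs
    $result.MatchesTermsrvAll = ($result.ServerList -contains 'TERMSRV/*')

    $oracle = (Get-ItemProperty -Path $credSspKey -Name AllowEncryptionOracle `
               -ErrorAction SilentlyContinue).AllowEncryptionOracle
    if ($null -ne $oracle) { $result.EncryptionOracle = $oracleText[[int]$oracle] }

    [pscustomobject]$result
}

$state = Get-RdpSavedCredDelegationState
$state | Format-List
if (-not ($state.PolicyEnabled -and $state.MatchesTermsrvAll)) {
    Write-Warning 'Saved credentials will be refused by NTLM-only RDP servers: enable the policy and add TERMSRV/* (or TERMSRV/<host>) to its server list.'
}
if ($state.EncryptionOracle -eq 'Vulnerable') {
    Write-Warning 'AllowEncryptionOracle=2 disables the CredSSP encryption oracle mitigation; patch both ends and return to 1 (Mitigated).'
}
```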

Solution 3: Credential Manager Cleanup

Delete and recreate credentials using PowerShell:

# Remove existing credentials
cmdkey /delete:TERMSRV/your-ec2-instance

# Add new credentials
cmdkey /generic:TERMSRV/your-ec2-instance /user:Administrator /pass:yourpassword

For particularly stubborn cases, enable RDP logging:

# On the client
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Terminal Server Client" `
    -Name "Logging" -Value 1 -Type DWord

# Logs will appear in:
%USERPROFILE%\AppData\Local\Microsoft\Terminal Server Client\Trace

Check the server-side Security log (Event ID 4625) for authentication failure details: the Status and SubStatus fields distinguish a wrong password from a policy rejection, and the logon type shows whether the failure happened during NLA pre-authentication (type 3) or at the interactive RDP logon (type 10).
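As an added example (not from the original post), this PowerShell function summarises the 4625 events on the server, pulling out Status/SubStatus, logon type and authentication package so the real reason is visible instead of the client's generic message; it serves the logging section in the first half of this post as well. The function name and the code-to-text table are mine; the codes are the standard NTSTATUS values Windows records in these events.

```powershell
# Added example: run elevated on the instance (or via SSM Run Command) to group
# recent logon failures by documented NTSTATUS reason and authentication package.
# PowerShell hashtable keys are case-insensitive, so '0xc000006a' from the XML matches.
$statusText = @{
    '0xC0000064' = 'user name does not exist'
    '0xC000006A' = 'wrong password'
    '0xC000006D' = 'bad user name or authentication information'
    '0xC000006E' = 'account restriction (blank password, workstation or time limits)'
    '0xC0000071' = 'password expired'
    '0xC0000072' = 'account disabled'
    '0xC000015B' = 'account not granted this logon type'
    '0xC0000133' = 'clock skew between client and server too large'
    '0xC0000234' = 'account locked out'
}

function Get-RdpLogonFailureSummary {
    param([int]$Hours = 1)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Flatten the EventData <Data Name="..."> elements into a lookup table
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

        # SubStatus carries the specific cause; fall back to Status when it is 0x0
        $code = $d['SubStatus']
        if (-not $code -or $code -eq '0x0') { $code = $d['Status'] }
        $reason = if ($statusText.ContainsKey($code)) { $statusText[$code] } else { "unmapped code $code" }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            SourceIp    = $d['IpAddress']
            Workstation = $d['WorkstationName']
            LogonType   = $d['LogonType']      # 3 = NLA/network, 10 = RemoteInteractive
            AuthPackage = $d['AuthenticationPackageName']
            Status      = $d['Status']
            Reason      = $reason
        }
    }
}

Get-RdpLogonFailureSummary -Hours 24 |
    Group-Object Reason, AuthPackage |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

A cluster of "wrong password" with NTLM and logon type 3 points at a stale saved credential; "account not granted this logon type" or "account restriction" points at server-side policy rather than the password itself.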

For Amazon EC2 instances, additional steps may be needed:

1. Ensure the security group allows TCP 3389 from your IP
2. Verify the instance's IAM role has necessary permissions
3. Check if AWS Systems Manager is interfering with credential handling
4. Test with both instance DNS name and IP address

Remember that EC2 Windows instances often have password rotation policies that might affect saved credentials.

For administrators managing multiple instances, here's a remediation script:

# PowerShell remediation script: re-seed the saved RDP credential for each instance.
# Each $server entry must match exactly what is typed into mstsc (DNS name or IP),
# because Credential Manager looks up the target "TERMSRV/<name>" literally.
$servers = @("ec2-1", "ec2-2", "ec2-3")

# Prompt once; the same account is assumed on every instance
$cred  = Get-Credential -Message "Account to save for RDP"
$plain = $cred.GetNetworkCredential().Password

foreach ($server in $servers) {
    # Remove old credential (cmdkey reports, but does not fail, when none is stored)
    cmdkey /delete:"TERMSRV/$server" | Out-Null

    # Add new credential
    cmdkey /generic:"TERMSRV/$server" /user:"$($cred.UserName)" /pass:"$plain"

    # Confirm TCP 3389 is reachable before launching an interactive session
    if ((Test-NetConnection -ComputerName $server -Port 3389 -WarningAction SilentlyContinue).TcpTestSucceeded) {
        mstsc /v:$server
    } else {
        Write-Warning "$server : TCP 3389 not reachable (check the security group)"
    }
}