Remote Desktop Services Authentication issue

Anonymous
2024-03-26T14:54:14+00:00

Hello,

We have an intermittent problem when users try to connect to an RDS RemoteApp: they receive the message "Your Credentials did not work". When the issue occurs on a user's computer, it does not matter whose credentials you enter, it will keep failing.

Here's what is strange. When the error occurs, if they were to remote into the RDS Server (we have a single server hosting services: RD Connection Broker, RD Session Host, RD Licensing, RD Web Access) their credentials work fine. Likewise, authentication to all other resources, e.g. VPN, File Shares, SQL etc., is absolutely fine. They can even authenticate when logging into the RDS Web Access URL.

As mentioned, this is very intermittent with no pattern I can identify. Some days it works for some people, others it does not. When the issue occurs, sometimes a reboot cures it, other times it does not.

As part of the troubleshooting process, I have tried the below (then once tested, I revert back to the original setting).

I have added TERMSRV[FQDN of RDS server] into the following policies:

Allow Delegating default credentials with NTLM-only server authentication

Allow delegating default credentials

Allow delegating fresh credentials

Allow delegating fresh credentials with NTLM-only server authentication

Allow delegating saved credentials

Allow delegating saved credentials with NTLM-only server authentication

I have also disabled UDP via regkey

fClientDisableUDP SET TO 1.

However, the issue still keeps cropping up intermittently for users.

I'm at a total loss why this is happening.

I know the client has line of sight with Active Directory, so Kerberos will be handling the authentication. I know Kerberos works as access to file shares is fine. DNS also works fine as when testing, they can resolve the hostname of the RDS server.

As I understand, if Kerberos fails for whatever reason, it will fall back to NTLM. The RDS server has direct line of sight to a Domain controller, so there's no reason why NTLM won't authenticate. But as I mentioned, when the RDS App issue occurs, users can remote into the RDS server fine. So whether it's Kerberos or NTLM, it works fine.

I can see events when I open the RDS App: EventID 1041. This event states "There is no stored credential used for single sign on", which is correct, there are no stored credentials for single sign on. During the times when the authentication is successful, I see the same EventID but with additional events saying the connection is successful. However, during the times when authentication fails, there are no events after 1041, therefore I'm struggling to see why authentication is failing.

Has anyone experienced this before?

Any help is greatly appreciated and thank you for your time,

Windows for business | Windows Server | Directory services | Other

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.
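
An added example, not part of the original post: a read-only PowerShell check, run on an affected client, that reports whether the six credential-delegation policies and the fClientDisableUDP value named in the question are actually in effect at the time of a failure. It assumes the settings arrive through Group Policy at the standard policy registry locations; `$RdsHost` is a placeholder for the real server FQDN.

```powershell
# Added example: report the effective state of the settings listed in the question.
# Assumption: settings are delivered by Group Policy to the standard policy paths.
$RdsHost = 'rds.example.internal'     # placeholder, replace with the RDS server FQDN
$Spn     = "TERMSRV/$RdsHost"

$CredDeleg = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$Policies  = [ordered]@{
    AllowDefaultCredentials           = 'Allow delegating default credentials'
    AllowDefCredentialsWhenNTLMOnly   = 'Allow delegating default credentials with NTLM-only server authentication'
    AllowFreshCredentials             = 'Allow delegating fresh credentials'
    AllowFreshCredentialsWhenNTLMOnly = 'Allow delegating fresh credentials with NTLM-only server authentication'
    AllowSavedCredentials             = 'Allow delegating saved credentials'
    AllowSavedCredentialsWhenNTLMOnly = 'Allow delegating saved credentials with NTLM-only server authentication'
}

$report = foreach ($name in $Policies.Keys) {
    # A DWORD named after the policy turns it on; a subkey of the same name holds the server list.
    $enabled = (Get-ItemProperty -Path $CredDeleg -Name $name -ErrorAction SilentlyContinue).$name
    $listKey = Join-Path $CredDeleg $name
    $entries = @()
    if (Test-Path $listKey) {
        $key     = Get-Item -Path $listKey
        $entries = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
    }
    [pscustomobject]@{
        Policy    = $Policies[$name]
        Enabled   = ($enabled -eq 1)
        # Entries may contain wildcards (for example TERMSRV/*), so match them as patterns.
        CoversSpn = [bool]($entries | Where-Object { $Spn -like $_ })
        Entries   = $entries -join '; '
    }
}
$report | Format-Table -AutoSize -Wrap

# RDP client policy value that disables the UDP transport when set to 1.
$ClientKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client'
$udp = (Get-ItemProperty -Path $ClientKey -Name fClientDisableUDP -ErrorAction SilentlyContinue).fClientDisableUDP
'fClientDisableUDP = {0}' -f $(if ($null -eq $udp) { 'not set' } else { $udp })
```

Comparing the output from a working and a failing client shows whether the delegation lists differ between them or whether a test setting was left in place after being reverted.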

1 answer

  1. Anonymous
    2024-03-27T07:30:46+00:00

    Hi Commander Shepherd,

    Thank you for posting on the Microsoft Community Forum.

    I made an error in judgment; the problem you're having should be related to UEX (User experience). You can choose to re-post your question under the UEX tag and they should be able to help you out.

    All the best
    Neuvi Jiang
