Share via

RDWeb Remote Desktop is popping up a secuirty pop up and trying to use local computer creds

John Trovato 0 Reputation points
2025-12-03T00:27:37.85+00:00

I setup windows 2025 RDS farm and Azure Entra Connect.

I have all the users synced and the UPN is the same

Setup App Proxy and the users are now able to connect SSO to RDWEB after they MFA and sign into Microsoft online. That all works with KDC.

The issue is when the user click on the RDP icon outside the network to a non domain joined computer the hello/Security pop asks the user which account to use and ask for the local PIN.

i want to pass-through the creds from the RDWeb to the RDP client and sign them into the gateway server -> to the correct Sesison Host.

I know there will be more info needed. But i have been pulling my hair out and have not found a single article to explain the correct RDP settings, etc.

what else would be needed to help me in the right direction?

Windows for business | Windows Server | User experience | Remote desktop clients
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Daphne Huynh (WICLOUD CORPORATION) 585 Reputation points Microsoft External Staff Moderator
    2025-12-03T02:30:51.8166667+00:00

    Welcome to the Microsoft Q&A Platform!

    Based on the issue you described, I would like to share a few general steps that may help

    1. Trusted Certificates

    Ensure the RD Gateway, RDWeb, and Connection Broker all use certificates from a trusted Certificate Authority (CA), and that these are imported into the client’s trusted store. Self-signed certificates will cause prompts and errors.

    Reference:

    Deploy your Remote Desktop environment | Microsoft Learn

    Use certificates in Remote Desktop Services | Microsoft Learn

    2. RDP Properties

    • The RDP file generated by RDWeb should include SSO and credential delegation properties, such as:
    • enablecredsspsupport:i:1
    • authentication level:i:2
    • Use my RD Gateway credentials for the remote computer (can be set in the RDP file or client settings).
    • For Azure AD/hybrid environments, you need to enablerdsaadauth:i:1.

    Reference: Sign in to a Windows virtual machine in Azure by using Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn

    3. RD Gateway and SSO Settings

    • In RDMS, configure the gateway server name, authentication method, and enable gateway SSO.
    • Set deployment properties to bypass the gateway for local addresses and ensure the gateway is enabled.

    4. Group Policy and Registry

    • If possible, configure Group Policy for credential delegation.
    • For Azure AD-joined devices, enable PKU2U authentication and set registry keys (e.g., AllowOnlineID=1).

    Reference: Network security Allow PKU2U authentication requests to this computer to use online identities - Windows 10 | Microsoft Learn

    5. Avoiding Local PIN Prompts

    Local PIN prompts are triggered by Windows Hello or local security policies. Make sure the RDP client is set for password-based authentication and the gateway certificate is trusted.

    Since I don’t have full details about your setup or configuration, I can only provide broad guidance, but I hope these suggestions are still useful for your situation.

    Thank you for asking your question and I hope you have a great day.

    0 comments
  2. Q&A Assist
    2025-12-03T00:27:49.8366667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    To address the issue of the security prompt asking for local credentials when users attempt to connect to the RDP session from a non-domain joined computer, you may want to consider the following steps:

    1. Ensure Proper Configuration of Remote Desktop Services (RDS): Verify that your RDS farm is correctly configured to support Remote Desktop Gateway (RD Gateway) and that the appropriate policies are in place to allow for credential delegation.
    2. Check Group Policy Settings: Ensure that the Group Policy settings for Remote Desktop Services are configured to allow for credential delegation. You can check the following settings:
      • Require user authentication for remote connections by using Network Level Authentication: This should be set to Enabled.
      • Allow log on through Remote Desktop Services: Ensure that the users or groups are included in this policy.
    3. Configure RD Gateway: Make sure that your RD Gateway is set up to allow pass-through authentication. This includes ensuring that the RD Gateway is configured to use the correct authentication method that matches your Azure AD setup.
    4. Azure AD and RDP Client Configuration: Since you are using Azure Entra Connect, ensure that the RDP client is configured to use Azure AD credentials. The RDP client should be able to pass through the credentials from the RDWeb to the RDP session.
    5. Review App Proxy Configuration: Since you are using Application Proxy, ensure that it is correctly configured to handle the authentication flow and that it allows for the necessary headers to be passed through to the RDP client.
    6. Test with Different User Accounts: Sometimes, specific user accounts may have different settings or issues. Testing with different accounts can help identify if the problem is user-specific.
    7. Consult Documentation: Since you mentioned difficulty finding articles, consider reviewing the Microsoft documentation on RDP settings and Azure AD integration for Remote Desktop Services. This can provide insights into specific configurations that may be necessary.

    If the issue persists, gathering logs from the RD Gateway and RDP client can provide more insight into what might be causing the credential prompt.

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.