RDP With AzureAD Accounts

In 2001 I purchased the Gateway desktop computer that I would be using for my certification journey. I had purchased seven classes from a training centre, and I now had two computers to study and prepare. One thing that I was thrilled to be able to do was to configure my server with Terminal Services, and then I could connect to the server from my office. At the time I considered it a form of magic! I was thrilled that I was able to use the same Active Directory account to connect to the server, and from there to my desktop PC as well.

Fast-Forward twenty-one years. Microsoft renamed Terminal Services to Remote Desktop Protocol; aside from that, not too much has changed. Okay, that is not entirely true… but the basic technology to ‘RDP’ into a remote computer – whether that computer is across the globe, in the cloud, or on the same desk. Why, you might ask, would I want to connect to a computer remotely if I was sitting right in front of it? Let me explain my situation:

I have a couple of computers at home. The first is my primary PC (a Surface Laptop 3), which I use for just about everything. All of my applications are installed on it, my accounts, external peripherals… everything. It is just over a year old, and it runs Windows 11. My second PC is my lab/teaching PC. If you read my articles you will remember my HP EliteBook. It is nine years old… but it has an i7 CPU with 32 GB of RAM, and it may be a workhorse… but owing to the older generation CPU (and the lack of Secure Boot technology), it is still running Windows 10. I use it to teach for a couple of reasons: 1) I do not want my students to see all of my clutter. 2) It allows me to have my primary PC available during class breaks, if I need to answer emails or look at a client issue, for example. As of last week both PCs have their own desk, camera, and multi-monitor configuration. The desks are side-by-side in an L-shape configuration, with my multi-function center in the elbow.

ADWhy would I want to RDP from one to the other, you may ask? My students might want to see a demonstration of Windows 11… or I might want to be able to monitor my students as they run labs, while doing my own thing on my computer. There are lots of reasons.

The problem is that I do not have an Active Directory domain running, so I cannot use ADDS accounts. For that matter, I also do not use local accounts on these machines either. Both are joined to my Azure Active Directory (AzureAD), and I use my Microsoft 365 credentials (also known as AAD account) to log on. Theoretically, this shouldn’t be a problem. Run the Remote Desktop Client, enter the account AzureAD\mitch@behike.ca, enter the correct password, and you are off. Right? Wrong. Here’s what happens when you do that:

image

Okay, Windows… I know for a fact that my credentials are correct, so what is going on here?

There are a few different levels of credentials support in Windows. We will be able to make this work… but we are going to have to take a couple of steps for it.

**NOTE: If you want to do this for your entire organization, these are not the correct steps. While they will work, you will be exposing your system to risks. Make sure you speak with your IT department and ensure they have a proper RD Gateway server provisioned.

Step 1: Allow RDP and Disable the NLA Requirement on the remote host

Don’t get me wrong. I love Network Level Authentication. Unfortunately, if you are using AzureAD accounts, it won’t work. Probably something to do with the fact that AzureAD does not use Kerberos. So on the Remote tab of the System Properties window of the remote computer, we are going to uncheck that NLA box.

The problem is, Microsoft has made it a little more difficult to get to that particular screen in later versions of Windows 10 (and of course Windows 11). So what you want to do:

In Windows 10:

  1. Right-click the Windows Icon (Start Menu), and click System.
  2. In the About screen, scroll to the bottom. One of the Related Settings listed will be System protection. Click that.
  3. In the System Properties window that comes up, click the Remote tab.
  4. Ensure the radio button Allow remote connections to this computer is selected.
  5. Ensure the Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended) is unchecked.
  6. Click OK.

image

In Windows 11:

Most of this will be the same, but slight nuanced differences:

  1. Right-click the Windows Icon (Start Menu), and click Settings.
  2. In the System screen of the Settings window, scroll to the bottom and click About.
  3. Under the Device specifications there will be a series of Related links. Click Advanced system settings.
  4. Continue with Step 3 of the Windows 10 instructions.

image

Step 2: Create a new RDP file

This is where things start to diverge from using Kerberos accounts. On the computer you intend to connect from, open the Remote Desktop Connection client (either type Remote Desktop Connection in the Start Menu, or run the command mstsc.exe).

In the Remote Desktop Connection client click the arrow to Show Options.

image

In the General tab, enter the name or IP address of the remote computer, and then at the bottom click Save As…

image

My usual spot for these files would be on the desktop, so save it there. Now navigate to your desktop. Right-click the shortcut you just created, click Open with… and then select Notepad. If Notepad is not an option, click Choose another app. You might have to look for a bit, but find Notepad.exe.

image

The Notepad file should look something like this:

screen mode id:i:1
use multimon:i:0
desktopwidth:i:1920
desktopheight:i:1080
session bpp:i:32
winposstr:s:0,1,249,48,1529,1032
compression:i:1
keyboardhook:i:2
audiocapturemode:i:0
videoplaybackmode:i:1
connection type:i:7
networkautodetect:i:1
bandwidthautodetect:i:1
displayconnectionbar:i:1
enableworkspacereconnect:i:0
disable wallpaper:i:0
allow font smoothing:i:0
allow desktop composition:i:0
disable full window drag:i:1
disable menu anims:i:1
disable themes:i:0
disable cursor setting:i:0
bitmapcachepersistenable:i:1
full address:s:RemoteHost
audiomode:i:0
redirectprinters:i:1
redirectcomports:i:0
redirectsmartcards:i:1
redirectclipboard:i:1
redirectposdevices:i:0
autoreconnection enabled:i:1
authentication level:i:2
prompt for credentials:i:0
negotiate security layer:i:1
remoteapplicationmode:i:0
alternate shell:s:
shell working directory:s:
gatewayhostname:s:
gatewayusagemethod:i:4
gatewaycredentialssource:i:4
gatewayprofileusagemethod:i:0
promptcredentialonce:i:0
gatewaybrokeringtype:i:0
use redirection server name:i:0
rdgiskdcproxy:i:0
kdcproxyname:s:
redirectlocation:i:1
camerastoredirect:s:*;-\\?\usb#vid_045e&pid_0990&mi_00#6&db32c28&0&0000#{e5327773-f967-45fb-95bb-b99864b58a29}\global
devicestoredirect:s:*
drivestoredirect:s:*

You are going to add the following two lines at the end of the file:

enablecredsspsupport:i:0
authentication level:i:2

Save the file, and then close it.

Back on your desktop, double-click on the RDP shortcut. You should now be able to log on with your AzureAD credentials!

Conclusion

Microsoft wants your computers to be joined to your AzureAD tenant. They want you to be joining your on-premises AD with your AzureAD for the short term, and for the long term they are expecting your accounts to be fully in the cloud. They would not be pushing you towards these new credentials if all of the functionality was not there. Yes, there are changes that need to be made… all it takes is a Google search… or a free subscription to www.garvis.ca.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s