Troubleshooting MED-V V2 Workspace Authentication
One feature introduced into MED-V v2 is the option to allow a seamless authentication experience for the user if desired. While MED-V v1 allowed for the synchronization of the MED-V Client credentials with the user account inside the MED-V guest workspace operation system, some users wanted a more seamless experience that allowed a single sign-on process between the Windows logon to the host workstation all the way through the guest workspace authentication process. In essence, a user would only need to type his or her password only once. This was not possible in the first release of MED-V.
To facilitate this requires workspaces to be joined to the same domain as the MED-V host. This is a requirement for MED-V v2. In MED-V v2, authentication in MED-V occurs twice. W a user starts the MED-V host either credentials must be entered or saved credentials can be used. These will then need to be refreshed when a user changes their password. The first time a published application is triggered or a workspace is started via the host agent, the user will be prompted for credentials.
There are several aspects of end-user authentication that you can control, including the following:
- Caching the credentials thus storing in the Windows Credential Manager (on the host.)
- Not caching the credentials: This means every time a user starts the workspace through the host agent or triggers the workspace through a published application, the user will be required to supply a username and password.
By default, credential storing is disabled, but you can change this setting through one of the following methods:
- While you are creating the MED-V workspace package.
- After you have deployed the MED-V workspace. Edit the MED-V cmdlet parameter UxCredentialCacheEnabled to set the DisablePasswordSaving registry value.
- Modifying the DisablePasswordSaving registry value directly. This value controls whether the password saving check box appears on the MED-V (actually RDP) client dialog window and whether the MED-V credential prompt is displayed.
The DisablePasswordSaving Registry Value
This value (also a group policy option) is stored in the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Virtual Machine\Policies\
The value DisablePasswordSaving is either 0 or 1. If the value is 0, the MED-V prompt is presented and a check box to accept is available and cleared. If the end user selects the check box, credentials are cached for subsequent use. The end user also has the benefit of only being prompted when the password expires. If the end user does not select the check box, the Remote Desktop Connection (RDC) Client prompt is presented instead of the MED-V prompt, and the check box to accept is cleared. If the end user selects the check box, the RDC Client credential is stored for later use.
If the value is 1, the Remote Desktop Client does not validate the credentials when the end user enters them. If the end user caches the credentials through the RDC prompt, there is a risk that incorrect credentials might be stored. In this case, the incorrect credentials must be deleted in the Windows Credential Manager.
The Windows Credential Manager
Stored credentials are found in the Credential Manager control panel item on the Windows 7 host. When passwords fall out of sync, one of the first steps will be to remove any stored credentials in this item. Look for credentials beginning with the TERMSRV prefix. While caching the end user’s credentials provides the best user experience, it does pose some risks. When credential caching is enabled, the end user’s domain credential is stored in a reversible format within the Windows Credential Manager. As a result, an attacker could write a tool that runs as either a system level process or an end user process and that retrieves the end user's credentials. You can only lessen this risk by setting DisablePasswordSaving to Enabled. This same concern exists when MED-V authentication is disabled but the Terminal Services policy setting is enabled.
Password Expiration
By default, the MED-V installation sets a registry key in the guest to suppress the "password about to expire" prompt. The end user is only prompted for a password change on the host. Credentials that are updated on the host are passed to the guest.
If you use Group Policy in your environment, know that it can override the registry key causing the password prompts from the guest to reappear.
Username Hints
Username Hints for connections to the MED-V workspaces will also be stored on the host. If credentials are prompting and your policies do not allow for any credential caching, you still will have username hints. They can be purged by removing them from HKEY_CURRENTUSER\Software\Microsoft\Virtual PC\Servers.
Split Domain Authentication
It is not recommended to use Split Domain Authentication scenarios for MED-V v2. This is a scenario where both the user name and user domain credentials differ between workspace and host. This also includes a local authentication to either the host or workspace. To verify the user name and domain for the MED-V workspace, launch a published command prompt and run the following commands:
Echo %USERDOMAIN%\%USERNAME%
Workspace Virtual PC’s joined to Different Domain
Scenarios where the workspace operating system is joined to a different domain than the host computer are not supported.