Labs are cool, right? We can use them for many testing and proof-of-concept use cases. If you have been tasked with spinning up a copy of your production environment in a lab setting AND you have set up connectivity from production over to that lab environment, you may run into a few challenges when you try to use the same domain login for production and lab. If the lab copy is fresh, you will most likely have the same passwords for user accounts. However, as labs age, and if passwords are set up differently for lab access, you will run into a few issues. Let’s take a look at those and at the methods you can use to get around them.
Use same domain login for production and lab
With the newer versions of RDP on newer Windows operating systems, you are authenticated before you are actually connected to the target Windows system. If you remember way back when, connecting to an old Windows 2003 server took you to the desktop of the server, where you entered your username and password as if you were at the console in the first place.
However, with RDP to newer OS’es you see the login box first:
This means that your “production” workstation will attempt to authenticate your credentials against your production domain controllers before it passes the traffic to the target of your RDP request.
The problem is easy to see: if you pass different credentials for your lab environment, the connection fails, because your production DCs expect your real credentials and treat the attempt like any other invalid login.
To make sure you are able to log in to your lab environment with different credentials, we need to set the RDP security layer down to the lowest level of RDP security so it doesn’t attempt to use TLS security.
To find the setting, run the command gpedit.msc from a run/search menu. Navigate to Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Session Environment >> Security. The setting we are looking for is Set client connection encryption level.
After you have configured the setting, you should be able to test your RDP connectivity to your lab server. You will no longer be presented with the “pre-login” box. Instead, you will reach the desktop of the RDP server in question, which will authenticate you in the lab environment against the lab domain controllers.
Setting via Registry
If you want to enable the setting via a simple registry file or modification, you can do so easily. Simply update the registry using the following:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"MinEncryptionLevel"=dword:00000001
You can see the result of enabling the setting: you now get to the workstation before you authenticate.
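To confirm which machines carry the lowered setting, and that it stays confined to lab hosts, the following added example (not part of the original post) reads the RDP security values from both the Group Policy location and the listener key and flags the weakened ones. The function name and the "weakened" thresholds are assumptions made for this example; SecurityLayer and UserAuthentication are not mentioned in the post but are the standard values that control TLS use and the pre-connection login prompt.

```powershell
# Added example (not from the original post): report the RDP security
# values on the local host so lowered settings can be spotted and reverted.
$paths = [ordered]@{
    Policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    Listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
}

# Documented meanings of each DWORD value.
$meaning = @{
    MinEncryptionLevel = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
    SecurityLayer      = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }
    UserAuthentication = @{ 0 = 'NLA not required'; 1 = 'NLA required' }
}

# Assumption for this example: values at or below these count as "weakened".
$weakAtOrBelow = @{ MinEncryptionLevel = 1; SecurityLayer = 0; UserAuthentication = 0 }

# Hypothetical helper name; emits one object per value that is actually set.
function Get-RdpSecuritySetting {
    foreach ($source in $paths.Keys) {
        # A missing key (for example, no policy configured) yields $null here.
        $props = Get-ItemProperty -Path $paths[$source] -ErrorAction SilentlyContinue
        foreach ($name in $meaning.Keys) {
            $raw = if ($props) { $props.$name } else { $null }
            if ($null -eq $raw) { continue }   # value not set at this location
            $value = [int]$raw
            $text  = $meaning[$name][$value]
            if (-not $text) { $text = 'unknown' }
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Source   = $source
                Setting  = $name
                Value    = $value
                Meaning  = $text
                Weakened = ($value -le $weakAtOrBelow[$name])
            }
        }
    }
}

Get-RdpSecuritySetting | Sort-Object Source, Setting | Format-Table -AutoSize
```

A value listed under Policy was applied through Group Policy and takes precedence over the same value under Listener.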
This little trick comes in handy any time you need to authenticate between production, lab, or staging environments that share the same domain login, with the same username but different passwords.