Use same domain login for production and lab

Labs are cool, right?  We can use them for many use cases when it comes to testing and proof of concept mock ups.  If you have been tasked to spin up a copy of your production environment in a lab setting AND you have set up connectivity from production over to that lab environment, you may run into a few challenges when you try to use the same domain login for production and lab.  If the lab copy is fresh, then you will most likely have the same passwords for user accounts. However, as labs age, and if passwords are set up differently for lab access, you will run into a few issues.  Let’s take a look at those and what methods you can use to get around these challenges.

With the newer versions of RDP on newer Windows OS’es, you are authenticated before you are actually connected to the target Windows system.  If you remember way back when – if you connected to an old Windows 2003 server, you would connect to the desktop of the server and enter your username and password as if you were at the console in the first place.

However, with RDP to newer OS’es you see the login box first.

This means that your “production” workstation will attempt to authenticate your credentials to your production domain controllers before it passes the traffic to the target of your RDP request.

As you can easily see, the problem with this is that if you are passing different credentials for your lab environment, it will fail because your production DCs expect your real credentials and will treat it the same as any other invalid login attempt and fail accordingly.

Resolution/Workaround

To make sure you are able to log in to your lab environment with different credentials, we need to set the RDP security layer down to the lowest level of RDP security so it doesn’t attempt to use TLS security.

To find the setting below, run the command gpedit.msc from a run/search menu.  Navigate to Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Session Environment >> Security.  The setting we are looking for is Set client connection encryption level.

Once you open the setting, you need to set it to Enabled and then set the Encryption Level to “Low Level” for the Option.

After you have set the setting, you should be able to test your RDP connectivity to your lab server.  Now, you will not be presented with the “pre login” box, but will make it to the desktop of the RDP server in question, which will authenticate you against the lab domain controllers in the lab environment.

Setting via Registry

If you want to enable the setting via a simple registry file or modification, you can do so easily.  Simply update the registry using the following:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"MinEncryptionLevel"=dword:00000001

With the setting enabled, you now reach the workstation’s desktop before you authenticate.
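Because this change lowers the RDP encryption level on the lab server, it is worth being able to find every host that still carries it. The following is an added example, not part of the original post: a small Python audit that parses the text of an exported .reg file and flags the RDP-Tcp values. The baseline of 3 (High), the function names and both sample exports are assumptions made for the example; SecurityLayer and UserAuthentication are real values under the same key that the post does not mention.

```python
import re

# Key path comes from the page's .reg snippet.
RDP_TCP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
LEVELS = {1: "Low", 2: "Client Compatible", 3: "High", 4: "FIPS Compliant"}
# Constructed sample inputs: the page's snippet and an assumed hardened export.
PAGE_SNIPPET = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"MinEncryptionLevel"=dword:00000001
'''
HARDENED = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"MinEncryptionLevel"=dword:00000003
"SecurityLayer"=dword:00000002
"UserAuthentication"=dword:00000001
'''

def parse_reg_dwords(reg_text, key):
    """Return {value_name: int} for dword values under `key` in .reg text."""
    values, in_key = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()  # key names are case-insensitive
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})', line)
        if in_key and m:
            values[m.group(1)] = int(m.group(2), 16)
    return values

def audit_rdp_tcp(reg_text, min_level=3):
    """List findings for an RDP-Tcp export; min_level=3 is an assumed baseline."""
    v = parse_reg_dwords(reg_text, RDP_TCP_KEY)
    findings = []
    level = v.get("MinEncryptionLevel")
    if level is None:
        findings.append("MinEncryptionLevel not set in this export")
    elif level < min_level:
        name = LEVELS.get(level, "unknown")
        findings.append(f"MinEncryptionLevel={level} ({name}) is below baseline {min_level}")
    # The next two values are not on the page; they sit under the same key.
    if v.get("SecurityLayer") == 0:
        findings.append("SecurityLayer=0 (native RDP security layer, TLS not used)")
    if v.get("UserAuthentication") == 0:
        findings.append("UserAuthentication=0 (Network Level Authentication not required)")
    return findings
```

Files written by regedit's export are usually UTF-16, so open them with encoding="utf-16" before passing the text to audit_rdp_tcp.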

Final Thoughts

This little trick comes in handy any time you need to authenticate between production, lab, or staging environments that share the same domain login, with the same username but different passwords.

Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com and has over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, Brandon has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family.
