Need to enter username/password twice #3

Open
SixFive7 opened this issue Jan 9, 2018 · 4 comments

@SixFive7

SixFive7 commented Jan 9, 2018

Hi,

When using the credentialprovider on a remote desktop 2016 server using AD credentials we need to enter the username and password inside the mstsc client in order to connect to the session host. Once connected we need to enter the username and password again, this time together with a token.
Is this a misconfiguration on our side? Or is it a limitation of the credentialprovider?
A perfect solution would be if the username and password could be pre-populated from the RDP session or not shown at all. Resulting in a window just asking for the OTP.
Any suggestions?

Kind regards (and thanks for the work on this important project!)

@arcadejust
Owner

arcadejust commented Jan 10, 2018

That is standard behavior of the RDP client. There is a way to disable it on older RDP client versions by disabling secure connection (but not anymore). Now Microsoft ensures the privacy of your data after securing the connection with the first credentials that you provide (but only if you use a third-party credential provider). My CP does not obtain your credentials from the Microsoft framework, so I cannot fill them in for your convenience. I could do that if I somehow stored them - but that is something that I would never recommend.

@SixFive7
Author

I understand the need to enter the credentials at the RDP client level. This is the new future and perfectly fine. However, if we use the normal sign in, the credentials on the client are used on the server. As a result the user is not asked for his/her credentials inside of the terminal session. It is only when enabling the credential provider that the user is asked twice for his credentials. Once on the client side (mstsc.exe) as usual, but now also inside the terminal session. Expected behaviour would be for the credential provider to only ask for the second factor. Is there anything we can do on the credential provider side? I understand the CP does not have access to the creds anymore. Another good thing :-) But maybe the CP doesn't need to even know about the credentials?
I know the DUO credential provider allows for just showing the window where we can enter the token. So it has to be possible right?
Maybe the CP can get just the username from the PrincipleSecurity context of the RDP session? Any thoughts?

Kind regards!

@arcadejust
Owner

That was my plan from the start, but my CP is called by the LogonUI and, as I remember, LogonUI never provided me with the required data (GetSerialization/SetSerialization), so the CP has no idea what credentials you used to secure the RDP. That's why I even gather some info manually (the port and IP address of the RDP session). The only solution I've seen is to somehow store your credentials and later use them in a semi-secure way to authorize you in the system. But still I only know the last active user and not the user that is connecting via the RDP, so you would have to give me your logon name, and at this point you can add the password as well - so the effort is pointless. If someone would get this Serialization to work, the rest of the code is in the comment of SetSerialization.

@SixFive7
Author

Thanks for the feedback. I might take a stab at it!
