Unable to connect to any RDM session that uses RD Gateway (Win11/RDM 2022.3.15.0 64-bit)
Hi
I have just installed Windows 11 Enterprise (Version 10.0.22621 Build 22621) on to a HP EliteBook 845 14 inch G9 Notebook PC + RDM (2022.3.15.0 64-bit).
My issue is (from what I can deduce from the Event log) that all RDM (RDP sessions) that use an RD Gateway just hang (authentication never pops up). I can see that the Event log starts to constantly generate the following event below (until I kill the connection attempt from inside RDM. RDM does not crash):
Log Name: Application
Source: Application Error
Date: 02-11-2022 16:03:14
Event ID: 1000
Task Category: Application Crashing Events
Level: Error
Keywords:
User: DOMAIN\USERNAME
Computer: COMPUTERNAME.DOMAIN.COM
Description:
Faulting application name: CredentialUIBroker.exe, version: 10.0.22621.1, time stamp: 0x1a80a4b0
Faulting module name: Windows.UI.XamlHost.dll, version: 10.0.22621.608, time stamp: 0x6d3357a5
Exception code: 0xc0000409
Fault offset: 0x0000000000006bea
Faulting process id: 0x0x99C
Faulting application start time: 0x0x1D8EECC3B23D358
Faulting application path: C:\Windows\System32\CredentialUIBroker.exe
Faulting module path: C:\Windows\System32\Windows.UI.XamlHost.dll
Report Id: 34d4016f-4092-4d33-aec2-5ff2f853812e
Faulting package full name:
Faulting package-relative application ID:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Error" Guid="{a0e9b465-b939-57d7-b27d-95d8e925ff57}" />
<EventID>1000</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>100</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2022-11-02T15:03:14.2107248Z" />
<EventRecordID>6513</EventRecordID>
<Correlation />
<Execution ProcessID="16008" ThreadID="1860" />
<Channel>Application</Channel>
<Computer>COMPUTERNAME.DOMAIN.COM</Computer>
<Security UserID="S-1-5-21-1564231992-3771108174-723954249-44571" />
</System>
<EventData>
<Data Name="AppName">CredentialUIBroker.exe</Data>
<Data Name="AppVersion">10.0.22621.1</Data>
<Data Name="AppTimeStamp">1a80a4b0</Data>
<Data Name="ModuleName">Windows.UI.XamlHost.dll</Data>
<Data Name="ModuleVersion">10.0.22621.608</Data>
<Data Name="ModuleTimeStamp">6d3357a5</Data>
<Data Name="ExceptionCode">c0000409</Data>
<Data Name="FaultingOffset">0000000000006bea</Data>
<Data Name="ProcessId">0x99c</Data>
<Data Name="ProcessCreationTime">0x1d8eecc3b23d358</Data>
<Data Name="AppPath">C:\Windows\System32\CredentialUIBroker.exe</Data>
<Data Name="ModulePath">C:\Windows\System32\Windows.UI.XamlHost.dll</Data>
<Data Name="IntegratorReportId">34d4016f-4092-4d33-aec2-5ff2f853812e</Data>
<Data Name="PackageFullName">
</Data>
<Data Name="PackageRelativeAppId">
</Data>
</EventData>
</Event>
If I connect to same server by using RD Gateway with built-in mstsc.exe, it works without any issue.
This works with RDM on another Windows 10 Enterprise client with same domain login, without any issue.
I don't know if this is a Microsoft or RDM issue (or a combination). But I would be really glad for any assistance/pointers/hints that can be given by anyone 😊
Some URLs I found interesting (but did not solve anything in my case):
https://forum.devolutions.net/topics/30992/faulting-module-path-cwindowssystem32windowsuixamlhostdll
https://answers.microsoft.com/en-us/windows/forum/all/error-connecting-with-remote-desktop/dd86d2b5-75c7-4ef7-8bab-279cabc102e0
Thank you
//Brandur
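A way to pull every matching crash record instead of reading them one at a time in Event Viewer, shown as an added example that is not part of the original post. The seven-day look-back window is an assumption; the log, provider, event ID and field names are the ones in the event above.

```powershell
# Added example: summarize Application Error (Event ID 1000) records for one process.
$appName = 'CredentialUIBroker.exe'   # faulting application named in the event above
$since   = (Get-Date).AddDays(-7)     # assumed look-back window

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Read EventData by field name rather than by position.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText.Trim()
    }
    if ($data['AppName'] -ne $appName) { continue }

    [pscustomobject]@{
        Time          = $e.TimeCreated
        Module        = $data['ModuleName']
        ModuleVersion = $data['ModuleVersion']
        # c0000409 is STATUS_STACK_BUFFER_OVERRUN, the code also used for fail-fast exits.
        ExceptionCode = $data['ExceptionCode']
        Offset        = $data['FaultingOffset']
    }
}

# One line per distinct fault signature, with how often and when it occurred.
$rows | Group-Object Module, ModuleVersion, ExceptionCode, Offset |
    Sort-Object Count -Descending |
    ForEach-Object {
        $t = @($_.Group.Time | Sort-Object)
        [pscustomobject]@{
            Count = $_.Count
            First = $t[0]
            Last  = $t[-1]
            Fault = $_.Name
        }
    } | Format-Table -AutoSize
```

A single signature repeating for the duration of a connection attempt matches the behaviour described in the post: the broker process is relaunched and fails at the same offset each time.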
Hello Brandur,
Thank you for contacting us regarding this matter.
Would it be possible to disable the RDP API hooking to see if it helps with your issue? You can follow the steps in this KB: https://kb.devolutions.net/access_violation_exception_error_rdp_sessions.html
Best regards,
Richard Boisvert
Hi Richard
Thank you for the quick response.
I tried turning off the option and restarting RDM. Unfortunately the same issue is persisting ☹️
I'm open to any suggestion.
Thank you.
//Brandur
Hi,
CredentialUIBroker.exe and Windows.UI.XamlHost.dll are Windows components, they're registered as an out-of-process login window which is used by the Microsoft RDP client. Looking at some of the links you've sent, one of them refers to https://serverfault.com/questions/758919/rdp-crashes-after-entering-password where different users found out that a third-party credential provider module was causing the crash.
Can you take a look at what is currently registered under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers? It should look like this:
Can you export everything under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers as a .reg file and post it here? At least we would have a list of GUIDs to search in relation to the crash you've been experiencing. One of the registered credential providers in that list is most likely causing trouble and should be disabled, the trouble is figuring out which one it is.
Marc-André Moreau
Hi
I deduced the same. But I dismissed it because I never even get a prompt. But I guess you must be right (it's certainly not magic 😁).
An export of the mentioned REG settings should be attached to this forum post.
I also did a quick search for the GUID in registry and found these entries (attached as reg exports).
Please let me know if I can provide anything else.
Thank you.
//Brandur
HKEY_LOCAL_MACHINE-SYSTEM-CurrentControlSet-Services-EventLog-Application-Application Error.reg
HKEY_LOCAL_MACHINE-SYSTEM-CurrentControlSet-Control-WMI-Autologger-EventLog-Application-a0e9b465-b939-57d7-b27d-95d8e925ff57.reg
HKEY_LOCAL_MACHINE-SYSTEM-ControlSet001-Control-WMI-Autologger-EventLog-Application-a0e9b465-b939-57d7-b27d-95d8e925ff57.reg
HKEY_LOCAL_MACHINE-SYSTEM_ControlSet001-Services-EventLog-Application-Application Error.reg
HKEY_LOCAL_MACHINE-SOFTWARE-Microsoft-Windows-CurrentVersion-WINEVT-Publishers-a0e9b465-b939-57d7-b27d-95d8e925ff57.reg
Credential_Providers.reg
Minor update on this.
I updated RDM to version 2022.3.16.0 64-bit.
Unfortunately it did not change anything ☹️
And I submitted a ticket from inside RDM and wrote the URL to this forum post in the Message area of the ticket.
//Brandur
Hello Brandur,
We have received the ticket, I will verify the information with Marc-André and we will get back to you.
Best regards,
Richard Boisvert
Hi,
It is unclear why the latest version of Remote Desktop Manager triggers this issue, since it is not in our code - the CredentialUIBroker.exe process is launched from the Microsoft RDP ActiveX which we use. Normally, this should still work, since we haven't done anything to change the RD Gateway connection process. This being said, I've looked at the list of credential provider IDs and which ones seemed problematic for other users in https://serverfault.com/questions/758919/rdp-crashes-after-entering-password and there are two of them you can try disabling to see if it fixes the issue:
# "FaceCredentialProvider"
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{8AF662BF-65A0-4D0A-A540-A338A999D36F}" -Name "Disabled" -Type DWORD -Value 1 -Force
# "Smartcard Reader Selection Provider"
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{1b283861-754f-4022-ad47-a5eaaa618894}" -Name "Disabled" -Type DWORD -Value 1 -Force
One of the credential providers is causing the mysterious crash, we just need to figure out which one it is before we can have a better idea what to look for that could be causing this.
Best regards,
Marc-André Moreau
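The registry inspection requested earlier in the thread and the disable-one-at-a-time approach above both start from an inventory of what is registered. The following is an added example, not code from the original posts or from Devolutions; it assumes each provider's COM server is registered under HKLM:\SOFTWARE\Classes\CLSID and uses the DLL's self-declared company name only as a sorting hint.

```powershell
# Added example: inventory the registered credential providers before disabling any.
$root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

$providers = foreach ($key in Get-ChildItem -LiteralPath $root) {
    $clsid = $key.PSChildName
    $props = Get-ItemProperty -LiteralPath $key.PSPath

    # Resolve the COM server DLL that implements this provider (assumed location).
    $dll    = $null
    $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
    if (Test-Path -LiteralPath $inproc) {
        $dll = (Get-ItemProperty -LiteralPath $inproc).'(default)'
    }

    $company = $null
    if ($dll) {
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not [IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path $env:SystemRoot "System32\$dll"
        }
        if (Test-Path -LiteralPath $dll) {
            # Version-resource text is self-declared; it is a hint, not a trust check.
            $company = (Get-Item -LiteralPath $dll).VersionInfo.CompanyName
        }
    }

    [pscustomobject]@{
        Clsid    = $clsid
        Name     = $props.'(default)'
        Disabled = ($props.Disabled -eq 1)
        Company  = $company
        Dll      = $dll
    }
}

# Providers whose DLL does not claim Microsoft as vendor are listed first.
$providers |
    Sort-Object @{ Expression = { $_.Company -like 'Microsoft*' } }, Name |
    Format-Table -AutoSize -Wrap
```

Saving this output before and after each change gives a record of which provider was disabled when; a provider is re-enabled by setting its "Disabled" value back to 0 or removing the value.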
Hi,
In your case, you expect to be prompted for the RD Gateway credentials, right? Why not inject them from Remote Desktop Manager?
I found a similar issue here, where the user had old credentials in the Windows Credential manager that caused issues:
https://community.spiceworks.com/topic/2276360-what-is-causing-credentialuibroker-exe-nonappcontainerfailedmip-during-rdp-start
Can you check in the Windows credential manager and delete old entries that may still get picked up by the RDP ActiveX? It should look like this:
As for injecting RD Gateway credentials from RDM, here is how it can be done:
Marc-André Moreau
Because:
And I believe that we have some kind of GPO/security applied to all clients that does not allow to pass the saved credentials in RDM to an RDP session (we have an AD server Tiering setup, so everyone in IT has multiple accounts, depending on what server (in what Tier) you are connecting to).
I might be a bit bad at explaining this. But I don't think your suggestion can work in our AD Tiered setup + Client GPOs that restrict the input of saved credentials inside RDM into an RDP connect/session.
But let's enjoy the weekend and continue this on Monday 😁
Thank you very much for the help so far. I'm sure that we will figure this out sooner or later 😉
//Brandur
Hi Brandur,
We did make some changes for the target RDP server credentials, where we removed the option to manually store credentials locally the same way mstsc.exe would let you save passwords. However, dynamic credential injection with mstsc.exe out-of-process still works using a temporary credential entry in the Windows credential manager. We didn't touch the RD Gateway credential storage options - they can still be persisted outside of RDM as an entry in the Windows credential manager for now. However, with the embedded mode, the credentials are injected in-process, so it really shouldn't use the Windows credential manager. CredentialUIBroker.exe is launched as an external process by CredUIPromptForWindowsCredentials() which we have no control over, but I suspect it could look for matching entries in the Windows credential manager as it loads and crash if it picks up something it doesn't like. At least that's just one theory.
You mentioned something very important - the client GPOs restricting the input of saved credentials. That last link (https://serverfault.com/questions/758919/rdp-crashes-after-entering-password) mentions similar GPOs, and I feel like we're onto something here. One thing the new RDP API hooking feature fixes is credential injection for the target server when the "Always prompt for password upon connection" group policy is enabled. However, if you had that GPO enabled previously, then you wouldn't have been able to use injected credentials with RDM 2022.2. One thing I didn't test is the behavior with the "Always prompt for password upon connection" GPO for RD Gateway credentials - AFAIK it only affects the target RDP server credentials, not the RD Gateway credentials.
I suspect the group policy you have in place is the key to reproducing the issue, and that it would be a group policy different from "Always prompt for password upon connection". If you can figure out what group policies are currently enforced to restrict the input of saved credentials for RDP, it would help pinpoint the root cause of the problem.
Best regards,
Marc-André Moreau
If I run RDM (2022.3.16.0 64-bit) as the same AD user on Windows 10 Enterprise (10.0-19044), it works without any issue, and the OS/laptop has the exact same GPOs applied to it.
But I just figured out a way to make it work (without asking me for my password, but using my User Vault that has been set on a higher level with "User Specific Settings").
I removed/unchecked the option "Use same RD Gateway credentials as remote computer" and set the Credentials option at the bottom to "Inherited".
This looks like it has resolved my issue.
I'm going to try/test this out for the rest of the week. Then I'll be confident enough to view this as a permanent fix (for my use case at least 😉).
I'll confirm here early next week.
//Brandur
Hi Brandur,
Just following up - was the issue fixed permanently after the last change you did?
Best regards,
Marc-André Moreau