How to override client supplied logon domain in Windows Server 2012R2 Remote Desktop Services

Tags: remote-desktop-services, windows-server-2012-r2

I'm trying to configure a Windows Server 2012 R2 server which is joined to one domain but uses Kerberos auth from a different realm.

The Kerberos realm is 14 characters long (15 with the slash or at symbol), and by default the Windows Remote Desktop clients all remember the fact that at some point they connected to the shorter 4-character domain, so reconnections attempt to auth back to that domain (which doesn't do authentication, and no one has passwords on that domain – it's all passwords via Kerberos).

On Windows Server 2008 and 2008 R2 we were able to work around the problem by specifying the setting "Always use the following logon information" in the Remote Desktop Services configuration, specifying the domain as the 14-character Kerberos realm and leaving everything else blank.

Anyway, long story short, Remote Desktop Services in 2012 R2 (don't get me started on the whole "must be managed by this complicated role with gateways and brokers and other things configured – even for a single server" thing) doesn't seem to have this configuration option anywhere in it. I also can't seem to find an equivalent GPO.

So, any idea how we can save our users from either deleting the 4-character domain and typing out the 15 characters required to re-specify the Kerberos realm every single time they want to log in, or, worse, forgetting and constantly getting password auth errors without figuring out why?

Best Answer

Are you looking for Computer Configuration -> Administrative Templates -> System/Logon -> Assign a default domain for logon?
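A quick way to confirm on the RDS host that the policy from the answer actually landed (added example, not part of the question or answer). It assumes that "Assign a default domain for logon" is backed by the REG_SZ value DefaultLogonDomain under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, as defined in Logon.admx; REALM.EXAMPLE is a placeholder for the 14-character realm.

```powershell
# Added example: verify the "Assign a default domain for logon" policy on the RDS host.
# Assumption: the policy writes REG_SZ DefaultLogonDomain under the Policies\System key
# (per Logon.admx). REALM.EXAMPLE is a placeholder for the real Kerberos realm.
$ExpectedRealm = 'REALM.EXAMPLE'
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-DefaultLogonDomainPolicy {
    # Returns the configured default logon domain, or $null if the policy is not applied.
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or -not $props.PSObject.Properties['DefaultLogonDomain']) {
        return $null
    }
    return $props.DefaultLogonDomain
}

function Test-DefaultLogonDomainPolicy {
    param([Parameter(Mandatory)][string]$Expected)
    $actual = Get-DefaultLogonDomainPolicy
    if ($null -eq $actual) {
        Write-Warning "Policy not applied: DefaultLogonDomain is missing under $PolicyKey. Run 'gpupdate /force' and re-check."
        return $false
    }
    if ($actual -ne $Expected) {
        # A stale or mistyped value would send users back to the 4-character domain.
        Write-Warning "DefaultLogonDomain is '$actual', expected '$Expected'."
        return $false
    }
    Write-Output "DefaultLogonDomain = '$actual' (matches the expected realm)."
    return $true
}

Test-DefaultLogonDomainPolicy -Expected $ExpectedRealm
```

If the value is present but clients still default to the short domain, check with gpresult /r that no other GPO with higher precedence overrides this setting.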
