Mac Microsoft Remote Desktop Negotiating Credentials

Feb 08, 2018 Connecting Microsoft Remote Desktop on Mac. Download the Microsoft Remote Desktop app from the App Store to get started. Open the app and click New.Here, give your PC a name in the Connection. Start the Microsoft Remote Desktop Connection client by clicking Start All Programs Accessories Remote Desktop Connection. Specify the target host name or IP address. Click Connect. When prompted to log on with shared access credentials, choose Yes. When prompted with the Shared Access Selection window, select one of the credential pools.

Failure negotiating credentials from MAC-OSX for RemoteDesktop. I have only just downloaded the Microsoft Remote Desktop app from the Mac App Store. To connect to your campus Windows PC from a Mac you will need to use the Microsoft Remote Desktop application for Mac version 10.3.8 (or higher). If you are using a university-owned Mac, you may already have this app installed. Apr 16, 2018 Remote Desktop Connection 6.0 prompts you for credentials before you establish a remote desktop connection. Remote Desktop Connection 6.0 prompts you to accept the identity of the server if the identity of the server cannot be verified. You may be unable to use a smart card to log on to Remote Desktop Connection 6.0, even though you could use a. Download Microsoft Remote Desktop for Mac. Connect to Windows-based PCs to access Windows-based files, applications, devices, and networks from your Mac. Nov 09, 2019  Remote desktop server is created in an intention to give access to the internet-hosted server to the desktop. Mainly there is lots of windows server that supports these features. But not all the client computer gets the access to enjoy it. Check out the procedure to connect a Remote desktop server from windows and Mac.

-->

This article provides details for integrating your Remote Desktop Gateway infrastructure with Azure Multi-Factor Authentication (MFA) using the Network Policy Server (NPS) extension for Microsoft Azure.

The Network Policy Server (NPS) extension for Azure allows customers to safeguard Remote Authentication Dial-In User Service (RADIUS) client authentication using Azure's cloud-based Multi-Factor Authentication (MFA). This solution provides two-step verification for adding a second layer of security to user sign-ins and transactions.

This article provides step-by-step instructions for integrating the NPS infrastructure with Azure MFA using the NPS extension for Azure. This enables secure verification for users attempting to sign in to a Remote Desktop Gateway.

Note

This article should not be used with MFA Server deployments and should only be used with Azure MFA (Cloud-based) deployments.

The Network Policy and Access Services (NPS) gives organizations the ability to do the following:

  • Define central locations for the management and control of network requests by specifying who can connect, what times of day connections are allowed, the duration of connections, and the level of security that clients must use to connect, and so on. Rather than specifying these policies on each VPN or Remote Desktop (RD) Gateway server, these policies can be specified once in a central location. The RADIUS protocol provides the centralized Authentication, Authorization, and Accounting (AAA).
  • Establish and enforce Network Access Protection (NAP) client health policies that determine whether devices are granted unrestricted or restricted access to network resources.
  • Provide a means to enforce authentication and authorization for access to 802.1x-capable wireless access points and Ethernet switches.

Typically, organizations use NPS (RADIUS) to simplify and centralize the management of VPN policies. However, many organizations also use NPS to simplify and centralize the management of RD Desktop Connection Authorization Policies (RD CAPs).

Organizations can also integrate NPS with Azure MFA to enhance security and provide a high level of compliance. This helps ensure that users establish two-step verification to sign in to the Remote Desktop Gateway. For users to be granted access, they must provide their username/password combination along with information that the user has in their control. This information must be trusted and not easily duplicated, such as a cell phone number, landline number, application on a mobile device, and so on. RDG currently supports phone call and push notifications from Microsoft authenticator app methods for 2FA. For more information about supported authentication methods see the section Determine which authentication methods your users can use.

Prior to the availability of the NPS extension for Azure, customers who wished to implement two-step verification for integrated NPS and Azure MFA environments had to configure and maintain a separate MFA Server in the on-premises environment as documented in Remote Desktop Gateway and Azure Multi-Factor Authentication Server using RADIUS.

The availability of the NPS extension for Azure now gives organizations the choice to deploy either an on-premises based MFA solution or a cloud-based MFA solution to secure RADIUS client authentication.

Authentication Flow

For users to be granted access to network resources through a Remote Desktop Gateway, they must meet the conditions specified in one RD Connection Authorization Policy (RD CAP) and one RD Resource Authorization Policy (RD RAP). RD CAPs specify who is authorized to connect to RD Gateways. RD RAPs specify the network resources, such as remote desktops or remote apps, that the user is allowed to connect to through the RD Gateway.

An RD Gateway can be configured to use a central policy store for RD CAPs. RD RAPs cannot use a central policy, as they are processed on the RD Gateway. An example of an RD Gateway configured to use a central policy store for RD CAPs is a RADIUS client to another NPS server that serves as the central policy store.

When the NPS extension for Azure is integrated with the NPS and Remote Desktop Gateway, the successful authentication flow is as follows:

  1. The Remote Desktop Gateway server receives an authentication request from a remote desktop user to connect to a resource, such as a Remote Desktop session. Acting as a RADIUS client, the Remote Desktop Gateway server converts the request to a RADIUS Access-Request message and sends the message to the RADIUS (NPS) server where the NPS extension is installed.
  2. The username and password combination is verified in Active Directory and the user is authenticated.
  3. If all the conditions as specified in the NPS Connection Request and the Network Policies are met (for example, time of day or group membership restrictions), the NPS extension triggers a request for secondary authentication with Azure MFA.
  4. Azure MFA communicates with Azure AD, retrieves the user's details, and performs the secondary authentication using supported methods.
  5. Upon success of the MFA challenge, Azure MFA communicates the result to the NPS extension.
  6. The NPS server, where the extension is installed, sends a RADIUS Access-Accept message for the RD CAP policy to the Remote Desktop Gateway server.
  7. The user is granted access to the requested network resource through the RD Gateway.

Prerequisites

This section details the prerequisites necessary before integrating Azure MFA with the Remote Desktop Gateway. Before you begin, you must have the following prerequisites in place.

  • Remote Desktop Services (RDS) infrastructure
  • Azure MFA License
  • Windows Server software
  • Network Policy and Access Services (NPS) role
  • Azure Active Directory synched with on-premises Active Directory
  • Azure Active Directory GUID ID

Remote Desktop Services (RDS) infrastructure

You must have a working Remote Desktop Services (RDS) infrastructure in place. If you do not, then you can quickly create this infrastructure in Azure using the following quickstart template: Create Remote Desktop Session Collection deployment.

If you wish to manually create an on-premises RDS infrastructure quickly for testing purposes, follow the steps to deploy one.Learn more: Deploy RDS with Azure quickstart and Basic RDS infrastructure deployment.

Azure MFA License

Required is a license for Azure MFA, which is available through Azure AD Premium or other bundles that include it. Consumption-based licenses for Azure MFA, such as per user or per authentication licenses, are not compatible with the NPS extension. For more information, see How to get Azure Multi-Factor Authentication. For testing purposes, you can use a trial subscription.

Windows Server software

The NPS extension requires Windows Server 2008 R2 SP1 or above with the NPS role service installed. All the steps in this section were performed using Windows Server 2016.

Network Policy and Access Services (NPS) role

The NPS role service provides the RADIUS server and client functionality as well as Network Access Policy health service. This role must be installed on at least two computers in your infrastructure: The Remote Desktop Gateway and another member server or domain controller. By default, the role is already present on the computer configured as the Remote Desktop Gateway. You must also install the NPS role on at least on another computer, such as a domain controller or member server.

For information on installing the NPS role service Windows Server 2012 or older, see Install a NAP Health Policy Server. For a description of best practices for NPS, including the recommendation to install NPS on a domain controller, see Best Practices for NPS.

Azure Active Directory synched with on-premises Active Directory

To use the NPS extension, on-premises users must be synced with Azure AD and enabled for MFA. This section assumes that on-premises users are synched with Azure AD using AD Connect. For information on Azure AD connect, see Integrate your on-premises directories with Azure Active Directory.

Azure Active Directory GUID ID

To install NPS extension, you need to know the GUID of the Azure AD. Instructions for finding the GUID of the Azure AD are provided below.

Configure Multi-Factor Authentication

This section provides instructions for integrating Azure MFA with the Remote Desktop Gateway. As an administrator, you must configure the Azure MFA service before users can self-register their multi-factor devices or applications.

Follow the steps in Getting started with Azure Multi-Factor Authentication in the cloud to enable MFA for your Azure AD users.

Configure accounts for two-step verification

Once an account has been enabled for MFA, you cannot sign in to resources governed by the MFA policy until you have successfully configured a trusted device to use for the second authentication factor and have authenticated using two-step verification.

Follow the steps in What does Azure Multi-Factor Authentication mean for me? to understand and properly configure your devices for MFA with your user account.

Install and configure NPS extension

This section provides instructions for configuring RDS infrastructure to use Azure MFA for client authentication with the Remote Desktop Gateway.

Acquire Azure Active Directory GUID ID

As part of the configuration of the NPS extension, you need to supply admin credentials and the Azure AD ID for your Azure AD tenant. The following steps show you how to get the tenant ID.

  1. Sign in to the Azure portal as the global administrator of the Azure tenant.

  2. In the Azure portal menu, select Azure Active Directory, or search for and select Azure Active Directory from any page.

  3. Select Properties.

  4. In the Properties blade, beside the Directory ID, click the Copy icon, as shown below, to copy the ID to clipboard.

Install the NPS extension

Install the NPS extension on a server that has the Network Policy and Access Services (NPS) role installed. This functions as the RADIUS server for your design.

Important

Be sure you do not install the NPS extension on your Remote Desktop Gateway server.

  1. Download the NPS extension.
  2. Copy the setup executable file (NpsExtnForAzureMfaInstaller.exe) to the NPS server.
  3. On the NPS server, double-click NpsExtnForAzureMfaInstaller.exe. If prompted, click Run.
  4. In the NPS Extension For Azure MFA Setup dialog box, review the software license terms, check I agree to the license terms and conditions, and click Install.
  5. In the NPS Extension For Azure MFA Setup dialog box, click Close.

Configure certificates for use with the NPS extension using a PowerShell script

Next, you need to configure certificates for use by the NPS extension to ensure secure communications and assurance. The NPS components include a Windows PowerShell script that configures a self-signed certificate for use with NPS.

The script performs the following actions:

  • Creates a self-signed certificate
  • Associates public key of certificate to service principal on Azure AD
  • Stores the cert in the local machine store
  • Grants access to the certificate's private key to the network user
  • Restarts Network Policy Server service

If you want to use your own certificates, you need to associate the public key of your certificate to the service principal on Azure AD, and so on.

To use the script, provide the extension with your Azure AD Admin credentials and the Azure AD tenant ID that you copied earlier. Run the script on each NPS server where you installed the NPS extension. Then do the following:

  1. Open an administrative Windows PowerShell prompt.

  2. At the PowerShell prompt, type cd 'c:Program FilesMicrosoftAzureMfaConfig', and press ENTER.

  3. Type .AzureMfaNpsExtnConfigSetup.ps1, and press ENTER. The script checks to see if the Azure Active Directory PowerShell module is installed. If not installed, the script installs the module for you.

  4. After the script verifies the installation of the PowerShell module, it displays the Azure Active Directory PowerShell module dialog box. In the dialog box, enter your Azure AD admin credentials and password, and click Sign In.

  5. When prompted, paste the Directory ID you copied to the clipboard earlier, and press ENTER.

  6. The script creates a self-signed certificate and performs other configuration changes. The output should be like the image shown below.

Configure NPS components on Remote Desktop Gateway

In this section, you configure the Remote Desktop Gateway connection authorization policies and other RADIUS settings.

The authentication flow requires that RADIUS messages be exchanged between the Remote Desktop Gateway and the NPS server where the NPS extension is installed. This means that you must configure RADIUS client settings on both Remote Desktop Gateway and the NPS server where the NPS extension is installed.

Configure Remote Desktop Gateway connection authorization policies to use central store

Remote Desktop connection authorization policies (RD CAPs) specify the requirements for connecting to a Remote Desktop Gateway server. RD CAPs can be stored locally (default) or they can be stored in a central RD CAP store that is running NPS. To configure integration of Azure MFA with RDS, you need to specify the use of a central store.

Remote desktop negotiating credentials mac
  1. On the RD Gateway server, open Server Manager.

  2. On the menu, click Tools, point to Remote Desktop Services, and then click Remote Desktop Gateway Manager.

  3. In the RD Gateway Manager, right-click [Server Name] (Local), and click Properties.

  4. In the Properties dialog box, select the RD CAP Store tab.

  5. On the RD CAP Store tab, select Central server running NPS.

  6. In the Enter a name or IP address for the server running NPS field, type the IP address or server name of the server where you installed the NPS extension.

  7. Click Add.

  8. In the Shared Secret dialog box, enter a shared secret, and then click OK. Ensure you record this shared secret and store the record securely.

    Note

    Shared secret is used to establish trust between the RADIUS servers and clients. Create a long and complex secret.

  9. Click OK to close the dialog box.

Configure RADIUS timeout value on Remote Desktop Gateway NPS

To ensure there is time to validate users' credentials, perform two-step verification, receive responses, and respond to RADIUS messages, it is necessary to adjust the RADIUS timeout value.

  1. On the RD Gateway server, open Server Manager. On the menu, click Tools, and then click Network Policy Server.

  2. In the NPS (Local) console, expand RADIUS Clients and Servers, and select Remote RADIUS Server.

  3. In the details pane, double-click TS GATEWAY SERVER GROUP.

    Note

    This RADIUS Server Group was created when you configured the central server for NPS policies. The RD Gateway forwards RADIUS messages to this server or group of servers, if more than one in the group.

  4. In the TS GATEWAY SERVER GROUP Properties dialog box, select the IP address or name of the NPS server you configured to store RD CAPs, and then click Edit.

  5. In the Edit RADIUS Server dialog box, select the Load Balancing tab.

  6. In the Load Balancing tab, in the Number of seconds without response before request is considered dropped field, change the default value from 3 to a value between 30 and 60 seconds.

  7. In the Number of seconds between requests when server is identified as unavailable field, change the default value of 30 seconds to a value that is equal to or greater than the value you specified in the previous step.

  8. Click OK two times to close the dialog boxes.

Verify Connection Request Policies

By default, when you configure the RD Gateway to use a central policy store for connection authorization policies, the RD Gateway is configured to forward CAP requests to the NPS server. The NPS server with the Azure MFA extension installed, processes the RADIUS access request. The following steps show you how to verify the default connection request policy.

  1. On the RD Gateway, in the NPS (Local) console, expand Policies, and select Connection Request Policies.

  2. Double-click TS GATEWAY AUTHORIZATION POLICY.

  3. In the TS GATEWAY AUTHORIZATION POLICY properties dialog box, click the Settings tab.

  4. On Settings tab, under Forwarding Connection Request, click Authentication. RADIUS client is configured to forward requests for authentication.

  5. Click Cancel.

Note

For more information about creating a connection request policy see the article, Configure connection request policies documentation for the same.

Configure NPS on the server where the NPS extension is installed

The NPS server where the NPS extension is installed needs to be able to exchange RADIUS messages with the NPS server on the Remote Desktop Gateway. To enable this message exchange, you need to configure the NPS components on the server where the NPS extension service is installed.

Register Server in Active Directory

To function properly in this scenario, the NPS server needs to be registered in Active Directory.

  1. On the NPS server, open Server Manager.

  2. In Server Manager, click Tools, and then click Network Policy Server.

  3. In the Network Policy Server console, right-click NPS (Local), and then click Register server in Active Directory.

  4. Click OK two times.

  5. Leave the console open for the next procedure.

Create and configure RADIUS client

The Remote Desktop Gateway needs to be configured as a RADIUS client to the NPS server.

  1. On the NPS server where the NPS extension is installed, in the NPS (Local) console, right-click RADIUS Clients and click New.

  2. In the New RADIUS Client dialog box, provide a friendly name, such as Gateway, and the IP address or DNS name of the Remote Desktop Gateway server.

  3. In the Shared secret and the Confirm shared secret fields, enter the same secret that you used before.

  4. Click OK to close the New RADIUS Client dialog box.

Configure Network Policy

Recall that the NPS server with the Azure MFA extension is the designated central policy store for the Connection Authorization Policy (CAP). Therefore, you need to implement a CAP on the NPS server to authorize valid connections requests.

  1. On the NPS Server, open the NPS (Local) console, expand Policies, and click Network Policies.

  2. Right-click Connections to other access servers, and click Duplicate Policy.

  3. Right-click Copy of Connections to other access servers, and click Properties.

  4. In the Copy of Connections to other access servers dialog box, in Policy name, enter a suitable name, such as RDG_CAP. Check Policy enabled, and select Grant access. Optionally, in Type of network access server, select Remote Desktop Gateway, or you can leave it as Unspecified.

  5. Click the Constraints tab, and check Allow clients to connect without negotiating an authentication method.

  6. Optionally, click the Conditions tab and add conditions that must be met for the connection to be authorized, for example, membership in a specific Windows group.

  7. Click OK. When prompted to view the corresponding Help topic, click No.

  8. Ensure that your new policy is at the top of the list, that the policy is enabled, and that it grants access.

Verify configuration

To verify the configuration, you need to sign in to the Remote Desktop Gateway with a suitable RDP client. Be sure to use an account that is allowed by your Connection Authorization Policies and is enabled for Azure MFA.

As show in the image below, you can use the Remote Desktop Web Access page.

Mac Microsoft Remote Desktop Negotiating Credentials Download

Upon successfully entering your credentials for primary authentication, the Remote Desktop Connect dialog box shows a status of Initiating remote connection, as shown below.

If you successfully authenticate with the secondary authentication method you previously configured in Azure MFA, you are connected to the resource. However, if the secondary authentication is not successful, you are denied access to the resource.

In the example below, the Authenticator app on a Windows phone is used to provide the secondary authentication.

Once you have successfully authenticated using the secondary authentication method, you are logged into the Remote Desktop Gateway as normal. However, because you are required to use a secondary authentication method using a mobile app on a trusted device, the sign in process is more secure than it would be otherwise.

View Event Viewer logs for successful logon events

To view the successful sign-in events in the Windows Event Viewer logs, you can issue the following Windows PowerShell command to query the Windows Terminal Services and Windows Security logs.

To query successful sign-in events in the Gateway operational logs (Event ViewerApplications and Services LogsMicrosoftWindowsTerminalServices-GatewayOperational), use the following PowerShell commands:

  • Get-WinEvent -Logname Microsoft-Windows-TerminalServices-Gateway/Operational where {$_.ID -eq '300'} FL
  • This command displays Windows events that show the user met resource authorization policy requirements (RD RAP) and was granted access.
  • Get-WinEvent -Logname Microsoft-Windows-TerminalServices-Gateway/Operational where {$_.ID -eq '200'} FL
  • This command displays the events that show when user met connection authorization policy requirements.

You can also view this log and filter on event IDs, 300 and 200. To query successful logon events in the Security event viewer logs, use the following command:

  • Get-WinEvent -Logname Security where {$_.ID -eq '6272'} FL
  • This command can be run on either the central NPS or the RD Gateway Server.

You can also view the Security log or the Network Policy and Access Services custom view, as shown below:

On the server where you installed the NPS extension for Azure MFA, you can find Event Viewer application logs specific to the extension at Application and Services LogsMicrosoftAzureMfa.

Troubleshoot Guide

If the configuration is not working as expected, the first place to start to troubleshoot is to verify that the user is configured to use Azure MFA. Have the user connect to the Azure portal. If users are prompted for secondary verification and can successfully authenticate, you can eliminate an incorrect configuration of Azure MFA.

If Azure MFA is working for the user(s), you should review the relevant Event logs. These include the Security Event, Gateway operational, and Azure MFA logs that are discussed in the previous section.

Below is an example output of Security log showing a failed logon event (Event ID 6273).

Below is a related event from the AzureMFA logs:

To perform advanced troubleshoot options, consult the NPS database format log files where the NPS service is installed. These log files are created in %SystemRoot%System32Logs folder as comma-delimited text files.

For a description of these log files, see Interpret NPS Database Format Log Files. The entries in these log files can be difficult to interpret without importing them into a spreadsheet or a database. You can find several IAS parsers online to assist you in interpreting the log files.

The image below shows the output of one such downloadable shareware application.

Finally, for additional troubleshoot options, you can use a protocol analyzer, such Microsoft Message Analyzer.

The image below from Microsoft Message Analyzer shows network traffic filtered on RADIUS protocol that contains the user name CONTOSOAliceC.

Next steps

-->

Applies To: Windows 10, Windows 8.1, Windows Server 2012 R2, Windows Server 2016

You can use the Remote Desktop client for Mac to work with Windows apps, resources, and desktops from your Mac computer. Use the following information to get started - and check out the FAQ if you have questions.

Note

  • Curious about the new releases for the macOS client? Check out What's new for Remote Desktop on Mac?
  • The Mac client runs on computers running macOS 10.10 and newer.
  • The information in this article applies primarily to the full version of the Mac client - the version available in the Mac AppStore. Test-drive new features by downloading our preview app here: beta client release notes.

Get the Remote Desktop client

Follow these steps to get started with Remote Desktop on your Mac:

  1. Download the Microsoft Remote Desktop client from the Mac App Store.
  2. Set up your PC to accept remote connections. (If you skip this step, you can't connect to your PC.)
  3. Add a Remote Desktop connection or a remote resource. You use a connection to connect directly to a Windows PC and a remote resource to use a RemoteApp program, session-based desktop, or a virtual desktop published on-premises using RemoteApp and Desktop Connections. This feature is typically available in corporate environments.

What about the Mac beta client?

We're testing new features on our preview channel on AppCenter. Want to check it out? Go to Microsoft Remote Desktop for Mac and click Download. You don't need to create an account or sign into AppCenter to download the beta client.

If you already have the client, you can check for updates to ensure you have the latest version. In the beta client, click Microsoft Remote Desktop Beta at the top, and then click Check for updates.

Add a Remote Desktop connection

To create a remote desktop connection:

  1. In the Connection Center, click +, and then click Desktop.

  2. Enter the following information:

    • PC name - the name of the computer.
      • This can be a Windows computer name (found in the System settings), a domain name, or an IP address.
      • You can also add port information to the end of this name, like MyDesktop:3389.
    • User Account - Add the user account you use to access the remote PC.
      • For Active Directory (AD) joined computers or local accounts, use one of these formats: user_name, domainuser_name, or user_name@domain.com.
      • For Azure Active Directory (AAD) joined computers, use one of these formats: AzureADuser_name or AzureADuser_name@domain.com.
      • You can also choose whether to require a password.
      • When managing multiple user accounts with the same user name, set a friendly name to differentiate the accounts.
      • Manage your saved user accounts in the preferences of the app.
  3. You can also set these optional settings for the connection:

    • Set a friendly name
    • Add a Gateway
    • Set the sound output
    • Swap mouse buttons
    • Enable Admin Mode
    • Redirect local folders into a remote session
    • Forward local printers
    • Forward Smart Cards
  4. Click Save.

To start the connection, just double-click it. The same is true for remote resources.

Export and import connections

You can export a remote desktop connection definition and use it on a different device. Remote desktops are saved in separate .RDP files.

  1. In the Connection Center, right-click the remote desktop.
  2. Click Export.
  3. Browse to the location where you want to save the remote desktop .RDP file.
  4. Click OK.

Microsoft remote desktop connection application for mac. Use the following steps to import a remote desktop .RDP file.

  1. In the menu bar, click File > Import.
  2. Browse to the .RDP file.
  3. Click Open.

Add a remote resource

Remote resources are RemoteApp programs, session-based desktops, and virtual desktops published using RemoteApp and Desktop Connections.

  • The URL displays the link to the RD Web Access server that gives you access to RemoteApp and Desktop Connections.
  • The configured RemoteApp and Desktop Connections are listed.

To add a remote resource:

  1. In the Connection Center click +, and then click Add Remote Resources.
  2. Enter information for the remote resource:
    • Feed URL - The URL of the RD Web Access server. You can also enter your corporate email account in this field – this tells the client to search for the RD Web Access Server associated with your email address.
    • User name - The user name to use for the RD Web Access server you are connecting to.
    • Password - The password to use for the RD Web Access server you are connecting to.
  3. Click Save.

The remote resources will be displayed in the Connection Center.

Connect to an RD Gateway to access internal assets

A Remote Desktop Gateway (RD Gateway) lets you connect to a remote computer on a corporate network from anywhere on the Internet. You can create and manage your gateways in the preferences of the app or while setting up a new desktop connection.

To set up a new gateway in preferences:

  1. In the Connection Center, click Preferences > Gateways.
  2. Click the + button at the bottom of the table Enter the following information:
    • Server name – The name of the computer you want to use as a gateway. This can be a Windows computer name, an Internet domain name, or an IP address. You can also add port information to the server name (for example: RDGateway:443 or 10.0.0.1:443).
    • User name - The user name and password to be used for the Remote Desktop gateway you are connecting to. You can also select Use connection credentials to use the same user name and password as those used for the remote desktop connection.

Manage your user accounts

When you connect to a desktop or remote resources, you can save the user accounts to select from again. You can manage your user accounts by using the Remote Desktop client.

To create a new user account:

  1. In the Connection Center, click Settings > Accounts.
  2. Click Add User Account.
  3. Enter the following information:
    • User Name - The name of the user to save for use with a remote connection. You can enter the user name in any of the following formats: user_name, domainuser_name, or user_name@domain.com.
    • Password - The password for the user you specified. Every user account that you want to save to use for remote connections needs to have a password associated with it.
    • Friendly Name - If you are using the same user account with different passwords, set a friendly name to distinguish those user accounts.
  4. Tap Save, and then tap Settings.

Customize your display resolution

You can specify the display resolution for the remote desktop session.

  1. In the Connection Center, click Preferences.
  2. Click Resolution.
  3. Click +.
  4. Enter a resolution height and width, and then click OK.

To delete the resolution, select it, and then click -.

Mac Remote Desktop Client

Displays have separate spacesIf you are running Mac OS X 10.9 and disabled Displays have separate spaces in Mavericks (System Preferences > Mission Control), you need to configure this setting in the remote desktop client using the same option.

Drive redirection for remote resources

Drive redirection is supported for remote resources, so that you can save files created with a remote application locally to your Mac. The redirected folder is always your home directory displayed as a network drive in the remote session.

Note

In order to use this feature, the administrator needs to set the appropriate settings on the server.

Use a keyboard in a remote session

Mac keyboard layouts differ from the Windows keyboard layouts.

  • The Command key on the Mac keyboard equals the Windows key.
  • To perform actions that use the Command button on the Mac, you will need to use the control button in Windows (e.g.: Copy = Ctrl + C).
  • The function keys can be activated in the session by pressing additionally the FN key (e.g.: FN + F1).
  • The Alt key to the right of the space bar on the Mac keyboard equals the Alt Gr/right Alt key in Windows.

Mac Microsoft Remote Desktop Negotiating Credentials For Business

By default, the remote session will use the same keyboard locale as the OS you're running the client on. (If your Mac is running an en-us OS, that will be used for the remote sessions as well.) If the OS keyboard locale is not used, check the keyboard setting on the remote PC and change it manually. See the Remote Desktop Client FAQ for more information about keyboards and locales.

Support for Remote Desktop gateway pluggable authentication and authorization

Windows Server 2012 R2 introduced support for a new authentication method, Remote Desktop Gateway pluggable authentication and authorization, which provides more flexibility for custom authentication routines. You can now try this authentication model with the Mac client.

Important

Custom authentication and authorization models before Windows 8.1 are not supported, although the article above discusses them.

To learn more about this feature, check out https://aka.ms/paa-sample.

Microsoft Remote Desktop Download

Tip

Mac Microsoft Remote Desktop 10

Questions and comments are always welcome. However, please do NOT post a request for troubleshooting help by using the comment feature at the end of this article. Instead, go to the Remote Desktop client forum and start a new thread. Have a feature suggestion? Tell us in the client user voice forum.