How to configure Windows VPN to not save *Session password?

So I have a standard PPTP VPN connection in Windows (8 or 10, behavior is the same). When I connect to the VPN, I'm using a standard username/password combination, not a Windows password and not my machine login password.

The trouble is Windows will save that password as *Session and I have to go remove it from "Manage network passwords" every time I connect or I will lose the ability to connect to any of my regular servers via SMB because it tries to log into those servers using the VPN password.

I've searched around and can find almost no other information about this.

CoreyH

Posted 2015-07-30T20:06:37.440

Reputation: 885

Found a 7 year old post that seems related, but I don't think Windows uses PBK files for VPNs anymore https://social.technet.microsoft.com/Forums/windows/en-US/275599f0-6239-46a5-8245-50a5c13a2713/vista-connects-to-vpn-then-fails-windows-authentication-for-sql-iis-on-local-lan-sspi?forum=itprovistanetworking

– CoreyH – 2015-07-30T20:13:47.637

I've just tried this, from that post: "1. Locate the .pbk file that contains the entry that you dial. To do so, click Start, type *.pbk in the Research Bar, and then press Enter.

Open the file in Notepad.
Locate the following entry: UseRasCredentials=1
Modify the entry to the following: UseRasCredentials=0
On the File menu, click Save, and the click Exit."

-on Windows 10 1803 and it worked. – colmob – 2018-10-10T06:13:20.170

Answers

Check this link: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication

Some of the caveats are listed above. The setting is found by going to Control Panel->Administrative Tools->Local Security Policies. Then open: Local Policies->Security Options->Network access: Do not allow storage of passwords and credentials for network authentication Set it to Enabled

This is not as narrow a setting as you might like, and may not apply to your situation. But for me it prevents our laptop users on laptops from saving their VPN credentials.

At first glance it does not appear to work; it does not prevent the check box from appearing, and the user name appears to be saved in the setup window, but after setup, the VPN connection always prompts for credentials.

Mac-n-Mac

Posted 2015-07-30T20:06:37.440

Reputation: 1

On Windows 7 you were able to control this via either registry or Connection Manager Admin Kit

The registry to edit is:

User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\InternetSettings]

Value Name: DisablePasswordCaching

Data Type: REG_DWORD

(DWORD Value) Value Data: (0 = default, 1 = disable password cache)

Alternatively you can clear the password by right click (but still every time)

TomEus

Posted 2015-07-30T20:06:37.440

Reputation: 3 355

-1

On destination server open The Local Group Policy Editor

Go to: User Configuration | Administrative Templates | Windows Components | Remote Desktop Services

Select the Remote Desktop Connection Client item under Remote Desktop Services. In the Setting list on the right, double-click on the Do not allow passwords to be saved setting. Set it to enable.

Now the password will not be saved.

integratorIT

Posted 2015-07-30T20:06:37.440

Reputation: 727

1I don't think this is it - this refers to remote desktop and I'm talking about vpn and the windows session password for browsing network shares. – CoreyH – 2015-08-07T18:17:31.653

aren't You authenticating vpn users with local or active directory users? – integratorIT – 2015-09-28T12:58:05.093