I have an application that provides its own Credential Provider for Windows 2012 R2. That means that authentication must happen server-side. Windows added something called “Network Level Authentication” that requires clients to authenticate BEFORE the RDP connection is established at all. Unfortunately, those credentials are then used to authenticate the user directly to his desktop without choosing another Credential Provider.
I obviously disabled NLA and everything else that I could find for client-side authentication in the Local Group Policy Editor (the server is not a member of a domain), but RDP simply didn’t care.
After googling long and hard I found the solution here: http://sogeeky.blogspot.de/
It’s not really a solution but more of a crappy workaround around Windows idiocy, but it works. Sadly.