Protected Users group causing issues with RDP

Question

Protected Users group causing issues with RDP

AnnaG 166

Dear all, 3rd part Security company provides a report on vulnerabilities in the environment and any steps to mitigate or reduce. One of these items related to placing privileged accounts in the protected security group but as a consequence none of them were able to RDP servers any longer. On removing them it worked again and we knew this was the issue due to the error and our good friend Google. Error

We do have NLA configured as well if this is a factor. Is there a workaround which does not mean removing the account(s) from the Protected Security Group?

4 answers

Your answer

Answer 1

Thameur-BOURBITA 36,261 Moderator

Hi @Testing

When you add a admin account to protected users group , NTLM will be disable.

When a admin try to access through RDP for Example using the IP adresse , the authentication will be failed because it using ntlm authentication. You have to ask admin to use the FQDN of server serverName.domain.lan to use kerberos instead of ntlm When kerberos authentication failed , the problem should be:

Missing SPN
Network flow problem

If it's not possible to use kerberos authentication , you should remove admin account from protected users to let him access through RDP on target server.

Please don't forget to accept helpful answer

AnnaG 166 Reputation points

2024-02-15T19:40:14.7266667+00:00

Thanks for your response. We already tried using FQDN and it was still failing. I did a lot of reading on this at the time and nothing worked. We have VPN and connect to the servers in the domain from a jump box server in another domain. Nothing worked. We've taken all accounts out now.
Thameur-BOURBITA 36,261 Reputation points Moderator

2024-02-16T14:58:24.19+00:00

Hi @Testing •

It should be network flow for kerberos authentication is blocked and admin need ntlm enabled for authentication that's mean to be out of protected users.

Please don't forget to accept helpful answer and close this thread
AnnaG 166 Reputation points

2024-02-18T22:30:45.9266667+00:00

Thanks for this. Can you explain a little more. What steps are required?
Thameur-BOURBITA 36,261 Reputation points Moderator

2024-02-19T12:52:58.7466667+00:00

@AnnaG

Try to check if the network flows required for kerberos authentication between client and servers with domain controllers.

How to configure a firewall for Active Directory domains and trusts

Please don't forget to accept helpful answer

Answer 2

Anonymous

Hello, You have to contact your system admin to modify your authentication method. This is the official link about protected users securiity group : Protected Users Security Group | Microsoft Learn

---If the Answer is helpful, please click "Accept Answer" and upvote it.

AnnaG 166 Reputation points

2024-02-19T10:47:58.1+00:00

Thanks, Yes, I have seen this article already but it does not contain what I need. Hence the question here.

Answer 3

Tomislav Đorđević 0

Hi,

i think that you had the same problem as me

try enableing GPO: Key Distribution Center (KDC) client support for claims, compound authentication and Kerberos armoring

path: Computer Configuration | Administrative Templates | System | KDC.

Link to MS article:https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts

User's image

Please do have in mind that when you are using kerberos you cant user IP addresses for RDP, only fqdn's (server.domain.local).

Answer 4

Amol Avere 0

Try login with UserID@DomainName instead of DomainName\UserID

Share via

Protected Users group causing issues with RDP

4 answers

Your answer