Remote Credential Guard double-hop issue after server 2022 upgrade

Robert Ro 31 Reputation points
2022-02-21T23:03:25.583+00:00

We upgraded two of our jump/admin servers from Server 2019 to Server 2022. One was installed fresh, the other one was upgraded via in-place upgrade.

Now mstsc /remoteguard no longer works correctly; we seem to run into a Kerberos double-hop issue.

What we do is, we log on to the admin server as usual with credentials. Then from the admin server we use mstsc /remoteguard to jump to a different machine. On the destination machine, upon opening network shares, we receive the message:

"The system cannot contact a domain controller to service the authentication request. Please try again later."


This did not happen before the upgrade. Everything still works fine when starting from a Server 2019 admin server.
No group policies, security settings or other modifications were done to the infrastructure.
Anyone else experiencing this?


14 answers

  1. Robert Ro 31 Reputation points
    2022-03-14T10:27:37.393+00:00

    We opened a support case on 2022-02-22 but so far no resolution.

    1 person found this answer helpful.

  2. Simon Kleinl-Roscic 1 Reputation point
    2022-03-10T10:00:08.003+00:00

    Same problem here: when using a Windows Server 2022 jump/admin host to connect to other machines using mstsc /remoteguard, we run into the Kerberos double-hop issue as Robert described (you can't access file shares, ...). It doesn't matter if the destination machine is Windows Server 2016, 2019 or 2022. If you use a Windows Server 2016 or 2019 jump/admin host to connect to other machines using mstsc /remoteguard, then everything works as expected (access to file shares works, ...).


  3. SIMONS Philippe 1 Reputation point
    2022-03-14T10:14:17.78+00:00

    Similar issue here, using Windows 10 21H2 after applying the January Patch Tuesday update (KB5009543) as the source of RDP (destination machine is Windows Server 2019 or 2022).
    A workaround is to lock / unlock the remote session (CTRL+ALT+END) ... but I imagine then you are not relying on RCG but local authentication.


  4. SIMONS Philippe 1 Reputation point
    2022-03-14T11:30:25.443+00:00

    We also opened a support case on 2022-01-14, and provided a reproduction scenario on 19-02-2022 ...


  5. SIMONS Philippe 1 Reputation point
    2022-04-26T15:05:55.483+00:00

    Good news,
    Preview update (4C) is available, and addresses the issue:

    Windows Server 2022 - KB5012637, Windows 11 (SV) - KB5012643, Windows 10 2004 \ 20H1 \ 20H2 \ 21H1 \ 21H2 - KB5011831

    “Addresses an issue that causes Kerberos authentication to fail, and the error is “0xc0030009 (RPC_NT_NULL_REF_POINTER)”. This occurs when a client machine attempts to use the Remote Desktop Protocol (RDP) to connect to another machine while Remote Credential Guard is enabled.”
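
One way to check jump/admin hosts for the preview updates named in this thread, added here as an example and not posted by any participant. The function name, the OS caption patterns and the status labels are assumptions; the KB ids and the date are the ones given above. Because cumulative updates supersede one another, a host without the KB id but with a later update installed is flagged for manual review instead of being reported as unpatched.

```powershell
# Added example. KB ids come from the thread; the function name, caption
# patterns and status labels are assumptions made for this sketch.
function Test-RcgKerberosFix {
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    # OS caption pattern -> preview update named in the thread
    $fixByOs = [ordered]@{
        '*Server 2022*' = 'KB5012637'
        '*Windows 11*'  = 'KB5012643'
        '*Windows 10*'  = 'KB5011831'
    }
    $announced = [datetime]'2022-04-26'   # date of the post announcing the fix

    foreach ($computer in $ComputerName) {
        # Query the local machine without remoting so WinRM is not required for it
        $cim = @{ ClassName = 'Win32_OperatingSystem' }
        if ($computer -ne $env:COMPUTERNAME) { $cim.ComputerName = $computer }
        $os = Get-CimInstance @cim

        $pattern = $fixByOs.Keys | Where-Object { $os.Caption -like $_ } |
            Select-Object -First 1
        $kb = if ($pattern) { $fixByOs[$pattern] } else { $null }

        $hotfixes = @(Get-HotFix -ComputerName $computer)
        $hasKb    = [bool]($kb -and ($hotfixes.HotFixID -contains $kb))
        # Heuristic: an update installed after the announcement may be a later
        # cumulative update that already contains the fix. Confirm by hand.
        $later    = @($hotfixes | Where-Object { $_.InstalledOn -gt $announced })

        $status = if (-not $kb)         { 'OsNotCoveredByThread' }
                  elseif ($hasKb)       { 'FixListed' }
                  elseif ($later.Count) { 'LaterUpdatePresent-Review' }
                  else                  { 'FixNotFound' }

        [pscustomobject]@{
            Computer    = $computer
            OS          = $os.Caption
            ExpectedKB  = $kb
            Status      = $status
            LastUpdated = ($hotfixes.InstalledOn | Sort-Object | Select-Object -Last 1)
        }
    }
}

# Constructed host names; replace with your own jump/admin servers.
# Test-RcgKerberosFix -ComputerName 'JUMP01', 'JUMP02' | Format-Table -AutoSize
```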

