Remote Credential Guard double-hop issue after server 2022 upgrade

Robert Ro 31 Reputation points
2022-02-21T23:03:25.583+00:00

we upgraded two of our jump/admin servers from server 2019 to server 2022. one was installed fresh, the other one was upgraded via inplace upgrade.

now mstsc /remoteguard no longer works correctly, we seem to run into a kerberos double-hop issue.

what we do is, we logon to the admin server as usual with credentials. then from the admin server we use mstsc /remoteguard to jump to a different machine. on the destination machine, upon opening network shares we receive the message:

"The system cannot contact a domain controller to service the authentication reuqest. Please try again later."

176535-image.png

this did not happen before the upgrade. everything still works fine when starting from a server 2019 admin server.
no group policies, security settings or other modifications were done the infrastructure.
anyone else experiencing this?

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
13,191 questions
Remote Desktop
Remote Desktop
A Microsoft app that connects remotely to computers and to virtual apps and desktops.
4,590 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,848 questions
0 comments No comments
{count} votes

14 answers

Sort by: Most helpful
  1. SIMONS Philippe 1 Reputation point
    2022-04-27T08:14:56.713+00:00

    We are running our VMs on Hyper-V (Guarded Fabric with Shielded VMs) , so the comparison will be difficult.

    196903-vbs.png

    You probably don't have vTPM on you VMs (in our case the CLIENT needs to be VBS Capable , so with a TPM and Set-VMProcessor -VMName 'CLIENT' -ExposeVirtualizationExtensions $true )

    0 comments No comments

  2. Robert Ro 31 Reputation points
    2022-04-27T08:18:59.853+00:00

    hyper-v .... i guessed so. thanks for confirming..... :)
    let's see what MS support has to say about this.
    thanks again!

    0 comments No comments

  3. Alexander L. Marchenko 1 Reputation point
    2022-04-28T06:54:14.287+00:00

    Hi
    Please install the KB5011831 on client and check it again
    https://support.microsoft.com/en-us/topic/april-25-2022-kb5011831-os-builds-19042-1682-19043-1682-and-19044-1682-preview-fe4ff411-d25a-4185-aabb-8bc66e9dbb6c

    "Addresses an issue that causes Kerberos authentication to fail, and the error is “0xc0030009 (RPC_NT_NULL_REF_POINTER)”. This occurs when a client machine attempts to use the Remote Desktop Protocol (RDP) to connect to another machine while Remote Credential Guard is enabled."


  4. Robert Ro 31 Reputation points
    2022-08-17T12:18:02.287+00:00

    FYI,
    the issue has been fixed with august preview update "windows10.0-kb5016693-x64_cdae6466553f8a5025611babab46598380a5b83e.msu"

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.