RDS SSO with delegated credentials fails after installing 2022-10 updates

dadom 21 Reputation points
2022-10-27T07:13:57.033+00:00

Hi,

KB5018410 on W10 21H2 with its new mstsc.exe kills our local Single-Sign-On experience on a Server 2019 RDS farm which has worked for several years. KB5017380 (the 2022-09 preview update that was on WSUS for one day in September) did the same.

Clients without that update are still working fine. An affected client is working again after uninstalling the update or manually replacing the mstsc.exe and corresponding dll from a client that has not yet received the update.

We are using one 2019 RDS Broker with a valid certificate and several RDSH. GPO sets the delegation of standard credentials as well as the trusted SHA thumbprint of the cert. No Web Access or gateway in use, only local connections.

When trying to log on using a predefined .rdp file and the logged-in client user credentials (SSO), the server shows "Other user: invalid username or password" on a regular Windows 2019 login screen with picture background. After clicking OK, the username field is already filled and when you type your password manually, you get logged in. The session itself seems to work properly, once logged in.

Broker eventvwr shows lots of event IDs 4625/4648 with code 0xC000006D/0xC0000064. No matter which RDSH an affected client gets redirected to, the result is the same. It's clearly related to the mstsc.exe build (.2075) of the client. The servers have not had the 2022-10 updates installed yet. Similar for W11 clients that got updated.

Other admins on different forums have confirmed they are having the same issue, no solution yet.

Disabling UDP does not change this.

Any ideas? Thanks!
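For triage of the 4625 events mentioned above, the following added example (not part of the original post) flattens failed-logon events into per-client rows and names the two status codes: 0xC000006D is STATUS_LOGON_FAILURE and 0xC0000064 is STATUS_NO_SUCH_USER. The function name `ConvertFrom-Logon4625`, the workstation names, the user names and the sample events are constructed for illustration.

```powershell
# Added example; the sample events below are constructed, not taken from the post.
$StatusNames = @{
    '0xC000006D' = 'STATUS_LOGON_FAILURE'   # bad user name or authentication information
    '0xC0000064' = 'STATUS_NO_SUCH_USER'    # the account name does not exist
}

function ConvertFrom-Logon4625 {
    # Flattens one Security event 4625 (as XML) into the fields needed for triage.
    param([Parameter(Mandatory, ValueFromPipeline)][xml]$EventXml)
    process {
        $d = @{}
        foreach ($n in $EventXml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $sub = "$($d['SubStatus'])"          # empty string when the field is missing
        [pscustomobject]@{
            Time        = $EventXml.Event.System.TimeCreated.SystemTime
            Workstation = $d['WorkstationName']
            User        = $d['TargetUserName']
            Status      = $d['Status']
            SubStatus   = $sub
            Meaning     = $StatusNames[$sub] # hashtable lookup is case-insensitive
        }
    }
}

# Constructed events in the shape of the Security log's 4625 XML.
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="{0}" /></System>
  <EventData>
    <Data Name="TargetUserName">{1}</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">{2}</Data>
    <Data Name="WorkstationName">{3}</Data>
  </EventData>
</Event>
'@
$sample = @(
    $template -f '2022-10-27T06:58:10Z', 'user-a', '0xc0000064', 'CLIENT-A'
    $template -f '2022-10-27T06:58:41Z', 'user-a', '0xc0000064', 'CLIENT-A'
    $template -f '2022-10-27T07:02:03Z', 'user-b', '0xc0000064', 'CLIENT-B'
)

# Count failures per client and sub-status, most affected client first.
$sample | ConvertFrom-Logon4625 |
    Group-Object Workstation, SubStatus, Meaning |
    Sort-Object Count -Descending | Select-Object Count, Name

# Against the live log on the broker (elevated session), feed real events instead:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 500 |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-Logon4625
```

Comparing the resulting workstation list against the clients that already have the update installed shows whether the failures line up with the new mstsc.exe build.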


11 answers

  1. THOMAS PROEHL 0 Reputation points
    2023-09-01T15:54:48.6633333+00:00

    Any Updates on this?

    We try to connect from Win11 22H2 (update state August 23) to a 2022 RDP farm. Always "false credentials". This also happens from Win11 to a 2016 RDP farm.

    The named flag is set, doesn't work. What mstsc.exe version from what base system will work? Tried a 2022 mstsc version. No luck.

    Win10 with the same GPOs and settings works as expected.