Having the same issue. Besides turning off NLA, can't find a way to get it working.
Unable to RDP to on-prem server from AADJ device using Cloud Kerberos Trust
I have a new customer environment using AADJ Intune managed devices, Windows Hello for Business and Cloud Kerberos Trust. They are using a 3rd party PKI solution called SCEPMan.
The issue is when using RDP from the client to an on-prem server, the server generates an error message:
If you enter your domain username and password OR disable NLA on the server itself, the user can log in to the server; however, this reduces the security of the server.
The client device has a successful user and device SCEP certificate deployed and the Trusted Root cert installed from CA.
The server has the Trusted Root CA installed.
The client can't seem to pass through the WHfB certificate credentials to the server to log in.
All other access and functionality on these devices to internal and on-prem resources is fine. It is only RDP from client to servers that we have issues with.
All prerequisites and configuration appear to have been met in the following Microsoft articles:
Thanks!
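As an added troubleshooting aid (not part of the original post), the following PowerShell checks two things the thread turns on: that the target server still requires NLA (so the workaround of disabling it has not been applied), and that the AADJ client actually holds the Azure AD PRT and on-prem TGT that Cloud Kerberos Trust needs before RDP can pass WHfB credentials through. It assumes `dsregcmd` and the `Win32_TSGeneralSetting` WMI class are available on the respective machines; the server name is a placeholder.

```powershell
# Added example: verify the server-side NLA setting and the client-side
# Cloud Kerberos Trust state. Run Test-RdpNlaRequired on the server and
# Test-CloudKerberosTrustClient on the AADJ client.

function Test-RdpNlaRequired {
    # UserAuthenticationRequired = 1 means NLA is enforced for RDP-Tcp.
    $ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
                          -ClassName 'Win32_TSGeneralSetting' `
                          -Filter "TerminalName='RDP-Tcp'"
    $nla = [int]$ts.UserAuthenticationRequired
    if ($nla -eq 1) {
        Write-Output 'NLA is required for RDP-Tcp (expected).'
    } else {
        Write-Warning 'NLA is DISABLED on this server; re-enable it rather than relying on the workaround.'
    }
    return ($nla -eq 1)
}

function Test-CloudKerberosTrustClient {
    # dsregcmd /status reports the SSO state; Cloud Kerberos Trust needs an
    # Azure AD PRT and an on-premises TGT obtained through it.
    $status = (& dsregcmd /status) -join "`n"
    $hasPrt = $status -match 'AzureAdPrt\s*:\s*YES'
    $hasTgt = $status -match 'OnPremTgt\s*:\s*YES'
    if (-not $hasPrt) { Write-Warning 'No Azure AD PRT on this device; WHfB sign-in may not have completed.' }
    if (-not $hasTgt) { Write-Warning 'No on-prem TGT; check DC line-of-sight and the Cloud Kerberos Trust Intune policy.' }
    if ($hasPrt -and $hasTgt) { Write-Output 'PRT and on-prem TGT present; client side of Cloud Kerberos Trust looks healthy.' }
    return ($hasPrt -and $hasTgt)
}

# Example usage (placeholder hostname):
# Test-RdpNlaRequired            # on SERVER01.corp.example
# Test-CloudKerberosTrustClient  # on the AADJ client
```

If the client check passes but RDP still fails only with NLA on, the remaining problem is on the server's credential-delegation path rather than the device's WHfB enrolment, which narrows what to compare against the Microsoft articles the post references.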