Unable to RDP to on-prem server from AADJ device using Cloud Kerberos Trust

Nathan Gardner 0 Reputation points
2023-09-15T04:16:26.83+00:00

I have a new customer environment using AADJ Intune managed devices, Windows Hello for Business and Cloud Kerberos Trust. They are using a 3rd party PKI solution called SCEPMan.

The issue is when using RDP from the client to an on-prem server, the server generates an error message:

[User's image: screenshot of the error message shown on the server]

If you enter your domain username and password, OR disable NLA on the server itself, the user can log in to the server; however, this reduces the security of the server.

The client device has a successful user and device SCEP certificate deployed and the Trusted Root cert installed from CA.

The server has the Trusted Root CA installed.

The client can't seem to pass the WHfB certificate credentials through to the server to log in.

All other access and functionality on these devices to internal and on-prem resources is fine. It is only RDP from client to servers that we have issues with.

All prerequisites and configuration appear to have been met per the following Microsoft articles:

https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust?tabs=intune#can-i-use-rdpvdi-with-windows-hello-for-business-cloud-kerberos-trust

https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs

Thanks!
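The question lists several prerequisites (NLA left enabled on the server, the root CA in the server's trusted store, a user certificate on the client, working cloud Kerberos trust). The following read-only PowerShell script is an added diagnostic written for this thread; it is not from the original post, from Microsoft, or from SCEPman. It only reports state and never changes it, so NLA stays enabled. The `$ExpectedRootThumbprint` parameter, the check names, and the assumption that the RDP listener is called `RDP-Tcp` are this example's own; the Smart Card Logon EKU OID `1.3.6.1.4.1.311.20.2.2` and the `dsregcmd` field names are standard Windows values.

```powershell
# Added diagnostic (not part of the original question). Read-only: reports the state of the
# prerequisites discussed above and modifies nothing. Run it on the AADJ client and on the
# on-prem server; checks that do not apply to a machine simply report what they find.
param(
    # Assumption: SHA-1 thumbprint of the SCEPman root CA. Leave empty to skip that check.
    [string]$ExpectedRootThumbprint = ''
)

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # well-known EKU OID for Smart Card Logon

function Test-NlaEnabled {
    # NLA state as the RDP listener advertises it: True = NLA required (the secure setting).
    try {
        $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' -ClassName Win32_TSGeneralSetting `
              -Filter "TerminalName='RDP-Tcp'" -ErrorAction Stop
        $value = [bool]$ts.UserAuthenticationRequired
    } catch { $value = 'n/a (no RDP listener on this host)' }
    [pscustomobject]@{
        Check = 'NLA required on RDP-Tcp'
        Value = $value
        Note  = 'Disabling NLA works around the error but weakens the server; keep it enabled.'
    }
}

function Test-RootCaPresent {
    # The issuing root must be in LocalMachine\Root on the server (and client) for the chain to build.
    $roots = Get-ChildItem Cert:\LocalMachine\Root
    $found = if ($ExpectedRootThumbprint) { $roots | Where-Object Thumbprint -eq $ExpectedRootThumbprint }
    [pscustomobject]@{
        Check = 'Trusted Root CA in LocalMachine\Root'
        Value = if ($ExpectedRootThumbprint) { [bool]$found } else { 'skipped (no thumbprint given)' }
        Note  = "$($roots.Count) root certificates present"
    }
}

function Test-UserLogonCert {
    # The client-side user certificate that RDP presents must carry the Smart Card Logon EKU
    # and have a usable private key; a device certificate alone is not used for the user logon.
    $certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonEku)
    }
    [pscustomobject]@{
        Check = 'User cert with Smart Card Logon EKU and private key'
        Value = [bool]$certs
        Note  = ($certs | ForEach-Object { "$($_.Subject) expires $($_.NotAfter.ToShortDateString())" }) -join '; '
    }
}

function Test-CloudKerberosState {
    # dsregcmd reports the join state and whether the device holds an Azure AD PRT and an on-prem TGT,
    # which is what cloud Kerberos trust must deliver before RDP to a domain server can work.
    $status = dsregcmd /status
    $fields = [ordered]@{}
    foreach ($name in 'AzureAdJoined','AzureAdPrt','OnPremTgt','CloudTgt') {
        $line = $status | Select-String -Pattern "^\s*$name\s*:\s*(\S+)" | Select-Object -First 1
        $fields[$name] = if ($line) { $line.Matches[0].Groups[1].Value } else { 'n/a' }
    }
    [pscustomobject]@{
        Check = 'dsregcmd join / TGT state'
        Value = ($fields['AzureAdJoined'] -eq 'YES' -and $fields['OnPremTgt'] -eq 'YES')
        Note  = ($fields.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ' '
    }
}

function Test-OnPremTgt {
    # klist shows whether the current session already holds a krbtgt ticket for the on-prem domain.
    $tgt = klist | Select-String -Pattern 'Server:\s*krbtgt/' | Select-Object -First 1
    [pscustomobject]@{
        Check = 'On-prem krbtgt ticket in cache'
        Value = [bool]$tgt
        Note  = if ($tgt) { $tgt.Line.Trim() } else { 'no krbtgt ticket; sign in with WHfB and re-run' }
    }
}

# Run every check and print one table; nothing on the machine is modified.
@(
    Test-NlaEnabled
    Test-RootCaPresent
    Test-UserLogonCert
    Test-CloudKerberosState
    Test-OnPremTgt
) | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell on the server (NLA and root CA checks) and from the signed-in user's session on the client (user certificate, `dsregcmd`, `klist`). A `False` in the user-certificate row or an `OnPremTgt=NO` in the `dsregcmd` row narrows the problem to the client side without touching the server's NLA setting.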
