RDP via VPN causes account lockout on AD - Kerberos timing issue

Rob 61 Reputation points
2024-04-11T11:30:34.29+00:00

Hi,

I have a user with a local AD-joined laptop that they use to RDP onto our servers; when in the office this works perfectly. When they are working remotely they tether their laptop to an iPhone, then use an IKE VPN (the Windows built-in VPN client) to connect to the office LAN, then RDP onto the server. However, when they do this their account is instantly locked out on AD. After some digging I've discovered that the timestamp on the RDS connection is an hour out (we are in daylight saving time now); I am assuming this is tripping up Kerberos, which is causing the account to lock. See below, this is the error: the actual time is 11:22 but the error is showing 10:22 as the timestamp. For info, the DC, VPN router and iPhone all have the correct times; the issue does seem to be local to the laptop, as I can't reproduce the error on another laptop.

[Image: accountlockout]


2 answers

  1. workforce45 626 Reputation points
    2024-04-12T22:24:07.5433333+00:00

  2. Karlie Weng 15,186 Reputation points Microsoft Vendor
    2024-04-15T02:00:54.5066667+00:00

    Hello,

    If you are concerned about time synchronization, first disable your NLA; this will then allow authentication to proceed between your server and AD.

    Steps to disable NLA:

    a. Open the gpedit.msc applet.

    b. Navigate to Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security.

    c. Enable the "Require use of specific security layer for remote (RDP) connections" policy and select RDP as the Security Layer.

    d. Disable the "Require user authentication for remote connections by using Network Level Authentication" policy.

    e. Reboot the Terminal server.


    If the Answer is helpful, please click "Accept Answer" and upvote it.
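
A check for the one-hour discrepancy described in the question, as an added example that is not part of the original thread: run on the affected laptop with the VPN connected, it reports the time zone and DST state separately from the clock offset measured against the DC, because Kerberos compares timestamps in UTC and the default tolerance is 5 minutes. The DC name `dc01.example.local` is a placeholder, and the parameter names are this example's own.

```powershell
# Added example. Run on the affected laptop while the VPN is connected.
param(
    [string]$DomainController = 'dc01.example.local',  # placeholder: use your DC
    [int]$MaxSkewSeconds = 300   # Kerberos default clock tolerance (5 minutes)
)

# 1. Time zone and DST state. These change how local time is displayed,
#    not the UTC clock that Kerberos timestamps are based on.
$tz  = Get-TimeZone
$now = Get-Date
[pscustomobject]@{
    TimeZone      = $tz.Id
    SupportsDST   = $tz.SupportsDaylightSavingTime
    DSTActiveNow  = $tz.IsDaylightSavingTime($now)
    LocalTime     = $now.ToString('yyyy-MM-dd HH:mm:ss')
    UtcTime       = $now.ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss')
    W32TimeStatus = (Get-Service -Name W32Time).Status
} | Format-List

# 2. Measure the real clock offset against the DC.
#    With /dataonly each sample line looks like: "11:22:33, +00.0012345s"
$samples = & w32tm.exe /stripchart "/computer:$DomainController" /samples:3 /dataonly 2>&1
$offsets = foreach ($line in $samples) {
    if ("$line" -match ',\s*([+-]\d+\.\d+)s\s*$') {
        [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
    }
}

if (-not $offsets) {
    # Error lines (for example a timeout) carry no offset value.
    Write-Warning "No offset samples from $DomainController; raw w32tm output:"
    $samples | ForEach-Object { Write-Warning "  $_" }
    return
}

# 3. Compare the worst sample with the Kerberos tolerance.
$worst = ($offsets | ForEach-Object { [math]::Abs($_) } |
          Measure-Object -Maximum).Maximum
if ($worst -gt $MaxSkewSeconds) {
    Write-Warning ("Clock offset {0:N1}s exceeds {1}s: real skew, fix time sync." -f $worst, $MaxSkewSeconds)
} else {
    Write-Output ("Clock offset {0:N3}s is within {1}s: the UTC clock agrees with the DC." -f $worst, $MaxSkewSeconds)
}
```

If the offset is within tolerance but the displayed local time is an hour out, compare the `TimeZone` and `DSTActiveNow` values with those on a laptop that does not show the problem.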