The error you're encountering when trying to access the server with users in the Protected Users Active Directory group is likely related to the enhanced security restrictions placed on such accounts, particularly around NTLM authentication, Kerberos, and RDP.
Protected Users in AD have a number of restrictions, including:
- NTLM is blocked entirely.
- Kerberos ticket lifetimes are reduced.
- Older encryption types like DES and RC4 are disabled.
- Cached credentials cannot be used.
This makes RDP connections using IP addresses or alias names (CNAMEs) problematic because:
- Kerberos cannot be used when connecting via an IP address or alias/CNAME since Kerberos requires the Service Principal Name (SPN), which is typically linked to the actual server hostname. If Kerberos is not used, RDP may try to fall back on NTLM, which is blocked for Protected Users.
Possible Solutions Without Removing Users from the Group:
- Use the FQDN of the server: Ensure that users connect using the fully qualified domain name (FQDN) of the server rather than the IP address or alias. This allows Kerberos to be used instead of falling back to NTLM.
- Example: Instead of using
192.168.x.x
oralias_name
, useservername.domain.com
.
- Example: Instead of using
- Configure SPN for the alias (CNAME): If you need to continue using the alias, you can configure a Service Principal Name (SPN) for the alias. This allows Kerberos to authenticate using the alias or CNAME. Here’s how you can do it:
- Run the following command from an elevated command prompt to add the SPN:
setspn -a TERMSRV/alias_name server_name setspn -a TERMSRV/alias_name.domain.com server_name
- Replace
alias_name
andserver_name
accordingly.
- Ensure Kerberos Constrained Delegation (KCD) is configured correctly: If delegation is involved in the process, ensure that KCD is configured correctly between the servers involved, as Protected Users cannot use unconstrained delegation.
- Disable Network Level Authentication (NLA): For testing purposes, you could temporarily disable NLA on the RDP server to see if it resolves the issue, though this might reduce security. This would allow the use of a password prompt in RDP without needing Kerberos or NTLM. If NLA is disabled, make sure only secure, trusted connections are allowed.
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin