Windows 11 24H2 refusing Kerberos for RDP

Anonymous
2024-12-05T07:51:15+00:00

I have noticed a strange behaviour in Windows 11 24H2.

When connecting to a Server using RDP with the following message:

My User is a member of the "Protected Users" Group in Active Directory, so NTLM Authentication is not possible.

We usually can work around this by connecting to the FQDN of the Server and using the UPN of the User Account, which then will use Kerberos for Authentication.

Since installing Windows 11 24H2 this does not happen anymore. Instead, it falls back to NTLM, as seen in the Domain Controller's Security event log:

An account failed to log on.

Subject:
    Security ID:                NULL SID
    Account Name:               -
    Account Domain:             -
    Logon ID:                   0x0

Logon Type:                     3

Account For Which Logon Failed:
    Security ID:                NULL SID
    Account Name:               domadmin
    Account Domain:             ad01

Failure Information:
    Failure Reason:             Unknown user name or bad password.
    Status:                     0xC000006E
    Sub Status:                 0xC000006E

Process Information:
    Caller Process ID:          0x0
    Caller Process Name:        -

Network Information:
    Workstation Name:           L01-NS-L-WN022
    Source Network Address:     10.8.0.2
    Source Port:                0

Detailed Authentication Information:
    Logon Process:              NtLmSsp
    Authentication Package:     NTLM
    Transited Services:         -
    Package Name (NTLM only):   -
    Key Length:                 0

Connecting from another Client with Windows 11 23H2 with the same Credentials works normally.

We were also able to replicate it with another Client that we upgraded to Windows 11 24H2.

Did anyone else also notice this behaviour?
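As an added example (not part of the original post), the following PowerShell query surfaces exactly the fallback described above on a domain controller: failed logons ("An account failed to log on.", event ID 4625) whose Authentication Package is NTLM and whose target account is a member of "Protected Users". It assumes it runs on a DC (or is pointed at one with -ComputerName) with rights to read the Security log and with the ActiveDirectory module installed; the parameter names and the -Hours window are this example's own choices.

```powershell
# Added example, not from the original post: list 4625 events on a DC where a
# member of "Protected Users" was offered via NTLM instead of Kerberos.
# Assumes: run on a DC (or -ComputerName <dc>) with Security-log read rights
# and the ActiveDirectory module available.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24
)

Import-Module ActiveDirectory

# Protected Users members can never authenticate with NTLM, so any 4625 with
# Authentication Package "NTLM" that names one of them is a client that fell
# back to NTLM instead of obtaining a Kerberos ticket.
$protected = (Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }).SamAccountName

$filter = @{
    LogName   = 'Security'
    Id        = 4625                              # "An account failed to log on."
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter |
    ForEach-Object {
        # 4625 carries its fields as named EventData elements in the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $data.TargetUserName          # e.g. domadmin
            Domain      = $data.TargetDomainName
            Package     = $data.AuthenticationPackageName
            LogonProc   = $data.LogonProcessName        # NtLmSsp in the post
            Status      = $data.Status                  # 0xC000006E in the post
            Workstation = $data.WorkstationName
            SourceIP    = $data.IpAddress
        }
    } |
    Where-Object { $_.Package -eq 'NTLM' -and $protected -contains $_.User } |
    Sort-Object Time |
    Format-Table Time, User, Workstation, SourceIP, LogonProc, Status -AutoSize
```

The Workstation and SourceIP columns identify the clients that are not negotiating Kerberos, so the output can be used to find which machines need the domain\username workaround or a fix.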



Accepted answer
  1. Anonymous
    2024-12-11T15:06:12+00:00

    Hello,

    Thanks for your reply. We don't have any special settings on our Accounts or Active Directory for the Kerberos pre-authentication.

    But I have now found a way to connect with RDP to the Servers again. We simply need to write the username like this:

    domain\username

    instead of the UPN username@domain.

    Kind Regards

    Marcel

    1 person found this answer helpful.

3 additional answers

  1. Anonymous
    2024-12-09T03:17:17+00:00

    Hello,

    Thank you for posting in the Microsoft Community Forums.

    Windows 11 24H2 does not support NTLMv1, and it enforces the use of NTLMv2 or Kerberos for authentication.

    For RDP connections, if the user is a member of the "Protected Users" group, NTLM authentication is not possible, and Kerberos should be used. However, if Kerberos pre-authentication fails, it could be due to issues with the encryption type or configuration settings. Ensure that the registry key for the default pre-authentication encryption type is set correctly, and consider using AES instead of RC4.

    I hope the information above is helpful.

    Best regards

    Yanhong Liu

  2. Anonymous
    2024-12-12T02:20:08+00:00

    Hi,

    Thanks for your reply and sharing.

    I'm glad your problem has been solved.

    Best regards

    Yanhong Liu

  3. Anonymous
    2024-12-18T07:33:03+00:00

    We had the same issue and were still searching until we came upon this post.
    Thank you sir for your findings!

    I really hope someone at Microsoft forwards this to the correct team for debugging in the Windows 11 24H2 release, since using the UPN should be the default way as described in many articles.
