Protected Users and Kerberos Authentication

Anonymous
2024-01-18T21:31:09+00:00

We added service accounts to the Protected Users group, and when users try to log in to the server, they are getting the following error. So I tried to go ahead and create a GPO to not allow NTLM authentication, allow only Kerberos authentication, and deny users if NTLM is used.

So, I created a GPO and assigned that GPO to the server with the following settings:

Disable NTLM and Enable Kerberos

Computer Configuration \ Windows Settings\Security Settings\Local Policies\User Rights Assignment - Deny Access to this computer from the network - I added users who should not have access through NTLM.

Enabled Kerberos

Computer Configuration \ Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Configure Encryption types allowed for Kerberos

DES_CBC_CRC

DES_CBC_MD5 and so on.... I have checked everything.

We still get this error. So, I am not sure where else to look for that the users should be able to login to the Computer which has this policy applied and be able to RDP in. Any help would be appreciated.


Locked question. This question was migrated from the Microsoft Support Community; user profiles for migrated questions are anonymized.


7 answers

  1. Anonymous
    2024-01-19T03:16:38+00:00

    Hello Enfield,

    Thank you for posting in the Microsoft Community Forums.

    Based on the information you provided, you have added service accounts to the protected users group, but when users try to log in to the server, they encounter an error that says "User account restrictions, such as time restrictions, prevent you from logging on." Therefore, you tried to create a GPO that disables NTLM authentication, only allows Kerberos authentication, and denies users when using NTLM.

    You have checked the encryption types for Kerberos, but the problem persists. If you have ruled out network security and encryption type issues, you can check the user account restriction settings to ensure that no restrictions are set. You can also check the Group Policy settings to ensure that no other settings are blocking user login.

    Here are the specific steps:

    1. Check user account restriction settings:

       a. Open the user account properties in Active Directory.

       b. Ensure that the "Account is enabled" box is checked.

       c. Ensure that the "Account is locked out" box is not checked.

       d. Ensure that the list of computers in the "Logon to" box is correct.

       e. Ensure that the time restrictions in the "Logon hours" box are correct.

    2. Check Group Policy settings:

       a. Open your GPO in Group Policy Management.

       b. Ensure that the settings in "Computer Configuration" and "User Configuration" are correct.

       c. Check the settings in "Security Options" to ensure that nothing is blocking user login.

    3. Check if the GPO has been applied correctly to the target computer:

       a. Open Command Prompt on the target computer.

       b. Type the command "gpresult /r" to check if the Group Policy has been successfully applied.

    4. Restart the "Netlogon" service:

       a. Open the "Services" manager on the target computer.

       b. Find the "Netlogon" service and right-click on it.

       c. Select the "Restart" option to restart the service.

    If the issue still persists, you may need to further check Kerberos authentication settings, such as SPN (Service Principal Name) and Kerberos policies. If you need further assistance, please consult with your network administrator or IT support personnel.

    I hope the above information is helpful to you.

    If you have any doubts, please feel free to let me know.

    Best regards

    Bblythe Xiao

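    The account checks in step 1 above, plus the two Protected Users specific conditions the question raises (NTLM/RC4/DES are refused for members, and Kerberos then needs AES keys, which an account only has if its password was set after the domain reached a functional level that supports AES), can be audited in one pass. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module, read access to the domain, and that the group is named "Protected Users". The PasswordLastSet column is shown so accounts whose keys predate AES support stand out.

```powershell
# Added example, not code from the thread. Audits every member of the Protected Users
# group for the conditions that stop a Kerberos-only logon: account state, logon-hours
# and workstation restrictions, missing AES keys, and service accounts that should not
# be in the group. Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-BlockedLogonHours {
    # logonHours is 21 bytes = 168 bits, one bit per hour of the week starting
    # Sunday 00:00 UTC, least-significant bit first. A set bit permits logon.
    param([byte[]]$LogonHours)
    if (-not $LogonHours) { return 0 }          # attribute absent: no restriction
    $blocked = 0
    foreach ($b in $LogonHours) {
        for ($bit = 0; $bit -lt 8; $bit++) {
            if (-not ($b -band (1 -shl $bit))) { $blocked++ }
        }
    }
    return $blocked
}

# AES128 (0x08) and AES256 (0x10) bits of msDS-SupportedEncryptionTypes. Protected Users
# members are refused DES and RC4, so an explicit value without these bits cannot work.
$AesBits = 0x18

$members = Get-ADGroupMember -Identity 'Protected Users' -Recursive

$report = foreach ($m in $members) {
    if ($m.objectClass -ne 'user') {
        [pscustomobject]@{
            Account = $m.SamAccountName; EncryptionTypes = ''; PasswordLastSet = ''
            Finding = "non-user object ($($m.objectClass)) in Protected Users; computers and gMSAs must not be members"
        }
        continue
    }
    $u = Get-ADUser -Identity $m.distinguishedName -Properties Enabled, LockedOut, AccountExpirationDate,
        LogonWorkstations, logonHours, 'msDS-SupportedEncryptionTypes', ServicePrincipalName, PasswordLastSet

    $findings = @()
    if (-not $u.Enabled)      { $findings += 'account disabled' }
    if ($u.LockedOut)         { $findings += 'account locked out' }
    if ($u.AccountExpirationDate -and $u.AccountExpirationDate -lt (Get-Date)) { $findings += 'account expired' }
    if ($u.LogonWorkstations) { $findings += "logon limited to: $($u.LogonWorkstations)" }
    $blocked = Get-BlockedLogonHours -LogonHours $u.logonHours
    if ($blocked -gt 0)       { $findings += "$blocked of 168 weekly hours blocked by logonHours" }
    if ($u.ServicePrincipalName.Count -gt 0) {
        $findings += 'has SPNs (service account); service accounts should not be in Protected Users'
    }
    $et = $u.'msDS-SupportedEncryptionTypes'
    if ($et -and -not ($et -band $AesBits)) {
        $findings += 'msDS-SupportedEncryptionTypes excludes AES; Protected Users rejects DES/RC4'
    }

    [pscustomobject]@{
        Account         = $u.SamAccountName
        EncryptionTypes = if ($et) { '0x{0:X}' -f $et } else { '(not set)' }
        PasswordLastSet = $u.PasswordLastSet
        Finding         = if ($findings) { $findings -join '; ' } else { 'OK' }
    }
}

$report | Format-Table -AutoSize
```

    A row whose Finding is "OK" but whose EncryptionTypes is "(not set)" still deserves a look: the DC default then decides which key types are offered, and an RC4-only account will fail Kerberos pre-authentication the moment it is in Protected Users. Also note that Kerberos needs a name that maps to an SPN, so RDP to the server by IP address falls back to NTLM, which Protected Users members are denied regardless of any GPO.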
  2. Anonymous
    2024-01-22T19:26:01+00:00

    Hi Bblythe Xiao

    Thank you for your response. I have checked all that and everything looks fine. This is what I have done on the GPO side. I am not sure where else to go or what SPN settings or Kerberos authentication I can check; please let me know. Thank you.

  3. Anonymous
    2024-01-23T03:19:23+00:00

    Hello Enfield,

    Thanks for your response.

    Here are the steps to further check Kerberos authentication settings, such as Service Principal Name (SPN) and Kerberos policies:

    1. Check Service Principal Name (SPN) settings:

    a. Open Command Prompt on the target computer.

    b. Type the command "setspn -L <computername>", where <computername> is the name of the target computer.

    c. Check the output for correct SPN settings. If they are not present, use the "setspn" command to add the correct SPN settings.

    2. Check Kerberos policy settings:

    a. Open Local Security Policy on the target computer.

    b. Go to "Local Policies" > "Security Options".

    c. Check the policy settings related to Kerberos authentication, such as "Network security: LAN Manager authentication level" and "Network security: Minimum session security".

    d. If changes to the policy settings are needed, double-click on the corresponding policy and make the changes.

    3. Check Kerberos logs:

    a. Open Event Viewer on the target computer.

    b. Go to "Windows Logs" > "Security".

    c. Look for events related to Kerberos authentication.

    d. Check the event details for more information about authentication failures.

    I hope the above information is helpful to you.

    If you have any doubts, please feel free to let me know.

    Best regards

    Bblythe Xiao

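    Step 3 above ("look for events related to Kerberos authentication") is where the answer to the original question usually is, because the Security log records which protocol each logon attempt used and the exact status the KDC or the server returned. The following PowerShell is an added example, not code from the thread or from Microsoft. It assumes it runs elevated on a domain controller with "Audit Kerberos Authentication Service" and "Audit Credential Validation" enabled (4768/4771 are written by the KDC, 4776 by NTLM credential validation); `$Account` and `$Hours` are constructed filter values.

```powershell
# Added example, not code from the thread. Pulls authentication failures for the last
# $Hours hours from the Security log and decodes the status codes, so you can see whether
# a logon was Kerberos or NTLM and why it was refused. Run elevated on the domain controller.
$Account = '*'      # constructed: wildcard filter on the account name
$Hours   = 24

$KerberosStatus = @{
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN: account not found'
    '0xd'  = 'KDC_ERR_BADOPTION: requested option refused (often delegation)'
    '0xe'  = 'KDC_ERR_ETYPE_NOSUPP: no common encryption type (AES keys / allowed etypes)'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED: disabled, expired, locked out, or outside logon hours'
    '0x17' = 'KDC_ERR_KEY_EXPIRED: password expired'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED: wrong password'
    '0x25' = 'KRB_AP_ERR_SKEW: clock skew'
}
$NtlmStatus = @{
    '0x0'        = 'NTLM succeeded: this account still authenticates with NTLM'
    '0xc000006a' = 'STATUS_WRONG_PASSWORD'
    '0xc000006e' = 'STATUS_ACCOUNT_RESTRICTION: valid credentials, but an account restriction applies'
    '0xc000006f' = 'STATUS_INVALID_LOGON_HOURS'
    '0xc0000070' = 'STATUS_INVALID_WORKSTATION'
    '0xc0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xc0000193' = 'STATUS_ACCOUNT_EXPIRED'
    '0xc0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
}

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4771, 4776; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Event fields are most reliably read from the XML, keyed by their Name attribute.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $status = ('' + $d['Status']).ToLower()
    if ($e.Id -eq 4768 -and $status -eq '0x0') { continue }   # successful TGTs are noise here
    $user = $d['TargetUserName']
    if ($user -notlike $Account) { continue }

    $proto   = switch ($e.Id) { 4768 { 'Kerberos AS-REQ' } 4771 { 'Kerberos pre-auth' } 4776 { 'NTLM' } }
    $source  = if ($e.Id -eq 4776) { $d['Workstation'] } else { $d['IpAddress'] }
    $meaning = if ($e.Id -eq 4776) { $NtlmStatus[$status] } else { $KerberosStatus[$status] }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Protocol = $proto
        Account  = $user
        Source   = $source
        Etype    = $d['TicketEncryptionType']   # 4768 only: 0x17 = RC4, 0x11/0x12 = AES128/AES256
        Status   = $status
        Meaning  = $meaning
    }
}
$rows | Sort-Object Time | Format-Table -AutoSize

# Domain controllers also keep a dedicated channel for Protected Users denials.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController'; StartTime = $since
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

    Two things to read off the output. Any 4776 row for a Protected Users member means the client attempted NTLM, which the group forbids by itself; look at the Source column to find the client and at how it addressed the server (IP address instead of host name is the common reason). Any 4768 row with status 0xe, or an Etype of 0x17 on earlier successful tickets, points at the RC4/AES key problem rather than at logon hours, even though the client-side message talks about account restrictions.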
  4. Anonymous
    2024-01-23T20:05:05+00:00

    Principal Name (SPN) and Kerberos policies:

    1. Check Service Principal Name (SPN) settings:

    a. Open Command Prompt on the target computer.

    b. Type the command "setspn -L <computername>", where <computername> is the name of the target computer.

    FindDomainForAccount: Call to DsGetDcNameWithAccountW failed with return value 0x00000525

    c. Check the output for correct SPN settings. If they are not present, use the "setspn" command to add the correct SPN settings.

    2. Check Kerberos policy settings:

    a. Open Local Security Policy on the target computer.

    b. Go to "Local Policies" > "Security Options".

    c. Check the policy settings related to Kerberos authentication, such as "Network security: LAN Manager authentication level" and "Network security: Minimum session security".

    Not sure what to set here, as both are not enabled.

    [image attachment not available]

    There is one for servers and one for clients.

    [image attachment not available]

    I am not sure what to pick here either, below, for Network Security: Minimum session security for NTLM... Should I check both options or just one option? But my main concern is to block NTLM and allow Kerberos, and I should not get that error message about not being able to log in in specific hours. We are not limiting any hours to log in; it is all open. So why would I still get that message about user account restrictions?

    [image attachment not available]

    d. If changes to the policy settings are needed, double-click on the corresponding policy and make the changes.

    3. Check Kerberos logs:

    a. Open Event Viewer on the target computer.

    b. Go to "Windows Logs" > "Security".

    c. Look for events related to Kerberos authentication.

    d. Check the event details for more information about authentication failures.

    I hope the above information is helpful to you.

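    The policies asked about in this post (LAN Manager authentication level, Minimum session security for NTLM, the Kerberos encryption types from the original GPO, and the "Deny access to this computer from the network" right) are all readable from the server itself, which avoids guessing at what "Not Defined" means in the editor. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes it runs elevated on the target server and that `secedit` is available (it is on every supported Windows Server). Two caveats it surfaces: the original GPO lists DES types, which Protected Users members cannot use in any case, so a Kerberos-only policy for them is AES128 and AES256 only; and the user right in the original GPO denies network logon for the listed accounts over Kerberos as well as NTLM, so it does not act as an NTLM filter. The setting that refuses NTLM on the server side is "Network security: Restrict NTLM: Incoming NTLM traffic", also shown below.

```powershell
# Added example, not code from the thread. Reads the NTLM and Kerberos policy settings
# discussed above from the registry values their GPO settings write, decodes them, and
# exports the local user-rights assignment. Run elevated on the target server.
$Lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Kerb = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value (or key) absent: policy not defined
    return $item.$Name
}

# "Network security: LAN Manager authentication level" (LmCompatibilityLevel)
$LmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM and NTLM'
}
# "Network security: Minimum session security for NTLM SSP based clients/servers"
function ConvertFrom-NtlmMinSec {
    param($Value)
    if ($null -eq $Value) { return 'Not defined' }
    $v = [int64]$Value -band 0xFFFFFFFFL      # registry DWORDs come back as signed Int32
    $parts = @()
    if ($v -band 0x20000000)  { $parts += 'Require NTLMv2 session security' }
    if ($v -band 2147483648L) { $parts += 'Require 128-bit encryption' }   # 0x80000000
    if (-not $parts) { $parts = @('No minimum') }
    return $parts -join ' + '
}
# "Network security: Restrict NTLM: Incoming NTLM traffic" (RestrictReceivingNTLMTraffic)
$RestrictIn = @{ 0 = 'Allow all'; 1 = 'Deny all domain accounts'; 2 = 'Deny all accounts' }
# "Network security: Configure encryption types allowed for Kerberos" (SupportedEncryptionTypes)
$EtypeFlags = [ordered]@{
    DES_CBC_CRC = 0x1; DES_CBC_MD5 = 0x2; RC4_HMAC_MD5 = 0x4
    AES128_CTS_HMAC_SHA1_96 = 0x8; AES256_CTS_HMAC_SHA1_96 = 0x10; Future_encryption_types = 0x7FFFFFE0
}
function ConvertFrom-KerberosEtypes {
    param($Value)
    if ($null -eq $Value) { return 'Not defined (OS default applies)' }
    $names = @($EtypeFlags.GetEnumerator() | Where-Object { [int64]$Value -band $_.Value } | ForEach-Object { $_.Name })
    if (-not $names) { return 'no types allowed' }
    $out = $names -join ', '
    if ($names -match '^DES|^RC4') { $out += '  <-- DES/RC4 listed; Protected Users members cannot use them' }
    return $out
}

$lm = Get-RegValue $Lsa 'LmCompatibilityLevel'
$ri = Get-RegValue $Msv 'RestrictReceivingNTLMTraffic'
$report = @(
    [pscustomobject]@{ Setting = 'LAN Manager authentication level'
                       Value   = if ($null -eq $lm) { 'Not defined (OS default: 3)' } else { $LmLevels[[int]$lm] } }
    [pscustomobject]@{ Setting = 'Minimum session security: clients'
                       Value   = ConvertFrom-NtlmMinSec (Get-RegValue $Msv 'NtlmMinClientSec') }
    [pscustomobject]@{ Setting = 'Minimum session security: servers'
                       Value   = ConvertFrom-NtlmMinSec (Get-RegValue $Msv 'NtlmMinServerSec') }
    [pscustomobject]@{ Setting = 'Restrict NTLM: incoming NTLM traffic'
                       Value   = if ($null -eq $ri) { 'Not defined (Allow all)' } else { $RestrictIn[[int]$ri] } }
    [pscustomobject]@{ Setting = 'Kerberos encryption types allowed'
                       Value   = ConvertFrom-KerberosEtypes (Get-RegValue $Kerb 'SupportedEncryptionTypes') }
)
$report | Format-Table -AutoSize -Wrap

# User rights live in the security database, not the registry. SeDenyNetworkLogonRight blocks
# network logon for the listed SIDs over Kerberos as well as NTLM, so it is not an NTLM filter.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$m = Select-String -Path $cfg -Pattern '^SeDenyNetworkLogonRight\s*=\s*(.*)$' | Select-Object -First 1
"Deny access to this computer from the network: " + $(if ($m) { $m.Matches[0].Groups[1].Value } else { '(nobody)' })
Remove-Item $cfg -ErrorAction SilentlyContinue
```

    The exported user right lists SIDs (prefixed with `*`) rather than names, so resolve them before deciding whether the accounts that cannot log in are on that list. For the question "both options or just one" on Minimum session security: the two checkboxes are independent bits and are normally both set; neither of them blocks NTLM, they only raise the bar for NTLM sessions that are allowed.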
  5. Anonymous
    2024-01-24T01:06:18+00:00

    Hello Enfield,

    I can not see the images you uploaded.

    Best regards

    Bblythe Xiao
