After update to latest Win 11 24H2, RDP Kerberos authentication from non-domain PC to domain-joined PC stops working

Anonymous
2024-12-14T07:01:01+00:00

After update to latest Win 11 24H2, RDP Kerberos authentication from non-domain PC to domain-joined PC stops working:

Error message:

An authentication error has occurred.

The function requested is not supported.

Remote Computer : computer.ourdomain.com

This could be due to NTLM authentication being blocked on the remote computer.

This could also be due to CredSSP encryption oracle remediation.

Error code: 0x0

Extended error code: 0x0

Setup - Non-domain computer:

( home office users BYOD device with Win11 Pro updated to 24H2 )

1, ksetup /addkdc OURDOMAIN.COM dc1.ourdomain.com

2, reboot

3, Dialed VPN to company internal network

4, mstsc - RDP Connection from nondomain (BYOD) to company domain joined computer:

Computer: testcomputer.ourdomain.com
User name: OURDOMAIN.COM\testuser

5, Error (attached screenshot)

Setup – Domain computer:

Domain computer has Kerberos Authentication and valid RDP certificate. 

GPO settings:

Set client connection encryption level = High Level

Require use of specific security layer for remote (RDP) connections: Security Layer = SSL

Require user authentication for remote connections by using Network Level Authentication = Enable


This setup worked until fully updated 23H2; after upgrading to 24H2, mstsc (RDP) stops working with the same setup.

As a workaround, NLA can be turned off in the GPO for domain computers, but this is a security degradation.

Or run as admin before the RDP command: klist add_bind OURDOMAIN.COM dc1.ourdomain.com, but the user has no rights for this.

The funny thing is that, for example, RDP tested from macOS (non-joined) authenticates with Kerberos and works.

macOS has, for example, these settings:

/etc/krb5.conf

[libdefaults]
    default_realm = OURDOMAIN.COM

[realms]
    OURDOMAIN.COM = {
        kdc = dc1.ourdomain.com
    }
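The following diagnostic script is an added example for readers of this thread; it is not from the original question or from any of the replies. It assumes the same names used above (realm OURDOMAIN.COM, KDC dc1.ourdomain.com, target testcomputer.ourdomain.com), and that it is run from an elevated PowerShell prompt on the non-domain client after the VPN is up. It only uses the built-in ksetup, klist and Test-NetConnection tools and reads the RDP policy registry values, so it changes nothing on either machine.

```powershell
# Added diagnostic example (not the thread's own code). Checks the client-side
# preconditions for Kerberos RDP described in the question and, when run on the
# domain-joined target, shows the effective RDP security-layer / NLA settings.
param(
    [string]$Realm  = 'OURDOMAIN.COM',           # realm from the question
    [string]$Kdc    = 'dc1.ourdomain.com',       # KDC from the question
    [string]$Target = 'testcomputer.ourdomain.com'
)

# 1. Is the realm-to-KDC mapping added with "ksetup /addkdc" still present?
Write-Host "== ksetup /dumpstate =="
$state = ksetup /dumpstate
$state
if (-not ($state -join "`n" -match [regex]::Escape($Realm))) {
    Write-Warning "Realm $Realm not found; re-run: ksetup /addkdc $Realm $Kdc"
}

# 2. Can the client reach the KDC (TCP 88) and the RDP listener (TCP 3389) over the VPN?
foreach ($probe in @(@{Host = $Kdc; Port = 88}, @{Host = $Target; Port = 3389})) {
    $ok = (Test-NetConnection -ComputerName $probe.Host -Port $probe.Port `
           -WarningAction SilentlyContinue).TcpTestSucceeded
    Write-Host ("TCP {0}:{1} reachable: {2}" -f $probe.Host, $probe.Port, $ok)
}

# 3. Tickets currently cached, then an explicit request for the RDP service ticket.
#    mstsc asks for the SPN TERMSRV/<fqdn>. On a non-domain client that has no TGT
#    for the realm yet, the request will prompt for (or fail without) domain
#    credentials; a ticket being issued here while mstsc still fails narrows the
#    problem to the NLA/CredSSP step rather than to Kerberos itself.
Write-Host "== klist (cached tickets) =="
klist
Write-Host "== klist get TERMSRV/$Target =="
klist get "TERMSRV/$Target"

# 4. Optional: run on the domain-joined target to show the settings the GPO in the
#    question pushes. Policy values land under HKLM\SOFTWARE\Policies\...;
#    the effective listener values are under the RDP-Tcp WinStation key.
#    SecurityLayer: 0 = RDP, 1 = Negotiate, 2 = SSL (TLS)
#    UserAuthentication: 1 = NLA required
#    MinEncryptionLevel: 3 = High
function Get-RdpSecurityPolicy {
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',
        'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    )
    foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path               = $p
            SecurityLayer      = $v.SecurityLayer
            UserAuthentication = $v.UserAuthentication
            MinEncryptionLevel = $v.MinEncryptionLevel
        }
    }
}
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    Write-Host "== RDP security policy on this (domain-joined) host =="
    Get-RdpSecurityPolicy | Format-Table -AutoSize
}
```

Reading the output: a missing realm in step 1 means the ksetup mapping did not survive the upgrade; an unreachable port 88 means the VPN route, not Kerberos, is the problem; and a TERMSRV ticket in step 3 with mstsc still failing is consistent with the NLA-dependent failure the thread describes (turning NLA off is the workaround the question mentions, at the cost of the protection NLA provides).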

Locked question. This question was migrated from the Microsoft Support Community; user profiles for migrated questions are anonymized.

23 answers
  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.


  2. Anonymous
    2024-12-20T08:19:59+00:00

    Nothing seen yet.

  3. Anonymous
    2024-12-20T10:01:58+00:00

    Dear Karlie,

    unfortunately your answer is not helpful: as BlueTechJohn already pointed out, everything worked perfectly with the RDP-client on 23H2, after upgrade to 24H2, RDP/Kerberos authentication is blocked, after downgrade to 23H2 everything is working perfectly again. As expected, SMB access doesn't work either in 24H2.

    Moreover: Kerberos authentication is only blocked in ONE of my BYOD 24H2 devices, but it works (!) in TWO other 24H2 devices. So it cannot be a misconfiguration in the target domain/realm.

    This problem is clearly a bug in 24H2, that, however, is only effective together with another "condition", unknown to me (otherwise it wouldn't work in two of my clients on 24H2).

    So, please, find out the bug and the "condition", that cause Kerberos authentication in 24H2 to fail, and fix the bug!

    Roland

  4. Anonymous
    2024-12-23T19:13:26+00:00

    Agree completely!!!

    I manage many clients and about half using RDP are working after upgrading to 24H2.

    Several also stopped sound, video and camera drivers after the upgrade.

    All began working again after rolling back the upgrade to 23H2.

    OBVIOUSLY a bug or two.

    Microsoft has paused this rollout a couple of times already and are still unwilling to admit there's a problem.

    Pause the update again and don't release it until the bugs are fixed.

    Thank you,

    Devin Zucconi, President

    Chesapeake Web Solutions, Inc.

  5. Anonymous
    2024-12-23T20:39:56+00:00

    Dear Devin,

    meanwhile I have 4 clients on 24H2, where RDP to a domain computer with Kerberos IS possible and one, where it doesn't work with 24H2, but starts working again after downgrade to 23H2.

    Now I noticed that all computers where Kerberos is working were primarily set up with Windows 11. The one where it is not working was set up with Windows 10 and afterwards upgraded to Windows 11 (without cheating).

    How is that with your clients? Is there a relation of the primary Windows version (10 or 11) and the working or failure of Kerberos authentication?

    Roland
