This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
After update to latest Win 11 24H2 RDP kerberos authentication from non-domain PC to domain joined PC stop working:
Error message:
An authentication error has occurred.
The function requested is not supported.
Remote Computer : computer.ourdomain.com
This cloud be due to NTLM authentication being blocked on the remote computer.
This could also be due to CredSSP encryption oracle remediation.
Error code: 0x0
Extended error code: 0x0
Setup - Non-domain computer:
( home office users BYOD device with Win11 Pro updated to 24H2 )
1, ksetup /addkdc OURDOMAIN.COM dc1.ourdomain.com
2, reboot
3, Dialed VPN to company internal network
4, mstsc - RDP Connection from nondomain (BYOD) to company domain joined computer:
Computer: testcomputer.ourdomain.com
User name: OURDOMAIN.COM\testuser
5, Error (attached screenshot)
Setup – Domain computer:
Domain computer has Kerberos Authentication and valid RDP certificate.
GPO settings:
Set client connection encryption lever = High Level
Require use of specific security layer for remote (RDP) connections: Security Layer = SSL
Require user authentication for remote connections by using Network Level Authentication = Enable
This setup work until fully updated 23H2, after upgrade to 24H2, mstsc (RDP) stop working with the same setup.
As a workaround, NLA can be turned off in the GPO for domain computers, but this is a security degradation.
or as admin run before RDP command: klist add_bind OURDOAMIN.COM dc1.ourdomain.com but for this has user no rights.
The funny thing is that for example tested from MacOs (non-joined) RDP authenticated with kerberos works.
MacOS has for example this settings:
/etc/krb5.conf
[libdefaults]
default_realm = OURDOAMIN.COM
[realms]
OURDOMAIN.COM = {
kdc = dc1.ourdomain.com
}
Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.
I performed a clean install of Windows 11 24H2 on the client-side managed laptop/BYOD and on the target-side Windows domain computer.
RDP is experiencing the same problem authenticating Kerberos, showing the same error.
We use computers that are shipped with Windows 11.
"So, it doesn't seem to be a problem with upgrading from Windows 10 to Windows 11."
Hello
Two changes I know of for Windows 24H2/WS 2025 that could affect this.
Darrell
Hello Darrell,
Thanks for the answer, but I've mentioned several times here that we only use Kerberos.
We're not addressing the connection between 24H2 and the RDS server here.
We discovered this issue when we upgraded several systems to Windows 11 24H2 for testing. In the past for Kerberos to work properly we always had to use username @ domain.FQDN.com in order to connect cross domain or from non-domain to domain. For some reason MS in their infinite wisdom BROKE this with 24H2. We now have to use domain.FQDN.com\username as the login username for RDP to work again with Kerberos. This is seriously frustrating as all of our user guides have users doing it the other way that's always worked.
This issue is killing us right now - Almost the exact same scenario as described in the OP. Remote, VPN-connected non domain-joined machines trying to access a domain via Kerberos authentication. We access a client's SMB shares this way. NTLM is not an option and the client is not going to make radical adjustments to their security posture just to accomodate us.
23H2 and earlier -every machine works.
24H2 - not a single machine works.
We have spent a week scouring local policy, group policy and registry settings with no luck or change. Even better is that after 10 days you cannot rollback, so our only option seems to be wiping almost 30 PCs and laptops to get them back to 23H2 or earlier.
Microsoft is not acknowledging that this is an issue or bug but at this point it clearly is in my opinion. Client-side Kerberos authentication is failing in 24H2 and if you cannot fall back to NTLM authentication then the connection is simply dead.
