RD Gateway logon attempt fails with a protected users group member

Fabian 261 Reputation points

If I connect from my domain-joined client in the internal network to an RD Gateway with a user who is a member of the Protected Users group, the logon attempt fails. If I bypass the RD Gateway, the logon is successful. It seems the RD Gateway processes the logon as NTLM (Event ID 4624). Is there a way that RD Gateway can support Kerberos, so a logon with Protected Users works?


1 answer

  1. The Squirrel 111 Reputation points

    RD Gateway uses only NTLM by design. In order to use Kerberos, the RD client as well as the machine being remoted into both need to be able to communicate with the Kerberos server (DC). If they can both do that, then they could just RDP without the need for an RD Gateway, and it is now pointless to have.

    This is why we are switching to using the MS Always On VPN (the successor to DirectAccess).

    We are phasing out NTLM from our network and therefore phasing out RDGW. This is more resilient and allows us to apply policies to the remote computer.

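The question identifies the NTLM logon from Event ID 4624 on the gateway. The PowerShell below is an added example, not code from either poster: it filters Security-log event XML for logons whose AuthenticationPackageName is NTLM, optionally limited to a list of accounts such as Protected Users members. The names `Get-NtlmLogon` and `New-SampleEvent` and the account names are hypothetical, the sample events are constructed, and it also reads Event ID 4625 (failed logon), which goes beyond the event named in the question.

```powershell
# Added example: report NTLM logons (4624 success, 4625 failure) from event XML.
function Get-NtlmLogon {
    param(
        [Parameter(Mandatory)][string[]]$EventXml,  # one XML string per event
        [string[]]$WatchedUser = @()                # empty = report every account
    )
    foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).Event
        $id  = [int]$evt.System.EventID
        if ($id -notin 4624, 4625) { continue }

        # Flatten <Data Name="...">value</Data> into a lookup table.
        $d = @{}
        foreach ($n in $evt.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($d['AuthenticationPackageName'] -ne 'NTLM') { continue }
        if ($WatchedUser.Count -and $d['TargetUserName'] -notin $WatchedUser) { continue }

        [pscustomobject]@{
            EventId   = $id
            Result    = if ($id -eq 4624) { 'Success' } else { 'Failure' }
            User      = $d['TargetUserName']
            LogonType = $d['LogonType']
            Package   = $d['AuthenticationPackageName']
        }
    }
}

# Constructed sample events (not real log data); account names are placeholders.
function New-SampleEvent($Id, $User, $Package) {
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>" +
    "<System><EventID>$Id</EventID></System><EventData>" +
    "<Data Name='TargetUserName'>$User</Data><Data Name='LogonType'>3</Data>" +
    "<Data Name='AuthenticationPackageName'>$Package</Data></EventData></Event>"
}
$sample = @(
    New-SampleEvent 4624 'alice'    'NTLM'
    New-SampleEvent 4624 'bob'      'Kerberos'
    New-SampleEvent 4625 'pu-admin' 'NTLM'
)
Get-NtlmLogon -EventXml $sample -WatchedUser 'pu-admin'

# Live input on the gateway (elevated session; the group lookup needs the ActiveDirectory module):
#   $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625} -MaxEvents 2000 |
#          ForEach-Object { $_.ToXml() }
#   $pu  = (Get-ADGroupMember -Identity 'Protected Users' -Recursive).SamAccountName
#   Get-NtlmLogon -EventXml $xml -WatchedUser $pu
```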