ArnaudTez (Copper Contributor), Dec 12, 2023
Protected Users on a brand new active directory (to force Kerberos)
Hi!
As said in the title, I just installed a brand new Active Directory (Windows Server 2022).
I'm trying to switch the domain account to Kerberos by using the Protected Users security group, but for some reason I can't connect through RDP anymore after the switch.
I get some 4625 logon error events about NTLM, and RDP throws the "user account restriction" error (even though it works fine without the Protected Users group).
Is there something new I missed in the new version that prevents protected users from connecting through an RDP connection?
Thanks in advance!
Arnaud
OK, I found out what the problem is.
For some reason, the email-address username (username @ domain.com) shows no domain in the 4625 log, the domain\username form shows just "domain" in the 4625 log, and the email username @ domaine.dom shows "domain.dom" in the field, and that one works.
I'll have to look into why that is the case.
LeonPavesic (Silver Contributor)
Hi ArnaudTez,
the RDP issue you're having after adding a user to the Protected Users group in Active Directory is occurring because of the group's restriction to Kerberos authentication, with NTLM not being supported for these users.
Here are some steps to troubleshoot:
- FQDN Usage: Remote desktop access must use the Fully Qualified Domain Name (FQDN). If an IP address is used, NTLM authentication is triggered.
- SPN Settings: For servers with multiple FQDNs, ensure consistent Service Principal Names (SPNs) for each FQDN.
- Network Flow: Confirm open network flow between the client and domain controller for Kerberos authentication.
- AES Keys: Members of Protected Users need to authenticate using Kerberos with Advanced Encryption Standard (AES), requiring appropriate AES keys in the Active Directory account object.
Also, accounts for services and computers should not be part of the Protected Users group.
For more detailed information, refer to the links:
Unable to access via remote desktop after adding user account to protected users - Microsoft Q&A
Protected Users Security Group | Microsoft Learn
Microsoft Store RDP App won't allow connection when protected users group enabled - Microsoft Q&A
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item. If the post was useful in other ways, please consider giving it a Like.
Kindest regards,
Leon Pavesic
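As an added example (not code from the thread or from Microsoft), the following PowerShell snippet, run on the RDP target host, pulls recent 4625 logon failures and flags the two patterns discussed above: an NTLM attempt for a Protected Users member, and a 4625 event whose TargetDomainName is empty. It assumes the RSAT ActiveDirectory module is installed and the caller can read the Security log.

```powershell
# Added example, not from the thread: correlate recent 4625 events on this host
# with Protected Users membership to spot NTLM fallbacks and the empty-domain
# pattern from the 4625 log. Assumes RSAT ActiveDirectory and Security log read access.
param([int]$Hours = 24)
Import-Module ActiveDirectory

# Recursive members of Protected Users are Kerberos-only, so an NTLM attempt
# for one of them means the client fell back (IP instead of FQDN, missing SPN, ...).
$protected = @{}
Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $protected[$_.SamAccountName.ToLowerInvariant()] = $true }

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    # Read the named EventData fields out of the event XML.
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = [string]$n.'#text' }
    $target = $d['TargetUserName']
    # A UPN-style logon (user@suffix) carries the suffix in TargetUserName and can
    # leave TargetDomainName empty, which is the pattern the original poster observed.
    $sam = if ($target -like '*@*') { $target.Split('@')[0] } else { $target }
    $reasons = @()
    if ($d['AuthenticationPackageName'] -eq 'NTLM' -and $protected.ContainsKey($sam.ToLowerInvariant())) {
        $reasons += 'NTLM attempt for a Protected Users member (Kerberos required; connect by FQDN)'
    }
    if ([string]::IsNullOrEmpty($d['TargetDomainName'])) {
        $reasons += 'TargetDomainName empty (check the UPN suffix used at logon)'
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Account  = $target
            Domain   = $d['TargetDomainName']
            AuthPkg  = $d['AuthenticationPackageName']
            Status   = $d['Status']
            SourceIp = $d['IpAddress']
            Reason   = ($reasons -join '; ')
        }
    }
}
$findings | Sort-Object Time -Descending | Format-Table -AutoSize
```

The Status column carries the NTSTATUS code from the event, so a "user account restriction" failure can be matched against the RDP-side error without guessing.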
ArnaudTez (Copper Contributor)
Hi,
I have the same exact issue on my own domain now.
With VPN on both computers, one works fine the other throws the usual 0xC07 error.
Also, the other worked fine a few days ago (through an IPsec tunnel, which doesn't work either now), which is even more weird.
LeonPavesic (Silver Contributor)
Hi ArnaudTez,
thanks for your update. The 0xC07 error suggests issues with Kerberos authentication. Check:
- VPN and IPsec Settings: Ensure consistent configurations on both ends.
- Firewall: Confirm ports for RDP and VPN are open.
- Network Connectivity: Verify no network issues between client and server.
- Updates: Check recent updates or changes on both machines.
- Event Logs: Investigate Windows Event Viewer for detailed error information.
- Rollback Changes: If issues started after a change, consider rolling back.
- Consult IT Support: Seek assistance from IT support or Microsoft for specific guidance.
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item. If the post was useful in other ways, please consider giving it a Like.
Kindest regards,
Leon Pavesic