Forum Discussion
Protected Users on a brand new active directory (to force Kerberos)
- Dec 26, 2023
Hi ArnaudTez,
the RDP issue you're having after adding a user to the Protected Users group in Active Directory is occurring because of the group's restriction to Kerberos authentication, with NTLM not being supported for these users.
Here are some steps to troubleshoot:
- FQDN Usage: Remote desktop access must use the Fully Qualified Domain Name (FQDN). If an IP address is used, NTLM authentication is triggered.
- SPN Settings: For servers with multiple FQDNs, ensure consistent Service Principal Names (SPNs) for each FQDN.
- Network Flow: Confirm open network flow between the client and domain controller for Kerberos authentication.
- AES Keys: Members of Protected Users need to authenticate using Kerberos with Advanced Encryption Standard (AES), requiring appropriate AES keys in the Active Directory account object.
Also, accounts for services and computers should not be part of the Protected Users group.
For more detailed information, refer to the links:
Unable to access via remote desktop after adding user account to protected users - Microsoft Q&A
Protected Users Security Group | Microsoft Learn
Microsoft Store RDP App Won't allow connection when protected users group enabled - Microsoft Q&A
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.
If the post was useful in other ways, please consider giving it Like.
Kindest regards,
Leon Pavesic
(LinkedIn)
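The checklist above can be verified from a domain-joined admin workstation. The following script is an added example, not part of Leon's post or any Microsoft tooling: it reads the account's msDS-SupportedEncryptionTypes bits, its Protected Users membership and password age (the AES-keys point), and the TERMSRV SPNs registered on the RDP target (the FQDN/SPN point). It assumes the ActiveDirectory RSAT module is installed; the two parameter defaults are placeholders to replace with your own account and server names.

```powershell
# Added example, not from the thread: check the account-side and target-side
# prerequisites for Protected Users + RDP over Kerberos.
# Requires the ActiveDirectory RSAT module. Parameter defaults are placeholders.
param(
    [string]$SamAccountName = 'PLACEHOLDER_USER',    # placeholder: the user being tested
    [string]$RdpTargetHost  = 'PLACEHOLDER_SERVER'   # placeholder: RDP target's computer name
)

Import-Module ActiveDirectory

# Bit flags of msDS-SupportedEncryptionTypes (Kerberos encryption types, per MS-KILE)
$EtypeFlags = [ordered]@{
    0x01 = 'DES_CBC_CRC'
    0x02 = 'DES_CBC_MD5'
    0x04 = 'RC4_HMAC_MD5'
    0x08 = 'AES128_CTS_HMAC_SHA1_96'
    0x10 = 'AES256_CTS_HMAC_SHA1_96'
}

function Get-EtypeNames([int]$Mask) {
    # Translate the bit mask into readable etype names
    $EtypeFlags.Keys | Where-Object { $Mask -band $_ } | ForEach-Object { $EtypeFlags[$_] }
}

$user = Get-ADUser -Identity $SamAccountName -Properties `
    'msDS-SupportedEncryptionTypes', MemberOf, PasswordLastSet

# 1. Is the account actually a member of Protected Users?
$inProtectedUsers = [bool]($user.MemberOf -match '^CN=Protected Users,')
"Protected Users member : $inProtectedUsers"

# 2. Encryption types the account advertises. Protected Users members cannot use
#    DES or RC4 for Kerberos pre-authentication, so AES must remain available.
$mask = $user.'msDS-SupportedEncryptionTypes'
if ($null -eq $mask) {
    "Supported etypes       : (attribute not set; the KDC applies the domain default)"
} else {
    "Supported etypes       : $((Get-EtypeNames $mask) -join ', ')"
    if (-not ($mask -band 0x18)) {
        "WARNING: account is limited to DES/RC4; as a Protected Users member it cannot obtain a TGT."
    }
}

# 3. AES keys are derived when the password is set. Per the Protected Users
#    documentation, a password last set before the domain reached the Windows
#    Server 2008 functional level has no AES keys and must be reset.
"Password last set      : $($user.PasswordLastSet)"

# 4. The RDP target must register TERMSRV/<FQDN>; without it the client cannot get
#    a Kerberos service ticket for the host and falls back to NTLM, which fails here.
$computer = Get-ADComputer -Identity $RdpTargetHost -Properties ServicePrincipalNames, DNSHostName
$termsrv  = @($computer.ServicePrincipalNames | Where-Object { $_ -like 'TERMSRV/*' })
"RDP target FQDN        : $($computer.DNSHostName)"
"TERMSRV SPNs           : $($termsrv -join ', ')"
if ($termsrv -notcontains "TERMSRV/$($computer.DNSHostName)") {
    "WARNING: no TERMSRV/$($computer.DNSHostName) SPN; Kerberos to this host by FQDN will not work."
}
```

Run it as `.\Check-ProtectedUserRdp.ps1 -SamAccountName <user> -RdpTargetHost <server>`; the two WARNING lines correspond to the AES-keys and SPN items in the list, and an old "Password last set" date is the usual reason an otherwise correct account fails after being added to the group.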
Hi,
I have the same exact issue on my own domain now.
With VPN on both computers, one works fine the other throws the usual 0xC07 error.
Also, the other worked fine a few days ago (through an ipsec tunnel, which doesnt work either now) which is even more weird.
- LeonPavesic, Dec 18, 2023, Silver Contributor
Hi ArnaudTez,
thanks for your update. The 0xC07 error suggests issues with Kerberos authentication. Check:
- VPN and IPsec Settings: Ensure consistent configurations on both ends.
- Firewall: Confirm ports for RDP and VPN are open.
- Network Connectivity: Verify no network issues between client and server.
- Updates: Check recent updates or changes on both machines.
- Event Logs: Investigate Windows Event Viewer for detailed error information.
- Rollback Changes: If issues started after a change, consider rolling back.
- Consult IT Support: Seek assistance from IT support or Microsoft for specific guidance.
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.
If the post was useful in other ways, please consider giving it Like.
Kindest regards,
Leon Pavesic
(LinkedIn)
- ArnaudTez, Dec 19, 2023, Copper Contributor
Hi,
Thanks for the information!
1- I hooked up the computers to the same network and had the same issue
2- I can connect just fine without the protect user group on both (using RDP)
3- I don't remember any updates happening between Friday and Monday (both on Windows 11 22H2 22621.2861)
4- What events should I be looking for? (I only checked the 4625 until now)
Also for the first points that I didn't really answer:
1- The AD only has one FQDN
2- All ports should be opened (at least on the network part since one machine can communicate)
3- I have no idea how to check if the AES key is correct or not (?) I can check that as well. Since I am connecting with the same user I was thinking it was good.
Thanks!
Arnaud
- ArnaudTez, Dec 26, 2023, Copper Contributor
Ok, I found out what the problem is.
For some reason email address username @ domain.com shows no domain in the 4625 log, the domain\username shows just domain in the 4625 log and the email username @ domaine.dom shows domain.dom in the field and it works.
I'll have to look into why that is the case.
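The field Arnaud is reading is TargetDomainName in event 4625, and the same event also records which authentication package was used, which is what decides whether a Protected Users member gets through. The script below is an added example, not part of Arnaud's post: it flattens recent 4625 events on the RDP target into one row each (user, domain, logon type, auth package, decoded Status/SubStatus, source address) and, optionally, pulls the matching Kerberos and NTLM events (4768, 4771, 4776) from a domain controller. It assumes an elevated prompt with read access to the Security log; the DomainController parameter is a placeholder left empty by default.

```powershell
# Added example, not from the thread: correlate 4625 on the RDP target with the
# DC-side Kerberos/NTLM events. Needs an elevated prompt (Security log access).
param(
    [int]$Hours = 24,
    [string]$DomainController = ''   # placeholder: set to a DC name to also query its Security log
)

# NTSTATUS codes commonly seen in 4625 Status/SubStatus
$StatusText = @{
    '0xc000006d' = 'STATUS_LOGON_FAILURE (bad user name or authentication information)'
    '0xc000006a' = 'STATUS_WRONG_PASSWORD'
    '0xc0000064' = 'STATUS_NO_SUCH_USER'
    '0xc000006e' = 'STATUS_ACCOUNT_RESTRICTION'
    '0xc000015b' = 'STATUS_LOGON_TYPE_NOT_GRANTED'
    '0xc0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
    '0xc0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xc000005e' = 'STATUS_NO_LOGON_SERVERS'
}

# Kerberos failure codes seen in 4768/4771 Status (RFC 4120 error numbers)
$KrbText = @{
    '0x0'  = 'success'
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN'
    '0xe'  = 'KDC_ERR_ETYPE_NOSUPP (no common encryption type, e.g. missing AES keys)'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED'
}

function ConvertFrom-EventData {
    # Flatten <EventData><Data Name="..."> elements into a hashtable
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

function Decode([hashtable]$Table, [string]$Code) {
    # Join a hex code with its name; unknown codes are passed through unchanged
    if (-not $Code) { return '' }
    $name = $Table["$Code".ToLower()]
    if ($name) { "$Code $name" } else { $Code }
}

$since = (Get-Date).AddHours(-$Hours)

# 4625 on this host: AuthPackage 'NTLM' means Kerberos was never attempted,
# which is exactly what Protected Users forbids; 'Kerberos' with 0xC000006D
# points at the KDC side (check 4771 on the DC).
"=== 4625 (failed logons) on $env:COMPUTERNAME, last $Hours h ==="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $d['TargetUserName']
            Domain      = if ($d['TargetDomainName']) { $d['TargetDomainName'] } else { '<blank>' }
            LogonType   = $d['LogonType']              # 10 = RemoteInteractive (RDP), 3 = Network (NLA)
            AuthPackage = $d['AuthenticationPackageName']
            Status      = Decode $StatusText $d['Status']
            SubStatus   = Decode $StatusText $d['SubStatus']
            Source      = $d['IpAddress']
        }
    } | Format-Table -AutoSize -Wrap

# DC side: 4768 = TGT request, 4771 = Kerberos pre-auth failed, 4776 = NTLM
# validation reached the DC (should never appear for a Protected Users member).
if ($DomainController) {
    "=== 4768/4771/4776 on $DomainController, last $Hours h ==="
    Get-WinEvent -ComputerName $DomainController `
        -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4771, 4776; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Account = $d['TargetUserName']
                Result  = if ($_.Id -eq 4776) { Decode $StatusText $d['Status'] } else { Decode $KrbText $d['Status'] }
                Etype   = $d['TicketEncryptionType']    # 4768 only: 0x12 AES256, 0x11 AES128, 0x17 RC4
                Client  = if ($d['IpAddress']) { $d['IpAddress'] } else { $d['Workstation'] }
            }
        } | Format-Table -AutoSize -Wrap
}
```

Reading the output against the thread: a blank Domain column with AuthPackage NTLM matches Arnaud's "username@domain.com shows no domain" case (the name was not resolved to a Kerberos realm, so the client fell back to NTLM, which Protected Users blocks), while the working "domain\username" and "user@domain.dom" forms should show Kerberos and a 4768 on the DC with an AES ticket encryption type.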