Forum Discussion

ArnaudTez's avatar
ArnaudTez
Copper Contributor
Dec 12, 2023
Solved

Protected Users on a brand new active directory (to force Kerberos)

Hi !   As said in the title I just installed a brand new Active Directory (windows server 2022). I'm trying to switch the domain account to kerberos by using the Protected Users security group, bu...
Active Directory
windows server
  • ArnaudTez's avatar
    ArnaudTez
    Dec 26, 2023

    Ok, I found out what the problem is.
    For some reason email address username @ domain.com shows no domain in the 4625 log, the domain\username shows just domain in the 4625 log and the email username @ domaine.dom shows domain.dom in the field and it works.
    I'll have to look into why that is the case.

ArnaudTez's avatar
ArnaudTez
Copper Contributor
Dec 18, 2023

Hi,

I have the same exact issue on my own domain now.
With VPN on both computers, one works fine the other throws the usual 0xC07 error.
Also, the other worked fine a few days ago (through an ipsec tunnel, which doesnt work either now) which is even more weird.

LeonPavesic's avatar
LeonPavesic
Silver Contributor
Dec 18, 2023

Hi ArnaudTez,

thanks for your update.

The 0xC07 error suggests issues with Kerberos authentication. Check:

  1. VPN and IPsec Settings: Ensure consistent configurations on both ends.
  2. Firewall: Confirm ports for RDP and VPN are open.
  3. Network Connectivity: Verify no network issues between client and server.
  4. Updates: Check recent updates or changes on both machines.
  5. Event Logs: Investigate Windows Event Viewer for detailed error information.
  6. Rollback Changes: If issues started after a change, consider rolling back.
  7. Consult IT Support: Seek assistance from IT support or Microsoft for specific guidance.


Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.


If the post was useful in other ways, please consider giving it Like.



Kindest regards,


Leon Pavesic
(LinkedIn)

  • ArnaudTez's avatar
    ArnaudTez
    Copper Contributor
    Dec 19, 2023

    Hi,

    Thanks for the informations !

    1- I hooked up the computers to the same network and had the same issue
    2- I can connect just fine without the protect user group on both (using RDP)
    3- I dont remember any updates happening between friday and monday (both on windows 11 22h2 22621.2861)
    4- what events should i be looking for ? (i only checked the 4625 until now)

    Also for the first points that I didn't really answer :
    1- The AD only has one FQDN
    2- All ports should be opened (at least on the network part since one machine can communicate)
    3- I have no idea how to check if the AES key is correct or not (?) i can check that as well. Since I am connecting with the same user I was thinking it was good.

    Thanks !

    Arnaud

    • ArnaudTez's avatar
      ArnaudTez
      Copper Contributor
      Dec 26, 2023

      Ok, I found out what the problem is.
      For some reason email address username @ domain.com shows no domain in the 4625 log, the domain\username shows just domain in the 4625 log and the email username @ domaine.dom shows domain.dom in the field and it works.
      I'll have to look into why that is the case.