Windows Desktop Is Suddenly Broken Connecting With Hostname


Hi all.

 

I would be so grateful if someone can share their knowledge with me because I have tried just about everything to solve this issue we have been having for about 2 weeks now.

 

When connecting from site A, let's call it, where our IT guys are located, to a few computers / servers in other AD sites, we are presented with a Remote Desktop box stating the following: "Your Credentials did not work. The credentials you used to connect to (Insert Host Machine Name Here) did not work. Please enter new credentials." I tested Remote Desktop from a couple of other machines in site A and got the same message. I have uninstalled the most recent updates on the remote PC in, let's call it, AD site B. The one in this example is a Windows 10 machine. The latest update involved was KB5018410, with no joy. I installed the later Windows update to fix some issues regarding KB5018410, with no luck. The thing is, I can remote to some other machines with KB5018410 installed, so I kind of ruled that out.

 

Windows firewall is off just to test as well as AV removed.

 

I have installed a brand new machine with Windows 10 (no updates installed and not joined to the domain) to test Remote Desktop from it to the problematic machine in site B. It also brings up the same error message. I then joined it to the domain and updated fully. No luck. I am still presented with the message when connecting to the machine in site B.

 

If the problematic remote PC in site B is rebooted, on the off chance Remote Desktop then works again, and once rebooted again, I am presented with the same message connecting from my work PC or any other PC in site A. If I connect over VPN from my house PC to the problematic PC in site B, RDP works fine. I CAN connect to the problematic PC in site B from our IT department machines in site A by using the IP address. DNS is fine as far as I can see, as it does resolve to the correct IP address. I can also use VNC to connect to the problematic machine in site B and log on just fine. The credentials in question are the domain admin account.

 

The other thing is its domain controller in site B also sometimes brings up the same message (Server 2008r2) and when rebooted like 3 times we are able to log in once again. Same goes for other computers / servers in, let's call it, AD sites C, D, E.

 

Any ideas would be appreciated

 

 

8 Replies


I'll assume by this you meant by IP address succeeds? If so I'd check that the time sync across the domain is functional.

 

 

@Dave Patrick thank you for the feedback and suggestion.

 

I forgot to mention this was one of the things I checked and checked again this morning.

 

The time sync between all sites is spot on correct 

Might check that all members are using the static address of the domain controller listed for DNS on connection properties and no others such as router or public DNS. Also check domain health is 100% (dcdiag, repadmin), and check the System and DFS Replication event logs for clues.

 

 

Thanks.

Yes, all that has been checked, as well as repadmin, which seems to check out fine as below:

Beginning data collection for replication summary, this may take aw
..................


Source DSA largest delta fails/total %% error
DOMAINBFTEMP 08m:36s 0 / 5 0
DOMAINBV5 10m:33s 0 / 25 0
DOMAINDB 12m:03s 0 / 10 0
DOMAINDC 18m:26s 0 / 20 0
DOMAINKW5 22m:33s 0 / 50 0
DOMAINMG 12m:04s 0 / 20 0
DOMAINMP 22m:32s 0 / 25 0
DOMAINPL5B 09m:23s 0 / 20 0
DOMAINPM 09m:23s 0 / 5 0
DOMAINPT 13m:23s 0 / 10 0
DOMAINPX 08m:36s 0 / 5 0
DOMAINST4 13m:23s 0 / 15 0
DOMAINWH 07m:33s 0 / 5 0
DOMAINWN 08m:35s 0 / 5 0
SERVERKW4 23m:37s 0 / 45 0


Destination DSA largest delta fails/total %% error
DOMAINBFTEMP 10m:41s 0 / 20 0
DOMAINBV5 09m:29s 0 / 20 0
DOMAINDB 13m:25s 0 / 15 0
DOMAINDC 22m:39s 0 / 15 0
DOMAINKW5 23m:40s 0 / 35 0
DOMAINMG 05m:24s 0 / 20 0
DOMAINMP 18m:33s 0 / 10 0
DOMAINPL5B 04m:44s 0 / 15 0
DOMAINPM 05m:21s 0 / 15 0
DOMAINPT 12m:04s 0 / 20 0
DOMAINPX 09m:16s 0 / 15 0
DOMAINST4 07m:40s 0 / 15 0
DOMAINWH 09m:17s 0 / 15 0
DOMAINWN 05m:45s 0 / 5 0
SERVERKW4 22m:38s 0 / 30 0



C:\Users\>repadmin /showreps
Windhoek\DOMAINWH
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 01994859-6ad8-416e-a18f-b17306974cdd
DSA invocationID: 69d5a0ba-3ad8-4880-8010-c269456ade64

==== INBOUND NEIGHBORS ======================================

DC=,DC=co,DC=za
Kenilworth\DOMAINKW5 via RPC
DSA object GUID: adbbbe26-70de-4ad8-b9dd-7546209cdad4
Last attempt @ 2022-11-02 15:02:41 was successful.
Strand2\DOMAINST4 via RPC
DSA object GUID: cc865bae-debc-4d94-b292-6bc78da83c33
Last attempt @ 2022-11-02 15:02:42 was successful.
Kenilworth\SERVERKW4 via RPC
DSA object GUID: bafb583a-df78-445d-a6d9-d501a18ea1eb
Last attempt @ 2022-11-02 15:02:42 was successful.

CN=Configuration,DC=,DC=co,DC=za
Strand2\DOMAINST4 via RPC
DSA object GUID: cc865bae-debc-4d94-b292-6bc78da83c33
Last attempt @ 2022-11-02 15:02:41 was successful.
Kenilworth\SERVERKW4 via RPC
DSA object GUID: bafb583a-df78-445d-a6d9-d501a18ea1eb
Last attempt @ 2022-11-02 15:02:41 was successful.
Kenilworth\DOMAINKW5 via RPC
DSA object GUID: adbbbe26-70de-4ad8-b9dd-7546209cdad4
Last attempt @ 2022-11-02 15:02:42 was successful.

CN=Schema,CN=Configuration,DC=,DC=co,DC=za
Strand2\DOMAINST4 via RPC
DSA object GUID: cc865bae-debc-4d94-b292-6bc78da83c33
Last attempt @ 2022-11-02 15:02:42 was successful.
Kenilworth\SERVERKW4 via RPC
DSA object GUID: bafb583a-df78-445d-a6d9-d501a18ea1eb
Last attempt @ 2022-11-02 15:02:42 was successful.
Kenilworth\DOMAINKW5 via RPC
DSA object GUID: adbbbe26-70de-4ad8-b9dd-7546209cdad4
Last attempt @ 2022-11-02 15:02:42 was successful.

DC=ForestDnsZones,DC=,DC=co,DC=za
Kenilworth\DOMAINKW5 via RPC
DSA object GUID: adbbbe26-70de-4ad8-b9dd-7546209cdad4
Last attempt @ 2022-11-02 15:02:42 was successful.
Strand2\DOMAINST4 via RPC
DSA object GUID: cc865bae-debc-4d94-b292-6bc78da83c33
Last attempt @ 2022-11-02 15:02:42 was successful.
Kenilworth\SERVERKW4 via RPC
DSA object GUID: bafb583a-df78-445d-a6d9-d501a18ea1eb
Last attempt @ 2022-11-02 15:02:42 was successful.

DC=DomainDnsZones,DC=,DC=co,DC=za
Kenilworth\DOMAINKW5 via RPC
DSA object GUID: adbbbe26-70de-4ad8-b9dd-7546209cdad4
Last attempt @ 2022-11-02 15:02:42 was successful.
Strand2\DOMAINST4 via RPC
DSA object GUID: cc865bae-debc-4d94-b292-6bc78da83c33
Last attempt @ 2022-11-02 15:02:42 was successful.
Kenilworth\SERVERKW4 via RPC
DSA object GUID: bafb583a-df78-445d-a6d9-d501a18ea1eb
Last attempt @ 2022-11-02 15:02:42 was successful.


The search continues

The issue seems to be related to KB5018419 (for Server 2019); other KB numbers will apply to other Windows Server OS versions.

Info from another guy below:

The root cause is this: KB5008380—Authentication updates (CVE-2021-42287)

 

So long story short:

 


- update all DCs in the forest to the 14 Nov 2021 updates (KB5008602 for Server 2019)
- wait until all Kerberos tickets have the PAC Attributes (System Event ID 35-38 should not appear on any DC anymore)
- install October 2022 on the DCs (KB5018419 for Server 2019)

If you have the October 22 updates on any DC and another DC does not have the November 21 updates installed, the only workaround is to remove the October 22 update.
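
The wait-and-check step in the list above, as an added PowerShell example that is not part of the original post: it queries each domain controller's System log for events 35-38 and reports which DCs still log them. The 7-day window and the event provider name are assumptions to confirm in your environment.

```powershell
# Added example (not from the thread): count KDC PAC events 35-38 on every DC
# so you can tell when it is safe to move on to the October 2022 update.
# Requires the ActiveDirectory RSAT module and remote event-log access to each DC.
Import-Module ActiveDirectory

$LookbackDays = 7   # assumption: long enough to cover your Kerberos ticket renewal window
$filter = @{
    LogName      = 'System'
    # Assumed provider for the KB5008380 PAC events; confirm it on one of your DCs
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 35, 36, 37, 38
    StartTime    = (Get-Date).AddDays(-$LookbackDays)
}

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $events = @()
    $status = 'Clean'
    try {
        $events = @(Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop)
        if ($events.Count -gt 0) { $status = 'PAC events still logged' }
    }
    catch {
        # Get-WinEvent throws when nothing matches; only other errors are real failures
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            $status = "Query failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{
        DC         = $dc.HostName
        Site       = $dc.Site
        OS         = $dc.OperatingSystem
        Status     = $status
        EventCount = $events.Count
        ById       = ($events | Group-Object Id | Sort-Object Name |
                      ForEach-Object { "$($_.Name)x$($_.Count)" }) -join ', '
        Latest     = ($events | Sort-Object TimeCreated -Descending |
                      Select-Object -First 1).TimeCreated
    }
}

$report | Sort-Object Site, DC | Format-Table -AutoSize

# Every DC must report Clean; a failed query is unknown, not clean
$blocking = @($report | Where-Object Status -ne 'Clean')
if ($blocking.Count -eq 0) { 'No PAC events found on any DC in the window.' }
else { "$($blocking.Count) DC(s) still need attention." }
```

The OS column makes it easy to spot older domain controllers that cannot receive the prerequisite update.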

@djshaunvt

Thank you so much for posting the fix you found!

I've been seeing this pop up on random computers throughout my org. Here are my symptoms:
- RDP attempt to Hostname results in "Logon failed" message
- RDP attempt to IP works normally
- DNS resolves fine for every affected computer I've seen so far
- User account never locks out despite "logon failed" notice

 

I don't have an affected computer I can test with at the moment, but I'm hopeful those updates will help.

@gmalewis
I have the same problem. Sometimes it works, sometimes it doesn't. Whenever it fails, it's by the DNS hostname.
By IP it works!
Some help?

@Luis_E_Mendes 

 

After lots of researching there doesn't seem to be a way to go forward, as Microsoft has hit the cut-over switch with the latest November updates with regards to the way domain controllers communicate using Kerberos. The only way I see is to update all domain controllers with the latest updates so those won't have an issue with clients connecting to those sites. Up until Windows Server 2012 you will be OK as updates are still sent out. But like with some of our sites where 2008R2 DCs exist, we have to upgrade them or sign up with Microsoft to carry on receiving updates for our Server 2008R2 domain controllers. The out-of-band updates at the time don't seem to install as the Windows versions have changed it. What I have found is that after just updating all the latest domain controllers (Server 2012 R2 upwards) all is fine again EXCEPT the sites with the older 2008R2 domain controllers, due to them not receiving updates anymore. Hope this makes sense.

 

I came to the conclusion that this was the issue as below:

 

So Microsoft gave us the options of registry keys in the beginning to see how our environments would be affected and to prepare. But if you read carefully, the latest updates in September / November this year changed the state to fully migrated and took away all options of the registry key they provided in the beginning.

 

https://www.virtualizationhowto.com/2022/02/domain-controller-pacrequestorenforcement-registry-key-e...