
I came into work last week, checked my first ticket (an easy one to fix), RDP'd into the server needed for this and the login did not work. After clicking 'connect' I got the "Unable to Log You on Because of an Account Restriction" message. Checked another server (all machines are 2008R2/2012R2), same message. No, I do not have an empty password, I am not using network auth, my client is Windows 10 (1607).

Here is what I did:

  • Used another client (Win10.1607), same OU, same setup. Can perfectly log in from anywhere to anywhere (so I am assuming it's not my user account or a GPO)
  • Checked servers: I can RDP into all my DCs and a few other machines (2008R2/2012R2), looks random to me (all servers in the same OU, no special software installed)
  • Deleted the mstsc cache (%appdata%..\local\Microsoft\Terminal Server Client* )
  • Cleaned up HKCU\SOFTWARE\Microsoft\Terminal Server Client
  • Watched the event logs: nothing. Absolutely nothing. So I assume it's my client, not the servers. But I can RDP into all my servers at home and in another (customer's) network ...
  • Checked date/time on client/server (0.0002ms apart)
  • Checked account restrictions on my account (neither time nor machine restrictions are present)
  • Checked if logon at the console works (vm/ilo): works perfectly fine with my credentials
  • Checked if share access would work (\\server\share): does not work, I am seeing the same error message. Works from clientB, but not from clientA.
  • When doing the same thing from one of the 'working' machines (server or client), everything is fine.

Any ideas where to look for this? It is haunting me in my sleep :-(

Updates: Surely I checked the local policies on the server(s). Any changes would have surprised me - there are a lot of servers. Also checked the clients' GPO, nothing.

bjoster
  • Try logging on with a different account. – Greg Askew Sep 27 '16 at 11:45
  • First, a good sleep is required for solving stuff... Anyway, maybe there's a local GPO that blocks it (allow\deny remote\network access under security settings). Can you post results of 'gpresult /h gpresoprt.html'? – EliadTech Sep 27 '16 at 11:47
  • @GregAskew: does not work either (eg 'administrator', the default and first domain admin). Not from this client. Works from other clients/servers. – bjoster Sep 27 '16 at 12:27
  • @EliadTech: my client is not a member of the domain, so my report is rather short. The gpresult of the server(s) is somewhat larger, but due to the intimate details I am not allowed to post it completely. I checked the result set before (using rsop.msc) and found nothing (no User/Group restrictions). Do you have any special places I should look at? – bjoster Sep 27 '16 at 12:31
  • You can RDP to and from servers and desktops that belong to the domain. You cannot RDP from this PC1 that is in workgroup mode. Is there a different PC2 that is also in workgroup that you can try to RDP from? – Clayton Sep 27 '16 at 13:16
  • @bjoster GPEdit.msc > Computer settings > Windows settings > Security settings > Local policies > User rights assignments > 1. Allow\Deny log on through Remote Desktop Services 2. Access this computer from the network. Also, for clarity, you get the error after typing username and password, right? – EliadTech Sep 27 '16 at 13:20
  • @bjoster One more thing, you contradicted yourself: you wrote "Used another client (Win10.1607), same ou..." in the question, but you wrote in the comments that the client is not domain-joined. So... ? – EliadTech Sep 27 '16 at 13:22
  • @Craig620: Yes, I can use any other computer here, part of the domain or not. – bjoster Sep 27 '16 at 13:43
  • To clear things up (sorry for my somewhat chaotic description): We do have multiple (client) computers here, some are part of the domain, some are not. My primary personal machine is not joined. RDP works from any other computer, joined or not. My test clients are Win10.1607(joined), Win10.1607(not-joined), Win8.1(joined), Win8.1(not-joined), and the servers. The only machine RDP is not working from (here) is my personal Win10 (not joined) machine. @EliadTech: Yes. Skipped (sure) when using saved credentials. – bjoster Sep 27 '16 at 13:49
  • What do the logs on the server and your client show? – user5870571 Sep 27 '16 at 13:57
  • @bjoster I'd say dive again into the event logs, maybe even set some more audit options. Otherwise, just format your PC (maybe try a Live-cd first, just to be on the safe side). – EliadTech Sep 27 '16 at 14:03
  • @user5870571: The mstsc client does not have logging besides the eventlogs TerminalService-Client* (which do show nothing). The server logs are completely clean. I can see the TCP-Connection when sniffing with Wireshark. – bjoster Sep 27 '16 at 14:13
  • If you are getting a logon error from the server and you don't have anything in the server logs, my first suggestion is get your logging corrected. The logs will likely contain helpful information but if you don't have logging enabled then you are doing a lot of guessing. – user5870571 Sep 27 '16 at 14:16
  • @user5870571: Do you know how to enable logging on the client? @EliadTech Booting from another OS works, it's not my hardware :-) It even works from within a VM. – bjoster Sep 27 '16 at 14:29
  • If the error is being generated by the server then you want to enable logging on the server. – user5870571 Sep 27 '16 at 14:30
  • @bjoster You get an error regarding the account, so the RDP itself (probably) isn't the issue. Look at the security logs, maybe [add more auditing](https://rdpguard.com/windows-server-how-to-catch-failed-logons.aspx). – EliadTech Sep 28 '16 at 07:17

1 Answer

The solution in my case was the option "Restrict delegation of Credentials to remote Servers".

Basically, there is a new Group Policy setting that can prevent a system from passing credentials to a remote server. This was exactly the issue. You can find this setting in your local or domain group policy under:

Computer Configuration > Administrative Templates > System > Credential Delegation
bjoster
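An added example (not from the answer or the thread) for checking from the client side whether the policy the answer names is in effect: the script reads the registry values that the Credential Delegation policy writes. The key path and the value names RestrictedRemoteAdministration / RestrictedRemoteAdministrationType, and the mode mapping, are assumed from the CredSsp ADMX template rather than taken from the page.

```powershell
# Assumed location where "Restrict delegation of credentials to remote servers" is stored
# when set through local or domain Group Policy (from the CredSsp.admx template).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Get-CredentialDelegationRestriction {
    # Reports whether the policy is enforced on this client and which mode it requires.
    $result = [ordered]@{
        PolicyConfigured = $false
        Mode             = 'Not configured (client may delegate credentials normally)'
    }
    if (-not (Test-Path $policyKey)) { return [pscustomobject]$result }

    $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    # Value of 1 means the policy is Enabled; anything else means Not configured / Disabled.
    if ($props.RestrictedRemoteAdministration -ne 1) { return [pscustomobject]$result }

    $result.PolicyConfigured = $true
    # Assumed mapping of the policy's "Restrict credential delegation" drop-down.
    switch ($props.RestrictedRemoteAdministrationType) {
        1       { $result.Mode = 'Require Restricted Admin' }
        2       { $result.Mode = 'Require Remote Credential Guard' }
        3       { $result.Mode = 'Restrict credential delegation (Remote Credential Guard preferred, Restricted Admin as fallback)' }
        default { $result.Mode = "Enabled, unknown type value '$($props.RestrictedRemoteAdministrationType)'" }
    }
    # In every enforced mode the client withholds its plaintext credentials from the
    # remote host, which is the behaviour the answer identifies as the cause.
    return [pscustomobject]$result
}

Get-CredentialDelegationRestriction | Format-List
```

Run it in an elevated prompt on the client that fails; a result of PolicyConfigured = True with any mode listed points at this setting rather than at the servers or the user account.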