NTLM authentication failed because the account was a member of the Protected User group.
Question
-
Hi everyone,
we have two domains (A and B), each has its own forest and two domain controllers. There is a trust between domains. Each admin has two Domain Admins account in each domain (like A\Admin and B\Admin).
Domain A has a PAW, where the admins are logging on with A\Admin and managing both domains (A\Admin was delegated some rights in domain B). But sometimes the admins have to connect (via RDP) to some server in B domain using B\Admin account. If an admin connects from his own computer (Windows 10) - it fails because of NTLM authentication, which is not allowed for the members of the Protected Users group. Then the admins connect from PAW and it works. In the logs I see another type of the Authentication - Kerberos!
Question: how to enable Kerberos authentication on Windows 10 to be able to connect to a server in another Domain using credentials of this domain?
Thank you in advance!
All replies
-
Hi Hannah,
I've set "Send NTLMv2 response only. Refuse LM & NTLM" on my computer:
but I still can't connect and in the logs I see the same error:
-
Hi Anahaym,
Thank you so much for your kindly reply.
As for "Question: how to enable Kerberos authentication on Windows 10 to be able to connect to a server in another Domain using credentials of this domain?"
How we connect to a server in another domain? We are wondering whether we use the Remote Desktop Connection or \\IP address or server name\shared directories.
As for "If an admin connects from his own computer (Windows 10) ", we thought that Windows 10 is domain joined and we log on Windows 10 with domain administrator account? How could an admin connect from his own computer?
I did some tests in my lab and tried to figure out this issue. But I could not reproduce our issue. I will keep on follow up this issue. For any update, I will come back to you.
Thank you so much for your time and support.
Best regards,
Hannah XiongPlease remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com. -
Hello Anahaym,
Thank you so much for the detailed explanation. I appreciate your time and support.
I did more tests in my lab and the issue could not be reproduced. Below are my tests.
1, I logged on Windows 10 with the non-domain user (in my case, it is hannah), which is added to the protected group. From the Windows 10 computer (In my case, it is WIN1010), it connected to a server (In my case, it is DC) in contoso (In my case, it is book.com) domain via RDP.
I tried to enter the wrong password and then I checked the event log as shown below. And then entered the right password, it could successfully log in.
2, I logged on Windows 10 with the non-domain user (in my case, it is hannah), which is added to the protected group. From the Windows 10 computer (In my case, it is WIN1010), it connected to a DC in Fabrikam (In my case, it is sayms.local) domain via RDP.
I tried to enter the wrong password and then I checked the event log as shown below. And then entered the right password, it could successfully log in.
3, I tried to connect to a DC in Fabrikam (In my case, it is sayms.local) domain via RDP from the DC in book.com. I tried to enter the wrong password and then I checked the event log as shown below. And then entered the right password, it could successfully log in.
From my tests, they could successfully log in if providing the right credentials. As for our case, it fails because of NTLM authentication, which is not allowed for the members of the Protected Users group.
We are wondering whether it is the error message showing on the UI interface. Or when we enter the credentials, what is the error message on the UI interface?
For any question, please feel free to contact us.
Best regards,
Hannah XiongPlease remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com. -
sorry, my bug mistake.... I apologize... 🙏
1, I logged on Windows 10 with the non-domain user (in my case, it is hannah), which is added to the protected group
the user is domain, I meant non-admin user... and this user ins't member of Protected Users group.
So, the procedure is the following:
book\hannah logs in to WIN1010
sayms\hannah tries to connect to DC in sayms domain via RDP
sayms\hannah is a member of Protected Users groupPlease don't use built-in Administrator.
When it fails to log in, I see this:
and on DC this:
-
Hello,
It's OK. Thank you so much for your kindly reply.
Below is my test.
1, Log on the Windows 10 with BOOK\susan and this user is not member of protected group.
2, Then Remote Desktop connect to DC in SAYMS domain with SAYMS\emma, which is a member of Protected group.
3, In my test, I entered the wrong passwords and then checked the event viewer as shown below. It could successfully log on when entering the right password.
As for this error message, it seems to be a Remote Desktop Connection issue. Have we entered the password of the user account when connecting to the DC in another domain via RDP?
I researched and found out that we might get this error message when using a user account without password. For more information, we could refer to: https://social.technet.microsoft.com/Forums/office/en-US/832a70f9-f829-4bb4-b6d6-b2409f17b23f/rdp-remote-desktop-to-windows-10-without-passwords-not-possible-anymore-bug-or-feature?forum=winserverTS
Thank you so much for your time and support.
Best regards,
Hannah XiongPlease remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com. -
Hello Anahaym,
Thank you so much for your feedback.
It is Windows Server 2008 R2 DC with the domain and forest functional level Windows Server 2008 R2.
For any question, please feel free to contact us.
Best regards,
Hannah XiongPlease remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com. -
Hello Anahaym,
I would appreciate your kindly feedback. So sorry for the inconvenience caused. Thank you so much for your correction.
I did the test again and below are the steps.
1, Log on the Windows 7 with SAYMS\emma and this user is not member of protected group.
2, Then Remote Desktop connect to DC in BOOK.com domain with BOOK\mytest, which is a member of Protected group.
3, The DC in BOOK.com is Windows 2016 with DFL/FFL Windows 2016.
4, In my test, I entered the wrong password and then checked the event viewer as shown below. It could successfully log on when entering the right password.
For any question, please feel free to contact us.
Best regards,
Hannah XiongPlease remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com. -
Hello Anahaym,
You are welcome and thank you so much for your feedback.
I added BOOK\mytest to Protected User group.
When I logged in BOOK\DC$ with BOOK\mytest account, it could be successful, but I did not see any message. And I also did the same test as before, it could also successfully connect via Remote Desktop Connection. Once I entered the wrong password, the event viewer recorded the below events.
Thank you again and have a nice day.
Best regards,
Hannah XiongPlease remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com. -
could you please check Event ID 4624 on the DC?
-
Hello,
Thank you so much for your kindly reply.
Below is the Event ID 4624 on DC.
Best regards,
Hannah XiongPlease remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
