Cannot connect to Remote Desktop from Android (error 0x1307), but I can from a Windows PC

  • Question

  • Using Group Policy Editor, I have added Administrators into Computer Configuration\Windows Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network. This is to make sure that file sharing users cannot bypass the NTFS rights. However, I want members of the Administrators group to be able to login interactively using Remote Desktop. It works from Windows PCs, but not from Microsoft RD Client for Android, where I get the following error message:

    • We couldn't connect to the remote PC because the admin has restricted the type of logon that you may use. Ask your admin or tech support for help. Error code: 0x1307

    I can connect from Android only if I remove that policy.

    Any ideas?

    Saturday, November 30, 2019 11:38 PM

All replies

  • HI
    1. Can you enter winver in a command prompt on the session host server and check the OS version and build number? [For example: Windows 10 Enterprise 1809 (OS build 17763.316)]
    2. If you disable NLA on the session host server temporarily, does the problem persist?
    3. If you install the updates for version 8.1.71 on the Android device, does the problem persist?
    Updates for version 8.1.71
    https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/android-whatsnew

    Best Regards
    Andy YOU
    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, December 2, 2019 8:35 AM
    Moderator
  • ad 1: Windows 10 Pro N 1903 build 18362.476

    ad 2: NLA was already disabled.

    ad 3: I was already using Microsoft Remote Desktop for Android version 8.1.74.397

    Tuesday, December 3, 2019 5:21 AM
  • HI
    "It works from Windows PCs, but not from Microsoft RD Client for Android,"
    Computer Configuration\Windows Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network
    Not exactly. After I set the above local policy for testb on the remote PC (Win10 Pro 1903), yes, I reproduced this issue on an Android device using the Microsoft Remote Desktop app. But when I used both Win10 Pro 1903 (and Win10 Pro 1909) to remotely access Win10 Pro 1903 in the same workgroup with the same user account (testb, a member of the local Administrators group), I got the error information below.
    "If you apply restrictions against remote use of local accounts on these systems, you will be able to log on only at the console." It is by design.
    https://blogs.technet.microsoft.com/secguide/2014/09/02/blocking-remote-use-of-local-accounts/



    Best Regards
    Andy YOU

    Wednesday, December 4, 2019 2:29 PM
    Moderator
  • I don't know whether it matters, but I am connecting from Windows 7 over internet using an internet domain name and it really works with the policy enabled, which I find very convenient. Also don't forget about the disabled NLA. I will retry it from another Windows 10 PC when I get to one.

    In the past I was doing the same between two Windows XP machines, also successfully: Administrators could not use file sharing, but they could connect using RDP.

    Wednesday, December 4, 2019 9:52 PM
  • HI
    5. Did you use a domain account that is in the Enterprise Admins group and the Domain Admins group to remotely access Win10 1903 Pro from both the Android device and the Win7 computer?

    Best Regards
    Andy YOU


    Thursday, December 5, 2019 1:53 AM
    Moderator
  • Hi Andy, thank you for your care.

    Only local accounts are involved. In RDP I am entering the same local account every time, which is a member of the following groups on the host (win10 1903):

    • Administrators
    • HelpLibraryUpdaters
    • Remote Desktop Users
    • Rodina (a user-created group)
    The user is already logged in on the host when connecting by RDP.
    • Edited by Petr Matas Thursday, December 5, 2019 2:28 AM Addition
    Thursday, December 5, 2019 2:23 AM
  • So, here it is: I can confirm that with the policy enabled I cannot connect from Win10 1903 or from Android, but I can connect from Win7. This is strange, given that "by design" it should not be possible. Don't you think?
    Friday, December 6, 2019 7:47 AM
  • HI
    thanks for your reply
    "Only local accounts are involved. In RDP I am entering the same local account every time, which is a member of the following groups on the the host (win10 1903):"
    Administrators
    Yes, I can reproduce your issue on an Android device, as I mentioned above.
    "If you apply restrictions against remote use of local accounts on these systems, you will be able to log on only at the console." It is by design. We can check the document below.
    Blocking Remote Use of Local Accounts
    https://blogs.technet.microsoft.com/secguide/2014/09/02/blocking-remote-use-of-local-accounts/

    Best Regards
    Andy YOU


    Friday, December 6, 2019 11:12 AM
    Moderator
  • I understand that preventing any remote use of local accounts is the purpose of the policy, so being unable to connect whatsoever is by design. But if this is the case, then why am I able to connect using a different client (namely Win7)? Is this a security hole?
    Saturday, December 7, 2019 3:34 AM
  • HI
    " But if this is the case, then why am I able to connect using a different client (namely Win7)? Is this a security hole?"

    Our latest security guidance responds to these problems by taking advantage of new Windows features to block remote logons by local accounts. Windows 8.1 and Windows Server 2012 R2 introduced two new security identifiers (SIDs), which are also defined on Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012 after installing KB 2871997:
    We can install KB 2871997 on Win7 to avoid this security hole:
    KB 2871997
    https://www.catalog.update.microsoft.com/Search.aspx?q=2871997

    Best Regards
    Andy YOU

    Saturday, December 7, 2019 12:31 PM
    Moderator
  • If I understand you correctly, then after installing KB 2871997 on the Win7 client I will not be able to connect to the Win10 server anymore. But what if an attacker chooses not to install this update on his Win7 machine? As I see it, he will be able to connect even though the policy is designed to prevent this.

    So, the attacker can circumvent Blocking remote use of local accounts by just using an old unpatched client. I would not call that a security fix.

    • Edited by Petr Matas Wednesday, December 11, 2019 8:00 AM Addition
    Wednesday, December 11, 2019 7:14 AM
  • HI
    Thanks for your reply.
    "the attacker can circumvent Blocking remote use of local accounts by just using an old unpatched client. I would not call that a security fix."
    If we enable NLA on the remote PC (Win10 1903), I think it will prevent the attacker's behavior even if he is using an old unpatched client.

    Best Regards
    Andy YOU

    • Marked as answer by Petr Matas Monday, December 16, 2019 4:17 AM
    Thursday, December 12, 2019 1:55 AM
    Moderator
  • Hi again Andy, you are right!

    Depending on the Win10 RDP server configuration (namely NLA and Deny access to this computer from the network policy):

    • NLA disabled, policy disabled → RDP from Win7 succeeds
    • NLA disabled, policy enabled → RDP from Win7 succeeds
    • NLA enabled, policy disabled → RDP from Win7 succeeds
    • NLA enabled, policy enabled → RDP from Win7 fails with the following error message: RDP connection failure [screenshot]
    Thank you for your help. Merry Christmas!
    • Marked as answer by Petr Matas Monday, December 16, 2019 4:00 AM
    • Edited by Petr Matas Monday, December 16, 2019 6:13 AM adding screenshot
    Sunday, December 15, 2019 8:52 AM
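The following PowerShell is an added example, not code posted in this thread. It audits, on the Windows 10 RDP host itself, the two server-side settings whose combinations the test matrix above covers: the "Deny access to this computer from the network" user right (INF name SeDenyNetworkLogonRight, read via the built-in secedit.exe export) and whether the RDP-Tcp listener requires NLA (the UserAuthenticationRequired property of the Win32_TSGeneralSetting WMI class). It then reports which cell of the matrix the host is in for a legacy, non-NLA client such as the thread's Windows 7 machine, and offers the remediation the thread settled on. The function names and the report's property names are this example's own; run it from an elevated PowerShell on the host.

```powershell
# Added example (not from the thread). Requires an elevated PowerShell on the
# RDP host; uses only secedit.exe and root/cimv2/TerminalServices.

function Get-DenyNetworkLogonPrincipals {
    # Export the local security policy and parse SeDenyNetworkLogonRight,
    # the INF name of "Deny access to this computer from the network".
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    & secedit.exe /export /cfg $cfg /quiet | Out-Null
    $line = Get-Content $cfg |
        Where-Object { $_ -match '^SeDenyNetworkLogonRight\s*=' } |
        Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }

    # secedit writes principals as "*<SID>" (e.g. *S-1-5-32-544) or as names.
    # Resolve SIDs so the report shows BUILTIN\Administrators, not a raw SID.
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $p = $_.Trim().TrimStart('*')
        try {
            (New-Object System.Security.Principal.SecurityIdentifier $p).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $p }   # already a name or unresolvable: keep as written
    }
}

function Get-RdpLogonRestriction {
    $denied = @(Get-DenyNetworkLogonPrincipals)
    $ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
            -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $nla = [bool]$ts.UserAuthenticationRequired

    # Local admins are denied either via the group itself (as in the question)
    # or via the S-1-5-114 well-known SID the linked security guide recommends.
    $adminsDenied = ($denied -contains 'BUILTIN\Administrators') -or
                    ($denied -contains 'NT AUTHORITY\Local account and member of Administrators group')

    # Outcome follows the thread's matrix for a legacy client without NLA:
    # only "NLA enabled, policy enabled" blocks the Windows 7 client.
    $legacy = if ($adminsDenied -and $nla) { 'blocked' } else { 'allowed' }

    [pscustomobject]@{
        Host                        = $env:COMPUTERNAME
        DenyNetworkLogon            = ($denied -join '; ')
        LocalAdminsDeniedNetwork    = $adminsDenied
        NlaRequired                 = $nla
        LegacyClientRdpAsLocalAdmin = $legacy
    }
}

function Set-RdpNlaRequired {
    # Remediation the thread converged on: require NLA on the listener so the
    # deny-network-logon right is enforced for every client, not only NLA ones.
    $ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
            -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $ts | Invoke-CimMethod -MethodName SetUserAuthenticationRequired `
            -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
}

Get-RdpLogonRestriction | Format-List
```

Why the matrix comes out this way: with NLA, the server authenticates the user through CredSSP before any session exists, and that pre-authentication is evaluated as a network logon, so a principal listed in "Deny access to this computer from the network" is rejected at that step. A legacy client that negotiates RDP Security instead authenticates at the logon screen of an already-created session, which is a remote interactive logon and is not covered by that right; that is the gap the Windows 7 client walked through. If the goal is "no file sharing, but RDP allowed" for local administrators, the right to use is "Deny access to this computer from the network" together with NLA required, and the matrix shows that with both in place RDP for those accounts is blocked too; there is no supported combination on this page that blocks SMB while still admitting NLA RDP for the same denied principal.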
  • HI
    You are welcome! Merry Christmas! If any answer (or solution) was helpful to you, could you mark it as an answer? Microsoft values your comments; thanks for your cooperation. Thanks a lot!


    Best Regards
    Andy YOU



    Sunday, December 15, 2019 9:25 AM
    Moderator