RDP Error 0x267: AAD joined machine. On work account must disable Network Level Authentication

LouisWaweru 1 Reputation point
2022-04-14T03:23:22.237+00:00

Hi, the error message is well written as far as getting the case right, but is there any way to enable NLA when using RDP to access an on-premises workstation that is AAD joined?

It doesn't have P2 or the Enterprise Mobility + Security product, so to be honest I'm not sure how authentication works exactly. Not as far as what actually is granted when I tap Approve in Authenticator on my phone. It does not have Azure AD DS either. Instead it just uses Azure AD Connect without PHS. I am guessing one of those is the problem, but if so, knowing which would be a time and money saver.

Many thanks

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. Marilee Turscak-MSFT 33,876 Reputation points Microsoft Employee
    2022-04-19T00:40:36.243+00:00

    Hi @LouisWaweru ,

    We do support NLA to RDP into AAD joined machines. We recommend turning off Remote Credential Guard to make sure this works.

    Since the machine is domain joined, please ensure that PKU2U is enabled (the default is "disabled") with NLA.

    NLA basically authenticates against the DC before authorizing to the local machine so if there is no communication between the VMs and the DC--whether they are not domain joined, the DC is down, or there is no network connectivity--it will throw an NLA error.

    You can temporarily disable NLA using the run command option from the Azure portal > run command > disable NLA. Then attempt to RDP using local admin credentials and investigate further. Check domain join > check DNS > ping DC > etc. Then you can re-enable NLA when you are done.

    You can also run Diagnostics to get the exact error message for the user:

    $activities = Get-RdsDiagnosticActivities -TenantName <tenantName> -ActivityType Connection -Outcome Failure -Detailed

    (See related.)

    If you've configured Password Hash Sync then your users should already have their password hashes stored in the right format. But I'll also note that the password hashes need to be stored in a format that is suitable for NTLM, and if the passwords are not stored in that format, you need to let those users change their passwords in order to force the right password hash format.

    Let me know if these steps help.

    -

    If this answer was helpful to you, please remember to "mark as answer" so that others in the community with similar questions can more easily find a solution.

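The switches and checks the answer above walks through (toggle NLA, enable PKU2U, turn off Remote Credential Guard on the host, then verify join state, DNS and DC reachability), collected into one PowerShell script. This is an added example, not code from the question, the answer or Microsoft; it assumes an elevated session on the target machine (locally or through the Azure portal Run Command), the default RDP-Tcp listener name, and a domain FQDN such as corp.example.com that you substitute for your own.

```powershell
# Added example (not from the original thread): NLA / PKU2U / Remote Credential Guard
# switches plus the connectivity checks listed in the answer.
# Assumptions: Windows 10/11 or Server 2016+, run as administrator, listener name RDP-Tcp.
# A restart of TermService (or a reboot) may be needed before the NLA change takes effect.

$RdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$Lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Pku2u  = "$Lsa\pku2u"

function Get-RdpNlaState {
    # UserAuthentication = 1 means NLA is required (the secure default).
    $v = Get-ItemProperty -Path $RdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue
    [bool]($v.UserAuthentication -eq 1)
}

function Set-RdpNla {
    param([Parameter(Mandatory)][bool]$Enabled)
    # Same registry value the portal's "Disable NLA" run command flips.
    # Keep NLA off only for the duration of the troubleshooting session.
    Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Type DWord -Value ([int]$Enabled)
    Write-Host ("NLA required: {0}" -f (Get-RdpNlaState))
}

function Enable-Pku2u {
    # Policy "Network security: Allow PKU2U authentication requests to this computer
    # to use online identities". It must be enabled on the client as well as the target
    # for an AAD identity to satisfy NLA.
    if (-not (Test-Path $Pku2u)) { New-Item -Path $Pku2u -Force | Out-Null }
    Set-ItemProperty -Path $Pku2u -Name AllowOnlineID -Type DWord -Value 1
}

function Disable-RemoteCredentialGuardHost {
    # On the host, Remote Credential Guard / Restricted Admin is enabled by
    # DisableRestrictedAdmin = 0; setting it to 1 turns both off.
    # On the client side, simply connect without "mstsc /remoteGuard".
    Set-ItemProperty -Path $Lsa -Name DisableRestrictedAdmin -Type DWord -Value 1
}

function Test-RdpJoinAndDc {
    param([string]$DomainFqdn)   # optional: leave empty on an AAD-only machine

    # 1. Join state: dsregcmd reports AzureAdJoined / DomainJoined and whether a PRT exists.
    dsregcmd /status | Where-Object { $_ -match 'AzureAdJoined|DomainJoined|AzureAdPrt' }

    if ($DomainFqdn) {
        # 2. DNS: resolve the domain and the LDAP SRV record the DC locator uses.
        Resolve-DnsName -Name $DomainFqdn -Type A | Format-Table -AutoSize
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainFqdn" -Type SRV
        $srv | Format-Table NameTarget, Port, Priority -AutoSize

        # 3. DC locator and reachability of Kerberos (88) and LDAP (389) on the first DC found.
        nltest /dsgetdc:$DomainFqdn
        $dc = $srv[0].NameTarget
        foreach ($port in 88, 389) {
            Test-NetConnection -ComputerName $dc -Port $port |
                Select-Object ComputerName, RemotePort, TcpTestSucceeded
        }

        # 4. Secure channel to the domain (meaningful only on a domain-joined machine).
        Test-ComputerSecureChannel -Verbose
    }
}

# Typical sequence from the answer:
# Set-RdpNla -Enabled $false                       # temporarily, then RDP in with a local admin
# Test-RdpJoinAndDc -DomainFqdn 'corp.example.com'  # assumed placeholder domain
# Enable-Pku2u; Disable-RemoteCredentialGuardHost
# Set-RdpNla -Enabled $true                        # re-enable NLA when finished
```

Disabling NLA removes the pre-session authentication gate, so treat it as a diagnostic step only and confirm with Get-RdpNlaState that it is back on before you finish; the PKU2U and Restricted Admin values are the ones to leave in place.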