question

DerekPrice-1030 avatar image
0 Votes"
DerekPrice-1030 asked LeilaKong-MSFT answered

Microsoft Store RDP App Wont allow conenction when protected users group enabled

I have just enabled the protected users group on a domain and the RDP Windows store application does not support kerberos authentication is there any workarounds for this that allows me to keep using the app and the protected users group

remote-desktop-client
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

LeilaKong-MSFT avatar image
0 Votes"
LeilaKong-MSFT answered

Hello @DerekPrice-1030 ,

What's the version of your Microsoft Store RDP Application? What's the OS of the server? Is there any error message of authentication failure?

Members of the Protected Users group must be able to authenticate by using Kerberos with Advanced Encryption Standards (AES). This method requires AES keys for the account object in Active Directory. The built-in Administrator does not have an AES key unless the password was changed on an Active Directory Domain Controller that runs Windows Server 2008 or later. Additionally, any account object, which has a password that was changed at an Active Directory Domain Controller that runs an earlier version of Windows Server, is locked out.

Authentication policy silos are containers to which administrators can assign user accounts, computer accounts, and service accounts. Sets of accounts can then be managed by the authentication policies that have been applied to that container. This reduces the need for the administrator to track access to resources for individual accounts, and helps prevent malicious users from accessing other resources through credential theft.

Capabilities introduced in Windows Server 2012 R2 , allow you to create authentication policy silos, which host a set of high-privilege users. You can then assign authentication policies for this container to limit where privileged accounts can be used in the domain. When accounts are in the Protected Users security group, additional controls are applied, such as the exclusive use of the Kerberos protocol.


For your reference:
https://dirteam.com/sander/2014/11/25/ten-things-you-need-to-be-aware-of-before-using-the-protected-users-group/
https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos
https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group


Best regards,
Leila


If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

LeilaKong-MSFT avatar image
0 Votes"
LeilaKong-MSFT answered

Hello @DerekPrice-1030 ,

How are things going there on this issue?
Please let me know if you would like further assistance.


5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.