question

ToniMartnez-5162 asked

Not able to log in to VM via RDP - Azure AD DS

Hi
I created a managed domain in Azure using a custom domain, let's say aaddscontoso.com. My default domain in Azure AD is contoso.com. After a lot of trouble I was able to join an Azure VM to the managed domain. At first my users got locked out when trying to join the machine. Finally I used the pre-Windows 2000 format to be able to join the VM (as I didn't know if I had to use the suffix @contoso.com or @aaddscontoso.com).
I was able to join the VM but now I am not able to log in via RDP with a domain account. If I log in using a local account I am able to authenticate to the domain, for instance using "Run as another user" to open an mmc or searching the domain from the computer management console when adding a domain user to a local group.

Finally I was able to see the users from ADUC and I see they have the UPN suffix @contoso.com. But still I cannot log in using a domain account via RDP.
Any clue?

azure-ad-domain-services

ToniMartnez-5162 answered

I finally found out the problem myself. I had to add this line to the RDP file:

enablecredsspsupport:i:0

It looks like a problem with NTLM even though I disabled it on the VM Remote settings.

After adding that to the RDP file I was able to log in using a domain account. But it is a pain not being able to copy & paste the credentials, as I get the login screen.

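Two checks that go with the workaround above, as an added example (not code from the original post). `enablecredsspsupport:i:0` tells mstsc not to do CredSSP (Network Level Authentication) before the session opens, so the credentials are typed at the Windows logon screen inside the session and the VM itself does the Kerberos/NTLM exchange with the managed domain instead of the client doing NTLM over CredSSP. That only works when the VM does not require NLA, which the first part reports; the second part writes the .rdp file. The host name, user name and output path are placeholders. Note that with NLA off the logon screen is reachable before any authentication, so keep the RDP port restricted to known source addresses in the NSG.

```powershell
# 1) On the VM: does the RDP-Tcp listener require Network Level Authentication?
#    1 = NLA required (a CredSSP-less .rdp file will be refused), 0 = not required.
$listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
"NLA required on {0}: {1}" -f $env:COMPUTERNAME, $listener.UserAuthenticationRequired

# 2) On the client: write an .rdp file that skips CredSSP. Values below are placeholders.
$rdpPath = Join-Path $env:USERPROFILE 'Desktop\aadds-vm.rdp'
@(
    'full address:s:vm.aaddscontoso.com'   # placeholder VM address
    'username:s:AADDSCONTOSO\someuser'     # placeholder, pre-Windows 2000 (DOMAIN\user) format
    'enablecredsspsupport:i:0'             # the setting from the answer above: no CredSSP/NLA
    'authentication level:i:2'             # warn on server certificate problems, do not refuse
    'prompt for credentials:i:1'           # credentials are entered at the VM's logon screen
) | Set-Content -Path $rdpPath -Encoding Unicode   # mstsc reads UTF-16 LE .rdp files
"Wrote $rdpPath; open it with: mstsc `"$rdpPath`""
```

Run the first part on the VM (it is what the "Remote settings" checkbox controls), the second on the client, then open the file with mstsc.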

AndreasBaumgarten answered

Hi @ToniMartnez-5162 ,

Is the domain user a local admin on the VM?
Could you please add the domain user to the local Remote Desktop Users group on the VM and test again.


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten


ToniMartnez-5162 answered

Hi

Thanks for your answer, but this is not a permission issue. The domain user is a local admin and, just in case, I added it to the Remote Desktop Users group and still get the same error. I get the event below using the same credentials that I use to open ADUC successfully:

An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: admin_aaddsXXXX@XXXX.XXX
Account Domain:

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC000006A

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: XXXXXX
Source Network Address: XX.186.128.XXX
Source Port: 0

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

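A way to triage events like the one above in bulk, added here as an example (not code from the original post). The event shows Logon Type 3 (network), Logon Process NtLmSsp, Status 0xC000006D (STATUS_LOGON_FAILURE) with Sub Status 0xC000006A (STATUS_WRONG_PASSWORD): the NTLM challenge-response from the client did not match the hash the domain controller holds, even though the same password works for an interactive "Run as" on the VM. Grouping recent 4625 events by authentication package and sub-status makes that NTLM-only pattern visible, and separates it from lockouts, missing logon rights and plain typos. Run it elevated on the VM; the hour window and event cap are parameters.

```powershell
# Map of the NTSTATUS values that show up in 4625 Status/SubStatus (well-known constants).
$statusNames = @{
    '0xc000006d' = 'STATUS_LOGON_FAILURE'
    '0xc000006a' = 'STATUS_WRONG_PASSWORD'
    '0xc0000064' = 'STATUS_NO_SUCH_USER'
    '0xc000006e' = 'STATUS_ACCOUNT_RESTRICTION'
    '0xc000006f' = 'STATUS_INVALID_LOGON_HOURS'
    '0xc0000070' = 'STATUS_INVALID_WORKSTATION'
    '0xc0000071' = 'STATUS_PASSWORD_EXPIRED'
    '0xc0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xc000015b' = 'STATUS_LOGON_TYPE_NOT_GRANTED (missing logon right, e.g. not in Remote Desktop Users)'
    '0xc0000193' = 'STATUS_ACCOUNT_EXPIRED'
    '0xc0000224' = 'STATUS_PASSWORD_MUST_CHANGE'
    '0xc0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
}

function Resolve-NtStatus([string]$Code) {
    # The event XML carries the codes as lower-case hex strings such as 0xc000006a.
    $k = $Code.ToLower()
    if ($statusNames.ContainsKey($k)) { "$Code $($statusNames[$k])" } else { $Code }
}

function Get-LogonFailureSummary {
    param([int]$Hours = 24, [int]$MaxEvents = 2000)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # EventData is a list of <Data Name="...">text</Data>; index it by Name.
        $d = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = $d.TargetUserName
            Domain    = $d.TargetDomainName
            LogonType = $d.LogonType                 # 3 = network (NLA/CredSSP), 10 = RemoteInteractive
            Package   = $d.AuthenticationPackageName # NTLM, Kerberos or Negotiate
            Source    = $d.IpAddress
            Status    = Resolve-NtStatus $d.Status
            SubStatus = Resolve-NtStatus $d.SubStatus
        }
    }
}

$failures = Get-LogonFailureSummary -Hours 24

# Which (package, logon type, sub-status) combinations dominate?
$failures | Group-Object Package, LogonType, SubStatus | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# The individual NTLM failures (the shape of the event quoted above), with their sources.
$failures | Where-Object Package -eq 'NTLM' |
    Format-Table Time, User, Domain, Source, SubStatus -AutoSize
```

If every NTLM entry for an account is STATUS_WRONG_PASSWORD while Kerberos logons for the same account succeed, the password itself is not the problem; look at whether the domain holds an NTLM hash for that account (the password-hash-synchronization steps in the next answer) rather than at group membership.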

SimonBurbery-9608 answered

Are the users cloud or AD Connect synced? I've just been through an AVD / AADDS deployment that involved both user types... Azure AD accounts had no problem from the outset, but when AD synced users tried to log in it failed immediately 'Oops... something wrong blah blah...'

I thought it should work 'out of the box', but you have to run a PowerShell script on the AD Connect server as per:
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-configure-password-hash-sync#enable-synchronization-of-password-hashes.

But the issue still occurred after this! We then found that in the AADDS configuration in Azure, under 'Security', you need to enable the following:
'NTLM v1 Authentication'
'Password Synchronization from On-Premises'
'NTLM Password Synchronization'

After doing these steps, be patient and give it 30 mins or so - it does not take effect immediately.

Then you can reset the users' passwords on-premises (or in Azure AD if you have 'Password Writeback' enabled). Wait five minutes and gasp as you see the login working! =)

Cheers,
Simon - https://www.howdoiuseacomputer.com

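The Azure AD Connect step from the answer above, written out as an added example (not code from the original post; it follows the force-full-password-sync procedure in the linked tutorial, so check it against the current version of that page). Run it in an elevated PowerShell on the Azure AD Connect server. The two connector names are placeholders: they are case sensitive and must be read from Synchronization Service Manager. The Application-log query at the end assumes the password hash sync events are written by the 'Directory Synchronization' source, which is how they appear on a typical install.

```powershell
# Connector names are placeholders; copy the exact, case-sensitive names from
# Synchronization Service Manager > Connectors.
$azureadConnector = 'contoso.onmicrosoft.com - AAD'
$adConnector      = 'contoso.com'

Import-Module 'C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1'

# Flag the AD DS connector so the next password sync cycle re-sends every user's
# hashes. That full push is what carries the legacy (NTLM/Kerberos) hash formats
# the managed domain needs; a normal delta cycle only sends changed passwords.
$c = Get-ADSyncConnector -Name $adConnector
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter `
        'Microsoft.Synchronize.ForceFullPasswordSync', String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c

# Toggling password hash sync off and back on starts the full synchronization.
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $azureadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $azureadConnector -Enable $true

# Confirm password hash sync is enabled again for the on-premises connector.
Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector

# Watch the sync batches and per-user password changes (650/651 = batch start/finish,
# 656/657 = password change request/result). Provider name assumed as noted above.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Directory Synchronization'; Id = 650, 651, 656, 657 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Format-Table TimeCreated, Id, Message -AutoSize -Wrap
```

After the full sync has reached the managed domain (allow the waiting time mentioned above), a password change for the affected users regenerates their hashes in the required format; the event-log query shows the per-user 656/657 pairs as those changes flow through. NTLM v1 is a separate, weaker protocol from the NTLMv2 that CredSSP-based RDP uses, so that particular toggle can stay off unless a legacy application is known to need it.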