
Chris-9656 asked · Garion-7386 answered

Server 2012 r2 continuously locks desktop every few seconds, requiring re-authentication via smartcard (RDP)

More detailed description of the issue:

I RDP into the server and authenticate via smart card. The server session is established and I'm doing my thing on the server. Every few seconds (15 secs or so) my desktop session is locked (as if I hit Windows+L) and I have to sign back in with the smart card.

I've reviewed numerous event logs and see a few errors regarding logon and smart card, but I have found nothing relevant when researching these events.

The only thing that works is restarting the server.

- I've tried restarting the smart card services to no avail
- I've tried gpupdate to no avail
- I've tried closing the RDP session and attempting another RDP session
- This seems to affect all admins on the affected server

It's not the smart card reader, as other servers seem to behave normally during this issue. It doesn't affect all of my servers at the same time, so I don't think it's network or GPO related, as they're all in the same subnet and OU.

Any advice on where to look would be great. Due to security reasons we are limited in what 3rd party applications we can run on these servers for troubleshooting.

remote-desktop-services

JiaYou-MSFT answered · Chris-9656 commented

Hi,

1. When did the current issue first happen? Did it work fine before?

2. When we use the same Win10 PC to remotely access both the normal RD Session Host server and the problem RD Session Host server, does the issue only happen on the problem RD Session Host server?

3. Could you please create a temp folder on disk C, run the command below on the problem RD Session Host server, and then check whether the policy below is configured?

    gpresult /h c:\temp\rds.html

    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
    Interactive logon: Smart card removal behavior
    Lock Workstation in the Properties dialog box


4. "Server 2012 r2 continuously locks desktop every few seconds (15secs or so),"
When we remotely access the session host server using a smart card, did you remove the smart card after that time?

Interactive logon: Smart card removal behavior
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior


5. When the issue happens, are there any logs about the smart card?
I think our issue happens on/before event ID 4800 occurs in the Security log.

4800 - The workstation was locked.
4801 - The workstation was unlocked.

Event Viewer\Windows Logs\Security

Event Viewer\Applications and Services Logs\Microsoft\Windows\
    SmartCard-Audit\Authentication
    SmartCard-DeviceEnum\Operational
    SmartCard-TPM-VCard-Module\Admin
    SmartCard-TPM-VCard-Module\Operational

Event Viewer\Applications and Services Logs\Microsoft\Windows\
    TerminalServices-RemoteConnectionManager
    TerminalServices-ClientUSBDevices\Admin
    TerminalServices-ClientUSBDevices\Operational
    TerminalServices-PnPDevices\Admin
    TerminalServices-PnPDevices\Operational


Smart Card Events
https://docs.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-events

6. Since our smart card is redirected to the remote session, I am not sure whether redirecting the smart card to the remote session has some problem after 15 secs. Did you try updating the smart card driver for both the smart card reader device and the smart card device, on both the Win10 client and the problem remote server, in Device Manager?


Chris-9656 commented:

I noticed something weird in the Security event logs today when the issue happened again.

At 10:42:08 Event 4624 "An account was successfully logged on"
Logon ID: 0x17A09156

Next Event, same time 10:42:08 and same Event 4624, "An account was successfully logged on"
Logon ID: 0x17A40CCC

The next Event I see is 4672 "Special privileges assigned to new logon"
Logon ID: 0x17A09156

The next Event after that, 4634 "An account was logged off"
Logon ID: 0x17A40CCC

Right after that, the next event 4634 "An account was logged off"
Logon ID: 0x17A09156


Not sure what's causing that, but it looks like it's creating 2 logon sessions for me somehow, and then when privileges get assigned to one, both logon sessions get logged off.

Any ideas???

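An added example (not code from the thread) for step 5 of the answer above and the 4624/4634 pattern in the comment: a PowerShell script that pulls the Security-log events discussed here, keys them by Logon ID, and reports the lock cadence, logon sessions that only live for seconds, and 4625 failures by status and calling process. It assumes it is run elevated on the affected RD Session Host; the 30-minute window is a chosen default.

```powershell
# Correlate Security-log events by Logon ID around the repeated 4800 locks.
# Added example; assumes an elevated session on the affected RDS host.
param([int]$Minutes = 30)

$since  = (Get-Date).AddMinutes(-$Minutes)
$ids    = 4624, 4625, 4634, 4672, 4800, 4801   # logon, failure, logoff, privileges, lock, unlock

$events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=$ids; StartTime=$since} -ErrorAction Stop |
  ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # The Logon ID field differs per event: 4624/4634/4800 use Target*, 4672/4625 use Subject*
    $logonId = if ($d.TargetLogonId) { $d.TargetLogonId } else { $d.SubjectLogonId }
    [pscustomobject]@{
      Time    = $_.TimeCreated
      Id      = $_.Id
      LogonId = $logonId
      User    = if ($d.TargetUserName) { $d.TargetUserName } else { $d.SubjectUserName }
      Type    = $d.LogonType
      Status  = $d.Status
      Proc    = $d.ProcessName
    }
  } | Sort-Object Time

# 1. Lock cadence: the question describes a 4800 roughly every 15 seconds
$locks = @($events | Where-Object Id -eq 4800)
if ($locks.Count -gt 1) {
  $gaps = for ($i = 1; $i -lt $locks.Count; $i++) { ($locks[$i].Time - $locks[$i-1].Time).TotalSeconds }
  '{0} lock events; median gap {1:N1} s' -f $locks.Count, ($gaps | Sort-Object)[[int]($gaps.Count / 2)]
}

# 2. Short-lived logon sessions: 4624 and 4634 sharing a Logon ID within a minute
$events | Where-Object { $_.Id -in 4624, 4634 } | Group-Object LogonId | ForEach-Object {
  $on  = $_.Group | Where-Object Id -eq 4624 | Select-Object -First 1
  $off = $_.Group | Where-Object Id -eq 4634 | Select-Object -First 1
  if ($on -and $off) {
    [pscustomobject]@{ LogonId = $_.Name; User = $on.User; LogonType = $on.Type
                       Lifetime = [math]::Round(($off.Time - $on.Time).TotalSeconds, 1) }
  }
} | Where-Object Lifetime -lt 60 | Sort-Object Lifetime | Format-Table -AutoSize

# 3. Failures: 4625 grouped by NTSTATUS (the thread saw 0xc000038f) and caller process
$events | Where-Object Id -eq 4625 | Group-Object Status, Proc | Select-Object Count, Name
```

Run it while the locking is happening so the window contains several cycles; a logon type of 10 (RemoteInteractive) on the short-lived sessions ties them to the RDP logon rather than a background service.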
Chris-9656 answered

Thank you for the reply and info!

So this issue is happening again. See info below.


Security event logs: Event ID 4625 "an account failed to log on"
Failure reason: "an error occurred during logon."
Status: 0xc000038f
Sub status: 0x0
Caller Process Name: C:\Windows\System32\lsass.exe


I'm also noticing, around the same time in the Application event log, Event ID 7 "An error occurred while signing a message using the inserted smart card: provider could not perform the action since the context was acquired as silent".

In the System event log I'm seeing Event ID 7036 "WMI Performance Adapter service entered a stopped state", and then 1 second later the same event ID but with the message "WMI Performance Adapter service entered a running state".

All of these events happened within a second of each other.

It's really hard for me to pinpoint as it keeps locking out every 15-20 seconds and generates a new set of logs.

I confirmed that Interactive logon: Smart card removal behavior is set to Lock Workstation.

Garion-7386 answered

I have found on Server 2012R1 that when you have disabled caching of credentials on the server, the Credential Manager (LSASS.exe) is not required or needed. My experience with the server locking every now and then after logging in with a smart card is that it is fixed when the Credential Manager service is disabled. The problem goes away.

NOTE: For Server 2016 it is still Credential Manager, but the service name is now VaultSvc.


IMO, I believe this is because Server 2012 is trying to either cache or reach your cached credentials, and when it can't, it locks the server and you have to log in all over again.

I have not had any issues with disabling the service and using smart cards for RDP authentication.

Before trying this method, I tried everything I could think of in GP to fix it, to no avail.
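An added example (not the answerer's own code) that reads the three settings this thread turns on before anything is changed: the smart card removal policy from step 3 of the first answer, the cached-logons setting, and the Credential Manager service state from the answer above. The Winlogon registry value names are the standard backing store for those policies; the service is found by display name so its short name is not assumed, and the optional switch applies the change the answer describes.

```powershell
# Inspect (and optionally apply) the settings discussed in this thread on the RDS host.
# Added example; assumes an elevated session on the affected server.
param([switch]$DisableCredentialManager)   # apply the change Garion-7386 reports fixed it

$p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# "Interactive logon: Smart card removal behavior" is stored in scRemoveOption:
# 0 = No Action, 1 = Lock Workstation, 2 = Force Logoff, 3 = Disconnect if RDS session
$scMap = @{ '0' = 'No Action'; '1' = 'Lock Workstation'; '2' = 'Force Logoff'; '3' = 'Disconnect RDS session' }
$sc = [string]$p.scRemoveOption
'Smart card removal behavior : {0} ({1})' -f $sc, $(if ($scMap.ContainsKey($sc)) { $scMap[$sc] } else { 'not set' })

# "Interactive logon: Number of previous logons to cache" is stored in CachedLogonsCount
'Cached logons count         : {0}' -f $p.CachedLogonsCount

# Credential Manager service: current state and start mode (Win32_Service works on PS 3+)
$svc  = Get-Service -DisplayName 'Credential Manager'
$mode = (Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'").StartMode
'Credential Manager ({0})    : {1}, start mode {2}' -f $svc.Name, $svc.Status, $mode

if ($DisableCredentialManager) {
    # Record the previous start mode so the change can be reverted after testing on one host
    "Previous start mode: $mode"
    Set-Service -Name $svc.Name -StartupType Disabled
    Stop-Service -Name $svc.Name -Force
    Get-Service -Name $svc.Name | Select-Object Name, Status
}
```

Without the switch the script only reports; compare its output between a healthy server and the affected one, since the question notes the problem does not hit all hosts in the same OU at once.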