BakerJohnRCUSDIFASRDTE-9745 asked LimitlessTechnology-2700 answered

Credentials being blocked from use on RDP connection

We have a production network that is managed by a corporate IT group external to our facility.
We have a test network that is operated as a firewalled network segment.
The firewall is managed by the corporate IT group.
RDP connections are allowed across the firewall to Windows workstations and VMs on the firewalled network segment.
A Windows domain is running on the firewalled network segment and is managed by a local group to apply GPO based policies.
All resources on the firewalled network require firewall domain credentials for access.
One of the GPOs maps a DFS share.

When working locally:
[Production Workstation] --RDP across firewall--> [Firewalled workstation]
User on firewalled workstations/VMs can access DFS resources.

When working remotely from home, we can do the following:
[Remote Workstation] --RDP--> [Production Workstation]
[Production Workstation] --RDP across firewall--> [Firewalled workstation]
User on firewalled workstations/VMs can access DFS resources.

In order to facilitate remote users' needs, a terminal server was added to the production network and is managed by the corporate IT group. Remote users would then use the following means of connecting:
[Remote Workstation] --RDP--> [Production Terminal Server]
[Production Terminal Server] --RDP across firewall--> [Firewalled workstation]
User on firewalled workstations/VMs can access DFS resources.

In early July, the following 2 policies were added:
Delegation of default credentials with NTLM-only server authentication
Set policy “Allow delegating default credentials with NTLM-only server authentication” to “Disabled”
Restrict delegation of credentials to remote servers
Set policy “Restrict delegation of credentials to remote servers" to “Enabled” and restricted mode to “Require Restricted Admin”

Once these policies were in place:
[Remote Workstation] --RDP--> [Production Terminal Server]
[Production Terminal Server] --RDP across firewall--> [Firewalled workstation]
Users on firewalled workstations can no longer access DFS resources. No permissions. Unmapping everything and remapping sometimes works. Major PITA.

This has to do with passing of credentials and allowing them to be cached by machines that are members in the firewalled network domain.
In the past, we set the registry key
HKLM\System\CurrentControlSet\Control\LSA\DisableRestrictedAdmin to REG_DWORD 0x00000000

Firewalled domain credentials are clearly being presented to the firewalled domain in order for users to log on to resources. But how can they then be blocked from being used once access to the resource is granted?
What policy or policies can we implement to trust these credentials?
Other registry entries?

windows-group-policy
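The two GPOs and the LSA registry key named in the question, as an added example that is not part of the original post: a read-only PowerShell audit of the registry values those settings write, meant to be run on the hop that opens the RDP connection (the production terminal server) and on the firewalled workstation. The registry value names follow the CredSsp.admx template shipped with Windows; the mapping from each GPO's display text to its value is stated in the comments so it can be checked against the ADMX. The security point the script surfaces: with "Restrict delegation of credentials to remote servers" set to "Require Restricted Admin", the client deliberately never sends the user's credentials to the RDP target, so an SMB/DFS connection opened from inside that session authenticates to the file server as the RDP target's computer account, not as the user. A share whose ACL grants the user but not the workstation's computer account then fails with no permissions, which matches the symptom described.

```powershell
# Added example, not code from the original post. Read-only audit of the registry
# values behind the Credentials Delegation GPOs and the LSA Restricted Admin switch.
# Value names follow the CredSsp.admx template; no hostnames or share paths needed.

$CredSspPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$LsaKey        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RegDword {
    # Returns the DWORD stored at $Path\$Name, or $null when the key or value is
    # absent (for a policy value that means the GPO is "Not Configured").
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-AllowedSpnList {
    # Policies that take a server list keep it in a subkey as values "1","2",...
    # whose data is an SPN pattern such as "TERMSRV/*". Empty when not configured.
    param([string]$SubKey)
    $path = Join-Path $CredSspPolicy $SubKey
    if (-not (Test-Path $path)) { return @() }
    $item = Get-Item $path
    $item.GetValueNames() | ForEach-Object { $item.GetValue($_) }
}

function Get-CredentialDelegationAudit {
    # GPO "Restrict delegation of credentials to remote servers"
    $restrict     = Get-RegDword $CredSspPolicy 'RestrictedRemoteAdministration'
    $restrictType = Get-RegDword $CredSspPolicy 'RestrictedRemoteAdministrationType'
    # GPO "Allow delegating default credentials with NTLM-only server authentication"
    $ntlmOnly     = Get-RegDword $CredSspPolicy 'AllowDefCredentialsWhenNTLMOnly'
    # GPO "Allow delegating default credentials" (servers authenticated by Kerberos)
    $allowDefault = Get-RegDword $CredSspPolicy 'AllowDefaultCredentials'
    # Target-side switch from the question: 0 = this host accepts Restricted Admin RDP
    $disableRA    = Get-RegDword $LsaKey 'DisableRestrictedAdmin'

    $mode = switch ($restrictType) {
        1       { 'Require Restricted Admin' }
        2       { 'Require Remote Credential Guard' }
        3       { 'Restrict credential delegation' }
        default { 'Not Configured' }
    }

    # Identity that an SMB/DFS connection opened from inside the resulting RDP
    # session presents to the file server.
    $outbound = if ($restrict -eq 1 -and $restrictType -eq 1) {
        'RDP target computer account (Restricted Admin: user credentials never reach the target)'
    } elseif ($restrict -eq 1 -and $restrictType -eq 2) {
        'User, via Kerberos tickets redirected to the RDP client (Remote Credential Guard; no NTLM)'
    } elseif ($restrict -eq 1 -and $restrictType -eq 3) {
        'Remote Credential Guard if the target supports it, otherwise Restricted Admin (computer account)'
    } else {
        'User (credentials delegated to the target through CredSSP)'
    }

    [pscustomobject]@{
        RestrictDelegationEnabled      = ($restrict -eq 1)
        RestrictDelegationMode         = $mode
        AllowDefaultCredentials        = $allowDefault
        AllowDefaultCredentialsServers = (Get-AllowedSpnList 'AllowDefaultCredentials') -join ', '
        AllowDefCredsNtlmOnly          = $ntlmOnly
        AllowDefCredsNtlmOnlyServers   = (Get-AllowedSpnList 'AllowDefCredentialsWhenNTLMOnly') -join ', '
        LsaDisableRestrictedAdmin      = $disableRA
        OutboundIdentityFromSession    = $outbound
    }
}

Get-CredentialDelegationAudit | Format-List
```

To confirm the diagnosis rather than infer it from policy, check the DFS file server's Security log while a user in the affected session opens the share: a logon event (ID 4624, logon type 3) whose Account Name is the firewalled workstation's computer account (NAME$) rather than the user is the signature of a Restricted Admin session. The fix is then a policy decision, not a registry tweak on the target: either relax the restricted mode on the terminal server so CredSSP delegation is allowed to the intended TERMSRV/* SPNs, or keep Restricted Admin and grant the workstations' computer accounts access to the DFS resources.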

1 Answer

LimitlessTechnology-2700 answered

Hello @BakerJohnRCUSDIFASRDTE-9745,

Thank you for your question.

Based on the description of your problem, I recommend that you consult the article below:

https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/troubleshoot/cannot-authenticate-or-must-authenticate-twice



If the answer is helpful, please vote positively and accept as an answer.
