#StackBounty: #c# #events #rdp #ocx #mstsc How to recognize when logon fails in RDP / MSTSC?

Bounty: 100

I am working on a C# implementation of RDP / MSTSC using the MsRdpClient9NotSafeForScripting class.

I need to recognize when the user logon failed due to wrong credentials.

The event OnLogonError should do the job but it doesn’t fire (at least not on Server 2016), while the other events seem to work properly.

From the Microsoft documentation of OnLogonError:

LOGON_FAILED_BAD_PASSWORD (0 (0x0))

The logon failed because the logon credentials are not valid.

The behaviour (not firing OnLogonError) is reported several times, but without a solution. The one hint I found is at codeproject:

After further testing, I found out that if connecting to a Windows 2003 server, the event is entered. But not when connecting to Win7 and newer and Win2008R2 and newer. I wonder if Microsoft removed the event functionality in newer systems?

But according to the documentation of the event, it should be supported:

Minimum supported client Windows Vista

Minimum supported server Windows Server 2008


Edit

I downloaded mRemoteNG, which seems to be a very clean implementation of RDP. The event is not used there. But when I add it, it also never fires.

Edit2

The event seems to work when connecting to a Windows Server 2012 R2. But not for Server 2016 / 2019.


What I tried so far

  • Testing with several implementations of the class (from MsRdpClient6NotSafeForScripting to MsRdpClient9NotSafeForScripting)
  • Testing with several settings

Questions

  • Is there any setting which could cause this event not to fire?
  • Is there any alternative to recognize a logon fail?



#StackBounty: #remote-desktop #rdp #windows-10 RDP with NLA does not work, unless logging in locally first

Bounty: 50

When connecting to a remote PC, I get this error:


But if I walk to the remote PC, login (with the same credentials) and walk back, RDP suddenly works. This happens each day. The remote PC might be powered off in between (I’ll check this in the future).

Details:

  • remote PC: Windows 10, member of a domain
  • client: Windows 10 (not member of domain, at least not the same one)
  • used login credentials: a domain user (from the joined domain, obviously)
  • time is correct on both (checked with https://time.is)

Walking to the remote PC defeats the purpose of remote access, so I’m looking for help. Also, I would rather not disable NLA.



#StackBounty: #rdp #remote-desktop-services #windows-authentication #ntlm Remote Desktop Authentication without NTLM – How to Configure…

Bounty: 100

Background

This has been bugging me for quite a while (and no amount of internet searching has amounted to a decent solution), so I’m hoping someone can offer some sage advice. When I try and start a Remote Desktop session from a Mac to a Windows domain-joined PC, using Microsoft’s latest Remote Desktop Client (v10.3.9 currently), I’ll often receive the error in the following screenshot.

Error code: 0x207. We couldn't connect to the remote PC.

We couldn’t connect to the remote PC. This might be due to an expired
password. If this keeps happening, contact your network administrator
for assistance.

Error code: 0x207

If I try and remote into the same PC from a Windows PC, using the native Windows Remote Desktop client, I don’t get this error, and can connect fine. This is specific to non-Windows clients.

TL;DR

Is there a way I can enable non-Windows clients to connect to domain-joined Windows PCs by remote desktop, without making NTLM authentication exceptions for each target PC? Kerberos doesn’t seem available for the Mac RDP Client, is there another authentication mechanism that is supported?

GPO Settings and Event Logs, on the RDP Server

The domain-joined target PC (RDP server) has many GPOs applied. What I think are all the relevant settings from gpresult follow:

  • Computer Settings > Policies > Administrative Templates
    • Network/Network Connections/Windows Defender Firewall/Domain Profile:
      • Windows Defender Firewall: Allow Local Port Exceptions: Enabled
      • Windows Defender Firewall: Defined Inbound Port Exceptions: 3389:TCP:[IP Addresses]:enabled:Remote Desktop Connections
    • System/Credentials Delegation
      • Remote Host Allows delegation of non-exportable credentials: Enabled
    • Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections
      • Allow users to connect remotely by using Remote Desktop Services: Enabled
    • Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security
      • Always prompt for password upon connection: Enabled
      • Require secure RPC communication: Enabled
      • Require user authentication for remote connections by using Network Level Authentication: Enabled
      • Set client connection encryption level: Enabled. Encryption Level: High Level

Users intended for remote access are added to the respective remote desktop PC’s user group “Remote Desktop Users”, using the lusrmgr.msc MMC snap-in.

If I try and log in from a non-Windows client, thereby receiving the above error, the Security Log on the RDP Server shows a failed Logon Event, ID 4625:-

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          <Date> <Time>
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      <RDP Host>
Description:
An account failed to log on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       <User Name>
    Account Domain:     <Domain Name>

Failure Information:
    Failure Reason:     An Error occured during Logon.
    Status:         0x80090302
    Sub Status:     0xC0000418

Process Information:
    Caller Process ID:  0x0
    Caller Process Name:    -

Network Information:
    Workstation Name:   <RDP PC FQDN>
    Source Network Address: <RDP PC IP Address>
    Source Port:        0

Detailed Authentication Information:
    Logon Process:      NtLmSsp 
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only):   -
    Key Length:     0

GPO Settings and Event Logs, on the Domain Controller

So, looks like a failed Network login using NTLM authentication. As per various security best-practices and recommendations, I have tried to disable NTLM authentication in the domain, by applying the following group policies to Domain Controllers, using the Default Domain Controllers Policy:-

  • Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
    • Network Security: LAN Manager authentication level: Send NTLMv2 response only. Refuse LM & NTLM
    • Network Security: Restrict NTLM: NTLM authentication in this domain: Deny for Domain Accounts to Domain Servers.
    • Network security: Restrict NTLM: Audit Incoming NTLM Traffic: Enable auditing for all accounts

On the domain controller, I have a corresponding log event to the failed NTLM authentication request, under Applications and Services logs > Microsoft > Windows > NTLM > Operational:-

Log Name:      Microsoft-Windows-NTLM/Operational
Source:        Microsoft-Windows-Security-Netlogon
Date:          <Date> <Time>
Event ID:      4004
Task Category: Blocking NTLM
Level:         Warning
Keywords:      
User:          SYSTEM
Computer:      <DC FQDN>
Description:
Domain Controller Blocked: NTLM authentication to this domain controller is blocked.
Secure Channel name: <RDP PC FQDN>
User name: <User Name>
Domain name: <Domain>
Workstation name: <RDP PC FQDN>
Secure Channel type: 2

NTLM authentication within the domain <Domain> is blocked.

If you want to allow NTLM authentication requests in the domain <Domain>, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Disabled.

If you want to allow NTLM authentication requests only to specific servers in the domain ms-rtc, set the security policy Network Security: Restrict NTLM: NTLM authentication in this domain to Deny for domain servers or Deny domain accounts to domain servers, and then set the security policy Network Security: Restrict NTLM: Add server exceptions in this domain to define a list of servers in this domain as an exception to use NTLM authentication.

The Workaround

So, the only way I know of to allow Remote Desktop access to PCs from a non-Windows client is to add that PC’s FQDN to the Default Domain Controllers Policy, under:-

  • Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
    • Network security: Restrict NTLM: Add server exceptions in this domain:

P.S. Just thought, haven’t mentioned certificates. I have deployed an internal PKI and have RDP Certificates automatically deployed by GPO also. From the client, I am prompted whether or not to trust the certificate, the 0x207 occurs after I choose Accept to Trust the certificate, and then enter my domain\user name and password. As above, I can connect if an NTLM exception is listed, or login will fail if the server is not listed as an exception.


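For the 4625 record quoted in the question above, here is an added example (not from the question or from any answer to it) that parses the event text and classifies the failure from its Status / Sub Status pair, so a defender reviewing the Security log can tell an NTLM request refused by the Restrict NTLM policy (Sub Status 0xC0000418, STATUS_NTLM_BLOCKED) apart from an actual bad password. The sample record is constructed to follow the layout shown above with placeholder host, user and address values, and the status-name table covers only a handful of well-known NTSTATUS / SECURITY_STATUS values.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the 4625 record in the question
# (placeholder host/user/address values, not a real capture).
SAMPLE_4625_NTLM_BLOCKED = """\
An account failed to log on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       jdoe
    Account Domain:     EXAMPLE

Failure Information:
    Failure Reason:     An Error occured during Logon.
    Status:         0x80090302
    Sub Status:     0xC0000418

Network Information:
    Workstation Name:   rdp-host.example.test
    Source Network Address: 192.0.2.10
    Source Port:        0

Detailed Authentication Information:
    Logon Process:      NtLmSsp
    Authentication Package: NTLM
"""

# Same constructed record, but with the codes a plain wrong password produces.
SAMPLE_4625_BAD_PASSWORD = (SAMPLE_4625_NTLM_BLOCKED
                            .replace("0x80090302", "0xC000006D")
                            .replace("0xC0000418", "0xC000006A"))

# Well-known Windows status values seen in 4625 Status / Sub Status fields.
STATUS_NAMES = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000418: "STATUS_NTLM_BLOCKED",
    0x80090302: "SEC_E_UNSUPPORTED_FUNCTION",
}


@dataclass
class LogonFailure:
    logon_type: int
    account: str
    domain: str
    status: int
    sub_status: int
    auth_package: str
    workstation: str


def _field(text: str, name: str, last: bool = False) -> str:
    """Return the value of a 'Name:  value' line. 'last' selects the final
    occurrence, because Account Name / Account Domain appear both under
    Subject and under Account For Which Logon Failed."""
    matches = re.findall(rf"^[ \t]*{re.escape(name)}:[ \t]*(.*?)[ \t]*$", text, re.M)
    if not matches:
        raise ValueError(f"field {name!r} not found in event text")
    return matches[-1] if last else matches[0]


def parse_4625(text: str) -> LogonFailure:
    """Extract the fields a triage needs from the message body of a 4625 event."""
    return LogonFailure(
        logon_type=int(_field(text, "Logon Type")),
        account=_field(text, "Account Name", last=True),
        domain=_field(text, "Account Domain", last=True),
        status=int(_field(text, "Status"), 16),
        sub_status=int(_field(text, "Sub Status"), 16),
        auth_package=_field(text, "Authentication Package"),
        workstation=_field(text, "Workstation Name"),
    )


def classify(f: LogonFailure) -> str:
    """Map the status pair onto a defender-facing category; the NTLM-blocked
    case is checked first because its Status (0x80090302) is not a logon
    failure code and would otherwise look like an unexplained error."""
    if f.sub_status == 0xC0000418 or f.status == 0xC0000418:
        return "ntlm_blocked_by_policy"
    if f.sub_status == 0xC000006A:
        return "bad_password"
    if f.sub_status == 0xC0000064:
        return "unknown_user"
    if f.sub_status == 0xC0000234:
        return "account_locked_out"
    if f.sub_status == 0xC0000072:
        return "account_disabled"
    return "other"


def describe(f: LogonFailure) -> str:
    """One-line summary with symbolic status names where known."""
    status = STATUS_NAMES.get(f.status, hex(f.status))
    sub = STATUS_NAMES.get(f.sub_status, hex(f.sub_status))
    return (f"{f.domain}\\{f.account} from {f.workstation} via {f.auth_package} "
            f"(logon type {f.logon_type}): {classify(f)} [{status} / {sub}]")


if __name__ == "__main__":
    for sample in (SAMPLE_4625_NTLM_BLOCKED, SAMPLE_4625_BAD_PASSWORD):
        print(describe(parse_4625(sample)))
```

A record classified as ntlm_blocked_by_policy means the client never got a chance to prove the password: the domain controller refused the NTLM exchange (the matching 4004 "Blocking NTLM" event on the DC confirms it), which is why the Mac client's generic 0x207 error is misleading here and why an audit-only Restrict NTLM setting is useful for seeing which hosts still depend on NTLM before enforcing the deny.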

#StackBounty: #windows #group-policy #windows-server-2016 #rdp Allow non-admin users RDP session "Sign off" rights on Windows…

Bounty: 50

Is there a way to allow a non-admin user access to kill rogue RDP sessions on Windows Server 2016 using Group Policy? Our network consists of hundreds of 2016 and 2012r2 servers, so we’re trying to do this with GP instead of individually on each server.

This post is related, only our servers do not have the RDSH role applied, and it seems this would need to be configured on each server individually.


