Why can't I RDP over VPN to a machine to which I can RDP from the LAN

I've got a user to whom I just gave a new machine. She still has her old machine running.

All machines are Windows 7. VPN is via Cisco AnyConnect client to our ASA.

She can RDP to the new machine from her old machine from within the LAN.

She can RDP to her old machine from the new machine on the LAN.

She can RDP to the old machine from her home machine on the VPN.

She *cannot* RDP to the new machine from her home machine on the VPN. The error is a simple authentication message (see attached screen shot).

She can RDP to another machine on the VPN and then hop from there to the new machine.

I looked at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
The Security Packages Key had kerberos msv1_0 schannel wdigest tspkg pku2u, as required.

VPN policy and certificates loaded on that new computer? Can she access all other network resources as before when she is VPN'd in?
richardRinJHAuthor Commented:
Yes. Access over the VPN is unchanged to all other resources. I'd think it was simply not having RDP open on the new machine, except that she can get to it from within the LAN. I don't know of a setting that would allow it from within the LAN but not on the VPN; is there one?
Because the Windows Firewall is on.  Turn the Windows firewall off (all 3 settings) and test.

Once confirmed you can turn it back on and modify the firewall to allow RDP from the VPN address pool.

Also make sure she did not set her "home" network to public when she "plugged in" at home.
richardRinJHAuthor Commented:
I thought about that, but the fact that she can see other machines inside the LAN from the VPN connection led me away from thinking it's on her end.
Turn the firewall off on the machine she is connecting TO, not the machine she is connecting FROM.
> I don't know of a setting that would allow it from within the LAN but on the VPN, is there one?

Yes.  The firewall.
When she is connecting on the LAN I would assume you are authenticating on the domain, so the Windows Firewall sets that up under the "domain" firewall rules. When she is connecting from outside, she could have selected public.
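The two points made in this thread, that the active firewall profile decides which rule set applies and that the fix is to allow RDP from the VPN address pool rather than leave the firewall off, can be checked and applied on the machine being connected TO with the script below. This is an added example, not code from the thread or from Cisco/Microsoft; it uses `netsh advfirewall`, which is present on Windows 7 (the `Get-NetFirewallRule` cmdlets only arrived with Windows 8), and the address ranges and the rule name `Remote Desktop (TCP-In)` are assumptions you should check against your own ASA pool and `netsh` output.

```powershell
# Added example (not from the thread): inspect the active Windows Firewall profile on the
# RDP target, confirm the built-in Remote Desktop rule is enabled for that profile, and
# scope the rule to the LAN plus the VPN address pool instead of switching the firewall off.
# netsh advfirewall exists on Windows 7; run this from an elevated PowerShell prompt.
# ASSUMPTION: 10.99.0.0/24 is the AnyConnect address pool and 192.168.10.0/24 is the LAN.
# Both are placeholders; substitute the ranges configured on your ASA.
$VpnPool   = '10.99.0.0/24'
$LanSubnet = '192.168.10.0/24'
$RuleName  = 'Remote Desktop (TCP-In)'   # built-in rule name on Windows 7 (assumed; verify)

# 1. Which profile is in force right now? A domain-joined machine that has landed on the
#    "Public" profile only evaluates the Public rule set, where inbound RDP is normally blocked.
netsh advfirewall show currentprofile

# 2. Show the RDP rule with its per-profile state and its RemoteIP scope.
netsh advfirewall firewall show rule name="$RuleName" verbose

# 3. Enable the whole Remote Desktop rule group (TCP 3389) rather than opening a raw port.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes

# 4. Restrict the rule to the profiles the machine uses on the corporate network and to the
#    only sources that should ever reach RDP: the LAN and the VPN pool. This is the
#    "allow RDP from the VPN address pool" step, done explicitly.
netsh advfirewall firewall set rule name="$RuleName" new profile=domain,private remoteip="$LanSubnet,$VpnPool"

# 5. Re-check the rule, and confirm the service is actually listening on 3389; a rule
#    cannot help if Remote Desktop itself is not enabled on the machine.
netsh advfirewall firewall show rule name="$RuleName" verbose
netstat -an | Select-String ':3389 '
```

If step 1 reports `Public` on a machine that should be domain-joined, fix the network location (or the domain membership) first; scoping the rule under the wrong profile changes nothing the machine will evaluate.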
richardRinJHAuthor Commented:
Firewall is OFF on all settings as recommended. User is no longer at home so can't test right away. It will likely be this evening before I'll know more.
Are all systems on the same subnet? Or is it possible that the new system has an IP that is outside the VPN rule, or they have an IP overlap where the user's home network matches the IP of the new system?
richardRinJHAuthor Commented:
Still testing. The user has been on vacation!
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
I provided a valid answer and request the assigned points.
I also provided a valid answer(s) and dialogue with the open poster. I would like to ask the post remain open two more weeks until the OP can respond with specifics. If no posts have been made by that time, I would agree with closing and assigning points as to participants.
richardRinJHAuthor Commented:
The user in question returns to work on Monday and we will continue troubleshooting then. All solutions suggested to date have been applied with no success. The user will bring the laptop in question in to work on Monday and we'll see what we can find when we have it in hand.

I'd suggest letting the clock run on this for a while longer.
Hello Richard,

any luck yet?
Please make your recommendations here.  Your recommendations may include:
1) Delete/refund
2) Delete/no refund
3) Accept one or more Expert posts as the answer
4) PAQ refund if the Asker answered his/her own question
If you recommend #3 or #4, please indicate which post ID(s) should be selected as the answer.  To make it easier for us to process this request, when posting the comment ID(s) to use, please post them in the format http:#CommentID. For example, http:#a12345678.
Further, if you recommend #3 or #4, please include a sentence or two to help the Moderator understand why that comment/selection of comments is the right answer, as your Moderator will not necessarily be an Expert in this particular subject!
A Moderator will be along in about 4 days to finalize the question.  Anyone not posting within that window shall be deemed no longer interested in the outcome.
Link to CSG thread:
EE Admin

Comment: http:#a37965503

recommend to #1 delete and refund as points and responses provided did not result in success for the issue posted.
3) Accept one or more Expert posts as the answer
50/50 split todd_beedy & RPPreacher
richardRinJHAuthor Commented:
No posts to this point have solved the problem. All were tested. I am pursuing a solution, but to date with no success.

I repeat, the problem has NOT been resolved.
The problem is that it is unclear what your issue is.  It seems you are able to connect, but the credentials you are using are being reflected as the cause for the failure to connect.

If you are entering the wrong credentials, or attaching local resources that cause the remote system to reject the connection, checking the event log on the desktop for the period when the connection attempts were made is the only way to see why it is being rejected.
richardRinJHAuthor Commented:
Understood. As soon as I can coerce the user into bringing her laptop to work so I can get at it that's exactly what I'm going to do. I'm trying to get the information, but am fighting user inertia!
Do you have the same VPN access?  Are you able to VPN and then RDP to a LAN system?
Is RDP on the LAN from the same system?
i.e. the laptop is on the LAN and then the user RDPs to that system?

ip route table from the remote user might be helpful before and after the VPN connection is established.
ipconfig /all
netstat -rn
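The two diagnostics suggested in this thread, the event log check on the target and the route table before and after the VPN comes up on the laptop, can be made repeatable with the script below. This is an added example and not code from the thread; the snapshot directory, the target address `192.168.10.57` and the 24-hour window are assumptions.

```powershell
# Added example (not from the thread). Part A runs on the remote user's laptop and diffs
# the routing table across the AnyConnect connection; Part B runs on the machine being
# connected TO and pulls the failed-logon events for the period of the RDP attempts.

# ---- Part A: on the laptop ---------------------------------------------------------------
$Snap = Join-Path $env:TEMP 'rdp-vpn-diag'      # ASSUMPTION: scratch directory for snapshots
New-Item -ItemType Directory -Force -Path $Snap | Out-Null

function Save-NetState([string]$Tag) {
    # Capture adapter configuration and the routing table under a 'before'/'after' tag.
    ipconfig /all | Out-File (Join-Path $Snap "ipconfig-$Tag.txt")
    netstat -rn   | Out-File (Join-Path $Snap "routes-$Tag.txt")
}

Save-NetState 'before'
Read-Host 'Connect the AnyConnect VPN now, then press Enter'
Save-NetState 'after'

# Routes added by the tunnel show as '=>', routes it removed show as '<='. If the new
# machine's subnet is absent here, or a more specific route for it points at the home
# adapter (an overlap with the home network), the packets never enter the VPN.
Compare-Object (Get-Content (Join-Path $Snap 'routes-before.txt')) `
               (Get-Content (Join-Path $Snap 'routes-after.txt'))

# ASSUMPTION: 192.168.10.57 stands in for the new machine's LAN address. The first hop
# tells you which interface actually carries traffic to it.
$Target = '192.168.10.57'
tracert -d -h 3 $Target

# ---- Part B: on the target machine, elevated ---------------------------------------------
# Security event 4625 is a failed logon. For an RDP attempt the Logon Type is 10
# (RemoteInteractive) or 3 when NLA negotiates first, and the Status / Sub Status
# fields say why it failed (bad password, disabled or locked account, and so on).
# ASSUMPTION: the attempts happened within the last 24 hours.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } |
    Select-Object TimeCreated, Message |
    Format-List
```

Run Part A with the laptop on the same Internet connection the user normally uses; the comparison is only meaningful if the 'before' snapshot reflects her real home network, since that is where an address overlap would originate.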
richardRinJHAuthor Commented:
Using the same laptop, from the same Internet connection she can VPN to another machine sitting on her desk and plugged into another port on the same switch. If I switch the machines between the two ports the problem follows the machine.
richardRinJHAuthor Commented:
We solved the problem here. All Windows 7 Security Descriptors were missing in the registry. We added them back in manually and the problem was solved. We are unsure how the registry entries went missing, the machine was a direct purchase by the user and had never been in our shop before.

I don't believe any of the proposed solutions mentioned that, so no points awarded?

Modalot EE Moderator Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for richardRinJH's comment #37972839

for the following reason:

Final solution has been posted now by the Asker, and there were no Expert suggestions used, so accepting that comment is the only correct disposition.

Modalot
Community Support Moderator
Expert solutions aided the Asker in troubleshooting and identifying a solution.  Our submitted troubleshooting steps contributed to the overall identification of a solution.
richardRinJHAuthor Commented:
I don't agree, but limited split OK by me.