Microsoft RD Client on iOS iPad: user logon fails with server event ID 4625.

We're using the newest v8.1.5 of the iOS MS RD Client on iPads. Our MS RDS host is Windows Server 2008 R2.

Remote users' logon fails, and the server shows event ID 4625. The event 4625 detail states Failure Reason: "User not allowed to logon at this computer."

We can successfully log on as Administrator but not as any of our remote users.


BIG HINT: Our Administrator account works because we do NOT have a domain user restriction for [Log On To] on Administrator, but we do restrict our remote users by COMPUTER name. THAT'S THE DIFFERENCE. If we temporarily remove the [Log On To] restriction for a remote user, presto, they can log on perfectly fine.

What's with the MS iOS RD Client? The Pocket Cloud alternative works fine for all users, but that app is now dying since it was discontinued by Dell/Wyse.
JReam asked:
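The first thing to pin down with a 4625 like the one above is which account restriction fired and what workstation name the client presented, because the [Log On To] list is the AD attribute userWorkstations (a comma-separated list of NetBIOS computer names) and the domain controller compares it against the workstation name sent at authentication. The following PowerShell is an added example, not code from the original thread; it assumes it is run on the RDS host as an administrator with the ActiveDirectory module (RSAT) installed, and 'remoteuser1' is a placeholder account name.

```powershell
# Added example, not from the original thread: triage 4625 failures on the RDS host
# and compare the workstation name each failed logon presented with the account's
# [Log On To] list (AD attribute userWorkstations). Run on the RDS host as an
# administrator with the ActiveDirectory module (RSAT) installed.
# 'remoteuser1' is a placeholder; pass -SamAccountName to pick a different user.
param(
    [string]$SamAccountName = 'remoteuser1',
    [int]$MaxEvents = 500
)
Import-Module ActiveDirectory

# NTSTATUS sub-status codes as logged in 4625; 0xC0000070 is the workstation restriction
# that the event text renders as "User not allowed to logon at this computer".
$subStatusReason = @{
    '0xC0000064' = 'User name does not exist'
    '0xC000006A' = 'Wrong password'
    '0xC000006F' = 'Outside authorized logon hours'
    '0xC0000070' = 'User not allowed to logon at this computer (workstation restriction)'
    '0xC0000071' = 'Password expired'
    '0xC0000072' = 'Account disabled'
    '0xC0000193' = 'Account expired'
    '0xC0000234' = 'Account locked out'
}

$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML into a hashtable.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
        $reason = 'Other'
        if ($subStatusReason.ContainsKey([string]$d['SubStatus'])) { $reason = $subStatusReason[$d['SubStatus']] }
        New-Object PSObject -Property @{
            Time        = $_.TimeCreated
            User        = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
            LogonType   = $d['LogonType']
            Workstation = $d['WorkstationName']
            SourceIp    = $d['IpAddress']
            SubStatus   = $d['SubStatus']
            Reason      = $reason
        }
    } |
    Where-Object { $_.User -like "*\$SamAccountName" }

$failures | Sort-Object Time | Format-Table Time, User, LogonType, Workstation, SourceIp, SubStatus, Reason -AutoSize

# What the account's [Log On To] list actually permits.
$user = Get-ADUser -Identity $SamAccountName -Properties userWorkstations
$allowed = @()
if ($user.userWorkstations) { $allowed = @($user.userWorkstations -split ',' | ForEach-Object { $_.Trim() }) }
if ($allowed.Count -eq 0) {
    "$SamAccountName has no [Log On To] restriction (all computers)."
} else {
    "$SamAccountName may log on to: $($allowed -join ', ')"
}

# For each workstation-restriction failure, show whether the presented name is in the list.
# A name that is not in the list (or an empty name) is what yields sub-status 0xC0000070.
$failures | Where-Object { $_.SubStatus -eq '0xC0000070' } | ForEach-Object {
    $ws = $_.Workstation
    if ([string]::IsNullOrEmpty($ws)) { $ws = '(empty)' }
    "{0}  workstation presented: '{1}'  in [Log On To] list: {2}" -f $_.Time, $ws, ($allowed -contains $_.Workstation)
}
```

If the failures for the account all carry sub-status 0xC0000070 and the Workstation field shows a name (or nothing) that is not one of the computers in the list, the client is presenting a workstation identity the restriction cannot match, which is exactly the symptom this thread describes.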

Spike99 (On-Site IT Technician) commented:
I don't know if this will help, but I would try modifying the list of servers which users are allowed to log on to by adding the IP addresses of those servers.

I have never used the iOS RD client, but at my last job we had issues with users logging on to our load balanced terminal server farm via TS Gateway. They would get a TS Resource Access Policy error (TS RAP) stating they didn't have rights to log on to the server in question even though the server was specified by name in the RAP in the TS Gateway server's settings.  We corrected the problem by adding the IPs of the farm & all member servers to the local computer group used by the RAP (turned out our load balancing hardware would use the IPs interchangeably with the fully qualified domain names to direct users to any of the servers in the farm).

Worth a shot...
JReam (Author) commented:
We tried using all the IPs and FQDNs we could think of in the list of [Log On To] computers without any success.
Spike99 (On-Site IT Technician) commented:
Are you restricting access using a GPO?

We never restricted logon access at the domain level. What we did was just add domain user groups to the local "Remote Desktop Users" group on specific servers to grant users log on rights. Doing it that way meant we had to manually add that group to the local Remote Desktop Users group on every server in the farm (so it could be a pain to add that group on a large number of servers), but it proved less problematic than trying to control logon rights via GPO.

Since standard users don't have rights to log on remotely by default, this enabled us to keep users off servers they shouldn't be on.  We would only add their user group to the servers they were allowed to be on.

JReam (Author) commented:
We do the [Log On To] restriction via the "Active Directory Users and Computers" administrative tool.
Is this the same as "at the domain level", as you put it when you wrote "We never restricted logon access at the domain level."? I assume yes.

I do see that we already have a domain user group specifically for our remote users. And that group is already listed in the "Remote Desktop Users" group on our one and only RDS host server.

Perhaps we are being needlessly redundant by also having the restriction in the [Log On To] list. Our remote users are never going to need to log into any other PCs on our network; they are 100% remote users only, so we always thought the specific restriction in the [Log On To] list was a good security setting, with no chance of accidentally logging in anywhere else. I'll have to give this some careful thought.
Spike99 (On-Site IT Technician) commented:
I have never used that "Log on to..." option in the user account properties in Active Directory Users and Computers.

I was thinking you must have had some GPO linked to the OU where the terminal server is to restrict logon rights.

By default, regular users lack rights to log on to any PC or server remotely, so I think just using the RD Users group on your RDS server is an effective way to permit users to only log on to that server.
JReam (Author) commented:
So we think our proposed solution is:

1. Remove the existing [Log On To] computer restrictions listed within each remote user account via the "Active Directory Users and Computers" administrative tool.

2. Add Domain Policy: Deny log on locally. Add our Remote Users group to this deny list. This was a previously undefined group policy.

Our remote users' access to the RDS host is still provided via the RDS host's local group "Remote Desktop Users".

This solution does indeed now allow our remote users to use the iOS app for MS RD Client. I think it's a bit rotten that this apparent bug in RD Client v8.1.5 forced our hand to change some of the policy object logistics, when theoretically the [Log On To] restrictions should also have worked as they were.
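The two steps above, carried out and verified from the RDS host, as an added example that is not part of the original thread. It assumes the ActiveDirectory module (RSAT) is installed on the host and that it runs as a domain administrator; 'Remote Users' is a placeholder for the author's remote users group. Besides clearing userWorkstations and checking the local Remote Desktop Users membership, it reports the effective "Deny log on locally" right (SeDenyInteractiveLogonRight), which governs console logon only, and warns if the same group is also denied "log on through Remote Desktop Services" (SeDenyRemoteInteractiveLogonRight), since that right is the one that would block RDP.

```powershell
# Added example, not from the original thread: carry out the fix the author settled on.
#  1. Clear the [Log On To] list (userWorkstations) for every user in the remote users group.
#  2. Make sure that group is in the RDS host's local "Remote Desktop Users" group.
#  3. Show who holds "Deny log on locally" on this host, and confirm the group is NOT also
#     denied "log on through Remote Desktop Services", which would block RDP again.
# Run on the RDS host as a domain admin with the ActiveDirectory module (RSAT).
# 'Remote Users' is a placeholder group name. Use -WhatIf to report without changing anything.
param(
    [string]$RemoteUsersGroup = 'Remote Users',
    [switch]$WhatIf
)
Import-Module ActiveDirectory
$domain = (Get-ADDomain).NetBIOSName

# 1. Clear the per-user workstation restriction for all (nested) user members of the group.
Get-ADGroupMember -Identity $RemoteUsersGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties userWorkstations |
    ForEach-Object {
        if ($_.userWorkstations) {
            "{0}: clearing [Log On To] list '{1}'" -f $_.SamAccountName, $_.userWorkstations
            if (-not $WhatIf) { Set-ADUser -Identity $_ -Clear userWorkstations }
        }
    }

# 2. Local "Remote Desktop Users" membership on this host (ADSI, so it works on 2008 R2 / PowerShell 2.0).
$rdu = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
$memberNames = @($rdu.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
if ($memberNames -contains $RemoteUsersGroup) {
    "$domain\$RemoteUsersGroup is already in local Remote Desktop Users."
} else {
    "$domain\$RemoteUsersGroup is missing from local Remote Desktop Users; adding."
    if (-not $WhatIf) { $rdu.Add("WinNT://$domain/$RemoteUsersGroup,group") }
}

# 3. Effective user rights on this host as secedit exports them (SIDs prefixed with '*').
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
function Resolve-RightHolders([string]$Right) {
    $line = Get-Content $inf | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    ($line -split '=')[1].Trim() -split ',' | ForEach-Object {
        $id = $_.Trim().TrimStart('*')
        try { (New-Object System.Security.Principal.SecurityIdentifier($id)).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $id }   # leave unresolvable entries as written
    }
}
$denyLocal = Resolve-RightHolders 'SeDenyInteractiveLogonRight'
$denyRdp   = Resolve-RightHolders 'SeDenyRemoteInteractiveLogonRight'
"Deny log on locally:                          " + ($denyLocal -join ', ')
"Deny log on through Remote Desktop Services:  " + ($denyRdp   -join ', ')
if ($denyRdp -contains "$domain\$RemoteUsersGroup") {
    Write-Warning "$RemoteUsersGroup is denied RDP logon on this host; remove that before expecting RDS access to work."
}
```

Run it once with -WhatIf to see which accounts still carry a [Log On To] list and how the host's logon rights currently resolve, then again without it to apply the change. The secedit export reflects the policy in effect on the host, so a Domain Policy deny that has not yet refreshed will not show until gpupdate has run.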
JReam (Author) commented:
Hi Alicia -  Your solution is working perfectly.   Thank you.
Spike99 (On-Site IT Technician) commented:
You're welcome!  I'm glad I could help.
Windows Server 2008