Solved

Microsoft RD Client on IOS iPad, user logon fails with server event ID 4625.

Posted on 2014-12-02 | 8 comments | 363 Views | Last Modified: 2016-11-23
We're using the newest v8.1.5 of the iOS MS RD Client on iPads. Our MS RDS host is Windows 2008 R2.

Remote users' logon fails; the server shows event ID 4625. The event 4625 detail states Failure Reason: "User not allowed to logon at this computer."

We can successfully log on as Administrator but not as any of our remote users.

BIG HINT: Our Administrator account works because we do NOT have a domain user restriction for [Log On To] for Administrator, but we do restrict by COMPUTER name for our remote users. THAT'S THE DIFFERENCE. If we temporarily remove the [Log On To] restriction for a remote user, presto, they can log on perfectly fine.

What's with the MS iOS RD Client? The Pocket Cloud alternative works fine for all users, but that app is now dying because it was discontinued by Dell/Wyse.
Question by:JReam
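Before changing any policy, it helps to read the 4625 events themselves rather than only the summary text. The following PowerShell is an added example, not code from the thread or from Microsoft: it pulls recent 4625 failures from the Security log of the RDS host, exposes the structured fields (logon type, the workstation name the logon request carried, status and sub status), and reads the user's [Log On To] list (the userWorkstations attribute) so the two can be compared. It assumes PowerShell 3.0 or later, an elevated session on or against the RDS host, the ActiveDirectory module for the second function, and a placeholder account name. The sub status 0xC0000070 is the code Windows records for a logon from a workstation the account is not permitted to use.

```powershell
# Added example (not from the original thread): inspect 4625 failures on the RDS host.
# Run elevated; Get-WinEvent needs read access to the Security log.
function Get-RdpLogonFailure {
    param(
        [int]$MaxEvents = 50,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $events = Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents -FilterHashtable @{
        LogName = 'Security'; Id = 4625
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # EventData carries the structured fields; collect them by their Name attribute.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($data.TargetDomainName)\$($data.TargetUserName)"
            LogonType   = $data.LogonType          # 10 = RemoteInteractive (RDP)
            Workstation = $data.WorkstationName    # workstation name carried by the logon request
            ClientIP    = $data.IpAddress
            Status      = $data.Status
            SubStatus   = $data.SubStatus
            # 0xC0000070: logon from a workstation the account is not allowed to use,
            # the code behind "User not allowed to logon at this computer".
            WorkstationRestricted = ($data.SubStatus -eq '0xc0000070')
        }
    }
}

# Read the account's [Log On To] list (userWorkstations) so it can be compared with the
# Workstation field above. Requires the ActiveDirectory module.
function Get-LogonWorkstationRestriction {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    Import-Module ActiveDirectory -ErrorAction Stop
    $u = Get-ADUser -Identity $SamAccountName -Properties LogonWorkstations
    $allowed = @()
    if ($u.LogonWorkstations) { $allowed = $u.LogonWorkstations -split ',' }
    [pscustomobject]@{
        User            = $u.SamAccountName
        AllowedStations = $allowed
        RestrictionSet  = ($allowed.Count -gt 0)
    }
}

# Usage (placeholder account name):
Get-RdpLogonFailure -MaxEvents 20 |
    Where-Object { $_.WorkstationRestricted } |
    Format-Table Time, User, LogonType, Workstation, ClientIP, SubStatus -AutoSize
Get-LogonWorkstationRestriction -SamAccountName 'remoteuser01'
```

If the failures show WorkstationRestricted as True, the Workstation column is the name that was checked against the user's list; seeing it side by side with AllowedStations tells you whether the [Log On To] restriction is the cause before anything is changed.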
8 Comments
 
LVL 16

Expert Comment

by:Spike99
ID: 40476880
I don't know if this will help, but I would try modifying the list of servers which users are allowed to log on to by adding the IP addresses of those servers.

I have never used the iOS RD client, but at my last job we had issues with users logging on to our load balanced terminal server farm via TS Gateway. They would get a TS Resource Access Policy error (TS RAP) stating they didn't have rights to log on to the server in question even though the server was specified by name in the RAP in the TS Gateway server's settings.  We corrected the problem by adding the IPs of the farm & all member servers to the local computer group used by the RAP (turned out our load balancing hardware would use the IPs interchangeably with the fully qualified domain names to direct users to any of the servers in the farm).

Worth a shot...
 
LVL 1

Author Comment

by:JReam
ID: 40476953
We tried using all the IPs and FQDNs we could think of in the list of [Log On To] computers without any success.
 
LVL 16

Accepted Solution

by:Spike99 (earned 500 total points)
ID: 40477012
Are you restricting access using a gpo?

We never restricted logon access at the domain level. What we did was just add user domain user groups to the local "Remote Desktop Users" group on specific servers to grant users log on rights.  Doing it that way meant we had to manually add that group to the local RD users group on every server in the farm (so it could be a pain to add that group on a large number of servers), but it proved less problematic than trying to control logon rights via GPO.

Since standard users don't have rights to log on remotely by default, this enabled us to keep users off servers they shouldn't be on.  We would only add their user group to the servers they were allowed to be on.
 
LVL 1

Author Comment

by:JReam
ID: 40477077
We do the [Log On To] restriction via the "Active Directory Users and Computers" management administrative tool.
Is this the same as "at the domain level", as you were referring to when you wrote "We never restricted logon access at the domain level"? I assume yes.

I do see that we already have a domain user group specifically for our remote users. And that group is already listed in the "Remote Desktop Users" group on our one and only RDS host server.

Perhaps we are being needlessly redundant to also have the restriction in the [Log On To] list. Our remote users are never going to need to log into any other PCs on our network; they are 100% remote users only, so we always thought the specific restriction in the [Log On To] list was a good security setting, with no chance of accidentally logging in anywhere else. I'll have to give this some careful thought.

 
LVL 16

Expert Comment

by:Spike99
ID: 40477295
I have never used that "Log on to..." option in the user account properties in Active Directory Users and Computers.

I was thinking you must have had some GPO linked to the OU where the terminal server is to restrict logon rights.

By default, regular users lack rights to log on to any PC or server remotely, so I think just using the RD Users group on your RDS server is an effective way to permit users to only log on to that server.
 
LVL 1

Author Comment

by:JReam
ID: 40477315
So we think our proposed solution is:

1. Remove the existing [Log On To] computer restrictions listed within each remote user account via the "Active Directory Users and Computers" management administrative tool.

2. Add Domain Policy: Deny log on locally. Add our Remote Users Group to this deny list. This was a previously undefined group policy.

Our remote users' access to the RDS host is still provided via the RDS host PC local group "Remote Desktop User".

This solution does indeed now allow our remote users to use the iOS app for MS RD Client. I think it's a bit rotten that this apparent bug in RD Client v8.1.5 forced our hand to change some of the policy object logistics when theoretically the [Log On To] restrictions should also have worked as they were.
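The arrangement the thread settles on, from Spike99's accepted answer (grant RDP access only through the host's local "Remote Desktop Users" group) and JReam's three steps above, can be applied and verified from PowerShell. The script below is an added example, not code from the thread: it clears the userWorkstations attribute for every member of the remote-users group, checks that the group sits in the host's local "Remote Desktop Users" group (adding it on request), and lists who holds "Deny log on locally" on the host. It assumes PowerShell 3.0 or later, the ActiveDirectory module, that the third function runs elevated on the RDS host itself, and placeholder names for the domain, the group and the host. Nothing is modified unless -Apply is passed. The deny-local-logon step does not block the RDP sessions because Remote Desktop logons are governed by SeRemoteInteractiveLogonRight, not by SeDenyInteractiveLogonRight, which is why step 2 and the local group coexist.

```powershell
# Added example (not from the original thread). All names below are placeholders.
param(
    [string]$Domain      = 'CONTOSO',       # placeholder NetBIOS domain name
    [string]$RemoteGroup = 'Remote Users',  # placeholder: domain group holding remote-only users
    [string]$RdsHost     = 'RDSHOST01',     # placeholder: the single RDS host
    [switch]$Apply                          # without it the script only reports
)
Import-Module ActiveDirectory -ErrorAction Stop

# Step 1: clear the [Log On To] list (userWorkstations) for each user in the group.
function Clear-LogonWorkstationRestriction {
    param([string]$GroupName, [switch]$Apply)
    $members = Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' }
    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.SamAccountName -Properties LogonWorkstations
        if ($u.LogonWorkstations) {
            Write-Host ("{0}: currently restricted to {1}" -f $u.SamAccountName, $u.LogonWorkstations)
            if ($Apply) { Set-ADUser -Identity $u -Clear userWorkstations }
        }
    }
}

# Step 3: the domain group must be a member of the host's local "Remote Desktop Users".
# The WinNT ADSI provider is used so this also works against a Windows Server 2008 R2
# host, which has no *-LocalGroupMember cmdlets.
function Set-RemoteDesktopUsersMember {
    param([string]$HostName, [string]$Domain, [string]$GroupName, [switch]$Apply)
    $local = [ADSI]"WinNT://$HostName/Remote Desktop Users,group"
    $names = @($local.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    if ($names -contains $GroupName) {
        Write-Host "$GroupName is already in Remote Desktop Users on $HostName"
    } elseif ($Apply) {
        $local.Add("WinNT://$Domain/$GroupName,group")
        Write-Host "Added $GroupName to Remote Desktop Users on $HostName"
    } else {
        Write-Host "$GroupName is NOT in Remote Desktop Users on $HostName (rerun with -Apply to add)"
    }
}

# Step 2 is a GPO change; here it is only verified on the host. secedit exports the
# effective user-rights assignments, including those applied by domain policy.
function Get-DenyLocalLogonAssignment {
    $cfg = Join-Path $env:TEMP 'rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -like 'SeDenyInteractiveLogonRight*' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # The value is a comma list of "*S-1-5-..." SIDs; translate each to an account name.
    ($line -split '=')[1].Trim() -split ',' | ForEach-Object {
        $sid = $_.TrimStart('*')
        try {
            (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $sid }
    }
}

Clear-LogonWorkstationRestriction -GroupName $RemoteGroup -Apply:$Apply
Set-RemoteDesktopUsersMember -HostName $RdsHost -Domain $Domain -GroupName $RemoteGroup -Apply:$Apply
Write-Host 'Accounts denied local logon on this host:'
Get-DenyLocalLogonAssignment
```

Run it once without -Apply to see which accounts still carry a [Log On To] list and whether the group is already in the local RD Users group; the last output should list the remote-users group once the domain policy from step 2 has refreshed on the host.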
 
LVL 1

Author Closing Comment

by:JReam
ID: 40478401
Hi Alicia -  Your solution is working perfectly.   Thank you.
 
LVL 16

Expert Comment

by:Spike99
ID: 40478481
You're welcome!  I'm glad I could help.