Solved

Microsoft RD Client on iOS iPad, user logon fails with server event ID 4625.

Posted on 2014-12-02
Last Modified: 2016-11-23
We're using the newest v8.1.5 of the iOS MS RD Client on iPads. Our MS RDS host is Windows 2008 R2.

Remote user logons fail, and the server shows event ID 4625. The event 4625 detail states Failure Reason: "User not allowed to logon at this computer."

We can successfully log on as Administrator but not as any of our remote users.

BIG HINT: Our Administrator account works because we do NOT have a domain user restriction for [Log On To] for Administrator, but we do restrict by COMPUTER name our remote users. THAT'S THE DIFFERENCE. If we temporarily remove the [Log On To] restriction for a remote user, presto, they can log on perfectly fine.

What's with the MS iOS RD Client? The Pocket Cloud alternative works fine for all users, but that app is now dying after being discontinued by Dell/Wyse.
Question by: JReam

8 Comments
LVL 17

Expert Comment

by:Spike99
ID: 40476880
I don't know if this will help, but I would try modifying the list of servers which users are allowed to log on to by adding the IP addresses of those servers.

I have never used the iOS RD client, but at my last job we had issues with users logging on to our load balanced terminal server farm via TS Gateway. They would get a TS Resource Access Policy error (TS RAP) stating they didn't have rights to log on to the server in question even though the server was specified by name in the RAP in the TS Gateway server's settings.  We corrected the problem by adding the IPs of the farm & all member servers to the local computer group used by the RAP (turned out our load balancing hardware would use the IPs interchangeably with the fully qualified domain names to direct users to any of the servers in the farm).

Worth a shot...
LVL 1

Author Comment

by:JReam
ID: 40476953
We tried using all the IPs and FQDNs we could think of in the list of [Log On To] computers without any success.
LVL 17

Accepted Solution

by: Spike99 (earned 2000 total points)
ID: 40477012
Are you restricting access using a gpo?

We never restricted logon access at the domain level. What we did was just add user domain user groups to the local "Remote Desktop Users" group on specific servers to grant users log on rights.  Doing it that way meant we had to manually add that group to the local RD users group on every server in the farm (so it could be a pain to add that group on a large number of servers), but it proved less problematic than trying to control logon rights via GPO.

Since standard users don't have rights to log on remotely by default, this enabled us to keep users off servers they shouldn't be on.  We would only add their user group to the servers they were allowed to be on.
LVL 1

Author Comment

by:JReam
ID: 40477077
We do the [Log On To] restriction via the "Active Directory Users and Computers" management administrative tools.
Is this the same as "at the domain level" that you are referring to when you wrote "We never restricted logon access at the domain level."? I assume yes.

I do see that we already have a domain user group specifically for our remote users. And that group is already listed in the "Remote Desktop Users" group on our one and only RDS host server.

Perhaps we are being needlessly redundant to also have the restriction in the [Log On To] list. Our remote users are never going to need to log into any other PCs on our network, they are 100% remote users only, so we always thought the specific restriction in the [Log On To] list was a good security setting, with no chance of accidentally logging in anywhere else. I'll have to give this some careful thought.
LVL 17

Expert Comment

by:Spike99
ID: 40477295
I have never used that "Log on to..." option in the user account properties in Active Directory Users and Computers.

I was thinking you must have had some GPO linked to the OU where the terminal server is to restrict logon rights.

By default, regular users lack rights to log on to any PC or server remotely, so I think just using the RD Users group on your RDS server is an effective way to permit users to only log on to that server.
LVL 1

Author Comment

by:JReam
ID: 40477315
So we think our proposed solution is:

1. Remove the existing [Log On To] computer restrictions listed within each remote user account via the "Active Directory Users and Computers" management administrative tools.

2. Add Domain Policy: Deny log on locally. Add our Remote Users Group to this deny list. This was a previously undefined group policy.

Our remote user access to the RDS host is still provided via the RDS host PC local group "Remote Desktop Users".

This solution does indeed now allow our remote users to use the iOS app for MS RD Client. I think it's a bit rotten that this apparent bug in RD Client v8.1.5 forced our hand to change some of the policy object logistics when theoretically the [Log On To] restrictions should also have worked as they were.
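As an added example, not code from the thread or from either participant, the following PowerShell script audits on the RDS host the three settings discussed in Spike99's accepted solution and in the proposed solution above: the per-user [Log On To] restriction (stored in the userWorkstations attribute and exposed by Get-ADUser as LogonWorkstations), membership of the host's local "Remote Desktop Users" group, and the Sub Status of recent 4625 events, where 0xC0000070 (STATUS_INVALID_WORKSTATION) is the code behind "User not allowed to logon at this computer". It assumes the ActiveDirectory module (RSAT) is installed on the host; the user name jdoe and group name RemoteUsers are hypothetical placeholders. Clearing the restriction (step 1) is opt-in via -ClearLogonWorkstations; step 2, the Deny log on locally policy, is set in Group Policy Management and is not scripted here.

```powershell
<#
  Added example, not from the thread. Run on the RDS host as a domain admin.
  Audits the settings behind a 4625 "User not allowed to logon at this computer".
  Assumptions: ActiveDirectory module (RSAT) installed; $UserName and $RemoteGroup
  are hypothetical placeholder values.
#>
param(
    [string]$UserName    = 'jdoe',         # hypothetical remote user
    [string]$RemoteGroup = 'RemoteUsers',  # hypothetical domain group for remote users
    [switch]$ClearLogonWorkstations        # opt-in: perform step 1 of the proposed solution
)

Import-Module ActiveDirectory

# 1. The [Log On To] list is the userWorkstations attribute, a comma-separated
#    list of NetBIOS computer names; empty means "All computers".
$user = Get-ADUser -Identity $UserName -Properties LogonWorkstations
if ([string]::IsNullOrEmpty($user.LogonWorkstations)) {
    Write-Host "[Log On To] for ${UserName}: all computers (no restriction)"
} else {
    Write-Host "[Log On To] for ${UserName}: $($user.LogonWorkstations)"
    if ($ClearLogonWorkstations) {
        # Step 1: remove the per-user workstation restriction entirely.
        Set-ADUser -Identity $UserName -Clear userWorkstations
        Write-Host "  cleared userWorkstations for $UserName"
    }
}

# 2. Membership of the host's local "Remote Desktop Users" group.
#    ADSI (WinNT provider) is used because it also works on Windows 2008 R2,
#    which lacks Get-LocalGroupMember.
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
Write-Host "Remote Desktop Users on ${env:COMPUTERNAME}: $($members -join ', ')"
if ($members -notcontains $RemoteGroup) {
    Write-Warning "$RemoteGroup is not in Remote Desktop Users; remote logon for its members will be denied."
}

# 3. Recent 4625 events for this user. Sub Status 0xC0000070 (STATUS_INVALID_WORKSTATION)
#    is the workstation-restriction failure; Workstation Name shows what the client sent.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "Account Name:\s+$UserName" } |
    ForEach-Object {
        $sub = if ($_.Message -match 'Sub Status:\s+(0x[0-9A-Fa-f]+)') { $Matches[1] } else { 'n/a' }
        $src = if ($_.Message -match 'Workstation Name:\s+(\S+)')       { $Matches[1] } else { 'n/a' }
        [pscustomobject]@{ Time = $_.TimeCreated; SubStatus = $sub; Workstation = $src }
    } | Format-Table -AutoSize
```

Run it first without -ClearLogonWorkstations to see all three findings together; a user with a populated [Log On To] list, 4625 events with Sub Status 0xC0000070, and a Workstation Name that does not match any entry in that list is the pattern the thread describes. Only clear the restriction once the Deny log on locally policy from step 2 is in place, so that the local-logon restriction is not lost in the interval.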
LVL 1

Author Closing Comment

by:JReam
ID: 40478401
Hi Alicia -  Your solution is working perfectly.   Thank you.
LVL 17

Expert Comment

by:Spike99
ID: 40478481
You're welcome!  I'm glad I could help.