Solved

Microsoft RD Client on iOS iPad, user logon fails with server event ID 4625.

Posted on 2014-12-02
Last Modified: 2016-11-23
We're using the newest v8.1.5 of the iOS MS RD Client on iPads. Our MS RDS host is Windows 2008 R2.

Remote users' logon fails; the server shows event ID 4625. The event 4625 detail states Failure Reason: "User not allowed to logon at this computer."

We can successfully log on as Administrator but not as any of our remote users.


BIG HINT: Our Administrator account works because we do NOT have a domain user restriction for [Log On To] for Administrator, but we do restrict our remote users by COMPUTER name. THAT'S THE DIFFERENCE. If we temporarily remove the [Log On To] restriction for a remote user, presto, they can log on perfectly fine.

What's with the MS iOS RD Client? The Pocket Cloud alternative works fine for all users, but that app is now dying, having been discontinued by Dell/Wyse.
Question by:JReam
8 Comments
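Before changing anything, it helps to confirm that the 4625 events really are the workstation-restriction case and not bad passwords or lockouts. The following PowerShell is an added example written for this thread, not code from either poster: it pulls the recent 4625 events from the RD Session Host, maps the SubStatus field to its NTSTATUS meaning (0xC0000070 is the "User not allowed to log on at this computer" code that the [Log On To] list produces), and lists the client name and address each failed logon presented. The host name RDSHOST01 is a placeholder, and the account running it is assumed to be able to read the host's Security log remotely. Only PowerShell 2.0 constructs are used so it also runs on a 2008 R2 box.

```powershell
# Added example for this thread (not from the original posters): summarise event 4625 on the
# RD Session Host by SubStatus so that [Log On To] (workstation restriction) failures can be
# told apart from bad passwords, locked-out accounts and so on.
# Assumptions: the caller can read the host's Security log remotely; RDSHOST01 is a placeholder.
param(
    [string]$RdsHost = 'RDSHOST01',   # placeholder: substitute the RDS host name
    [int]$Hours      = 24
)

# NTSTATUS codes that event 4625 reports in its SubStatus field (values from ntstatus.h)
$SubStatusText = @{
    '0xc0000064' = 'User name does not exist'
    '0xc000006a' = 'Bad password'
    '0xc0000070' = 'User not allowed to log on at this computer ([Log On To] restriction)'
    '0xc0000072' = 'Account disabled'
    '0xc0000193' = 'Account expired'
    '0xc0000234' = 'Account locked out'
}

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -ComputerName $RdsHost -FilterHashtable $filter -ErrorAction Stop

$rows = foreach ($e in $events) {
    # Read the EventData fields by name from the event XML
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = [string]$n.'#text' }
    $sub    = ([string]$d['SubStatus']).ToLower()
    $reason = if ($SubStatusText.ContainsKey($sub)) { $SubStatusText[$sub] } else { "Other ($sub)" }
    New-Object PSObject -Property @{
        Time       = $e.TimeCreated
        User       = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        LogonType  = $d['LogonType']        # 10 = RemoteInteractive (RDP); 3 = Network (NLA/CredSSP pre-auth)
        ClientName = $d['WorkstationName']  # the workstation name the client presented in the logon request
        ClientIP   = $d['IpAddress']
        SubStatus  = $sub
        Reason     = $reason
    }
}

# Per-reason counts: many 0xc0000070 failures for users whose passwords work points at the restriction
$rows | Group-Object Reason | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# Detail for the workstation-restriction failures only
$rows | Where-Object { $_.SubStatus -eq '0xc0000070' } |
    Sort-Object Time | Format-Table Time, User, LogonType, ClientName, ClientIP -AutoSize
```

Run it as `.\Get-RdpLogonFailures.ps1 -RdsHost RDSHOST01 -Hours 48`. The ClientName column is the value worth comparing against the names entered in each user's [Log On To] list: if the iOS client's failures show a name (or an empty name) that is not on that list, the restriction explains the 4625 on its own.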
 
Expert Comment by: Spike99
I don't know if this will help, but I would try modifying the list of servers which users are allowed to log on to by adding the IP addresses of those servers.

I have never used the iOS RD client, but at my last job we had issues with users logging on to our load balanced terminal server farm via TS Gateway. They would get a TS Resource Access Policy error (TS RAP) stating they didn't have rights to log on to the server in question even though the server was specified by name in the RAP in the TS Gateway server's settings.  We corrected the problem by adding the IPs of the farm & all member servers to the local computer group used by the RAP (turned out our load balancing hardware would use the IPs interchangeably with the fully qualified domain names to direct users to any of the servers in the farm).

Worth a shot...
Author Comment by: JReam
We tried using all the IPs and FQDNs we could think of in the list of [Log On To] computers without any success.
Accepted Solution by: Spike99 (earned 500 total points)
Are you restricting access using a GPO?

We never restricted logon access at the domain level. What we did was just add user domain user groups to the local "Remote Desktop Users" group on specific servers to grant users log on rights.  Doing it that way meant we had to manually add that group to the local RD users group on every server in the farm (so it could be a pain to add that group on a large number of servers), but it proved less problematic than trying to control logon rights via GPO.

Since standard users don't have rights to log on remotely by default, this enabled us to keep users off servers they shouldn't be on.  We would only add their user group to the servers they were allowed to be on.
Author Comment by: JReam
We do the [Log On To] restriction via the "Active Directory Users and Computers" administrative tool.
Is this the same as "at the domain level" that you are referring to when you wrote "We never restricted logon access at the domain level."? I assume yes.

I do see that we already have a domain user group specifically for our remote users. And that group is already listed in the "Remote Desktop Users" group on our one and only RDS host server.

Perhaps we are being needlessly redundant to also have the restriction in the [Log On To] list. Our remote users are never going to need to log into any other PCs on our network, they are 100% remote users only, so we always thought the specific restriction in the [Log On To] list was a good security setting, no chance of accidentally logging in anywhere else. I'll have to give this some careful thought.
Expert Comment by: Spike99
I have never used that "Log on to..." option in the user account properties in Active Directory Users and Computers.

I was thinking you must have had some GPO linked to the OU where the terminal server is to restrict logon rights.

By default, regular users lack rights to log on to any PC or server remotely, so I think just using the RD Users group on your RDS server is an effective way to permit users to only log on to that server.
Author Comment by: JReam
So we think our proposed solution is:

1. Remove the existing [Log On To] computer restrictions listed within each remote user account via the "Active Directory Users and Computers" administrative tool.

2. Add Domain Policy: Deny log on locally. Add our Remote Users Group to this deny list. This was a previously undefined group policy.

Our remote users' access to the RDS host is still provided via the RDS host PC local group "Remote Desktop Users".

This solution does indeed now allow our remote users to use the iOS app for MS RD Client. I think it's a bit rotten that this apparent bug in RD Client v8.1.5 forced our hand to change some of the policy object logistics when theoretically the [Log On To] restrictions should also have worked as they were.
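The accepted solution and the two-step procedure above move access control from a per-user [Log On To] list to membership of the host's local "Remote Desktop Users" group. The script below is an added example for this thread, not code from either poster: it lists which members of the remote-users group still carry a [Log On To] list (stored in the userWorkstations attribute, which Get-ADUser exposes as LogonWorkstations), clears it only when asked and with -WhatIf support, and then checks that the group really is a member of the host's local "Remote Desktop Users" group so that step 1 does not leave anyone locked out. The group name "Remote Users" and host name RDSHOST01 are placeholders; the RSAT ActiveDirectory module is assumed to be installed on the admin workstation.

```powershell
# Added example for this thread (not from the original posters): audit the accounts that the
# accepted solution moves from per-user [Log On To] lists to group-based access on the RDS host.
# Assumptions: RSAT ActiveDirectory module is available; the group and host names are placeholders.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$RemoteUsersGroup = 'Remote Users',   # placeholder: the AD group holding the remote users
    [string]$RdsHost          = 'RDSHOST01',      # placeholder: the RD Session Host
    [switch]$ClearRestriction                     # when set, remove the [Log On To] list (honours -WhatIf)
)
Import-Module ActiveDirectory -ErrorAction Stop

# 1. Which remote users still carry a [Log On To] list?  The GUI setting lives in the
#    userWorkstations attribute, which Get-ADUser exposes as LogonWorkstations.
$members = Get-ADGroupMember -Identity $RemoteUsersGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties LogonWorkstations

$restricted = @($members | Where-Object { $_.LogonWorkstations })
"{0} of {1} members still have a [Log On To] restriction" -f $restricted.Count, @($members).Count
$restricted | Select-Object SamAccountName, Enabled, LogonWorkstations | Format-Table -AutoSize

# 2. Step 1 of the poster's fix: clear the restriction.  Run with -WhatIf first to preview.
if ($ClearRestriction) {
    foreach ($u in $restricted) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Clear userWorkstations')) {
            Set-ADUser -Identity $u -Clear userWorkstations
        }
    }
}

# 3. Confirm the group actually grants access on the host: it must be a member of the host's local
#    "Remote Desktop Users" group.  The ADSI WinNT provider is used because 2008 R2 predates
#    Get-LocalGroupMember.
$adGroup      = Get-ADGroup -Identity $RemoteUsersGroup
$localGroup   = [ADSI]"WinNT://$RdsHost/Remote Desktop Users,group"
$localMembers = @($localGroup.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
if ($localMembers -contains $adGroup.SamAccountName) {
    "OK: '$($adGroup.SamAccountName)' is in Remote Desktop Users on $RdsHost"
} else {
    "WARNING: '$($adGroup.SamAccountName)' is NOT in Remote Desktop Users on $RdsHost; current members: $($localMembers -join ', ')"
}
```

Preview with `.\Audit-RemoteUsers.ps1 -RemoteUsersGroup 'Remote Users' -RdsHost RDSHOST01 -ClearRestriction -WhatIf`, then drop `-WhatIf` once the list looks right. Step 2 of the procedure (Deny log on locally) is a User Rights Assignment rather than an AD attribute; on the host it can be confirmed after a `gpupdate /force` by exporting the effective policy with `secedit /export /cfg C:\rights.inf` and reading the SeDenyInteractiveLogonRight line, which should contain the group's SID.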
Author Closing Comment by: JReam
Hi Alicia -  Your solution is working perfectly.   Thank you.
Expert Comment by: Spike99
You're welcome!  I'm glad I could help.