Terminal Server unable to connect to DC for authentication
Asked by YMartin
We are having intermittent issues with a terminal server 2008r2. At some point it prevents certain users from connecting giving: "An authentication error has occurred. The Local Security Authority cannot be contacted"
So far the only solution is to delete the AD user and recreate.
I deliberately entered the wrong password 3 times and it locked the account out on the DC. I then logged into the same TS as admin (no issues logging on) and opened ADUC on the terminal server. I pulled up the user and it did show that the user was locked out. I then reset the password telling it to unlock the user. The password appeared to reset however the user was still locked out.
I also tried connecting to Exchange OWA and was unable to log in as that user. Something seems to have corrupted on the AD User. This only happens to users logging into that one terminal server account.
Any ideas would be appreciated.
How is your DC health and replication? I would check this first. You said that you unlocked this account and then it was still locked out. Password changes (resets) are instant. This replication does not go through the regular replication cycle. When a password is reset the DC that is resetting the password automatically replicates this password change to the PDC.
Check Replication and Health by using the following commands...
repadmin /replsum
repadmin /showrepl
repadmin /bridgeheads
DCDiag /v
Also as stated make sure your DNS is in check as well.
Will.
ASKER
Thanks for the help so far.
I attempted to unlock the user on the DC itself and it would not unlock.
It could be that one of the other DCs is locking it as fast as I unlock it, but that would be pretty fast replication across a VPN (all other DCs are remote). I found no errors relating to this on the DC. I will check replication issues shortly. DNS points to the DC. Nslookup on the domain returns the DC.
Once I changed the account logon name I was able to unlock the user and the login error also was resolved. This was discovered when deleting the user and recreating a user with the same name failed to resolve the issue.
The problem is that it keeps recurring somewhat randomly. I had to change the username twice yesterday. Also early this morning he was unable to log in, however by the time I got into the office the problem was gone so it may be correcting itself sometimes.
I am looking through the group policy for that user: a lot of settings disabled in Control Panel, no cmd, hidden items from the Start menu, disabled DFS roots/shares. Alternate credentials are disabled.
Probably more likely to be on the server: most redirection is disabled and this:
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Remote Session Environment

Policy                                                            Setting    Comment
Allow desktop composition for remote desktop sessions             Disabled
Optimize visual experience for Remote Desktop Services sessions   Enabled
    Visual experience: Text
Set compression algorithm for RDP data                            Enabled
    RDP compression algorithm: Optimized to use less network bandwidth
Other things which have been tried (but failed) were to move the user to another OU where users have not had this problem and also a reboot on the RDP server.
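Will's replication checks and the asker's suspicion that another DC is re-locking the account as fast as it is unlocked point at the same diagnostic: badPwdCount and the last bad-password time are kept per DC and are not replicated, so every DC has to be asked which one is seeing the bad attempts, and the PDC emulator (to which all lockouts are forwarded) logs event 4740 with the name of the computer that sent the bad credentials. The following PowerShell is an added example and not code from this thread; it assumes the ActiveDirectory module (RSAT) is installed, that the caller can read the PDC's Security log, that 'jdoe' is a placeholder for the affected sAMAccountName, and that the 4740 event's first two properties are the account name and the caller computer. It is written to run on PowerShell 2.0 (the 2008 R2 default).

```powershell
# Added example, not from the original thread: find which DC is recording the
# bad-password attempts behind the repeated lockouts, then read event 4740 on
# the PDC emulator to see the calling computer. Assumptions: the ActiveDirectory
# module (RSAT) is installed, the caller can read the PDC's Security log, and
# $UserName is the affected sAMAccountName ('jdoe' is a placeholder).
param([string]$UserName = 'jdoe')

Import-Module ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator
$dcs = Get-ADDomainController -Filter * | ForEach-Object { $_.HostName }

# badPwdCount and badPasswordTime are not replicated between DCs, so each DC
# must be asked individually; the one with the newest bad attempt is the
# authenticator that keeps re-locking the account.
$perDc = foreach ($dc in $dcs) {
    try {
        $u = Get-ADUser -Identity $UserName -Server $dc -ErrorAction Stop `
                 -Properties LockedOut, badPwdCount, LastBadPasswordAttempt, lockoutTime, pwdLastSet
        $lockout = $null
        if ($u.lockoutTime) { $lockout = [DateTime]::FromFileTime($u.lockoutTime) }
        New-Object PSObject -Property @{
            DC          = $dc
            LockedOut   = $u.LockedOut
            BadPwdCount = $u.badPwdCount
            LastBadPwd  = $u.LastBadPasswordAttempt
            LockoutTime = $lockout
            PwdLastSet  = [DateTime]::FromFileTime($u.pwdLastSet)
        }
    } catch {
        # A DC that cannot be reached over the VPN is itself a finding.
        New-Object PSObject -Property @{
            DC = $dc; LockedOut = 'unreachable'; BadPwdCount = $null
            LastBadPwd = $null; LockoutTime = $null; PwdLastSet = $null
        }
    }
}
$perDc | Sort-Object LastBadPwd -Descending |
    Format-Table DC, LockedOut, BadPwdCount, LastBadPwd, LockoutTime, PwdLastSet -AutoSize

# Lockouts are always forwarded to the PDC emulator, which logs event 4740 with
# the name of the computer that presented the bad credentials.
# Assumed field layout: Properties[0] = account, Properties[1] = caller computer.
Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } `
             -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq $UserName } |
    Select-Object TimeCreated,
                  @{ n = 'Account';        e = { $_.Properties[0].Value } },
                  @{ n = 'CallerComputer'; e = { $_.Properties[1].Value } } |
    Format-Table -AutoSize
```

Run it from the terminal server while the account is in the locked state. A DC whose LastBadPwd keeps advancing after every unlock, together with a CallerComputer in the 4740 events, identifies the source of the repeated bad credentials (a stale session, a mapped drive or a scheduled task holding the old password are the usual suspects), which is the cause that renaming the account only papers over. If the PwdLastSet value differs between DCs after a reset, replication is broken and Will's repadmin output is the next thing to read.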
ASKER
It seems to be working now after the last rename. I would like to trace this down and will use your advice next time we see this issue.
Few broad things to check:
Make sure your DNS entries on the terminal server are all correct
See if the users having the issue are required to "change password on next login"
We get the same error sometimes if we accidentally select the remote desktop option "Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)". If that is checked in your "Remote" tab of "System Properties" try selecting the option above it and see if it resolves your issue as a workaround.
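The NLA workaround above and the earlier DNS advice can both be checked from the session host without the GUI. The PowerShell below is an added example, not code from this thread; it assumes it is run elevated on the RDS host, that the listener has the default name 'RDP-tcp', and that the host's DNS domain is in $env:USERDNSDOMAIN. NLA (CredSSP) is the stronger of the two listener settings, so the toggle is written to be reversible: relax it only to confirm the diagnosis, then restore it.

```powershell
# Added example, not from the original thread. Shows which DC the session host is
# bound to and the RDP listener's NLA setting, and provides a reversible toggle.
# Assumptions: run elevated on the session host; default listener name 'RDP-tcp'.
function Get-RdsListenerSecurity {
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                        -Filter "TerminalName='RDP-tcp'"
    New-Object PSObject -Property @{
        NlaRequired   = [bool]$ts.UserAuthenticationRequired   # 1 = NLA (CredSSP) required
        SecurityLayer = $ts.SecurityLayer                      # 0 = RDP, 1 = Negotiate, 2 = TLS
    }
}

function Set-RdsNlaRequired {
    param([Parameter(Mandatory = $true)][bool]$Required)
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                        -Filter "TerminalName='RDP-tcp'"
    # The WMI method returns an object whose ReturnValue is 0 on success.
    $rc = $ts.SetUserAuthenticationRequired([int]$Required)
    if ($rc.ReturnValue -ne 0) {
        throw "SetUserAuthenticationRequired failed with code $($rc.ReturnValue)"
    }
}

# Which DC is this host actually using for logons? Compare against nslookup and
# the DC named in the lockout trace; a mismatch points at the DNS entries.
nltest /dsgetdc:$env:USERDNSDOMAIN

Get-RdsListenerSecurity | Format-List

# Diagnostic use only: relax NLA, have the affected user retry, then restore it.
# Set-RdsNlaRequired -Required $false
# ... reproduce the "Local Security Authority cannot be contacted" logon ...
# Set-RdsNlaRequired -Required $true
```

If the logon succeeds with NLA off and fails with it on, the failure is in the CredSSP pre-authentication to the DC rather than in the session host itself, which is consistent with the lockout and replication findings above and narrows the fix to the DC side rather than to the RDS policy shown in the question.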