?
Solved

cant use cached domain credentials when logging on through rdp

Posted on 2016-09-08
10
Medium Priority
?
93 Views
Last Modified: 2016-09-17
Hi,

We have a domain controller in 1 location and a member server in an other location. They are both server 2012 R2. The 2 are connected through an ipsec vpn tunnel. On the domain controller we have set that the policy "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" to 50 logons.

Here's the problem:

We logon to the memberserver through rdp. When the vpn tunnel is down, we cant login because the server says there's no domaincontroller available. We have checked that the gpo is applied bij going to the registry key that controls the number of cached logons. It says 50, so the gpo is applied.

Any suggestions on how to resolve this are very welcome.

Regards,
0
Comment
Question by:PramoIT
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
10 Comments
 
LVL 3

Expert Comment

by:JeffMatthias
ID: 41789647
Have you signed on to the member server at least once before with the same account?
0
 

Author Comment

by:PramoIT
ID: 41789665
Yes, i did mutliple times. Through rdp.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 41793769
the policy is applicable only for interactive logon (console logon), the one which you using on workstations for day to day logon....not for RDP sessions, your DC must be reachable in order to get the RDP because RDP require domain controller validation

The another thing is, this policy should be applied on OU containing workstations, not on domain controllers OU. Now this policy only affect domain controllers machines (that is also console / interactive logon)and not standard workstations.

Even if you don't configure this setting, by default 10 or 25 (I don't recollect exact value) last successful logon information is cached on workstations / member servers
I don't know why you set it as 50 - its not that it will allow logon interactively only 50 times
what policy is saying that once it applied machines will remember last successful logon attempts (50 users in your case on one machine - i don't think 50 users are logging on one machine) and it did not put any restrictions how many times you can logon to workstation with cached credentials
Check below link
http://windowsitpro.com/systems-management/q-what-are-different-windows-logon-types-can-show-windows-event-log
and
https://technet.microsoft.com/en-us/library/jj852209(v=ws.11).aspx

Mahesh.
0
NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

 
LVL 43

Expert Comment

by:Davis McCarn
ID: 41794094
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 41794186
In short what devis is suggesting is to add domain controller at site where member server resides. This server should also be configured as global catalog server so that you don't need to traverse through VPN tunnel to validate RDP credentials
0
 

Author Comment

by:PramoIT
ID: 41795104
Hi Mahesh,

Do you mean that the cached domain credentials will never work on a virtual terminal server where people will only be logging in through RDP? Is a connection to a domain controller always needed when loging in through RDP?

Regards.
0
 
LVL 37

Accepted Solution

by:
Mahesh earned 2000 total points
ID: 41795449
Yes, that's right

logging on server with RDP protocol and logging on server with console (interactive) are two different processes

RDP required domain controller validation, hence either you use RDP in administrative mode or terminal server mode (application mode), it will not work unless domain controller is available

Anyways:
If you can test below scenario to check if it works for you....

Put your member servers in one OU and apply new GPO on that OU with below settings (keep disabled): Network access: Do not allow storage of passwords and credentials for network authentication
https://technet.microsoft.com/en-us/library/jj852185(v=ws.10).aspx

In same GPO also add cached credentials setting for 50 users - "Interactive logon: Number of previous logons to cache (in case domain controller is not available)"

Also ensure that RDP properties of server are configured as below:
select "allow remote connections to this computer"
Uncheck " allow connections only from remote desktop using NLA"
OR
If these servers are terminal (RDS) servers, in same GPO navigate to
"computer configuration\administartive templates\windows components\remote desktop services\remote desktop session host\security" and disable "require user authentication for remote connections by using network level authentication OR you might find option to disable NLA in RDSH collection properties

be informed that these settings are not recommended by me or Microsoft becaue it reduces security

Mahesh.
0
 

Author Comment

by:PramoIT
ID: 41802397
Hi Mahesh,

I've done what you said, but users still cant login via RDP when dc is down. I guess this is just not possible when logging in via RDP.

Regards,
Mohamed
0
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 2000 total points
ID: 41802948
Thats right.
That i told you earlier

The what i told you to test is, just work around because I have never tested that

The RDP protocol do require DC validation
The best way you can do is, put one local DC at location and made it global catalog so that all requests will be validated locally

This is what MS exchange administrator does if they have exchange boxes in multiple sites, they place GC in each site to avoid exchnage lookup failure if link betwwen both site goes down, because exchange do need functional DC with GC role, without that it can't function

Mahesh
0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The following article is comprised of the pearls we have garnered deploying virtualization solutions since Virtual Server 2005 and subsequent 2008 RTM+ Hyper-V in standalone and clustered environments.
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question