Solved

Can't use cached domain credentials when logging on through RDP

Posted on 2016-09-08
10
51 Views
Last Modified: 2016-09-17
Hi,

We have a domain controller in one location and a member server in another location. They are both Server 2012 R2. The two are connected through an IPsec VPN tunnel. On the domain controller we have set the policy "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" to 50 logons.

Here's the problem:

We log on to the member server through RDP. When the VPN tunnel is down, we can't log in because the server says there's no domain controller available. We have checked that the GPO is applied by going to the registry key that controls the number of cached logons. It says 50, so the GPO is applied.

Any suggestions on how to resolve this are very welcome.

Regards,
0
Comment
Question by:PramoIT
10 Comments
 
LVL 3

Expert Comment

by:JeffMatthias
ID: 41789647
Have you signed on to the member server at least once before with the same account?
0
 

Author Comment

by:PramoIT
ID: 41789665
Yes, I did, multiple times, through RDP.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 41793769
The policy is applicable only to interactive logon (console logon), the one you use on workstations for day-to-day logon, not to RDP sessions. Your DC must be reachable in order to get RDP, because RDP requires domain controller validation.

The other thing is, this policy should be applied on the OU containing workstations, not on the domain controllers OU. Now this policy only affects domain controller machines (that is also console/interactive logon) and not standard workstations.

Even if you don't configure this setting, by default the last 10 or 25 (I don't recollect the exact value) successful logons are cached on workstations / member servers.
I don't know why you set it to 50; it's not that it will allow only 50 interactive logons.
What the policy says is that once it is applied, machines will remember the last successful logon attempts (50 users in your case on one machine; I don't think 50 users are logging on to one machine), and it does not put any restriction on how many times you can log on to a workstation with cached credentials.
Check the links below:
Check below link
http://windowsitpro.com/systems-management/q-what-are-different-windows-logon-types-can-show-windows-event-log
and
https://technet.microsoft.com/en-us/library/jj852209(v=ws.11).aspx

Mahesh.
0
 
LVL 42

Expert Comment

by:Davis McCarn
ID: 41794094
0

 
LVL 35

Expert Comment

by:Mahesh
ID: 41794186
In short, what Davis is suggesting is to add a domain controller at the site where the member server resides. This server should also be configured as a global catalog server so that you don't need to traverse the VPN tunnel to validate RDP credentials.
0
 

Author Comment

by:PramoIT
ID: 41795104
Hi Mahesh,

Do you mean that the cached domain credentials will never work on a virtual terminal server where people will only be logging in through RDP? Is a connection to a domain controller always needed when logging in through RDP?

Regards.
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
ID: 41795449
Yes, that's right.

Logging on to a server with the RDP protocol and logging on to a server at the console (interactive) are two different processes.

RDP requires domain controller validation, hence whether you use RDP in administrative mode or in terminal server mode (application mode), it will not work unless a domain controller is available.

Anyway, you can test the scenario below to check if it works for you.

Put your member servers in one OU and apply a new GPO on that OU with the setting below (keep it disabled): Network access: Do not allow storage of passwords and credentials for network authentication
https://technet.microsoft.com/en-us/library/jj852185(v=ws.10).aspx

In the same GPO also add the cached credentials setting for 50 users: "Interactive logon: Number of previous logons to cache (in case domain controller is not available)"

Also ensure that the RDP properties of the server are configured as below:
select "Allow remote connections to this computer"
uncheck "Allow connections only from computers running Remote Desktop with NLA"
OR
If these servers are terminal (RDS) servers, in the same GPO navigate to
"Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security" and disable "Require user authentication for remote connections by using Network Level Authentication", or you might find an option to disable NLA in the RDSH collection properties.

Be informed that these settings are not recommended by me or Microsoft because they reduce security.

Mahesh.
0
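An added audit script (not from this thread, not Microsoft's or any expert's code) that reads back the settings the accepted answer touches on a Windows Server 2012 R2 member server: the cached-logon count the asker checked in the registry, whether Remote Desktop is enabled and whether NLA is required on the RDP-Tcp listener, and whether any domain controller is currently reachable. It assumes the standard registry locations for these policies and the .NET DirectoryServices locator; run it in an elevated PowerShell session.

```powershell
# Added example: audit the policy state behind the symptom in this thread.
# Registry locations below are the standard ones for these settings.

function Get-CachedLogonPolicy {
    # "Interactive logon: Number of previous logons to cache" is stored as
    # CachedLogonsCount (REG_SZ) under Winlogon; absent means the default of 10.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
              -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $value) { return 10 }
    return [int]$value
}

function Get-RdpSecuritySettings {
    # fDenyTSConnections = 0  -> "Allow remote connections to this computer"
    # UserAuthentication = 1  -> "Allow connections only from computers running NLA"
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Join-Path $ts 'WinStations\RDP-Tcp'
    $deny = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $tcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    [pscustomobject]@{
        RemoteDesktopEnabled = ($deny -eq 0)
        NlaRequired          = ($nla -ne 0)
    }
}

function Find-ReachableDomainController {
    # Uses the DC locator; when the VPN is down (the thread's scenario) this throws.
    try {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
        return $domain.FindDomainController().Name
    } catch {
        return $null
    }
}

$cache = Get-CachedLogonPolicy
$rdp   = Get-RdpSecuritySettings
$dc    = Find-ReachableDomainController

"CachedLogonsCount : $cache"
"Remote Desktop    : $(if ($rdp.RemoteDesktopEnabled) { 'enabled' } else { 'disabled' })"
"NLA required      : $($rdp.NlaRequired)"
"DC reachable      : $(if ($dc) { $dc } else { 'none' })"

if ($rdp.NlaRequired -and -not $dc) {
    Write-Warning 'NLA required and no DC reachable: this is the failing RDP logon scenario from the thread.'
}
if (-not $rdp.NlaRequired) {
    Write-Warning 'NLA is disabled on RDP-Tcp (the workaround tested in the thread); this weakens RDP security. A local DC/GC at the site is the preferred fix.'
}
```

The script only reads values and prints a report; it changes nothing, so it is safe to run repeatedly, for example from both sides of a VPN outage to compare results.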
 

Author Comment

by:PramoIT
ID: 41802397
Hi Mahesh,

I've done what you said, but users still can't log in via RDP when the DC is down. I guess this is just not possible when logging in via RDP.

Regards,
Mohamed
0
 
LVL 35

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 41802948
That's right.
That is what I told you earlier.

What I told you to test is just a workaround, because I have never tested that.

The RDP protocol does require DC validation.
The best thing you can do is put one local DC at the location and make it a global catalog so that all requests will be validated locally.

This is what MS Exchange administrators do if they have Exchange boxes in multiple sites: they place a GC in each site to avoid Exchange lookup failure if the link between both sites goes down, because Exchange does need a functional DC with the GC role; without that it can't function.

Mahesh
0
