• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 106
  • Last Modified:

cant use cached domain credentials when logging on through rdp

Hi,

We have a domain controller in 1 location and a member server in an other location. They are both server 2012 R2. The 2 are connected through an ipsec vpn tunnel. On the domain controller we have set that the policy "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" to 50 logons.

Here's the problem:

We logon to the memberserver through rdp. When the vpn tunnel is down, we cant login because the server says there's no domaincontroller available. We have checked that the gpo is applied bij going to the registry key that controls the number of cached logons. It says 50, so the gpo is applied.

Any suggestions on how to resolve this are very welcome.

Regards,
0
PramoIT
Asked:
PramoIT
2 Solutions
 
JeffMatthiasCommented:
Have you signed on to the member server at least once before with the same account?
0
 
PramoITAuthor Commented:
Yes, i did mutliple times. Through rdp.
0
 
MaheshArchitectCommented:
the policy is applicable only for interactive logon (console logon), the one which you using on workstations for day to day logon....not for RDP sessions, your DC must be reachable in order to get the RDP because RDP require domain controller validation

The another thing is, this policy should be applied on OU containing workstations, not on domain controllers OU. Now this policy only affect domain controllers machines (that is also console / interactive logon)and not standard workstations.

Even if you don't configure this setting, by default 10 or 25 (I don't recollect exact value) last successful logon information is cached on workstations / member servers
I don't know why you set it as 50 - its not that it will allow logon interactively only 50 times
what policy is saying that once it applied machines will remember last successful logon attempts (50 users in your case on one machine - i don't think 50 users are logging on one machine) and it did not put any restrictions how many times you can logon to workstation with cached credentials
Check below link
http://windowsitpro.com/systems-management/q-what-are-different-windows-logon-types-can-show-windows-event-log
and
https://technet.microsoft.com/en-us/library/jj852209(v=ws.11).aspx

Mahesh.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
Davis McCarnOwnerCommented:
0
 
MaheshArchitectCommented:
In short what devis is suggesting is to add domain controller at site where member server resides. This server should also be configured as global catalog server so that you don't need to traverse through VPN tunnel to validate RDP credentials
0
 
PramoITAuthor Commented:
Hi Mahesh,

Do you mean that the cached domain credentials will never work on a virtual terminal server where people will only be logging in through RDP? Is a connection to a domain controller always needed when loging in through RDP?

Regards.
0
 
MaheshArchitectCommented:
Yes, that's right

logging on server with RDP protocol and logging on server with console (interactive) are two different processes

RDP required domain controller validation, hence either you use RDP in administrative mode or terminal server mode (application mode), it will not work unless domain controller is available

Anyways:
If you can test below scenario to check if it works for you....

Put your member servers in one OU and apply new GPO on that OU with below settings (keep disabled): Network access: Do not allow storage of passwords and credentials for network authentication
https://technet.microsoft.com/en-us/library/jj852185(v=ws.10).aspx

In same GPO also add cached credentials setting for 50 users - "Interactive logon: Number of previous logons to cache (in case domain controller is not available)"

Also ensure that RDP properties of server are configured as below:
select "allow remote connections to this computer"
Uncheck " allow connections only from remote desktop using NLA"
OR
If these servers are terminal (RDS) servers, in same GPO navigate to
"computer configuration\administartive templates\windows components\remote desktop services\remote desktop session host\security" and disable "require user authentication for remote connections by using network level authentication OR you might find option to disable NLA in RDSH collection properties

be informed that these settings are not recommended by me or Microsoft becaue it reduces security

Mahesh.
0
 
PramoITAuthor Commented:
Hi Mahesh,

I've done what you said, but users still cant login via RDP when dc is down. I guess this is just not possible when logging in via RDP.

Regards,
Mohamed
0
 
MaheshArchitectCommented:
Thats right.
That i told you earlier

The what i told you to test is, just work around because I have never tested that

The RDP protocol do require DC validation
The best way you can do is, put one local DC at location and made it global catalog so that all requests will be validated locally

This is what MS exchange administrator does if they have exchange boxes in multiple sites, they place GC in each site to avoid exchnage lookup failure if link betwwen both site goes down, because exchange do need functional DC with GC role, without that it can't function

Mahesh
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now