Solved

Can't use cached domain credentials when logging on through RDP

Posted on 2016-09-08
10
68 Views
Last Modified: 2016-09-17
Hi,

We have a domain controller in one location and a member server in another location. They are both Server 2012 R2. The two are connected through an IPsec VPN tunnel. On the domain controller we have set the policy "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" to 50 logons.

Here's the problem:

We log on to the member server through RDP. When the VPN tunnel is down, we can't log in because the server says there's no domain controller available. We have checked that the GPO is applied by going to the registry key that controls the number of cached logons. It says 50, so the GPO is applied.

Any suggestions on how to resolve this are very welcome.

Regards,
0
Question by:PramoIT
10 Comments
 
LVL 3

Expert Comment

by:JeffMatthias
ID: 41789647
Have you signed on to the member server at least once before with the same account?
0
 

Author Comment

by:PramoIT
ID: 41789665
Yes, I did, multiple times. Through RDP.
0
 
LVL 36

Expert Comment

by:Mahesh
ID: 41793769
The policy is applicable only for interactive logon (console logon), the one which you use on workstations for day-to-day logon... not for RDP sessions. Your DC must be reachable in order to get the RDP session, because RDP requires domain controller validation.

The other thing is, this policy should be applied on the OU containing workstations, not on the domain controllers OU. Now this policy only affects domain controller machines (that is also console / interactive logon) and not standard workstations.

Even if you don't configure this setting, by default the last 10 or 25 (I don't recollect the exact value) successful logons are cached on workstations / member servers.
I don't know why you set it as 50 - it's not that it will allow logon interactively only 50 times.
What the policy is saying is that once it is applied, machines will remember the last successful logon attempts (50 users in your case on one machine - I don't think 50 users are logging on to one machine), and it does not put any restriction on how many times you can log on to the workstation with cached credentials.
Check the links below:
http://windowsitpro.com/systems-management/q-what-are-different-windows-logon-types-can-show-windows-event-log
and
https://technet.microsoft.com/en-us/library/jj852209(v=ws.11).aspx

Mahesh.
0
 
LVL 43

Expert Comment

by:Davis McCarn
ID: 41794094
0
 
LVL 36

Expert Comment

by:Mahesh
ID: 41794186
In short, what Davis is suggesting is to add a domain controller at the site where the member server resides. This server should also be configured as a global catalog server so that you don't need to traverse the VPN tunnel to validate RDP credentials.
0
 

Author Comment

by:PramoIT
ID: 41795104
Hi Mahesh,

Do you mean that the cached domain credentials will never work on a virtual terminal server where people will only be logging in through RDP? Is a connection to a domain controller always needed when logging in through RDP?

Regards.
0
 
LVL 36

Accepted Solution

by:
Mahesh earned 500 total points
ID: 41795449
Yes, that's right.

Logging on to a server with the RDP protocol and logging on to a server at the console (interactive) are two different processes.

RDP requires domain controller validation, hence whether you use RDP in administrative mode or terminal server mode (application mode), it will not work unless a domain controller is available.

Anyway:
You can test the scenario below to check if it works for you....

Put your member servers in one OU and apply a new GPO on that OU with the setting below (keep it Disabled): Network access: Do not allow storage of passwords and credentials for network authentication
https://technet.microsoft.com/en-us/library/jj852185(v=ws.10).aspx

In the same GPO also add the cached credentials setting for 50 users - "Interactive logon: Number of previous logons to cache (in case domain controller is not available)"

Also ensure that the RDP properties of the server are configured as below:
select "allow remote connections to this computer"
Uncheck "allow connections only from remote desktop using NLA"
OR
If these servers are terminal (RDS) servers, in the same GPO navigate to
"computer configuration\administrative templates\windows components\remote desktop services\remote desktop session host\security" and disable "require user authentication for remote connections by using network level authentication", OR you might find the option to disable NLA in the RDSH collection properties.

Be informed that these settings are not recommended by me or Microsoft because they reduce security.

Mahesh.
0
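As an added example (not code from the thread or from any of its participants), the following read-only PowerShell audit reports the state of the settings Mahesh lists above, so the values can be confirmed on the member server before and after the GPO change without touching them. It reads the registry values that back each policy: CachedLogonsCount under Winlogon (the value the question author checked), DisableDomainCreds under Lsa for "Network access: Do not allow storage of passwords and credentials for network authentication", fDenyTSConnections for "allow remote connections to this computer", and UserAuthentication on the RDP-Tcp listener for the NLA requirement. It also summarises recent Security event 4624 logons by logon type, which is where Mahesh's first link leads: type 10 is RemoteInteractive (RDP) and type 11 is CachedInteractive, so the distribution shows whether any logons actually used cached credentials. The function names are my own; run it in an elevated session on the member server.

```powershell
# Added example, not from the thread: read-only audit of the settings discussed above.
# Run in an elevated PowerShell session on the member server (Server 2012 R2 or later).

function Get-CachedLogonAudit {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $ts       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp   = "$ts\WinStations\RDP-Tcp"

    # CachedLogonsCount is a REG_SZ; Windows uses 10 when the value is absent.
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $cached) { $cached = '10 (default, value not set)' }

    # DisableDomainCreds = 1 means "Do not allow storage of passwords and credentials" is Enabled.
    $disableDomainCreds = (Get-ItemProperty -Path $lsa -Name DisableDomainCreds -ErrorAction SilentlyContinue).DisableDomainCreds

    # fDenyTSConnections = 0 means "Allow remote connections to this computer" is selected.
    $denyTs = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections

    # UserAuthentication = 1 means NLA is required on the RDP-Tcp listener.
    $nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

    [pscustomobject]@{
        CachedLogonsCount            = $cached
        DoNotStoreNetworkCredentials = if ($disableDomainCreds -eq 1) { 'Enabled' } else { 'Disabled / Not configured' }
        RemoteConnectionsAllowed     = ($denyTs -eq 0)
        NlaRequired                  = ($nla -eq 1)
    }
}

function Get-RecentLogonTypes {
    param([int]$MaxEvents = 500)

    # Event 4624 logon types of interest here:
    #   2 = Interactive (console), 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
    $names = @{ 2 = 'Interactive'; 3 = 'Network'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the EventData fields out of the event XML by name.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                LogonType = [int]$data['LogonType']
            }
        } |
        Group-Object LogonType |
        Select-Object @{ n = 'LogonType'; e = { [int]$_.Name } },
                      @{ n = 'Name';      e = { $names[[int]$_.Name] } },
                      Count
}

Get-CachedLogonAudit | Format-List
Get-RecentLogonTypes | Sort-Object LogonType | Format-Table -AutoSize
```

If the audit shows NlaRequired as True while the VPN is down, NLA (CredSSP) will try to reach the DC before the session is even created, which matches the symptom in the question; the 4624 summary tells you whether the server has ever recorded a type 11 cached logon at all.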
 

Author Comment

by:PramoIT
ID: 41802397
Hi Mahesh,

I've done what you said, but users still can't log in via RDP when the DC is down. I guess this is just not possible when logging in via RDP.

Regards,
Mohamed
0
 
LVL 36

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 41802948
That's right.
That's what I told you earlier.

What I told you to test is just a workaround, because I have never tested that.

The RDP protocol does require DC validation.
The best thing you can do is put one local DC at the location and make it a global catalog so that all requests will be validated locally.

This is what MS Exchange administrators do if they have Exchange boxes in multiple sites: they place a GC in each site to avoid Exchange lookup failures if the link between the two sites goes down, because Exchange does need a functional DC with the GC role; without that it can't function.

Mahesh
0
