RDP to another Domain over VPN

Hello Experts,
I have a strange issue I am hoping someone can help with. We have set up a VPN tunnel to another organization's servers in AWS; all connectivity seems to be fine back and forth. What we cannot do is RDP to the servers in AWS. Before you throw up "firewall", let me explain the oddities of the issue.

The consultants of the organization can come to our office and, from our network, RDP back to these machines without issue.

We thought it was a username/password issue, but they tested our credentials from their machines and they were successful.

We have disabled firewalls, yet we are still unable to connect.

We found out that from our network we can take a fresh PC, never joined to our domain, and connect via RDP. Once that machine is joined to the domain the connection can no longer be made. Here is the real kicker: removing the machine from the domain does not change the issue. Instead it still suffers the same inability to connect via RDP as the domain-joined machines.

The best I can come up with is that our GPO is making some registry changes that are not being reversed once the machine is dis-joined from the domain.

Does anyone have any idea of a setting that could cause this issue? I have cleared the DNS suffix, tried static and DHCP, admin logins, firewalls disabled; tracert looks good (issues there would be present regardless of domain membership). I am at a loss; help would be greatly appreciated.

Thanks,
Mark
merritthorn (IT director) asked:
Antzs (Infrastructure Services) commented:
What about the firewall setting on the PC itself? Was the firewall feature turned off when it was fresh and turned on when it was joined to the domain?
0
gilnov (Systems Administrator) commented:
Smells like DNS. Did you try RDP using IP address rather than hostname? Compare the joined vs unjoined PC's DNS settings when connected to your network. Are they the same?
0
8046586 commented:
You can check the domain policy or the server's local policy for who is allowed to log on remotely.
0
gilnov (Systems Administrator) commented:
OK...just re-read your last sentence and see you already tried RDP via IP address. Still curious to know how your DNS settings compare in ipconfig and the NIC properties between joined and unjoined.

Also, it would help if you could give a bit more detail on what GP's are in place on your domain.
0
merritthorn (IT director, author) commented:
Sorry, I should have specified: we are using IPs, not DNS, so it is not a DNS issue; I don't think it can be anyway. The firewall is off, so that should not be the issue either. Likewise, the fact that the non-domain-joined machine can connect to the RDP server would indicate the firewall is not the issue.

I do appreciate the suggestions though... Could the firewall thought be affected on the client side? Maybe I am discounting that idea too quickly? I just know the server's firewall is accepting connections from any machine not joined to my domain.
0
8046586 commented:
When you join the desktop to the domain, GP is the only thing that makes desktops perform differently. DNS, firewall and everything passive and active on the network are intact. Focus on your GP that applies to your server for Computers only (NOT users), GP that applies to the OU where the desktops are, and the server's LOCAL SECURITY POLICY (there might be something related to the domain desktops).
1
8046586 commented:
Check this:
GPO_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
0
merritthorn (IT director, author) commented:
Oh, one more bit of information that could be really important. When trying to connect to the remote server via RDP I get a prompt for credentials, but the returned error is that the credentials used were not valid. We know, however, that the credentials are valid, as they work on non-domain-joined machines. It is almost like RDP is assuming the domain to be ours vs. the remote domain, though we are specifying it as domain\username.
0
8046586 commented:
For troubleshooting purposes:
If the server is not a DC, then create a local account with local admin permissions, add it to the remote desktop group, and try logging in with that account. Another tip: if you are using a different language, check the keyboard selection on the remote session. I had a similar problem with credentials for an Italian client.
0
merritthorn (IT director, author) commented:
There are only two GPOs in User Rights Assignment that are specified:
Deny logon through Remote Desktop Services, applied to domain\service accounts
Impersonate client after authentication, applied to a handful of groups that I am a part of.

Keep in mind these are client-side GPOs, not server-side. I am setting up a test user account now, not part of any groups, to see if this helps.
0
merritthorn (IT director, author) commented:
I will have to ask the consultant to create the local user for me.  That is certainly worth a shot.  I have tried a new local user on my side with no luck.
0
merritthorn (IT director, author) commented:
I think I just stumbled on the answer, but I have to wait for my account to unlock to be sure. After many attempts I forgot to enter my password in the RDP login and, pow, I got to the server with a prompt for creds. As I said, though, my account is locked now, so I have to wait for the policy duration to unlock me.
1
NAMEWITHELD12 commented:
Any update on this?

I know I am bad about updating the questions I ask, but I am curious to hear the answer!
0
merritthorn (IT director, author) commented:
Not yet. I waited to see if my account unlocked so I could get in, but now I am back to the original problem, bad credentials. This problem is really baffling. We are off today, being the day after Christmas, but I will be sure to update as I get them. If anyone has further suggestions I am game.
0
NAMEWITHELD12 commented:
Well, I think from a problem-solving perspective, do what I call "splitting the problem domain", where you make a chart of the environment, clearly define where the problem arises, and exclude areas by testing. For example, you can split the problem domain by finding a test to divide whether it is NON-GPO vs GPO related, etc. Then, for example, if it is proven to be a GPO issue, further split the problem domain by testing specific GPOs, etc.

You can use this logic if other paths toward resolution arise, like is it a NAME RESOLUTION ISSUE or NOT A NAME RESOLUTION ISSUE; find a test for that to split the problem domain.

At the point where you cannot shrink the problem domain down any further, take a real hard look at setting the log level to verbose on any log on the clients and servers that may be relevant, any and all of them.

Force the error by attempting to log in and failing, and at the exact time that you attempt to log in see if any logs are produced. Don't move on from this step until you have increased the logging level for every conceivable log (server-side app log, security log, NTP, client-side logs, etc.) and found that there are no logs being created.

Merry Christmas and good luck
0
gilnov (Systems Administrator) commented:
Since you successfully hit the logon screen of the remote server and were asked for credentials, I think we can conclude the problem is not a firewall, DNS, VLAN or other strict networking-related issue.

I'd focus on one of the group policies you mentioned - "Deny logon through remote desktop service applied to domain\service accounts". It's not clear from your description if this is being applied to all domain accounts but, if so, it would definitely prevent you from logging on via RDP. Incidentally, the question of client side vs server side does not apply here as this policy applies to user accounts as opposed to workstations or servers.

Here's an excerpt from the policy's KB: https://technet.microsoft.com/en-us/library/dn221959(v=ws.11).aspx

"Potential impact

If you assign the Deny log on through Remote Desktop Services user right to other groups, you could limit the abilities of users who are assigned to specific administrative roles in your environment. Accounts that have this user right cannot connect to the computer through Remote Desktop Services or Remote Assistance. You should confirm that delegated tasks are not negatively affected."

Also, this policy is "not defined" by default. For many policies, a default of "not defined" effectively means "leave as is" when the policy is no longer being applied. That would account for why you still can't connect when PCs are joined (PC gets policy) and then removed from the domain (policy is left as is). It also accounts for why consultants and non-joined PCs can connect. You could run an rsop command on a PC that was removed from the domain to see if the policy is still there if you're curious.

Make sure your user account is in an OU that does not have this policy applied (create an OU for the purpose if needed) then wait for a GP update or force one from an elevated command prompt (gpupdate /force on your workstation/laptop). If you still can't connect, you may need to manually apply the "Allow log on through Remote Desktop Services" policy either locally or, better still, on the OU you created. NOTE: the deny policy will supersede the allow policy if both are being applied.
1
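A direct way to confirm or exclude the deny-right hypothesis raised above is to read the effective local security policy on an affected PC and on one that can connect, then compare the two outputs. The following script is an added example, not code from the thread or from Experts Exchange; it uses secedit's policy export (a documented tool) and assumes nothing beyond an elevated PowerShell prompt. The temporary file name is an arbitrary choice.

```powershell
# Added example (not from the thread): list who holds the "Allow" and "Deny log on through
# Remote Desktop Services" user rights on the local machine, as resolved from the effective
# local security policy. Run from an elevated PowerShell prompt; secedit needs admin rights.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'   # arbitrary temp file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Privilege constants as they appear in the [Privilege Rights] section of the export.
$rights = @{
    'SeRemoteInteractiveLogonRight'     = 'Allow log on through Remote Desktop Services'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Remote Desktop Services'
}

function Resolve-Principal([string]$entry) {
    # Entries are either "*S-1-5-..." (a SID) or an account name; translate SIDs where possible.
    if (-not $entry.StartsWith('*')) { return $entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $entry   # unresolvable SID, e.g. an account from a domain this PC has left
    }
}

$found = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+LogonRight)\s*=\s*(.*)$' -and $rights.ContainsKey($matches[1])) {
        $found[$matches[1]] = $matches[2].Split(',') |
            Where-Object { $_.Trim() } |
            ForEach-Object { Resolve-Principal $_.Trim() }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

foreach ($priv in $rights.Keys) {
    $who = if ($found.ContainsKey($priv)) { $found[$priv] -join ', ' } else { '(not defined)' }
    '{0}: {1}' -f $rights[$priv], $who
}
```

A SID that no longer resolves to a name on a dis-joined PC is itself a clue that a policy setting has been left behind after leaving the domain, which is exactly the "leave as is" behaviour described in the comment above.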
8046586 commented:
Did you create a local account to test the credentials and bypass the domain? With the domain, try <full internal domain>\username, but do not log on with the username "Administrator" (try another account that has remote access permission).
0
gilnov (Systems Administrator) commented:
One thing that still doesn't fit... you mentioned consultants being able to log on with their credentials and you being able to log on with your credentials from their computers. The fact you are able to log on at all from a computer that has never been joined to your local domain means it's not the user account credentials per se. However, the GP we are talking about only affects user accounts on the local domain. Something doesn't add up. Do an rsop from an affected computer and compare it to one that you can log on from. Focus on what's different.
0
merritthorn (IT director, author) commented:
@gilnov - I would tend to agree that the GPO could have a big role here; however, the GPOs I mentioned affect computers in our domain. The servers we are trying to connect to are not in our domain and therefore should not restrict specific users from connecting.

I have tried local users, I have tried PCs dis-joined from the domain with no GPOs (verified by rsop.msc), and nothing seems to get around this. There must be some GPO or registry setting that is creating the issue, but is not reversed after dis-joining.

I did find a workaround here, but I am not super fond of it. The GPO policy only seems to affect the Remote Desktop Connection application; if I use Remote Desktop, the Windows 10 app, it works fine. I appreciate everyone's help here; this has been a truly puzzling problem.
0
gilnov (Systems Administrator) commented:
Ah. Ok. For some reason I was thinking the remote servers were in your domain. Could be some domain trust problem. Are you able to check the system event logs on the remote server where the logon failures are occurring?
0
NAMEWITHELD12 commented:
Yeah, I agree. Force it to fail, verbosify the logs, and check the logs at the exact time of the attempted login.
0
merritthorn (IT director, author) commented:
While I never found the main root of the issue, I still believe it to be in the GPO. I am sure digging into these GPOs further will yield a solution.

**EDIT**
I wanted to update this as I finally found the solution to the trouble, and I am hoping it helps someone out there. The issue described also broke the mapping of drives to the remote domain.
In the end I found the default domain policy was changing the LAN Manager Authentication Level to something other than Send NTLMv2 Response Only. This is located in GPO Manager under
Computer Configuration --> Windows Settings --> Security Settings --> Local Policy --> Security Options --> Network Security: LAN Manager Authentication Level.

Setting it to NTLMv2 Response Only resolved the issue and is best practice for Windows 10. Side note: you may need to delete the registry key to get the new setting to take effect on a machine already joined to the domain.

In order to delete this key, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
and delete the key.

Read more from MS here:
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level
0
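To check the setting the author eventually identified without opening the GPO editor, the script below reads LmCompatibilityLevel from the Lsa key, maps it to the policy wording from the Microsoft reference linked above, and flags a level that makes the client send LM/NTLMv1 responses. It is an added example and not code from the thread or from Experts Exchange; the registry path, value name and level meanings are those documented by Microsoft, and the behaviour of treating an absent value as level 3 is the documented default for Windows 7 / Server 2008 R2 and later.

```powershell
# Added example (not from the thread): show the effective LAN Manager Authentication Level on
# this machine and flag a value that would break NTLMv2-only logons to a foreign domain.
# Security-option GPOs write straight to this registry value, and the value is left in place
# ("tattooed") after the machine leaves the domain, which is why removing the PC from the
# domain did not clear the problem. Reading needs no elevation; removing the value does.
$lsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'LmCompatibilityLevel'

# Meaning of each level, per the Microsoft policy-setting reference linked above.
$levels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    $item = Get-ItemProperty -Path $lsaPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: Windows 7 / Server 2008 R2 and later behave as level 3.
        return [pscustomobject]@{ Configured = $false; Level = 3; Meaning = $levels[3] }
    }
    $lvl = [int]$item.$valueName
    return [pscustomobject]@{ Configured = $true; Level = $lvl; Meaning = $levels[$lvl] }
}

$current = Get-LmCompatibilityLevel
$origin  = if ($current.Configured) { 'set in registry' } else { 'not set; OS default' }
'LmCompatibilityLevel = {0} ({1}) [{2}]' -f $current.Level, $current.Meaning, $origin

if ($current.Level -lt 3) {
    # Levels 0-2 make this client answer with LM/NTLMv1. A remote domain that refuses those
    # rejects the logon, which mstsc reports as invalid credentials even though they are correct.
    Write-Warning 'Client will send LM/NTLMv1 responses; an NTLMv2-only server will reject the logon.'
    Write-Warning "Set the GPO above to 'Send NTLMv2 response only', or clear the tattooed value so the default (3) applies:"
    Write-Warning "  Remove-ItemProperty -Path '$lsaPath' -Name '$valueName'   # elevated; then gpupdate /force and reboot"
}
```

Running this on a dis-joined PC that still cannot connect, next to a never-joined PC that can, shows the difference the thread took weeks to find: the joined machine reports a configured level below 3 while the fresh one reports the OS default.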