Hi,
I wonder if someone can help?
Since upgrading the Active Directory forest/domain to functional level
2016, if a user resides in the “Protected Users” group in Active Directory
we are unable to RDP to Windows machines from Guacamole. We can RDP from
Guacamole using a user who is not a member of the “Protected Users” group
OK and even taking the user out of the group then trying the RDP connection
works. Also RDP’ing to the same server using the Microsoft Windows RDP
client works OK for users in the “Protected Users” group.
The problem sounds very similar to this issue that was raised but there
didn’t appear to be a resolution.
[GUACAMOLE-1426] Can't open RDP with user in "Protected Users" group - ASF
JIRA (apache.org)
We’re seeing the following in the event logs, which leads me to believe it’s
an NTLM/Kerberos problem:
Log Name:
Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController
NTLM authentication failed because the account was a member of the
Protected User group.
Account Name: <Account Name>
Device Name: b63b8c2e4626
Error Code: 0xC000006E
Source: NTLM
Event ID: 100
Source: Microsoft Windows security auditing
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: <Account Name>
Source Workstation: b63b8c2e4626
Error Code: 0xC000006E
Event ID: 4776
Source: Microsoft Windows security auditing
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: <Account Name>
Account Domain: <Domain>
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006E
Sub Status: 0xC000006E
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: b63b8c2e4626
Source Network Address: <IP Address>
Source Port: 0
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
A working login produces these events:
Source: Microsoft Windows security auditing.
An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: <ID>
Account Name: <Account Name>
Account Domain: <Domain>
Logon ID: <ID>
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: <GUID>
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: <IP Address>
Source Port: 0
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
Event ID: 4624
Source: Microsoft Windows security auditing.
A logon was attempted using explicit credentials.
Subject:
Security ID: SYSTEM
Account Name: <Computer Name>
Account Domain: <Domain>
Logon ID: 0x3E7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: <Account Name>
Account Domain: <Domain>
Logon GUID: <GUID>
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0xac4
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Network Address: <IP Address>
Port: 0
Event ID: 4648
Log Name:
Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController
A Kerberos ticket-granting-ticket (TGT) was issued for a member of the
Protected User group.
Account Information:
Account Name: <Account Name>
Supplied Realm Name:
User ID: <Account Name>
Authentication Policy Information:
Silo Name:
Policy Name:
TGT Lifetime: 0
Device Information:
Device Name:
Service Information:
Service Name: krbtgt/<Domain>
Service ID: <Domain>\krbtgt
Network Information:
Client Address: ::1
Client Port: 0
Additional Information:
Ticket Options: 0x878
Result Code: 0x0
Ticket Encryption Type: 0x10
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Source: Microsoft Windows security auditing.
An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: <Computer Name>
Account Domain: <Domain>
Logon ID: 0x3E7
Logon Information:
Logon Type: 7
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: <Account Name>
Account Name: <Account Name>
Account Domain: <Domain>
Logon ID: 0x66A65ABC
Linked Logon ID: 0x66A65ABC
Network Account Name: -
Network Account Domain: -
Logon GUID: <GUID>
Process Information:
Process ID: 0xac4
Process Name: C:\Windows\System32\svchost.exe
Network Information:
Workstation Name: <Computer Name>
Source Network Address: <IP Address>
Source Port: 0
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
I’ve tried all the security modes on the connection, but generally we have
it set to NLA and have “ignore server certificate” ticked. Also, putting
the FQDN instead of the IP address didn't change things either.
Thanks in advance.
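As an added triage example (not from the original post or the Guacamole project), this Python script parses events in the field-per-line shape quoted above and separates NTLM logons denied with status 0xC000006E (STATUS_ACCOUNT_RESTRICTION, the status Protected Users membership produces) from Kerberos successes for the same account, so the failing source can be distinguished from an account problem. The sample events, the account name and the `---` block separator are constructed.

```python
import re
from collections import defaultdict

# Constructed sample (not from the original post): three events in the
# "Field: value" shape the post quotes, one event per block, separated by ---.
SAMPLE_EVENTS = """\
Event ID: 4776
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: jdoe
Source Workstation: b63b8c2e4626
Error Code: 0xC000006E
---
Event ID: 4625
Account Name: jdoe
Workstation Name: b63b8c2e4626
Status: 0xC000006E
Authentication Package: NTLM
---
Event ID: 4624
Account Name: jdoe
Workstation Name: -
Authentication Package: Kerberos
"""

NTLM_PACKAGES = {"NTLM", "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"}
ACCOUNT_RESTRICTION = "0xc000006e"   # NTSTATUS STATUS_ACCOUNT_RESTRICTION

def parse_events(text):
    """Split the export into events, each a dict of 'Field: value' pairs."""
    events = []
    for block in text.split("---"):
        fields = {}
        for line in block.strip().splitlines():
            m = re.match(r"\s*([^:]+?):\s*(.*)$", line)
            if m:
                fields[m.group(1)] = m.group(2)
        if fields:
            events.append(fields)
    return events

def classify(event):
    """Return (kind, account, source); kind is ntlm_blocked, kerberos_ok or other."""
    package = event.get("Authentication Package", "")
    account = event.get("Account Name") or event.get("Logon Account", "?")
    source = event.get("Workstation Name") or event.get("Source Workstation", "-")
    status = event.get("Status") or event.get("Error Code", "")
    if package in NTLM_PACKAGES and status.lower() == ACCOUNT_RESTRICTION:
        return "ntlm_blocked", account, source       # NTLM refused: account restriction
    if package == "Kerberos" and event.get("Event ID") == "4624":
        return "kerberos_ok", account, source
    return "other", account, source

def triage(text):
    """Per account: sources whose NTLM logon was refused, and whether Kerberos ever worked.
    Kerberos success plus NTLM refusal from one source points at that client's auth path."""
    report = defaultdict(lambda: {"ntlm_blocked_from": set(), "kerberos_ok": False})
    for ev in parse_events(text):
        kind, account, source = classify(ev)
        if kind == "ntlm_blocked":
            report[account]["ntlm_blocked_from"].add(source)
        elif kind == "kerberos_ok":
            report[account]["kerberos_ok"] = True
    return dict(report)
```

Run `triage(SAMPLE_EVENTS)` to get, per account, the set of workstations whose NTLM attempts were refused and a flag showing that Kerberos logons for the same account do succeed.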