Certificate or Password Authentication Fails for One or More Users
Case 1: Authentication With Certificate and Password Fails
Trying to authenticate with certificates or passwords fails.
Potential Solution
Ensure the user has adequate permissions to log in to the target with RDP, and that no domain or local policy prevents login. Verify:
- That the user's group memberships on the target allow RDP login.
- That no deny RDP login group overrides the allow RDP group.
Case 2: Authentication With Certificate Fails, but Passwords Work
Trying to authenticate with a password works but certificate authentication fails.
Potential Solution
Ensure NLA is disabled. Verify:
- That the user has the required allow logon locally access right.
- That all clocks on the PrivX Server, target domain host, and Domain Controller are synchronized.
- The certificate properties, by logging in with a password and running the following in the command prompt:
certutil -scinfo -pin 0
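The user-rights checks from Case 1 (allow and deny RDP login) and Case 2 (allow logon locally) can be scripted. The following is an added example, not part of the PrivX documentation: it assumes an elevated Windows PowerShell 5.1 or later session on a domain-joined target, and the UPN passed to it is supplied by the operator.

```powershell
# Added example. Run elevated on the RDP target; the UPN is supplied by the operator.
param([Parameter(Mandatory)][string]$Upn)   # e.g. alice@example.test (constructed)

# Export only the user-rights section of the target's current security policy.
$cfg = Join-Path $env:TEMP "user-rights-$PID.inf"
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content $cfg
Remove-Item $cfg

function Get-RightHolder([string]$Right) {
    # Lines look like: SeXxxRight = *S-1-5-32-544,DOMAIN\name
    $line = $policy | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return }   # right not assigned to anyone
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $e = $entry.Trim().TrimStart('*')
        if ($e -match '^S-1-') { $e; continue }
        try {
            [System.Security.Principal.NTAccount]::new($e).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { Write-Warning "Cannot resolve '$e' listed under $Right" }
    }
}

function Get-Name([string]$Sid) {
    try {
        [System.Security.Principal.SecurityIdentifier]::new($Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }   # unresolved SIDs are shown as-is
}

# SIDs of the user and the enabled groups in a token built for this host
# (S4U logon by UPN, no password needed).
$id   = [System.Security.Principal.WindowsIdentity]::new($Upn)
$sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

$result = @{}
foreach ($r in 'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight',
               'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight') {
    $via = @(Get-RightHolder $r | Where-Object { $sids -contains $_ } | ForEach-Object { Get-Name $_ })
    $result[$r] = $via
    [pscustomobject]@{ Right = $r; Applies = [bool]$via.Count; Via = $via -join ', ' }
}

# A deny right always wins over the matching allow right.
$rdpOk   = $result.SeRemoteInteractiveLogonRight.Count -and -not $result.SeDenyRemoteInteractiveLogonRight.Count
$localOk = $result.SeInteractiveLogonRight.Count -and -not $result.SeDenyInteractiveLogonRight.Count
"RDP logon permitted by user rights:   $rdpOk"
"Local logon permitted by user rights: $localOk"
```

The Via column names the group or account through which each right reaches the user, which shows which membership to change when a deny entry applies.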
Case 3: Authentication With Password Does Not Work for Users Who Have Never Logged on to the Target
Password authentication only works for domain users who have logged on to the target previously. It fails for domain users who have never logged on to the target before. In addition, certificate authentication fails for all users.
Potential Solution
If all permission settings are the same for all users (e.g., all are in the correct administrator group), the profile cache might be hiding a DC issue. To verify this, run the following on the target host command prompt:
certutil -dcinfo verify
Contact Windows Domain admins if the following error appears: "The domain specified is not available. Please try again later."