Error Message Is Shown to the User (Windows)

Case 1: "The Requested Session Access Is Denied" Error Message

The Windows Event Logs show a successful login, but the following error message is shown to the user: "The requested session access is denied."

Potential Solution

Ensure that the user or the user's group is added to the Remote Desktop Users group via the Restricted Groups Group Policy setting.

Case 2: "The Security Database on the Server Does Not Have a Computer Account for This Workstation Trust Relationship" Error Message

The user receives the error message "The security database on the server does not have a computer account for this workstation trust relationship" during login.

Potential Solution

Remove any obsolete trust relationships from the previous domain. Then, establish a new one-way trust relationship between the domains using valid Domain Administrator credentials.

Case 3: "Logon Failure. The User Has Not Been Granted the Requested Logon Type at This Machine" Error Message

The user receives the error message "Logon failure. The user has not been granted the requested logon type at this machine" during login.

Potential Solution

  • Verify that the login attempt targets a domain account (not a local account).
  • If the user is a domain user:
    • Ensure that it has the Log on locally permission.
    • Confirm that the UPN is correct.

Case 4: "Signing in With a Smart Card Isn't Supported for Your Account" Error Message

The user receives the error message "Signing in with a smart card isn't supported for your account" during login.

This error often occurs if the Domain Controller (DC) uses a KDC certificate that lacks required Extended Key Usage (EKU) attributes for RDP smart card authentication.

Potential Solution

To verify the current KDC certificates on the DC, run the following command:

certutil -dcinfo verify

Ensure the DC has a valid KDC certificate issued by the enterprise CA, with the following EKU Object Identifiers (OIDs):

EKU OID 1.3.6.1.5.5.7.3.1   Server Authentication  
EKU OID 1.3.6.1.5.5.7.3.2   Client Authentication  
EKU OID 1.3.6.1.4.1.311.20.2.2   Smart Card Logon  
EKU OID 1.3.6.1.5.2.3.5     KDC Authentication

Ensure the certificate is based on a Kerberos Authentication template that includes all required EKUs.
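
The following PowerShell script is an added example, not part of the original documentation. Run on the DC, it lists every certificate in the computer's Personal store and reports which of the four EKU OIDs listed above each one lacks. It assumes the KDC certificate is enrolled in `Cert:\LocalMachine\My`; the variable names and report fields are illustrative.

```powershell
# Added example: run in an elevated PowerShell session on the Domain Controller.
# Assumption: the KDC certificate is in the computer's Personal store.
$storePath = 'Cert:\LocalMachine\My'

# Required EKU OIDs, copied from the list above.
$required = [ordered]@{
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
    '1.3.6.1.5.2.3.5'        = 'KDC Authentication'
}
$now = Get-Date

$report = foreach ($cert in Get-ChildItem -Path $storePath) {
    # Read the OIDs from the Enhanced Key Usage extension, if the certificate has one.
    $present = @(
        $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value }
    )
    # A certificate with no EKU extension is reported as missing all four.
    $missing = @($required.Keys | Where-Object { $present -notcontains $_ })

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        InValidity    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        HasPrivateKey = $cert.HasPrivateKey
        MissingEKUs   = ($missing | ForEach-Object { "$_ ($($required[$_]))" }) -join '; '
        AllEKUs       = ($missing.Count -eq 0)
    }
}

$report | Sort-Object AllEKUs -Descending | Format-List

# Flag the failure mode described above: no usable certificate carries every required EKU.
if (-not ($report | Where-Object { $_.AllEKUs -and $_.InValidity -and $_.HasPrivateKey })) {
    Write-Warning 'No valid certificate in the store carries all four required EKUs.'
}
```

A certificate that shows `1.3.6.1.5.2.3.5 (KDC Authentication)` or `1.3.6.1.4.1.311.20.2.2 (Smart Card Logon)` under MissingEKUs should be reissued from a template that includes all four EKUs.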
