Windows login failures

Sympton / Windows ErrorSolutions
Both certificate and password authentication fail.Ensure the user has adequate permissions to login to target with RDP, and no domain or local policy prevents login.
Verify that the user's group memberships on target allow RDP login, and there is no deny RDP login group that would overwrite the allow RDP group.
Password works but certificate authentication failsEnsure NLA is disabled.
Does user have the required allow logon locally access right?
Are all clocks in sync on PrivX Server, target domain host and Domain Controller?
Login with password and view certificate properties in command prompt: certutil -scinfo -pin 0
Certificate authentication fails for all users, and:
Password authentication works for domain users who have logged on the target previously.
Password authentication fails for domain users who have never logged on the target before.
If all permission settings are the same for all users (e.g. all are in correct administrator group), the profile cache might hide an issue with DC. The check this, type on target command prompt: certutil -dcinfo verify
Contact Windows Domain admins, if this error appears: The domain specified is not available. Please try again later.
Login is successful in the Windows Event log but this error is shown to the user:
The requested session access is denied.
Add Remote Desktop Users with user/user’s group to Restricted Groups group policy:
Error shown to the user:

The security database on the server does not have a computer account for this workstation trust relationship.
Remove any old trust relationships left on the other domain, and add a new one-way trust relationship between the domains with valid domain administrator accounts.
Error shown to the user:

Logon failure. The user has not been granted the requested logon type at this machine.
Ensure login attempt is to a domain account and not local account. If user is a domain user, ensure the user has logon locally access right and the UPN is correct.
Error shown to the user:

Signing in with a smart card isn’t supported for your account.
Domain controller may have several existing KDC certificates and the one used most likely has only client and server authentication key usage that doesn't satisfy RDP user certificate authentication. To view KDC certificates of the DC(s): certutil -dcinfo verify

The Domain Controller must identify itself with a valid KDC Certificate with proper Extended Key Usage OIDs enrolled from the Enterprise CA, e.g. an updated Kerberos Authentication template that has:

EKU OID Server Authentication
EKU OID Client Authentication
EKU OID Smart Card Logon
EKU OID KDC Authentication

Was this page helpful?