"Logon Workstations" breaks RDP with SSL

When I go in a user's AD account information and add a terminal server into their "Logon Workstations" section they can no longer remote into that terminal server.   When I empty the "Logon Workstations" list, RDP with SSL works.

 

I get the following message:

An authentication error has occurred. The Local Security Authority cannot be contacted.

 

I also noticed a short character limit even though Logon Workstations says one can type in a NetBIOS or DNS address of a computer.  I can only type in the NetBIOS name in the list.

January 9th, 2012 8:24pm

Hi,

 

You may refer to this KB:

RDP connection to Remote Desktop server running Windows Server 2008 R2 may fail with message 'The Local Security Authority cannot be contacted'.

http://support.microsoft.com/kb/2493594

 

Remote Desktop in Windows Server 2008 R2 offers three types of secure connections:

Negotiate: This security method uses TLS 1.0 to authenticate the server if TLS is supported. If TLS is not supported, the server is not authenticated.
RDP Security Layer: This security method uses Remote Desktop Protocol encryption to help secure communications between the client computer and the server. If you select this setting, the server is not authenticated.
SSL: This security method requires TLS 1.0 to authenticate the server. If TLS is not supported, you cannot establish a connection to the server. This method is only available if you select a valid certificate.

To resolve the issue, change the remote desktop security on the RD server to RDP Security Layer to allow a secure connection using Remote Desktop Protocol encryption. Below are the steps:

1. Navigate to Start > Administrative Tools > Remote Desktop Services > Remote Desktop Session Host Configuration.
2. With RD Session Host Configuration selected, view under Connections.
3. Right-click the RDP listener with connection type Microsoft RDP 6.1 and choose Properties.
4. In the General tab of the Properties dialog box, under Security, select RDP Security Layer as the Security Layer.
5. Click OK.

Note: This setting does not need a restart of the Server or Remote Desktop Service.

 

More information:

"The Local Security Authority Cannot Be Contacted" (Error 0x80090304) When You Try to Connect to a Remote Access Server

http://support.microsoft.com/kb/813550

 

 

January 10th, 2012 8:40am
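Added example (not part of the thread or the KB it cites): the listener settings the steps above change through RD Session Host Configuration are the SecurityLayer and UserAuthenticationRequired properties of the Win32_TSGeneralSetting WMI class, which can be read and set from PowerShell. The function below reports the current state when called with no arguments; the two commented calls apply the KB's RDP Security Layer workaround, or keep SSL and turn off NLA (the combination a later post in this thread reports as working). It assumes an elevated Windows PowerShell prompt on the RD Session Host and the default listener name 'RDP-Tcp'.

```powershell
# Added example; not from the original thread or the KB it cites.
# Run in an elevated Windows PowerShell prompt on the RD Session Host.
# Assumes the default listener name 'RDP-Tcp'.
function Set-RdpListenerSecurity {
    param(
        [string]$TerminalName = 'RDP-Tcp',
        [ValidateSet('RDP', 'Negotiate', 'SSL')]
        [string]$SecurityLayer,          # omit to only report current settings
        [ValidateSet('Required', 'NotRequired')]
        [string]$NLA                     # omit to leave NLA as it is
    )
    $ns = 'root\cimv2\TerminalServices'
    # Win32_TSGeneralSetting encodes SecurityLayer as 0 = RDP Security Layer,
    # 1 = Negotiate, 2 = SSL (TLS); UserAuthenticationRequired 1 = NLA required.
    $layerCode = @{ RDP = 0; Negotiate = 1; SSL = 2 }
    $layerName = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }

    function Show-Listener($l) {
        [pscustomobject]@{
            Listener      = $l.TerminalName
            SecurityLayer = '{0} ({1})' -f $l.SecurityLayer, $layerName[[int]$l.SecurityLayer]
            NLARequired   = [bool]$l.UserAuthenticationRequired
            CertSHA1      = $l.SSLCertificateSHA1Hash
        }
    }

    $listener = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='$TerminalName'"
    if (-not $listener) { throw "Listener '$TerminalName' not found" }
    Show-Listener $listener

    if ($SecurityLayer) {
        $r = $listener.SetSecurityLayer($layerCode[$SecurityLayer])
        if ($r.ReturnValue -ne 0) { throw "SetSecurityLayer failed, code $($r.ReturnValue)" }
    }
    if ($NLA) {
        $r = $listener.SetUserAuthenticationRequired([int]($NLA -eq 'Required'))
        if ($r.ReturnValue -ne 0) { throw "SetUserAuthenticationRequired failed, code $($r.ReturnValue)" }
    }
    if ($SecurityLayer -or $NLA) {
        # Re-read: the WMI object does not refresh itself after a method call.
        Show-Listener (Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting `
            -Filter "TerminalName='$TerminalName'")
    }
}

Set-RdpListenerSecurity                        # report only
# Set-RdpListenerSecurity -SecurityLayer RDP   # the KB's workaround: server is not authenticated
# Set-RdpListenerSecurity -NLA NotRequired     # keep SSL, drop NLA
```

Both setters take effect for new connections without restarting the service, which is why re-reading the object rather than trusting the stale copy matters. Dropping to RDP Security Layer removes server authentication entirely, so a client can no longer tell the real RD Session Host from an impostor; that is the trade the KB's workaround makes and the reason the original poster rejects it.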

RDP + SSL/TLS works perfectly fine in Windows Server 2008 R2. It's when "Logon Workstations" is added that it breaks. We also want to enforce the use of SSL, so this workaround is not applicable to us. We also use a 2048-bit SSL certificate from GoDaddy.com, not a self-signed certificate.
  • Edited by VgerNYC Tuesday, January 10, 2012 9:53 PM
January 10th, 2012 9:52pm

When you say that RDP with SSL does not work, do you mean you are trying to connect using RD Gateway and that connection is not working? If yes, then can you try to add the client machine name to the "Logon Workstations" and see if that solves the problem?

 

January 11th, 2012 12:17am

There's no Remote Desktop Gateway.  One Windows 2008 R2 farm with a Connection Broker and a separate Windows 2008 R2 Terminal Server, all of which are on AD.  All Terminal Servers have working RDP + SSL enforced.  If I attempt to use the "Logon Workstations" feature in users' AD account settings, they cannot log in anywhere even on the Terminal Servers I added to the Logon Workstations list.

There's also a 15-character limit in Logon Workstations even though the GUI says one can add NetBIOS or DNS names in the list. A workaround I found was to add DNS entries to Logon Workstations via ADSI Edit. The Logon Workstations AD attribute is called "userWorkstations." My thinking was SSL wanted Logon Workstations to match the name on the certificate, but it still didn't work.

I also just noticed that disabling Network Level Authentication allows RDP + SSL + Logon Workstations to work.

  • Edited by VgerNYC Wednesday, January 11, 2012 3:49 PM
January 11th, 2012 3:32pm

I still insist that this is a bug. It just seems like it's between NLA and Logon Workstations when SSL is present.



  • Edited by VgerNYC Wednesday, February 01, 2012 3:44 PM
January 13th, 2012 9:00pm

Bump. I still need an answer.
January 30th, 2012 4:54am

Hello,

Thank you for your question.

I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

Thank you for your understanding and support.

January 31st, 2012 6:56am

Hi,

 

To isolate the issue, could you please confirm the following?

#1: When we add the server to the "Logon Workstations" of one user account and cannot RDP to the server, can we log on to the console session of the server locally with this user account?

#2: When we add the server to the "Logon Workstations" of one user account and cannot RDP to the server, can we RDP to the other servers that were not added to the "Logon Workstations" with this user account?

 

The information can help us determine whether the issue was caused by RDP itself or the Active Directory service.

 

Best regards,
Spencer Shi

February 1st, 2012 9:17am

Bear in mind that the following are enabled at the same time:

Network Level Authentication , SSL , Logon Workstations

#1)    Yes

#2)     No

Also, there's a 15-character limit in the Logon Workstations GUI. I can, however, go into ADSI Edit and enter my server's full DNS address in the user's userWorkstations AD field.

  • Edited by VgerNYC Wednesday, February 01, 2012 4:28 PM
February 1st, 2012 4:24pm

Hi,

Please also add the client computer name into the "Logon Workstations" list and check if this can work around the issue. If still no go, please let me know which client OS version is facing the issue.

Thanks,

Spencer Shi

February 3rd, 2012 2:59am

Hmmm... interesting. When I added the client PC to Logon Workstations, it does work. The Remote Desktop Connection client still indicates that SSL and Kerberos are operational too.

I used ADSI Edit to enter the client's and terminal server's NetBIOS and then DNS addresses, and both worked. As soon as I removed the client's entry in Logon Workstations, it failed!

Server OS used:     Windows Server 2008 R2 SP1

(I believe I attempted long ago with Windows Server 2008 and it also failed)

 

Client OS used:     Windows Embedded Standard 2009,  Windows Embedded Standard 7,  Windows 7, Windows Server 2008 R2

I was thinking about it. I like how it also includes the client and server. I can use this to truly limit guest users.

My last question is: is this by design? Or is this a workaround?

Also, please adjust the 15-character limit in the GUI.

Thanks so much for your help!

  • Edited by VgerNYC Friday, February 03, 2012 7:58 PM
February 3rd, 2012 3:33am
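Added example (not part of the thread): the exchange above ends with the empirical rule that, with NLA on, a user's Logon Workstations list has to name both the RD Session Host and the PC the user connects from, and that the 15-character limit is a limit of the ADUC dialog rather than of the userWorkstations attribute the poster edits through ADSI Edit. The script below does the same thing with the ActiveDirectory module instead of ADSI Edit, merging names into the existing list rather than overwriting it, and then lists accounts whose list still names only the server. It is not code from the thread; it assumes RSAT, write access to the user object, and the placeholder names TS01, WS-JDOE, corp.example.com and jdoe.

```powershell
# Added example; not from the original thread. Requires the ActiveDirectory
# module (RSAT) and write access to the user object. All names are placeholders.
Import-Module ActiveDirectory

function Add-LogonWorkstation {
    # Appends names to a user's Logon Workstations list (the userWorkstations
    # attribute) without dropping the entries already there.
    param(
        [Parameter(Mandatory = $true)][string]$Identity,
        [Parameter(Mandatory = $true)][string[]]$Name
    )
    $u = Get-ADUser -Identity $Identity -Properties LogonWorkstations
    # LogonWorkstations is a single comma-separated string; a case-insensitive
    # set keeps the merge idempotent (NetBIOS and DNS names may both appear).
    $set = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)
    if ($u.LogonWorkstations) {
        foreach ($n in $u.LogonWorkstations -split ',') { [void]$set.Add($n.Trim()) }
    }
    foreach ($n in $Name) { [void]$set.Add($n.Trim()) }
    $value = @($set) -join ','
    # The AD schema caps userWorkstations at 1024 characters (rangeUpper).
    if ($value.Length -gt 1024) { throw "userWorkstations for $Identity would exceed 1024 characters" }
    Set-ADUser -Identity $Identity -LogonWorkstations $value
    @($set)
}

# The RD Session Host the user logs on TO, and the PC the user connects FROM.
$server = 'TS01', 'TS01.corp.example.com'
$client = 'WS-JDOE', 'WS-JDOE.corp.example.com'
Add-LogonWorkstation -Identity 'jdoe' -Name ($server + $client)

# Read the raw attribute back: the 15-character limit is in the ADUC dialog,
# not in the attribute, so DNS names written this way are stored intact.
(Get-ADUser -Identity 'jdoe' -Properties userWorkstations).userWorkstations -split ',' |
    ForEach-Object { '{0,-30} {1,3} chars' -f $_, $_.Length }

# Users whose list names the RD Session Host but no other machine: the shape
# that produced "The Local Security Authority cannot be contacted" above.
Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties userWorkstations |
    Where-Object {
        $entries = $_.userWorkstations -split ','
        ($entries -contains 'TS01') -and
        -not ($entries | Where-Object { $server -notcontains $_ })
    } |
    Select-Object SamAccountName, userWorkstations
```

Merging rather than replacing matters because `Set-ADUser -LogonWorkstations` overwrites the whole string; a script that writes only the server name silently removes a client entry someone else added and reintroduces the failure. Listing both the NetBIOS and the DNS form of each machine, as the poster did through ADSI Edit, avoids depending on which form the logon request carries.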

I have just experienced this problem whilst logging on a user as domain admin over RDP using high security NLA. After looking at all the settings it turned out to be the user having "change password at next logon". Turning this off allowed the user to log in.

Hope this helps.

March 19th, 2013 5:14pm

This IS actually quite annoying, and I would say it is a bug (or at least an undocumented 'feature') as well.

We have a w2k12 terminal server and a w2k12 RDP gateway sitting in the DMZ.

As soon as I enable "log on to" and include only the terminal server itself, the session times out (no message or log entry; even the gateway logs nothing at all). From the firewall's perspective it looks like the RDP gateway just closes the TCP session.

I added a test client's name to the "log on to" list (actually a domainless test PC with the beautiful name 'blubb'), and it works.

This, sorry to say, is weird, and should at least be documented somewhere. Or is it, and I'm blind?


  • Edited by jzischr Monday, September 16, 2013 11:15 AM
September 16th, 2013 10:27am

VgerNYC and jzischr, I am seeing the same issue you describe.

The user attempting to make the Remote Desktop Connection through the gateway has "Log On To..." enabled for their Active Directory account.  When I include the destination computer in the allowed computer list, the user cannot connect.  As soon as I add the client computer name to the list, the user is able to log on remotely through the gateway.

This environment is a Windows 8.1 client connecting through a Windows Server 2012 R2 RDS environment.

August 6th, 2014 12:28am

Are there any workarounds or updates on this situation? I hereby confirm the symptoms, using the same configurations as others: Windows 8.1 client, Windows Server 2012 R2.

Alex

February 26th, 2015 6:21pm

Hi - same issue exactly here: RDP fails to a 2012 R2 server if only the server is added to "Logon Workstations" in AD on the user account. Adding the client's computer makes it all work. Definitely this needs more investigation!
June 2nd, 2015 10:12am

We have the same issue in our environment, but there is a little difference.

If the logon workstation entries for a user account do not include the RD client (all RD servers are included), the user fails to remotely log on to some of the RD servers (Windows Server 2012 R2), but at the same time, from the same RD client, the user can remotely log on to other RD servers (also 2012 R2).

Error message: An authentication error has occurred. The Local Security Authority cannot be contacted.

In the Security event log, event ID 4625 is recorded with the error code '0xC0000070', Failure Reason: User not allowed to logon at this computer.

June 4th, 2015 12:04am
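Added example (not part of the thread): the post above is the first in the thread to pin the client-side "The Local Security Authority cannot be contacted" message to something concrete on the server, a 4625 with status 0xC0000070 (STATUS_INVALID_WORKSTATION, "User not allowed to logon at this computer"). The script below pulls exactly those events from the Security log so the affected account and the client name that was checked can be read off instead of guessed. It is not code from the thread; it assumes it is run elevated on the RD Session Host (or with -ComputerName pointed at it) and that the Security log still covers the window of interest.

```powershell
# Added example; not from the original thread. Run elevated on the RD Session
# Host, or point -ComputerName at it. Lists 4625 failures whose NTSTATUS is
# 0xC0000070 (STATUS_INVALID_WORKSTATION, "User not allowed to logon at this
# computer"), i.e. logons that hit the Logon Workstations restriction.
function Get-InvalidWorkstationLogon {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # Status/SubStatus are hex strings; -eq is case-insensitive in PowerShell.
        if ($d.Status -eq '0xC0000070' -or $d.SubStatus -eq '0xC0000070') {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Account     = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
                # The name the connecting client presented; compare it with the
                # user's userWorkstations list.
                Workstation = $d.WorkstationName
                SourceIP    = $d.IpAddress
                LogonType   = $d.LogonType
                Process     = $d.ProcessName
            }
        }
    }
}

$hits = Get-InvalidWorkstationLogon -Hours 24
$hits | Sort-Object Time | Format-Table -AutoSize

# Which account / client pairs are failing most often:
$hits | Group-Object Account, Workstation | Sort-Object Count -Descending |
    Select-Object Count, Name
```

The Workstation column is the value to line up against the user's Logon Workstations list when following the workaround the thread converged on (adding the client's name); if it is empty or a name the client does not own, the restriction cannot match and the 4625 will keep appearing whatever is added to the list. Filtering on Status as well as SubStatus covers both places Windows records the NTSTATUS in 4625.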

Worked it out: in our environment, just disabling NLA on the RD servers resolves this problem.
June 4th, 2015 12:17am
