{"id":6260,"date":"2022-10-19T02:28:58","date_gmt":"2022-10-19T02:28:58","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=6260"},"modified":"2023-02-02T06:16:49","modified_gmt":"2023-02-02T06:16:49","slug":"protected-users-group-cannot-rdp","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/protected-users-group-cannot-rdp","title":{"rendered":"Protected Users Group &#8211; Cannot RDP"},"content":{"rendered":"\n<ul class=\"wp-block-list\">\n<li>Use the Protected Users group for users, not services.<\/li>\n\n\n\n<li>Members of the Protected Users group must be able to authenticate by using Kerberos (NTLM is not supported, and NTLM is what RDP falls back to) with Advanced Encryption Standard (AES).<\/li>\n\n\n\n<li>Only the FQDN is supported for Remote Desktop access, because when you connect by IP address, authentication falls back to NTLM. If you try, you will see this:<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/02\/Screenshot_20230202_051509.png\"><img loading=\"lazy\" decoding=\"async\" width=\"566\" height=\"142\" src=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/02\/Screenshot_20230202_051509.png\" alt=\"\" class=\"wp-image-6638 img-responsive\" srcset=\"https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/02\/Screenshot_20230202_051509.png 566w, https:\/\/pariswells.com\/blog\/wp-content\/uploads\/2023\/02\/Screenshot_20230202_051509-300x75.png 300w\" sizes=\"auto, (max-width: 566px) 100vw, 566px\" \/><\/a><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Check that the network path (line of sight) is open between the client machine that is RDPing and the domain controller, so that Kerberos authentication can take place.<\/li>\n\n\n\n<li>Check SPN settings: if the server has multiple FQDNs, you should add the same SPNs for each FQDN.<\/li>\n\n\n\n<li>Note that a client that is not domain-joined will absolutely do Kerberos. The username just needs to provide enough information to hint which domain the user is in. So instead of &#8216;admin&#8217; use &#8220;admin@fully.qualified.domain.com&#8221; and make sure the client has line of sight to the domain controller.<\/li>\n\n\n\n<li>For users outside the network, without line of sight to the domain controller, you can use <a href=\"https:\/\/pariswells.com\/blog\/research\/password-synced-to-remote-computer-without-connectivity-to-domain-controller-after-password-change\">KDC Proxy<\/a> and proxy the RDP sessions through a gateway.<\/li>\n\n\n\n<li>Failing that, you can use an RMM service to access the server.<\/li>\n\n\n\n<li>Do not disable CredSSP. Seriously. It&#8217;s the thing that guarantees you&#8217;re connecting to the right server, and protects the server from nosy clients.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[4041,3585,3812,4040,4042,4039,207],"class_list":["post-6260","post","type-post","status-publish","format-standard","hentry","category-research","tag-a-user-account-restriction","tag-kdc-proxy","tag-kerberos","tag-ntlm","tag-preventing-you-from-logging-on","tag-protected-users","tag-rdp"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/6260","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=6260"}],"version-history":[{"count":3,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/6260\/revisions"}],"predecessor-version":[{"id":6640,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/6260\/revisions\/6640"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=6260"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=6260"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=6260"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}