Windows 10 1703 - unable to connect via Remote Desktop Gateway - Forced to use Kerberos for authentication

Hello,

After updating my Windows 10 to the Creators Update (1703), it's not possible to connect to a server over RDP through Remote Desktop Gateway (RDG).

Before, we used Windows 10 1607 and everything worked well.

Apparently, in this new version, Windows 10 forces the use of Kerberos authentication to authenticate to RDG.

But RDG doesn't support Kerberos auth, only NTLM.

Is it possible to enable NTLM auth with RDG?

Apparently, it's a change that appeared in the new version of Windows 10 (1703) with the "Remote Credential Guard" functionality.

So it supports only Kerberos auth and doesn't support Remote Desktop Gateway.
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/remote-credential-guard
"Remote Desktop Gateway is not compatible with Remote Credential Guard."

But apparently, with the RDP client, when I try to connect to the Remote Desktop Gateway, it's not the mstsc process that connects to RDG but LSASS, which tries Kerberos authentication.

As explained in this article:

http://www.thewindowsclub.com/credential-guard-windows-10

For example, this is a connection from Windows 8.1:
RDG_OUT_DATA /remoteDesktopGateway/ HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*
User-Agent: MS-RDGateway/1.0
RDG-Connection-Id: {B96140B7-3D9A-4DC0-88BC-7B40C49C1A4D}
RDG-Correlation-Id: {0CC5ACC4-323D-4D50-9A9C-D0FFD9430000}
RDG-User-Id: xxxxxxxxxxxxxxxxxxxx
Host: rdg.mondomaine.fr
Authorization: NTLM xxxxxxxxxxxxxxxxxxxxxxxxxxx==
clientless-mode: 1
X-F5-Client: rdg-http 

This is a connection from Windows 10 Creators Update (1703):
First it connects to the KDC Proxy:

And after that to RDG, but with the auth scheme Negotiate and not NTLM:
 RDG_OUT_DATA /remoteDesktopGateway/ HTTP/1.1
 Cache-Control: no-cache
 Connection: Upgrade
 Pragma: no-cache
 Upgrade: websocket
 Accept: */*
 User-Agent: MS-RDGateway/1.0
 RDG-Connection-Id: {2FE597B6-00AE-42BC-A47D-A67BE884237D}
 RDG-Correlation-Id: {1F76CE0F-C75D-462E-9F15-FFA5951F0000}
 RDG-User-Id: xxxxxxxxxxxxxxxxxxxxxxxxxxx==
 RDG-Client-Generation: Win32#6.2=5
 Sec-WebSocket-Key: 6ekVx9V3iMEKWPlNVsbZ5g==
 Sec-WebSocket-Version: 13
 Host: rdg.mondomaine.fr
 Authorization: Negotiate xxxxxxxxxxxxxxxxxxxxxxxxxxx==
 clientless-mode: 1
 X-F5-Client: rdg-http 

Best regards
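
An added example, not part of the original post: a small Python triage helper that parses header blocks shaped like the two captures above and reports the Authorization scheme, the transport, and what the base64 token carries (raw NTLM starts with the NTLMSSP signature; a SPNEGO token lists the mechanisms it offers). Function names are illustrative and the tokens are constructed stubs, since the ones in the post are redacted.

```python
import base64

# DER-encoded OIDs (tag, length, value) that identify GSS-API mechanisms.
SPNEGO = bytes.fromhex("06062b0601050502")
KERBEROS = bytes.fromhex("06092a864886f712010202")
NTLMSSP = bytes.fromhex("060a2b06010401823702020a")
MECHS = {KERBEROS: "Kerberos", NTLMSSP: "NTLM"}

def parse_request(raw):
    """Return (method, headers); tolerates a request line wrapped over two lines."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    headers = {}
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0].split()[0], headers

def classify_token(b64):
    """Say what an Authorization token carries, judged from its leading bytes."""
    try:
        tok = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error: redacted or truncated capture
        return "undecodable"
    if tok.startswith(b"NTLMSSP\x00"):
        return "raw NTLM"
    if tok[:1] == b"\x60":  # GSS-API token; OID search below is a heuristic
        found = [name for oid, name in MECHS.items() if oid in tok]
        kind = "SPNEGO" if SPNEGO in tok[:16] else "GSS-API"
        return kind + ": " + ", ".join(found or ["no known mechanism"])
    return "unrecognised"

def triage(raw):
    method, h = parse_request(raw)
    scheme, _, token = h.get("authorization", "").partition(" ")
    transport = "websocket" if h.get("upgrade", "").lower() == "websocket" else "http"
    return {"method": method, "transport": transport, "scheme": scheme,
            "token": classify_token(token.strip())}

# Constructed samples: headers follow the post's captures, tokens are synthetic.
NTLM_TOKEN = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(8)).decode()
SPNEGO_TOKEN = base64.b64encode(bytes.fromhex("6027") + SPNEGO + bytes.fromhex(
    "a01d301ba0193017") + KERBEROS + NTLMSSP).decode()
LEGACY = "RDG_OUT_DATA /remoteDesktopGateway/ HTTP/1.1\nAuthorization: NTLM " + NTLM_TOKEN
WEBSOCKET = ("RDG_OUT_DATA /remoteDesktopGateway/\nHTTP/1.1\nUpgrade: websocket\n"
             "Authorization: Negotiate " + SPNEGO_TOKEN)

if __name__ == "__main__":
    print(triage(LEGACY), triage(WEBSOCKET), sep="\n")
```

Run against a real capture, the token line shows whether a Negotiate request offered Kerberos only or also listed NTLM as a fallback.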

Hello,

The only alternative currently is to connect with another application: the Remote Desktop app from the Windows Store on Windows 10:

https://www.microsoft.com/store/apps/9wzdncrfj3ps

With this application, it's possible to connect with RDG and use NTLM auth.

So it's a very bad thing when we have more than 200 servers to manage with RDP and RDG.

21 people were helped by this reply

A very annoying surprise after the update indeed:

A colleague told me this morning that he had troubles connecting to our Remote Desktop environment, he had not changed anything on his workstation, after some questions we concluded that it probably was due to the update to the Creators update of Windows 10.

To test this I updated my laptop (which was working fine with Remote Desktop so far) to the same Creators Update, when I rebooted for the last time I had the same problem as my colleague, I was now unable to connect to our Remote Desktop environment. 

I'm glad I found this thread because the Remote Desktop App from the Windows Store works (but has its limitations), Remote Desktop Connection Manager works as well (but is not for customers, just for technicians)

T. van der Kooij

4 people were helped by this reply

Hmm, ok, strange.

I just discovered that when I login with the credentials in the UPN format then I can login (which was inspired by the original poster, since he mentioned something about Kerberos)

The method domain\username just doesn't work anymore it seems since this version of Windows 10.

T. van der Kooij

3 people were helped by this reply

Hmm, ok, strange.

I just discovered that when I login with the credentials in the UPN format then I can login (which was inspired by the original poster, since he mentioned something about Kerberos)

The method domain\username just doesn't work anymore it seems since this version of Windows 10.

Hi,

It doesn't work for me because RDP Gateway doesn't support Kerberos authentication for RDG.

This workaround is not a good solution, but it solves my problem for the moment:

For now the workaround is to replace one dll and one exe with the older version, as explained in another thread:
===
You can replace the mstsc.exe and mstscax.dll library located in %windir%\SysWOW64\ with the "backup" file in "Windows.old\WINDOWS\SysWOW64" and in %windir%\System32\ with the "backup" file in "Windows.old\WINDOWS\System32".
You will need to take ownership of the file and give Administrators Full control access to be able to replace it. Please back up the file you are replacing.
===

Best regards

19 people were helped by this reply

Reply In reply to deleted message

Hi,

For us to better understand your concern, kindly clarify if you are also having the same issue as ncollet. If possible, kindly provide us the detailed explanation of the issue you're currently experiencing.

Hope to hear from you soon.

Sorry, I replied in the wrong place.

My problem is that with the Creators Update, I can't connect to the remote desktop anymore. I tried the workaround, but I can't find any file in the Windows.old folder to replace.

Thanks

2 people were helped by this reply

Since you're using Remote Desktop connection to connect to another computer, we suggest posting your concern on our Windows 10 Networking TechNet forums. The IT professionals on our TechNet forums will provide further troubleshooting on how you can address the issue.

Thanks.

Hi,

I found another workaround:

It seems that mstsc only has problems connecting to RDG using "stored" credentials.

If I delete the stored credentials and type in Domain\user at every connection, then the connection works.

Hope that this helps...

Regards

Stefan

A few days ago I replaced the mstsc.exe and mstscax.dll files in the System32 folder with the old ones, but it still wasn't working. Today I see in this post that I also needed to replace the files in the SysWOW64 folder. But my Windows.old folder is gone now! I didn't know Microsoft deletes it 30 days after an update! What do I do now? Or are the mstsc.exe and mstscax.dll files the same in the System32 and the SysWOW64 folder?

In any case, is Microsoft going to do anything about this problem?? From searching the internet I get the impression that no one who has updated to the 1703 build is able to connect to a remote desktop anymore!

Hi,

This issue might be caused by corrupted system files. We suggest that you try to use the System File Checker tool. This tool will scan for any corruption in your Windows system files and restore them.

Let us know if you need additional assistance.

Question Info


Last updated August 21, 2020 Views 17,568 Applies to: