Problem:

When you try to connect via RDP to a server through the Royal Server Secure Gateway with a user who is a member of the 'Protected Users' group, you receive the following error message (in the Royal TS/X log):


A user account restriction (for example, a time-of-day restriction) is preventing you from logging on. For assistance, contact your system administrator or technical support


Reason:

There are a number of reasons for this message. One possible reason: when a user is a member of the 'Protected Users' group, a number of restrictions are enforced on that account. One of these restrictions is that NTLM authentication is disabled.


RDP uses Network Level Authentication (NLA) by default, which authenticates to the target using Kerberos first; if Kerberos fails, it falls back to NTLM instead.


Kerberos can fail for one of the following reasons:

  1. The client cannot locate a domain controller to do Kerberos.
  2. The client did find a domain controller and asked for a ticket for termsrv/yourtarget, but that SPN doesn't exist on any host (termsrv is aliased to host/, so if host/yourtarget exists, termsrv/yourtarget exists).
  3. The client connects to the target using an IP address (Kerberos doesn't work with IP addresses).


Now, when using a Secure Gateway connection, the actual connection, as far as RDP is concerned, goes to 127.0.0.1:<dynamic-port>. This is because a Secure Gateway connection is essentially an SSH tunnel bound to a local IP address and port. Because the target is now an IP address and no longer a hostname, Kerberos cannot be used and RDP falls back to NTLM, which in turn fails because NTLM is not allowed for members of the 'Protected Users' group.


You can easily test this with mstsc.exe by connecting to your host as a member of the 'Protected Users' group:

  • using a hostname will work
  • using the IP will not work


In effect, it is not possible to use Secure Gateway connections with users who are members of the 'Protected Users' group.
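The outcome described above can be predicted from a domain-joined admin workstation before a connection is attempted. The following PowerShell is an added example, not Royal Apps code; it assumes the RSAT ActiveDirectory module is installed, and the target '127.0.0.1:49152' and user 'jdoe' in the usage line are constructed placeholders.

```powershell
# Added example (not Royal Apps code): predict whether an RDP logon will be able to use
# Kerberos or will fall back to NTLM, and therefore fail for a 'Protected Users' member.
# Covers reasons 2 and 3 above; reason 1 (no reachable DC) is not checked here.
# Assumes the RSAT ActiveDirectory module (Get-ADGroupMember, Get-ADComputer) is available.
function Test-RdpKerberosViability {
    param(
        [Parameter(Mandatory)] [string] $Target,          # "srv01.corp.example" or "127.0.0.1:49152"
        [Parameter(Mandatory)] [string] $SamAccountName   # account that will log on
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Secure Gateway targets look like 127.0.0.1:<dynamic-port>; drop any ":port" suffix.
    $hostPart = ($Target -split ':')[0]

    # Reason 3: Kerberos cannot build an SPN from an IP address.
    $parsed = $null
    $targetIsIp = [System.Net.IPAddress]::TryParse($hostPart, [ref]$parsed)

    # Reason 2: termsrv/<host> is aliased to host/<host>, so look for the HOST SPN on the computer object.
    $spnFound = $false
    if (-not $targetIsIp) {
        $computer = Get-ADComputer -Filter "DNSHostName -eq '$hostPart' -or Name -eq '$hostPart'" `
                                   -Properties ServicePrincipalNames -ErrorAction SilentlyContinue
        if ($computer) {
            $spnFound = [bool]($computer.ServicePrincipalNames | Where-Object { $_ -ieq "HOST/$hostPart" })
        }
    }

    # Protected Users disables NTLM for the member, so an NTLM fallback cannot succeed.
    $isProtected = [bool](Get-ADGroupMember -Identity 'Protected Users' -Recursive |
                          Where-Object SamAccountName -eq $SamAccountName)

    $kerberosPossible = (-not $targetIsIp) -and $spnFound
    $authExpected = if ($kerberosPossible) { 'Kerberos' } else { 'NTLM fallback' }

    [pscustomobject]@{
        Target           = $Target
        TargetIsIp       = $targetIsIp
        HostSpnFound     = $spnFound
        UserIsProtected  = $isProtected
        AuthExpected     = $authExpected
        LogonWillSucceed = $kerberosPossible -or (-not $isProtected)
    }
}

# Usage (constructed values): the Secure Gateway case, an IP target for a Protected Users member.
Test-RdpKerberosViability -Target '127.0.0.1:49152' -SamAccountName 'jdoe'
```

For a Protected Users member the Secure Gateway case reports AuthExpected = 'NTLM fallback' and LogonWillSucceed = False, matching the error described above.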


More information about Protected Users can be found here:


Windows Domains on Windows Server 2012 R2 and 2012

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn466518(v=ws.11)?redirectedfrom=MSDN


Windows Domains on Windows Server 2022, Windows Server 2019, Windows Server 2016

https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group