Case of the Logon Attempt Failed RDP Connection

When attempting to connect from a Windows 8.1 machine to a Server 2008 R2 machine, using a local admin account on the remote machine, the error message returned was "The logon attempt failed". This was despite confirming that the correct account details were used, that the account wasn't locked out, etc.


In the security event log on the target machine, the following information was logged:


An account failed to log on.

Subject:
    Security ID:        NULL SID
    Account Name:        –
    Account Domain:        –
    Logon ID:        0x0

Logon Type:            3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:        soeadmin
    Account Domain:        ******svr01

Failure Information:
    Failure Reason:        Unknown user name or bad password.
    Status:            0xc000006d
    Sub Status:        0xc000006a

Process Information:
    Caller Process ID:    0x0
    Caller Process Name:    –

Network Information:
    Workstation Name:    ONE8-A12BCDEFG
    Source Network Address:    –
    Source Port:        –

Detailed Authentication Information:
    Logon Process:        NtLmSsp
    Authentication Package:    NTLM
    Transited Services:    –
    Package Name (NTLM only):    –
    Key Length:        0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    – Transited services indicate which intermediate services have participated in this logon request.
    – Package name indicates which sub-protocol was used among the NTLM protocols.
    – Key length indicates the length of the generated session key. This will be 0 if no session key was requested.


However, from another Server 2008 R2 machine, using the same credentials, I was able to RDP perfectly fine. This logged the following message on the server:

An account was successfully logged on.

Subject:
    Security ID:        NULL SID
    Account Name:        –
    Account Domain:        –
    Logon ID:        0x0

Logon Type:            3

New Logon:
    Security ID:        ******SVR01\soeadmin
    Account Name:        soeadmin
    Account Domain:        ******SVR01
    Logon ID:        0x1df89377
    Logon GUID:        {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:        0x0
    Process Name:        –

Network Information:
    Workstation Name:    ***HPVMEL01
    Source Network Address:    –
    Source Port:        –

Detailed Authentication Information:
    Logon Process:        NtLmSsp
    Authentication Package:    NTLM
    Transited Services:    –
    Package Name (NTLM only):    NTLM V2
    Key Length:        128

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    – Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
    – Transited services indicate which intermediate services have participated in this logon request.
    – Package name indicates which sub-protocol was used among the NTLM protocols.
    – Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

We can see from the security log that the successful connection used Package Name (NTLM only): NTLM V2, whereas the failed attempt shows no NTLM package name at all.

On the Server 2008 R2 box, in secpol.msc we can see that LM & NTLM responses are refused (as it should be…).

However, the client had a group policy enabled to allow a legacy application to connect to ancient Windows servers; this forced the client to "Send LM & NTLM responses".

Now, the bad way to fix this is to change the server to the less secure setting (i.e. "Send LM & NTLM responses").

While it is best to eliminate servers that still require LM or NTLM and keep the "refuse LM & NTLM" setting, you can compromise by changing the client policy to allow LM & NTLM but use NTLMv2 session security if negotiated. This will at least prevent you from downgrading security on your servers running more recent Windows operating systems.
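As an added diagnostic (my own script, not from the original post), the following PowerShell reads the LmCompatibilityLevel value behind the secpol.msc "LAN Manager authentication level" setting on the machine it runs on, and scans the Security log for 4625 events matching the signature above (NtLmSsp, Status 0xc000006d, Sub Status 0xc000006a, empty NTLM package name). It assumes it is run elevated; run the first function on the client to see what it is configured to send, and the second on the RDP target to find affected logon attempts.

```powershell
# Policy names as shown in secpol.msc for each LmCompatibilityLevel value.
$LmLevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # The policy is stored under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $item = Get-ItemProperty -Path $key -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: the OS default applies and no policy has overridden it.
        return [pscustomobject]@{ Level = $null; Name = 'Not set (OS default applies)' }
    }
    $lvl = [int]$item.LmCompatibilityLevel
    [pscustomobject]@{ Level = $lvl; Name = $LmLevelNames[$lvl] }
}

function Find-NtlmDowngradeFailures {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Pull the named EventData fields from the event XML rather than relying on property order.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # Signature from the failed attempt: NTLM logon, bad-password status, but no NTLM sub-protocol negotiated.
        if ($d['LogonProcessName'] -eq 'NtLmSsp' -and $d['Status'] -eq '0xc000006d' -and
            $d['SubStatus'] -eq '0xc000006a' -and ([string]$d['LmPackageName']) -in @('', '-')) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                Workstation = $d['WorkstationName']
                LogonType   = $d['LogonType']
            }
        }
      }
}

Get-LmCompatibilityLevel
Find-NtlmDowngradeFailures | Format-Table -AutoSize
```

A client reporting level 0 or 1 against a server at level 5 is the mismatch this post describes; a genuine wrong password from an NTLMv2 client shows the same status codes but with "NTLM V2" in the package name.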

About chentiangemalc

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.
This entry was posted in Group Policy, Server 2008 R2, Troubleshooting, Windows 8.

5 Responses to Case of the Logon Attempt Failed RDP Connection

  1. rogerdpack says:

    how do you check the security event logs here? :)
