System administrator has limited computers you can log on

RRAS, VPN, TS/RDP, Routing and remote Access.

Postby chicagotech » Wed Mar 01, 2017 11:50 am

Situation: After upgrading Windows 7 to 10, the client receives this message when logging in to a remote server: the system administrator has limited the computers you can log on with. Try logging on at a different computer.

Troubleshooting:
After some study, I found that Microsoft has changed RDP behaviors for security reasons. That is why we have this problem after installing the Windows update. It is better to use group policy to allow remote access instead of the "Log on to" settings. Please refer to "Quote 2" for more details.

The temporary resolution is to edit the registry or add the string enablecredsspsupport:i:0.

Quote 1
The RDP client behaviour is changed in 8.1 and it now enforces NLA, which uses CredSSP; it is more secure.
Previous behaviour is that it allowed fallback to "no NLA" when NLA failed.
If NLA is set to "required" on the RDP server side then it is expected that the client connection will fail due to the workstation not being in the list. NLA is using Kerberos or NTLM authentication, which cares about where you log on from as per the above attribute. In addition, if you take RDP out of the loop and browse to a share, for example, on the same RDP server from any OS workstation which is not in the <log onto> list, it will also fail with the same error STATUS_INVALID_WORKSTATION.

Available options here:
1. Use this setting: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-tcp "SecurityLayer", Default is 1 (SSL). -> Set this to 0.
2. On the client workstation, open the RDP file with Notepad and add the string enablecredsspsupport:i:0
3. Add the source server that the user is connecting to into the LogonTo field.

Quote 2
• I don't work for Microsoft but I do work extensively with their internal logon APIs and behaviors. I believe I understand why this behavior is in fact really "by design" and not just saying that to cover up a bug. This is an unfortunate case of how workstation control was implemented and how logons have evolved over the years.
Starting with the Account->Log on to... dialog where we specify "Logon Workstations": This was originally just used to restrict what workstation consoles the user might approach and logon to with their domain account. (Hence the "Log on to" verbiage). If your workstation wasn't in the list, your authentication was denied. The way that is implemented is, the domain controller checks the value of the "Workstation" field in the NTLM auth or the Kerberos ticket request against the list, and blocks the authentication. Simple enough.
OK, now let's evolve the scenario. We add RDP NLA, which is a separate initial authentication. If the workstation is on the LAN, the NLA auth uses Kerberos directly to the DC. If not, it uses NTLM to the RDP server. In either case, the "Workstation" field of the authentication request is set to the value of the RDP client machine's name. So what happens at the DC side? The DC examines the Workstation value and compares it against the list, like before. If it's not in the list, you are blocked. Simple! But in this case it seems like incorrect behavior to the mere humans who don't understand the underpinnings of its implementation.
As far as I can think of, there isn't any way to truly fix this apart from overhauling the entire way authentication works in Windows. The best you can do is to avoid using the "Log on to" feature to restrict your users. Now let's talk about why that's not such a bad idea.
Remember the "Workstation" field I mentioned, which is how the DC decides what to do with the request? Well it turns out there is no mutual authentication between the computer account of the client and the DC. The client simply volunteers whatever string value it wants in the "Workstation" field, and the DC trusts that. This means that the entire feature you are relying on for security is really more of an "honor system" that only works if every RDP client in the universe chooses to tell the truth about its workstation name.
Not worried yet? OK, here's a way to do it using trusted MS systems: Just name your standalone windows machine the same workstation name as one of the "allowed" logon workstations, and now the DC will believe it should be allowed.
Gosh, what should we do? Some other posters in this thread already have the solution. In Windows-land, the best way to secure who is allowed to log on where is via group policy. When you push a policy to a target server, that server does its own additional policing of who is trying to log in. After the DC authenticates a user, the target server examines the user's token and checks the appropriate "Allow" and "Deny" logon policy items to see whether it should proceed or block. This is immune to the "Workstation" field problem I describe, because no one in this case cares where the request is coming from, but rather whether the user is allowed to logon at the target server. And this is exactly what you are trying to enforce, so it's a perfect fit.
IMO: abandon the ancient "Log on workstations" feature because it just doesn't do anything useful. In the NT days it might have been good enough because all the protocols were closed and it was pretty inconceivable that someone might connect "remotely" or with a machine that was not authorized and joined to the domain. These days, it's worse than useless; just pretend security. But fortunately we can use GPOs to do the real thing!
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
chicagotech
Site Admin
 
Posts: 6995
Joined: Mon Nov 27, 2006 1:24 pm
Location: Chicago USA
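The argument in Quote 2 is that the "Log on to" restriction is enforced only on a client-supplied Workstation string, so the defensive first step is to find out which accounts still depend on it and move them to GPO-based logon rights. The following audit script is an added example written for this thread, not code from the forum post; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, that the caller can read the domain, and it uses an assumed report path under $env:TEMP.

```powershell
# Added example (not from the forum post): list domain accounts that still rely on the
# "Log on to" (userWorkstations / LogonWorkstations) restriction so they can be moved
# to a GPO-based logon-rights model. Requires the ActiveDirectory module (RSAT) and
# read access to the domain. The report path is an assumption.
Import-Module ActiveDirectory

$ReportPath = Join-Path $env:TEMP 'logon-workstations-audit.csv'   # assumed output location

# Only accounts with a non-empty userWorkstations attribute can ever hit
# STATUS_INVALID_WORKSTATION; every other account is unrestricted by this feature.
$restricted = Get-ADUser -LDAPFilter '(userWorkstations=*)' `
                         -Properties LogonWorkstations, Enabled, LastLogonDate |
    ForEach-Object {
        # The attribute is a single comma-separated string of NetBIOS computer names.
        $hosts = @($_.LogonWorkstations -split ',' |
                   ForEach-Object { $_.Trim() } |
                   Where-Object { $_ })
        [pscustomobject]@{
            SamAccountName   = $_.SamAccountName
            Enabled          = $_.Enabled
            LastLogonDate    = $_.LastLogonDate
            WorkstationCount = $hosts.Count
            Workstations     = ($hosts -join ';')
        }
    }

# Accounts with the longest allow-lists are usually the ones that break first after
# the NLA change, because any RDP client not in the list is refused at the DC.
$restricted | Sort-Object WorkstationCount -Descending | Format-Table -AutoSize
$restricted | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Found $($restricted.Count) account(s) using LogonWorkstations; report: $ReportPath"
```

Run it from a domain-joined management host as a user with read rights on the domain. The CSV gives you the migration list: each account on it is a candidate for a security group that a Deny logon-rights GPO can target instead.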

Re: System administrator has limited computers you can log on

Postby chicagotech » Tue Sep 12, 2017 9:37 am

These settings can be found in Computer Configuration > Policies > Security Settings > Local Policies > User Rights Assignment.

Enable Deny log on locally and Deny access to this computer from the network.

Re: System administrator has limited computers you can log on

Postby chicagotech » Tue Sep 26, 2017 5:02 pm

Available Options

==============

1. Use this setting: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-tcp "SecurityLayer", Default is 1 (SSL). -> Set this to 0.
2. On the client workstation, open the RDP file with Notepad and add the string enablecredsspsupport:i:0
3. Add the source server that the user is connecting to into the LogonTo field.

Re: System administrator has limited computers you can log on

Postby chicagotech » Tue Sep 26, 2017 5:03 pm

Option 2 and 3 work fine.

2. On the client workstation, open the RDP file with Notepad and add the string enablecredsspsupport:i:0
3. Add the source server that the user is connecting to into the LogonTo field.

However, we have a couple hundred non-domain computers from different clients. It is impossible to add or configure them.

Option 1 doesn't work.

1. Use this setting: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-tcp "SecurityLayer", Default is 1 (SSL). -> Set this to 0.

If the option 1 works, that could be a resolution.

Go back to my original question. Is it possible to create a group policy applied to a group of users that limits their access to most computers except a few servers?
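The two posts above fit together: the User Rights Assignment settings named earlier (Deny log on locally, Deny access to this computer from the network, plus Deny log on through Remote Desktop Services) applied to a security group, in a GPO linked everywhere except the few permitted servers, is the answer to the question just asked. The helpers below are an added example written for this thread, not code from the forum posts. The first builds the [Privilege Rights] fragment that a Security Settings GPO stores in GptTmpl.inf, using the group's SID as that file requires; the second exports a server's effective policy with secedit so you can verify which principals actually hold the Deny rights. The group name, output path and the choice of the three Deny rights are assumptions.

```powershell
# Added example (not from the forum posts). Helpers for the GPO-based logon restriction.
# Assumptions: the group name, the temp path, and which Deny rights to set.

function Get-DenyLogonInfFragment {
    # Build the [Privilege Rights] block for the Deny rights. GptTmpl.inf stores
    # principals as *<SID>, so the group name is resolved to its SID first.
    param(
        [Parameter(Mandatory)][string]$GroupName   # e.g. 'CONTOSO\RestrictedRdpUsers' (assumed)
    )
    $account = New-Object System.Security.Principal.NTAccount($GroupName)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    @"
[Privilege Rights]
SeDenyInteractiveLogonRight = *$sid
SeDenyRemoteInteractiveLogonRight = *$sid
SeDenyNetworkLogonRight = *$sid
"@
}

function Get-LocalDenyLogonRights {
    # Export the effective local security policy (requires an elevated prompt) and
    # return a hashtable of SeDeny*Right -> resolved principal names.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $rights = @{}
    Get-Content $inf | ForEach-Object {
        if ($_ -match '^(SeDeny\w+Right)\s*=\s*(.*)$') {
            $name = $Matches[1]
            $entries = $Matches[2] -split ',' |
                       ForEach-Object { $_.Trim().TrimStart('*') } |
                       Where-Object { $_ }
            $rights[$name] = foreach ($e in $entries) {
                try {
                    $s = New-Object System.Security.Principal.SecurityIdentifier($e)
                    $s.Translate([System.Security.Principal.NTAccount]).Value
                }
                catch { $e }   # not a SID, or unresolvable (e.g. deleted account): report raw
            }
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    $rights
}

# Usage: emit the INF fragment for the assumed group, then verify the local server.
Get-DenyLogonInfFragment -GroupName 'CONTOSO\RestrictedRdpUsers'
Get-LocalDenyLogonRights | Format-Table -AutoSize
```

Link the GPO at the domain (or workstation/server OUs) and block or exclude it on the OU holding the few servers the group is allowed to reach; because the target server checks the user's token rather than a client-supplied workstation name, this holds for domain and non-domain RDP clients alike. Run Get-LocalDenyLogonRights on one of the permitted servers and on an excluded one after a gpupdate to confirm the group appears only where intended.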

Re: System administrator has limited computers you can log on

Postby chicagotech » Tue Sep 26, 2017 5:04 pm

Because RDP servers now enable NLA by default, client machines that are outside the domain will not be able to connect to the RDP server. If we have machines outside the domain requiring Remote Desktop Services, we may have to disable NLA on the RDP server.

Please open Server Manager and select Local Server. Find Remote Desktop: Enabled - System Properties - Remote - Allow connections only from computers running Remote Desktop with Network Level Authentication (Recommended). Uncheck that.
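The checkbox above maps to the UserAuthenticationRequired property of the RDP-Tcp listener, next to the SecurityLayer value discussed in option 1 earlier in the thread. Since clearing it removes pre-authentication for every client, it is worth being able to report the current state across servers. The script below is an added example written for this thread, not code from the forum post; it reads both values through the Win32_TSGeneralSetting CIM class, assumes the caller is a local administrator, and for remote servers assumes WinRM is enabled. The server list is a placeholder.

```powershell
# Added example (not from the forum post): report whether NLA is required and which
# security layer the RDP-Tcp listener uses, locally or for a list of servers.
# Assumptions: caller is an administrator; WinRM is enabled on remote targets.
function Get-RdpSecuritySetting {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)   # server list is an assumption
    )
    foreach ($c in $ComputerName) {
        $cimParams = @{
            Namespace = 'root/cimv2/TerminalServices'
            ClassName = 'Win32_TSGeneralSetting'
            Filter    = "TerminalName='RDP-Tcp'"
        }
        if ($c -ne $env:COMPUTERNAME) { $cimParams['ComputerName'] = $c }

        try {
            $ts = Get-CimInstance @cimParams -ErrorAction Stop
        }
        catch {
            [pscustomobject]@{ ComputerName = $c; NlaRequired = $null; SecurityLayer = "ERROR: $($_.Exception.Message)" }
            continue
        }

        # SecurityLayer: 0 = RDP security layer, 1 = Negotiate, 2 = TLS (SSL).
        $layer = switch ([int]$ts.SecurityLayer) {
            0       { 'RDP' }
            1       { 'Negotiate' }
            2       { 'TLS' }
            default { "Unknown($_)" }
        }
        [pscustomobject]@{
            ComputerName  = $c
            NlaRequired   = [bool]$ts.UserAuthenticationRequired   # $false = checkbox cleared
            SecurityLayer = $layer
        }
    }
}

# Usage: local server only; pass -ComputerName 'srv1','srv2' (placeholders) for a fleet.
Get-RdpSecuritySetting | Format-Table -AutoSize
```

A server on which the workaround in this post has been applied shows NlaRequired = False. Keeping that list short, and re-running the report after patch cycles, makes the exception visible instead of silently permanent.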

Re: System administrator has limited computers you can log on

Postby chicagotech » Tue Sep 26, 2017 5:04 pm

Disabling NLA for RDP server fixes the problem.

