We have a domain-joined RDS 2008 R2 server where logons are rejected for domain accounts (even domain admins) coming in directly over the internet, but it works fine over VPN or internally.
The RDS server also has a number of local accounts, and those logons work fine directly over the internet or over VPN. The domain is controlled by SBS 2003.
Some configuration and locking down was done long ago on this server, so I'm not sure if this is due to some configuration or it's a Windows issue.
I don't think it is a Windows or hardware firewall issue, since the attempted RDP logon reaches the server. The failed logon is recorded in the Event Viewer:
An account failed to log on.

Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: testuser
    Account Domain: testdomain

Failure Information:
    Failure Reason: An Error occured during Logon.
    Status: 0xc000006d
    Sub Status: 0x0

Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -

Network Information:
    Workstation Name: testPC
    Source Network Address: -
    Source Port: -

Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0
All the single dashes above are verbatim from the log entry; I did not insert them for privacy.
It turns out this issue is due to KB3002657 and KB3046049: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_28642944.html
I uninstalled KB3046049 and the problem went away for a few weeks. Recently the problem returned, so I uninstalled KB3002657 and the problem went away again. Hopefully it will stay that way this time.
You threw a curve ball when you said local accounts work directly over the internet. Then you threw another one when you said the authentication does reach the server when you look at the log.
I can only come up with 2 answers. Since you said lock-down configuration was done before, I would look in 2 places.
Have you checked the Remote Desktop Users group to see who's in it? Perhaps only the local accounts are there and not the domain accounts. Lastly, check the GPO that this server belongs to. Specifically: Computer Configuration > Windows Settings > Local Policies > User Rights Assignments > Allow log on through RDS.
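The checks from both answers (the two updates named in the self-answer, the Remote Desktop Users group and the "Allow log on through Remote Desktop Services" user right) can be gathered in one pass on the RDS host, together with a breakdown of the 4625 events with status 0xc000006d so domain-account failures can be compared with local-account logons. This is an added example, not code from either answerer; it assumes an elevated PowerShell prompt on the 2008 R2 server and uses the standard privilege constant SeRemoteInteractiveLogonRight for that user right.

```powershell
# Added example: run elevated on the RDS server itself (assumption: 2008 R2, PowerShell 2.0 or later).

# 1. Are the updates blamed in the self-answer installed on this host?
$suspectUpdates = 'KB3002657', 'KB3046049'
Get-HotFix | Where-Object { $suspectUpdates -contains $_.HotFixID } |
    Select-Object HotFixID, InstalledOn

# 2. Who is allowed in by group membership? (first check in the answer above)
net localgroup "Remote Desktop Users"

# 3. Effective "Allow log on through Remote Desktop Services" right, exported via secedit.
#    SeRemoteInteractiveLogonRight is the policy name for that right; SIDs are listed as *S-1-5-...
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /quiet | Out-Null
Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight' }
Remove-Item $cfg -ErrorAction SilentlyContinue

# 4. Failed network (type 3) logons with status 0xc000006d, grouped by account and
#    authentication package, so "domain accounts fail, local accounts succeed" is visible
#    without reading events one by one. Status and LogonType are strings in the event XML.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
                       -MaxEvents 500 -ErrorAction SilentlyContinue
$events | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    New-Object PSObject -Property @{
        Time      = $_.TimeCreated
        Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType = $d.LogonType
        Status    = $d.Status
        Package   = $d.AuthenticationPackageName
        Source    = $d.IpAddress
    }
} | Where-Object { $_.Status -eq '0xc000006d' -and $_.LogonType -eq '3' } |
    Group-Object Account, Package | Sort-Object Count -Descending |
    Select-Object Count, Name
```

If step 4 shows only domain-qualified accounts failing under NTLM while step 2 and step 3 already include the domain users or groups, the group and user-right checks are ruled out and the update-related cause is the remaining candidate.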