Jump to content

Restricting logon accounts in AD and PWS Remote


Derek
 Share

Recommended Posts

I have a few accounts in AD that are restricted to only allow Logon from certain hosts.

I tried turning off the Logon Restriction, and it works.

 

I tried adding the PWS server in, but the Browser Based RDP Console does not work.

How can I determine what the "name" of the Computer that I need to allow in AD?

Does the Browser Based Launcher generate one randomly?

 

Annotation 2019-07-01 143524.jpg

Link to comment
Share on other sites

Hello,

 

Could you provide us a screenshot of the restriction you're referring to, and we'll do some testing to see if we can reproduce the issue? From our understanding of the feature we think you're talking about, you specify which hosts you are allowed "to" logon, not "from" which hosts - but maybe we are thinking of the wrong setting in AD.

Regards

Click Studios

Link to comment
Share on other sites

The feature has a different function on Windows 8.1 and above.

It not only restricts where you can logon TO, but it also restricts where you can connect FROM because it does the Auth on your local PC and then does a Token to the target machine.

This is the Default behavior. 

See this long thread.

https://social.technet.microsoft.com/Forums/office/en-US/fab6f026-86c2-47e0-b485-2ac40623051f/remote-desktop-denies-login?forum=w8itprosecurity

 

About 80% of the way down it has a long explanation of this change in how Windows 8.1 and Server 2012 and higher handle it.

Here's a good comment that Microsoft support responded with to a user who opened a case:

 

The RDP client behaviour is changed in 8.1 and it now it enforces NLA which uses CREDSSP – it is more secure.  
Previous behaviour is that it allowed fallback to “no NLA” when NLA failed. 
If NLA is set to “required” on the RDP server side then it is expected that the client connection will fail due to the workstation not being in the list. NLA is using Kerberos or NTLM authentication which cares about where you log on from as per above attribute. In addition if you take RDP out of the loop and browse to a share, for example, on the same RDP server from any OS workstation which is not in the <log onto> list it will also fail with the same error STATUS_INVALID_WORKSTATION!. 

 

Available options here: 
1. Use this setting: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-tcp "SecurityLayer", Default is 1 (SSL).  -> Set this to 0. 
2. On the client workstation, open the RDP file with Notepad and add the string enablecredsspsupport:i:0 
3. Add the source server that the user is connecting to into the LogonTo field.

 

I'm trying to solve my issue with option 3.

I just need to know the Source Server's name that is being used to connect to the Destination Host when using the Browser Based Client.

Annotation 2019-07-02 131244.jpg

Link to comment
Share on other sites

Hi Derek,

Sorry, we've missed your updated post. It will task us some time to do this testing, but the computer name should be your Passwordstate web server name - as this is where gateway is installed by default. And if you have a look at the gateway.conf file in the Gateway folder, we also have credSSP set to true by default.

Regards

Click Studios

Link to comment
Share on other sites

I set the credSSP setting to False and it didn't change my test results.

I still got the message that the Remote Account couldn't connect.

 

We will probably disable the "Logon To" feature for our service accounts going forward.

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...