AZURESTACK\AzureStackAdmin RDP

  • Question

  • After a successful deployment of AzureStack 1.1907.0.20, I am unable to log in via RDP as either the local administrator or as AZURESTACK\AzureStackAdmin. Local access to the machine is possible via both accounts but not via RDP.

    The RDP was working fine up to the point that AzS-DC01 was deployed, then the host restarts, after that I have only been able to connect locally on the host via iDrac, remote RDP is not possible.

    Has anyone else encountered this issue?

    The source network I am connecting from is not one of the AzureStack networks, I am connecting from a 10.16.x.x range, to the IP of the Deployment network on the AzureStack host.

    EventViewer shows:

    EventID 4673 for the account AZURESTACK\AzureStackAdmin for request SeTcbPrivilege

    EventID 4625 for the account AZURESTACK\AzureStackAdmin, bad user name or bad password
    Logon process: NTLmSsp
    Authentication Package: NTLM

    (The password works fine locally)

    Thursday, August 8, 2019 9:47 AM

Answers

  • Account For Which Logon Failed:
        Security ID:        NULL SID
        Account Name:        azurestackadmin
        Account Domain:        azurestack

    Failure Information:
        Failure Reason:        Unknown user name or bad password.
        Status:            0xC000006D
        Sub Status:        0xC000006A

    Same status for both AZURESTACK\AzureStackAdmin and Administrator.

    Following some debug tracing, I believe the issue might be due to the LAN Manager authentication level defined within the GPO on the stack, for both MemberServer and DomainController.

    I have tested this by setting the GPO for MemberServer and DomainController:

    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
    Network security: LAN Manager authentication level

    Original Value: Send NTLMv2 response only. Refuse LM & NTLM
    New Value: Send NTLMv2 response only

    This now allows RDP to the Stack for Administrator and AZURESTACK\AzureStackAdmin

    This is not a problem with the AzureStack but more an issue with our own domain setup and policies, but I will put this information here in case anyone has similar issues.

    Friday, August 9, 2019 8:13 AM
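
To confirm which LAN Manager authentication level a host is actually enforcing and to decode the Status/SubStatus pair of a 4625 event, the following added example (not part of the original thread) reads the policy's registry value and parses the event XML. The function names are hypothetical, and the sample event is constructed from the values quoted in the answer above.

```powershell
# Added example, not from the thread; function names are hypothetical.
# Names for the registry value behind "Network security: LAN Manager authentication level".
$LmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}
# NTSTATUS codes quoted in this thread's 4625 events (lookup is case-insensitive).
$NtStatus = @{
    '0xC000006D' = 'STATUS_LOGON_FAILURE'
    '0xC000006A' = 'STATUS_WRONG_PASSWORD'
    '0xC0000064' = 'STATUS_NO_SUCH_USER'
}

function Get-LmCompatibilityLevel {
    # Effective value, whether set by GPO or locally; absent means the OS default applies.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $raw = $lsa.LmCompatibilityLevel
    if ($null -eq $raw) { return [pscustomobject]@{ Level = $null; Policy = 'Not defined (OS default applies)' } }
    [pscustomobject]@{ Level = $raw; Policy = $LmLevels[[int]$raw] }
}

function ConvertFrom-LogonFailure {
    param([Parameter(Mandatory)][xml]$EventXml)
    $d = @{}
    foreach ($n in $EventXml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Account   = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
        Status    = $NtStatus["$($d.Status)"]      # $null if the code is not in the table
        SubStatus = $NtStatus["$($d.SubStatus)"]
        Package   = $d.AuthenticationPackageName
        Source    = $d.IpAddress
    }
}

# Constructed sample event built from the values in the thread. On a live host use:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 20 |
#     ForEach-Object { ConvertFrom-LogonFailure $_.ToXml() }
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><EventData>
<Data Name="TargetDomainName">azurestack</Data><Data Name="TargetUserName">azurestackadmin</Data>
<Data Name="Status">0xc000006d</Data><Data Name="SubStatus">0xc000006a</Data>
<Data Name="AuthenticationPackageName">NTLM</Data></EventData></Event>
'@
Get-LmCompatibilityLevel | Format-List
ConvertFrom-LogonFailure $sample | Format-List
```

Level 5 is the only setting at which the host refuses both LM and NTLMv1 responses, so moving to level 3 means it accepts them again. Where the connecting clients can be raised to send NTLMv2, level 5 can stay in place on the host.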

All replies

  • Do you have a sub status on your Event ID 4625? It should be something similar to 0xC0000064
    Thursday, August 8, 2019 11:53 PM
    Moderator