"Bad username or password" error when attempting to RDP to a VDA
Article ID: CTX339881
Description
After installing Citrix VDA on a Windows machine, attempts to connect with RDP (mstsc) fail with "Bad username or password". The user is then presented with the graphical login interface, where entering the same username and password connects the RDP session successfully.
- If you uninstall Citrix VDA, an RDP session starts as expected with no error, using the credentials entered in the RDP user interface.
- If you select the option 'always ask for credentials', the graphical login is presented and works as expected.
- You might see Kerberos Pre-Authentication failing in a network trace, but this is not relevant.
This behaviour is seen when the Domain Controller security policy has the following security setting configured to Deny all:
Computer Configuration -> Windows Settings -> Security -> Local Policies -> Security Options -> Network security: Restrict NTLM: NTLM authentication in this domain
Resolution
For Windows Domain Controllers, configure the policy in "Default Domain Controller Policy" and set it to "Disable" to override any other policy that is restricting NTLM authentication.
Computer Configuration -> Windows Settings -> Security -> Local Policies -> Security Options -> Network security: Restrict NTLM: NTLM authentication in this domain
Problem Cause
When this behaviour is observed, the failure is in NTLM authentication. If the policy highlighted above is configured to Deny all, then only Kerberos authentication remains. This setting on the Domain Controller is what causes the RDP login behaviour when VDA is installed.
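One way to confirm this cause on the Domain Controller, as an added example that is not part of the Citrix article. It assumes the policy is backed by the registry value RestrictNTLMInDomain under the Netlogon parameters key and that blocked requests are logged as event ID 4004 in the NTLM operational log; neither detail is stated in the article.

```powershell
# Added example: run in an elevated PowerShell session on a domain controller.
# Reads the effective value of "Network security: Restrict NTLM: NTLM
# authentication in this domain" and lists recent NTLM block events.

# Assumption: registry location that backs the policy setting.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$name = 'RestrictNTLMInDomain'

# Registry value -> policy option name.
$options = @{
    0 = 'Disable'
    1 = 'Deny for domain accounts to domain servers'
    3 = 'Deny for domain accounts'
    5 = 'Deny for domain servers'
    7 = 'Deny all'
}

$prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
if ($null -eq $prop) {
    # Value absent: the policy is not configured, so NTLM is not restricted here.
    $value = 0
    Write-Output "$name is not set (policy not configured)."
} else {
    $value = [int]$prop.$name
    $label = if ($options.ContainsKey($value)) { $options[$value] } else { 'unknown value' }
    Write-Output "$name = $value ($label)"
}

if ($value -eq 7) {
    Write-Output 'Deny all is in effect: this DC refuses NTLM authentication requests.'
}

# Assumption: event ID 4004 is the domain controller blocking an NTLM request.
# Matching entries at the time of the failed RDP attempt support the diagnosis.
$filter = @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 4004
    StartTime = (Get-Date).AddHours(-1)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if ($events) {
    $events | Select-Object TimeCreated, Id, Message | Format-List
} else {
    Write-Output 'No NTLM block events (ID 4004) found in the last hour.'
}
```

To see which GPO delivers the value before changing it, generate a report on the Domain Controller with `gpresult /scope computer /h report.html`.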
Issue/Introduction
When attempting to RDP to a VDA, you might see "Bad username or password", and then get the graphical logon where you can enter the username and password and start an RDP session. This may happen if the Domain Controller is Windows Server 2019.
Additional Information
See the following Microsoft article to understand the possible values for Network security: Restrict NTLM: NTLM authentication in this domain policy:
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain