无法通过 RDP 进入 Windows Server 2016:0x80090302

tag-icon tag-icon windows active-directory remote-desktop windows-server-2016 ntlm
无法通过 RDP 进入 Windows Server 2016:0x80090302

我尝试通过 RDP 连接多个 Windows Server 2016 VM,但没有成功。它已加入域,我正在使用域帐户。

我在服务器上看到的错误是事件 ID 4625:

An account failed to log on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:           0x0

Logon Type:             3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       XXXX
    Account Domain:     XXXX

Failure Information:
    Failure Reason:     An Error occured during Logon.
    Status:             0x80090302
    Sub Status:         0xC0000418

Process Information:
    Caller Process ID:      0x0
    Caller Process Name:    -

Network Information:
    Workstation Name:       X.X.X.X
    Source Network Address: X.X.X.X
    Source Port:            0

Detailed Authentication Information:
    Logon Process:              NtLmSsp 
    Authentication Package:     NTLM
    Transited Services:         -
    Package Name (NTLM only):   -
    Key Length:                 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

我相信这可能是 NTLM 身份验证的问题,因为它应该被禁用,但事件日志仍然显示 NTLM 作为身份验证包。

在域控制器和服务器上设置了以下本地安全策略:

  • 网络安全:LAN 管理器身份验证级别:仅发送 NTLMv2 响应。拒绝 LM 和 NTLM
  • 网络安全:基于 NTLM SSP 的客户端/服务器的最低会话安全性:需要 NTLMv2 会话安全,需要 128 位加密
  • 网络安全:此域中的 NTLM 身份验证:全部拒绝

注册表项HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel已在服务器上设置为 5https://technet.microsoft.com/en-us/library/cc960646.aspx

如果我禁用仅允许运行具有网络级别身份验证的远程桌面的计算机进行连接尽管这不是一个长久之计。

答案1

“身份验证包”问题只是个幌子。那里的选项是 NTLM 和 Kerberos。

如果在关闭 NLA 时它可以正常工作,那么您的问题很可能是无法满足 NLA 的先决条件。当您使用 NLA 时,机器会使用证书验证彼此的身份,然后您的机器通过 TLS 传递您的凭据。

第一步是通过运行 MMC.EXE 并为这些机器添加证书管理单元来检查证书。

服务器和客户端是否都具有 RDP 证书?该证书有效吗?计算机的主机名是否与证书匹配?该证书是否受另一台计算机信任(特别是,客户端必须信任服务器的证书)?

通常,Windows 将生成一个自签名证书如果您没有设置企业 CA。可以将此证书添加到客户端上的受信任根存储以解决此问题。请注意,此证书的有效期仅为 6 个月,因此如果这是原因,问题最终会再次出现。

如果您希望 NLA“正常工作”,您应该设置 Windows 企业 CA 并通过组策略配置所有机器的自动注册。

相关内容