Solving a strange Remote Desktop Gateway authentication problem

I recently deployed a new Remote Desktop Gateway server but when I authenticated it would tell me the logon failed even though I knew the policies were valid for the user (because I could logon from a different computer) and I knew the credential was correct.

There were no logs under TerminalServices-Gateway\Operational which meant the problem was not a policy issue as the connection was not getting this far.

To start the troubleshooting Kerberos logging was enabled on the client machine:

On connecting again I could check the System event log and examined Kerberos logs. Sure enough there were Kerberos errors. The problem seemed to be on my machine the authentication did not fallback to NTLM which it did on the machines where it worked.

The solution was to add an SPN for the public facing name which solved the problem.

Leave a Reply