When attempting to RDP via ASA/OPA (ASA/OPA client to ASA/OPA server agent), the RDP connection fails with the following type of error:
Your credentials did not work. The logon attempt failed.
From the ASA/OPA perspective, no errors are logged, as client/server agent debug logs look similar to a successful connection.
On the Windows server OS side, the Security event log may record Event ID 4625, "An account failed to log on", with the failure reason "Unknown user name or bad password".
Applies to:
- Advanced Server Access (ASA)
- Okta Privileged Access (OPA)
This is a sign of a configuration mismatch in the Windows environment, outside the scope of the ASA/OPA client or the ASA/OPA server agent. Potential causes vary, but in this example the Windows client was configured to authenticate the session with LM or NTLMv1 responses, while the server accepted only NTLMv2. The server rejects the NTLMv1 response, and Windows records the rejection as a bad-password logon failure rather than a protocol error, which is why neither ASA/OPA side logs anything unusual.
In this example, the environment was configured so that only NTLMv2 was accepted for RDP sessions. To resolve the issue, the following GPO setting had to be pushed out to the clients so that they send only NTLMv2 responses (this policy writes the LmCompatibilityLevel value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and "Send NTLMv2 response only" corresponds to level 3):
- Path: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
- Policy: Network security: LAN Manager authentication level
- Value: Send NTLMv2 response only
Please consult with the Windows administrators before making such a change to ensure there are no broader environmental implications.
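As an added example (not from this article and not Okta's own tooling), the following PowerShell script checks both ends of the RDP session for the NTLM level mismatch described above before any GPO change is pushed, and pulls the 4625 events that carry the "Unknown user name or bad password" status. It assumes it is run elevated on the RDP client, that the client has remote management access to the target server (Invoke-Command for the registry read, remote event log access for Get-WinEvent), and that the server name rdp-target01 is a placeholder to be replaced.

```powershell
# Added example; not part of the Okta article. Reads the effective
# "LAN Manager authentication level" (LmCompatibilityLevel) on the RDP client
# and on the target server, reports whether the client's NTLM response type
# would be refused by the server, and lists matching 4625 events.

$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    param([string]$ComputerName)
    $read = {
        $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        $item = Get-ItemProperty -Path $key -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
        # An absent value means "not configured"; supported Windows versions then behave as level 3.
        if ($null -eq $item) { 3 } else { [int]$item.LmCompatibilityLevel }
    }
    if ($ComputerName) { Invoke-Command -ComputerName $ComputerName -ScriptBlock $read } else { & $read }
}

function Test-NtlmLevelMismatch {
    param([int]$ClientLevel, [int]$ServerLevel)
    # Client levels 0-2 answer with LM/NTLMv1; levels 3-5 answer with NTLMv2.
    # Server level 5 refuses LM and NTLMv1 (the article's scenario); level 4 refuses LM only.
    $clientSendsV1   = $ClientLevel -le 2
    $serverRefusesV1 = $ServerLevel -eq 5
    $willFail        = $clientSendsV1 -and $serverRefusesV1
    $fix = if ($willFail) { 'Raise the client to level 3 or higher via the GPO above' } else { 'Levels are compatible; look elsewhere' }
    [pscustomobject]@{
        ClientLevel = "$ClientLevel ($($LevelNames[$ClientLevel]))"
        ServerLevel = "$ServerLevel ($($LevelNames[$ServerLevel]))"
        WillFail    = $willFail
        Fix         = $fix
    }
}

function Get-BadPasswordLogonFailures {
    param([string]$ComputerName, [int]$Hours = 1)
    # Event 4625 with NTSTATUS 0xC000006D is the "Unknown user name or bad password" signature.
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = if ($ComputerName) { Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue }
              else { Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue }
    foreach ($e in $events) {
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        $get  = { param($n) ($data | Where-Object Name -eq $n).'#text' }
        if ((& $get 'Status') -eq '0xc000006d') {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                User      = "$(& $get 'TargetDomainName')\$(& $get 'TargetUserName')"
                Package   = & $get 'AuthenticationPackageName'   # NTLM here confirms NTLM, not Kerberos, was negotiated
                LogonType = & $get 'LogonType'
                Source    = & $get 'IpAddress'
            }
        }
    }
}

$server = 'rdp-target01'   # placeholder: the Windows host running the ASA/OPA server agent
$client = Get-LmCompatibilityLevel
$target = Get-LmCompatibilityLevel -ComputerName $server
Test-NtlmLevelMismatch -ClientLevel $client -ServerLevel $target | Format-List
Get-BadPasswordLogonFailures -ComputerName $server | Format-Table -AutoSize
```

If WillFail is true, the 4625 rows should show AuthenticationPackageName NTLM for the account being used through ASA/OPA; if the levels are compatible and the failures persist, the NTLM setting is not the cause and the investigation moves elsewhere in the Windows environment.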
If this does not resolve the issue, or troubleshooting shows that the issue is unrelated to the NTLM settings, investigate further in the Windows environment. Overall, the error signature cited above and the absence of errors in the ASA/OPA logs indicate that the issue is outside the scope of ASA/OPA.
