Simple setup, all 2012 R2 Standard.
- Domain Controller
- RDS Gateway, Broker, Webaccess
- Session Host
Clients can log into webaccess with their email address (account in DC). When they run the connection app from webaccess it will prompt a second time for credentials. If you type in the email address again it will often go straight in. If you don't type in the email address and run with DOMAIN\username you will get one more credential request which, once details are entered, will let you in, although sometimes it doesn't. So two prompts with an email address and three with DOMAIN\username.
The event logs on the gateway state that the user is successfully redirected to the session host.
The event logs and netlogon.log, when enabled, on the session host show that when logging in with DOMAIN\username the username is (NULL)\DOMAIN\username the first two times then changes to DOMAIN\username for the third.
Using the email address, not much is in the netlogon.log. The Security log seems to state "A logon was attempted using explicit credentials" in relation to the successful login, but nothing about the first unsuccessful one.
I might be looking at the wrong thing, but I've tried everything else I can think of, including:
- Built a new session host and connection as different session collection. Same issue.
- Added TERMSRV/*.domain.local and TERMSRV/*.domain.co.uk in "allow delegating default credentials" and the NTLM-only version in the local policy on the gateway. (will tighten security on this once it works)
- Set "always prompt for password" to disabled on session host.
- Set "NTLMv2 only" in LAN manager authentication level across the domain. And checked that the client computer has this set to "Not defined".
- Turned off "Use my RD Gateway credentials for the remote computer" in the app from remote access. It prompts the second time for direct auth to the session host as expected, and DOMAIN\username works. So it has to be something the gateway is doing.
Ideas would be greatly appreciated!!!! I'm certain it's something to do with (NULL)\DOMAIN\username. But could definitely be wrong.
Happy to post logs (ran out of time for now).
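As an added example (not from the original post or from Microsoft), this PowerShell script gathers in one place the settings and events the post is juggling: the two CredSSP delegation lists (default and NTLM-only) with their TERMSRV/* entries, the LmCompatibilityLevel behind "NTLMv2 only", and the recent Security 4648 "explicit credentials" events, flagging any whose user-name field itself carries a domain prefix. The registry paths and event fields are the standard ones; treating a backslash inside TargetUserName as the sign of the (NULL)\DOMAIN\username form is an assumption, not something the post confirms.

```powershell
# Run elevated on the RD Gateway (and again on the session host) to compare both sides.
$delegationKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

# "Allow delegating default credentials" and its "...with NTLM-only server authentication" variant.
foreach ($setting in 'AllowDefaultCredentials', 'AllowDefCredentialsWhenNTLMOnly') {
    $enabled = (Get-ItemProperty -Path $delegationKey -Name $setting -ErrorAction SilentlyContinue).$setting
    "{0}: enabled={1}" -f $setting, ($enabled -eq 1)

    # The SPN list lives in a subkey of the same name, one value per entry named 1, 2, 3 ...
    $listKey = Join-Path $delegationKey $setting
    if (Test-Path $listKey) {
        (Get-ItemProperty -Path $listKey).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object {
                # Wildcards such as TERMSRV/*.domain.local are what the post plans to tighten later.
                $note = if ($_.Value -match '\*') { '   <- wildcard entry' } else { '' }
                "    $($_.Value)$note"
            }
    }
}

# LAN Manager authentication level: 3-5 send NTLMv2 only; 5 also refuses LM and NTLM on the server side.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
"LmCompatibilityLevel: {0}" -f $(if ($null -eq $lsa) { 'not set (default)' } else { $lsa.LmCompatibilityLevel })

# Security 4648 = "A logon was attempted using explicit credentials" (last hour).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4648; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time          = $_.TimeCreated
            Subject       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            TargetDomain  = $d.TargetDomainName
            TargetUser    = $d.TargetUserName
            # Assumption: a mangled (NULL)\DOMAIN\user would surface as a backslash inside the user field.
            DoubledPrefix = ($d.TargetUserName -match '\\')
            TargetServer  = $d.TargetServerName
            Process       = $d.ProcessName
        }
    } | Format-Table -AutoSize
```

Reproduce one failed and one successful prompt, then compare the 4648 rows (and their absence) between the gateway and the session host against the netlogon.log timestamps.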