No remote desktop logon possible from outside the Active Directory forest

Assume the following scenario:

  • You want to establish a remote desktop connection.
  • The client computer from which the connection is made is not a member of the same Active Directory forest as the target computer.
  • The connection fails with the following error message:

> A user account restriction (for example, a time-of-day restriction) is preventing you from logging on. For assistance, contact your system administrator or technical support.

Cause

The problem occurs when the user in question is a member of the Protected Users security group and one of the following conditions applies:

  • Access is from a system outside the Active Directory forest to which the target computer belongs.
  • The logon name was entered in the format DOMAIN\username.

The underlying cause is that in these cases no Kerberos authentication takes place; instead, the logon falls back to NTLM.

Members of Protected Users, however, are not permitted to authenticate with NTLM, so the fallback fails with the error shown above.

Solution

You can force Kerberos authentication by entering the logon name in the format username@domain, that is, as the user principal name (UPN).

In addition, the connection must be established via the fully qualified DNS name of the target system and not via its IP address, since Kerberos needs a host name to request a service ticket for the target.
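The following PowerShell check is an added example, not part of the original article: it flags the two conditions described above (DOMAIN\username logon name, IP address or short name as target) before the connection is attempted, and optionally reports whether the account is a Protected Users member. It assumes the RSAT ActiveDirectory module is installed and can reach the user's domain; the host name and account are constructed sample values.

```powershell
# Added example (not from the original article). Assumes the RSAT ActiveDirectory
# module is available and can reach the user's domain. Host name and account below
# are constructed sample values.
function Test-RdpKerberosReadiness {
    param(
        [Parameter(Mandatory)] [string] $TargetHost,   # e.g. 'srv01.corp.example.com'
        [Parameter(Mandatory)] [string] $UserName      # e.g. 'jdoe@corp.example.com'
    )
    $problems = @()

    # 1. DOMAIN\username triggers the NTLM fallback, which Protected Users cannot use.
    if ($UserName -match '^[^\\@]+\\[^\\@]+$') {
        $problems += "Logon name '$UserName' is in DOMAIN\username form; use the UPN (username@domain) so Kerberos is selected."
    }

    # 2. An IP address or short name gives Kerberos no service principal to request a ticket for.
    if ([System.Net.IPAddress]::TryParse($TargetHost, [ref]$null)) {
        $problems += "Target '$TargetHost' is an IP address; connect to the fully qualified DNS name instead."
    } elseif ($TargetHost -notmatch '\.') {
        $problems += "Target '$TargetHost' is a short name; use the fully qualified DNS name."
    }

    # 3. Protected Users membership is what turns the NTLM fallback into a hard failure.
    if ($UserName -match '@' -and (Get-Module -ListAvailable -Name ActiveDirectory)) {
        try {
            $user   = Get-ADUser -Filter "UserPrincipalName -eq '$UserName'" -ErrorAction Stop
            $groups = Get-ADPrincipalGroupMembership -Identity $user.DistinguishedName |
                      Select-Object -ExpandProperty Name
            if ($groups -contains 'Protected Users') {
                Write-Host "Note: $UserName is a member of Protected Users; Kerberos is mandatory for this logon."
            }
        } catch {
            Write-Warning "Could not query group membership for '$UserName': $_"
        }
    }

    return $problems
}

# Usage: validate first, then start mstsc only against a compliant target, and enter the
# UPN (username@domain) at the credential prompt.
$issues = Test-RdpKerberosReadiness -TargetHost 'srv01.corp.example.com' -UserName 'jdoe@corp.example.com'
if ($issues.Count -eq 0) {
    mstsc /v:srv01.corp.example.com
    # After a successful logon, 'klist' on the client should show a TERMSRV/srv01.corp.example.com ticket.
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```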
