RDP to Azure Active Directory joined Windows 10 Computer
In case you have trouble to connect to an Azure AD joined Windows 10 Computer by using the Remote Desktop Protocol (RDP) and your Azure AD credentials like shown below, you first need to adjust some settings in the RDP file.
Here I wanted to connect to a virtual Windows 10 computer which is running in on-premise on Hyper-V and is just Azure AD joined.
I just got the error message The logon attempt failed, nothing more.
To be able to connect, first check if Allow remote connections to this computer is enabled and the option Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended) is not checked.
Network Level Authentication was already disabled. If not, disable it.
Also check that the Azure AD user (or Hybrid user) have the rights to connect to from remote. So the user either should be in the local Administrators or Remote Desktop Users group.
If not you can add an Azure AD user by using the following PowerShell Cmdlet
net localgroup “Remote Desktop Users” /add “AzureADthe-UPN-attribute-of-your-user”
Source: https://learn.microsoft.com/en-us/windows/client-management/connect-to-remote-aadj-pc
Now at least we also need to adjust the RDP file resp. first save this file in order to be able to edit it.
Right click on the RDP file and open it with your favorite text editor.
Add or change the following RDP properties if not still listed and have the correct value. In most cases you just have to disable CredSSP by set enablecredsspsupport to 0. The authentication level property mostly is already set to 2.
authentication level:i:2
enablecredsspsupport:i:0Supported RDP properties with Remote Desktop Services
https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop
Now we can try to connect to our VM by double click on the RDP file.
Here we need to add the AzureAD domain in front of the username to tell Windows to authenticate against Azure AD. If not we see a message that the username or password is not correct as shown below.
Without AzureAD<username>
As mentioned enter also the AzureAD domain in front of your username like
AzureADjdoe@braintesting.de
Now we are able to connect remote to our Azure AD joined Windows 10 Computer and by using our Azure AD credentials or Hybrid if synced from on-premise to Azure AD.
Credential Security Support Provider (CredSSP) protocol
The Credential Security Support Provider protocol (CredSSP) is a Security Support Provider that is implemented by using the Security Support Provider Interface (SSPI). CredSSP lets an application delegate the user’s credentials from the client to the target server for remote authentication. CredSSP provides an encrypted Transport Layer Security Protocol channel. The client is authenticated over the encrypted channel by using the Simple and Protected Negotiate (SPNEGO) protocol with either Microsoft Kerberos or Microsoft NTLM.
Source: https://learn.microsoft.com/en-us/windows/win32/secauthn/credential-security-support-provider
Network Level Authentication is an authentication method that can be used to enhance RD Session Host server security by requiring that the user be authenticated to the RD Session Host server before a session is created.
Network Level Authentication completes user authentication before you establish a remote desktop connection and the logon screen appears. This is a more secure authentication method that can help protect the remote computer from malicious users and malicious software.
More about Hybrid and syncing on-premise user to Azure AD you will find in my following posts.
Links
Connect to remote Azure Active Directory-joined PC
https://learn.microsoft.com/en-us/windows/client-management/connect-to-remote-aadj-pcSupported RDP properties with Remote Desktop Services
https://learn.microsoft.com/en-us/windows-server/remote/remote-desktopCredential Security Support Provider (CredSSP) protocol
https://learn.microsoft.com/en-us/windows/win32/secauthn/credential-security-support-providerConfigure Network Level Authentication for Remote Desktop Services Connections
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732713(v=ws.11)