No remote desktop logon possible from outside the Active Directory forest

Assume the following scenario:

  • You want to establish a remote desktop connection.
  • The client computer from which the connection is made is not a member of the same Active Directory forest as the target computer.
  • The connection fails with the following error message:
    "A user account restriction (for example, a time-of-day restriction) is preventing you from logging on. For assistance, contact your system administrator or technical support."

Cause


The phenomenon occurs when the user in question is a member of the Protected Users security group and one of the following conditions applies:

  • Access is from a system outside the Active Directory forest to which the target computer belongs.
  • The logon name was entered in the format DOMAIN\username.

The underlying cause is that in these cases no Kerberos authentication takes place; the client falls back to NTLM instead.

If the user is a member of Protected Users, however, NTLM authentication is not permitted, so the logon fails.

Solution

You can force Kerberos authentication by entering the logon name in the format username@domain, that is, as the user principal name (UPN).

In addition, the connection must be established via the fully qualified DNS name (FQDN) of the target system and not via its IP address.
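As an added example (not part of the original article), the following PowerShell function applies both rules from the solution before a connection is attempted: it rejects IP-address targets and names that are not fully qualified, rewrites DOMAIN\username into a UPN using a caller-supplied map of NetBIOS domain names to UPN suffixes (an assumed input, since a client outside the forest cannot simply query the target forest's Active Directory), and writes a minimal .rdp file that prompts for credentials instead of storing them. All host, domain and user names in the usage line are constructed.

```powershell
# Added example, not from the original article. Produces RDP connection parameters
# that let the client obtain a Kerberos ticket instead of falling back to NTLM.
function New-KerberosRdpFile {
    param(
        [Parameter(Mandatory)] [string] $Target,      # e.g. srv01.corp.example.com (FQDN)
        [Parameter(Mandatory)] [string] $UserName,    # user@corp.example.com or CORP\user
        [hashtable] $UpnSuffixByNetBiosDomain = @{},  # assumed input, e.g. @{ CORP = 'corp.example.com' }
        [string] $OutFile = (Join-Path $env:TEMP 'kerberos-logon.rdp')
    )

    # Rule 1: address the target by FQDN. For an IP address the client does not
    # use Kerberos and falls back to NTLM, which Protected Users may not use.
    $parsedIp = $null
    if ([System.Net.IPAddress]::TryParse($Target, [ref]$parsedIp)) {
        $hint = ''
        try { $hint = " (reverse lookup suggests '$([System.Net.Dns]::GetHostEntry($parsedIp).HostName)')" } catch { }
        throw "Target '$Target' is an IP address; connect to its DNS name instead$hint"
    }
    if ($Target -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
        throw "Target '$Target' is not a fully qualified DNS name"
    }

    # Rule 2: give the user name as UPN. DOMAIN\user is rewritten when the caller
    # supplied the matching UPN suffix; otherwise it is rejected rather than guessed.
    if ($UserName -match '^(?<dom>[^\\@]+)\\(?<sam>[^\\@]+)$') {
        $suffix = $UpnSuffixByNetBiosDomain[$Matches.dom]
        if (-not $suffix) {
            throw "'$UserName' is in DOMAIN\username format, which forces NTLM; no UPN suffix known for '$($Matches.dom)'"
        }
        $UserName = '{0}@{1}' -f $Matches.sam, $suffix
    }
    elseif ($UserName -notmatch '^[^\\@\s]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
        throw "'$UserName' is neither DOMAIN\username nor username@domain"
    }

    # Write a minimal .rdp file. Credentials are prompted for at connect time, never stored.
    @(
        "full address:s:$Target"
        "username:s:$UserName"
        'prompt for credentials:i:1'
    ) | Set-Content -Path $OutFile -Encoding Unicode

    [pscustomobject]@{ Target = $Target; UserName = $UserName; RdpFile = $OutFile }
}

# Usage (constructed values): rewrite CORP\jdoe to jdoe@corp.example.com and open the file in mstsc.
New-KerberosRdpFile -Target 'srv01.corp.example.com' -UserName 'CORP\jdoe' `
    -UpnSuffixByNetBiosDomain @{ CORP = 'corp.example.com' } | ForEach-Object { mstsc.exe $_.RdpFile }
```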
