Fix RDP auth failure for AD Protected Users (NTLM disabled) #3176

Draft
Copilot wants to merge 2 commits into v1.78.2-dev from copilot/fix-mremote-rdp-connection-issue

Copilot AI commented Feb 25, 2026

Users in the AD Protected Users security group have NTLM blocked at the domain level. mRemoteNG unconditionally sets ClearTextPassword on the RDP ActiveX control, causing CredSSP to fall back to NTLM — producing "A user account restriction is preventing you from logging in" — while mstsc succeeds via Windows SSO/Kerberos.

mRemoteNG already implements two Kerberos-based auth modes in RdpProtocol8 (UseRestrictedAdminRestrictedLogon, UseRCGDisableCredentialsDelegation + RedirectedAuthentication). The gaps being addressed:

  • RdpProtocol.cs / SetCredentials() — Skip setting ClearTextPassword when UseRestrictedAdmin or UseRCG is active. These modes use the current user's Kerberos ticket and never forward explicit credentials; setting a password is not only unnecessary but risks triggering an NTLM attempt before the extended properties take effect.

    // Previously: password was always written, risking NTLM fallback
    if (!connectionInfo.UseRestrictedAdmin && !connectionInfo.UseRCG)
    {
        _rdpClient.AdvancedSettings2.ClearTextPassword = password;
    }

  • Language.resx — Updated PropertyDescriptionUseRestrictedAdmin and PropertyDescriptionUseRCG to explicitly call out AD Protected Users / NTLM-disabled scenarios, Kerberos requirements, and pre-requisites (domain membership, admin rights on target) so users can self-diagnose and apply the correct setting.
Original prompt

This section details on the original issue you should resolve

<issue_title>AD group protected user</issue_title>
<issue_description>RDP-Connections don't work with mRemoteNG when the admin User is in the AD group protected user but the connection is successful when using the windows mstsc

Protocol Event Disconnected. Host: ‘x.x.x.x’; Protocol: “RDP” Message: ‘A user account restriction (e.g. a restriction based on the time of day) is preventing you from logging in. Contact your system administrator or technical support for assistance.’

The Protected User group is a special security group which automatically applies protections to minimize credential exposure. Starting with Windows 8.1. Older operating systems must be updated to take this protection into account, such as with the Windows 7 KB2871997 patch.
For admins, it:

  • Disables NTLM authentication
  • Reduces Kerberos ticket lifetime
  • Mandates strong encryption algorithms, such as AES
  • Prevents password caching on workstations
  • Prevents any type of Kerberos delegation</issue_description>

Comments on the Issue (you are @copilot in this section)

@Kvarkas technically mRemoteNG doesn't manage this, it's all from the RDP protocol itself, but will try to look if something could be done
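A pre-flight check for the scenario described in the pull request comment above, added here as an example and not part of the PR or of mRemoteNG: it reports whether an account is in Protected Users and whether the target can accept the Kerberos-only modes. The parameter names are chosen for this example, and it assumes the RSAT ActiveDirectory module and WinRM access to the target.

```powershell
# Added example, not mRemoteNG code. Needs the RSAT ActiveDirectory module and
# WinRM access to the target; both parameter names are chosen for this example.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [Parameter(Mandatory)] [string] $TargetHost
)
Import-Module ActiveDirectory -ErrorAction Stop

# 1. Direct or nested membership in Protected Users means NTLM is refused for the account.
$isProtected = [bool](Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Where-Object { $_.SamAccountName -eq $SamAccountName })

# 2. Windows does not attempt Kerberos for an IP-address target by default,
#    so a connection addressed by IP can only negotiate NTLM.
$parsed = $null
$targetIsIp = [System.Net.IPAddress]::TryParse($TargetHost, [ref]$parsed)

# 3. The target accepts Restricted Admin / Remote Credential Guard logons when
#    DisableRestrictedAdmin is 0 under the Lsa key. A missing or unreadable value
#    is reported as not enabled (assumption: current Windows defaults).
$lsaValue = $null
try {
    $lsaValue = Invoke-Command -ComputerName $TargetHost -ErrorAction Stop -ScriptBlock {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        (Get-ItemProperty -Path $key -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue).DisableRestrictedAdmin
    }
} catch {
    Write-Warning "Could not read Lsa settings from ${TargetHost}: $($_.Exception.Message)"
}
$targetAllowsModes = ($null -ne $lsaValue) -and ($lsaValue -eq 0)

# Turn the three findings into one recommendation for the connection settings.
if (-not $isProtected) {
    $advice = 'Account is not in Protected Users; the NTLM restriction does not apply to it.'
} elseif ($targetIsIp) {
    $advice = 'Connect by host name so that Kerberos can be used.'
} elseif (-not $targetAllowsModes) {
    $advice = 'Target does not report DisableRestrictedAdmin = 0; check it before enabling UseRestrictedAdmin or UseRCG.'
} else {
    $advice = 'Enable UseRestrictedAdmin or UseRCG on the connection so that no password is set.'
}

[pscustomobject]@{
    Account             = $SamAccountName
    InProtectedUsers    = $isProtected
    TargetIsIpAddress   = $targetIsIp
    TargetAllowsRaOrRcg = $targetAllowsModes
    Advice              = $advice
}
```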

…y modes

Co-authored-by: Kvarkas <3611964+Kvarkas@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix RDP connection issue with protected user in mRemoteNG Fix RDP auth failure for AD Protected Users (NTLM disabled) Feb 25, 2026
@sonarqubecloud

Quality Gate failed

Failed conditions
D Maintainability Rating on New Code (required ≥ A)
C Reliability Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

robertpopa22 added a commit to robertpopa22/mRemoteNG that referenced this pull request Mar 1, 2026
…sers)

Backport of upstream copilot PR mRemoteNG#3176. When UseRestrictedAdmin or UseRCG
is enabled, credentials are forwarded via Kerberos — assigning a password
would cause NTLM fallback attempts that fail for AD Protected Users accounts.
Also improves property descriptions for these modes.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
robertpopa22 added a commit to robertpopa22/mRemoteNG that referenced this pull request Mar 1, 2026
README: update issue counts (843 triaged, 697 addressed = 83%),
needs_human 0, upstream PR backports (mRemoteNG#3177/mRemoteNG#3176/mRemoteNG#3154/mRemoteNG#3171),
SQL schema fix. Remove outdated "74 needs_human" section.

iis-verify: add Qodo review check, upstream PR status, issues
triage status to quality verification report.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Development

Successfully merging this pull request may close these issues.

AD group protected user