CredSSP errors when attempting to use RDP Web Client

avatar

When attempting to use the Devolutions Server RDP Web Client:
[CredSSP] CredSSP Caused by: InvalidToken: CredSSP server returned an error status; status is STATUS_ACCOUNT_RESTRICTION [0xc000006e]

Any help would be greatly appreciated.

All Comments (5)

avatar

Hi,

STATUS_ACCOUNT_RESTRICTION [0xc000006e] is normally returned by the server when the user can be properly authenticated, but the user is not a member of the Remote Desktop Users local group on the destination RDP server. Can you verify that it is possible to connect to the same server using the same user using mstsc or another RDP client first?

Best regards,

Marc-André Moreau

avatar

The account is a Domain Administrator. I can connect normally through Remote Desktop Manager and the RDP client.

I think it may be related to that account being a member of the Active Directory "Protected Users" group, which protects the credentials from caching?

avatar

This would make sense - in this case, Kerberos is mandatory. Did you configure the KDC proxy in Devolutions Gateway to allow the RDP web client to authenticate with Kerberos?

https://docs.devolutions.net/kb/devolutions-gateway/how-to-articles/use-nla-rdp-connection/

Best regards,

Marc-André Moreau

avatar

After adding the KDC proxy, I'm getting this error: [CredSSP] CredSSP Caused by: InvalidToken: ASN1 DER error: TruncatedData

avatar

This cryptic error is a symptom that the outgoing connection from Devolutions Gateway to the KDC server has failed. We've improved this error handling in the next release with a better error message.

The KDC server can be formatted as a URL; maybe try being explicit. Here's what it looks like for my lab environment:

Server: tcp://IT-HELP-DC.ad.it-help.ninja:88
Realm: ad.it-help.ninja

Also make sure you're using the correct Kerberos realm. If it still fails I would recommend looking at the logs in Devolutions Gateway to catch the outgoing connection failure.

Best regards,

Marc-André Moreau
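
One way to run the checks suggested in the last reply from the Devolutions Gateway host, as an added example that is not part of the original thread or of Devolutions' own tooling. It confirms that the KDC server value is an explicit tcp:// URL, applies a heuristic that the KDC host sits under the realm's DNS name (an Active Directory convention, assumed here), and tests the outgoing TCP connection. The function names are hypothetical; the server and realm values are the lab ones quoted in the reply.

```python
import socket
from urllib.parse import urlsplit

KERBEROS_PORT = 88  # standard Kerberos port, matching the lab example in the thread


def parse_kdc_server(value):
    """Split an explicit tcp://host[:port] KDC value into (host, port)."""
    parts = urlsplit(value)
    # Assumption: only the tcp:// form shown in the thread is accepted here.
    if parts.scheme.lower() != "tcp" or not parts.hostname:
        raise ValueError(f"expected explicit tcp://host:port, got {value!r}")
    return parts.hostname, parts.port or KERBEROS_PORT


def realm_matches_host(host, realm):
    """Heuristic (assumption): an AD domain controller's FQDN sits under the realm name."""
    host, realm = host.lower().rstrip("."), realm.lower().rstrip(".")
    return host == realm or host.endswith("." + realm)


def check_kdc(server, realm, timeout=3.0):
    """Return a list of problems found; an empty list means the basics look right."""
    try:
        host, port = parse_kdc_server(server)
    except ValueError as exc:  # bad scheme, missing host, or non-numeric port
        return [str(exc)]
    problems = []
    if not realm_matches_host(host, realm):
        problems.append(f"KDC host {host} is not under realm {realm}")
    try:
        # The same outgoing connection the gateway has to make to the KDC.
        with socket.create_connection((host, port), timeout=timeout):
            pass
    except OSError as exc:  # DNS failure, refused, filtered, or timed out
        problems.append(f"cannot reach {host}:{port} over TCP: {exc}")
    return problems


if __name__ == "__main__":
    # Lab values quoted in the thread; substitute your own KDC and realm.
    found = check_kdc("tcp://IT-HELP-DC.ad.it-help.ninja:88", "ad.it-help.ninja")
    print("\n".join(found) if found else "KDC reachable and values look consistent")
```

Run it on the machine hosting Devolutions Gateway, since the connection that matters is the one from the gateway to the KDC, not from the client workstation.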