Issue with get in to RDP server. Authentication issues (event 4634 and 4768).

Denys Pasternak 85 Reputation points
2025-10-24T07:17:08.2533333+00:00

Hello.

I have a server that's having trouble logging in for some (not all) domain users.

The server accepts credentials (correct), then loads the RDP session window, and then, on the username and password entry screen, reports that the username or password is incorrect. However, on the server, I see the login as contoso.com******@contoso.com, even though I entered user\contoso.com.

Some domain users can log in.

Logging in with a local account works fine.

Connecting to a shared directory or system directory using NTLM with the same domain credentials works.

The problem is with Kerberos on this machine. It's no different from other similar RDP servers.

I checked the trust relationships with the domain controller and they are fine.

I checked for time discrepancies; there are no net discrepancies, and synchronization is working, even though the server is in a different time zone. I checked the domain controllers' availability, and everything is fine.

I'm seeing server-related errors on the domain controller:

```text
Log Name: Security
Event ID: 4768
Task Category: Kerberos Authentication Service
Keywords: Audit Failure
Computer: controller.contoso.com
Description:
A Kerberos authentication ticket (TGT) was requested.

Account Information:
	Account Name:		host-a$
	Supplied Realm Name:	contoso.LOCAL
	User ID:			NULL SID
	MSDS-SupportedEncryptionTypes:	-
	Available Keys:	-

Service Information:
	Service Name:		krbtgt/contoso.LOCAL
	Service ID:		NULL SID
	MSDS-SupportedEncryptionTypes:	-
	Available Keys:	-

Domain Controller Information:
	MSDS-SupportedEncryptionTypes:	-
	Available Keys:	-

Network Information:
	Client Address:		::ffff:10.0.10.250
	Client Port:		59523
	Advertized Etypes:	-

Additional Information:
	Ticket Options:		0x40810010
	Result Code:		0xE
	Ticket Encryption Type:	0xFFFFFFFF
	Session Encryption Type:	0x2D
	Pre-Authentication Type:	-
	Pre-Authentication EncryptionType:	0x2D

Certificate Information:
	Certificate Issuer Name:
	Certificate Serial Number:
	Certificate Thumbprint:

Ticket information
	Response ticket hash:		-

Certificate information is only provided if a certificate was used for pre-authentication.
```

**On RDP host side**

*The server responds, "Login or password is invalid." In the Event Log, I do see event 4625 (Audit Failure) - An account failed to log on.*

*Failure Reason: An Error occurred during Logon.*

*Status: 0xC000006D*

*Sub Status: 0x0*

*Account For Which Logon Failed:*

*Security ID: NULL SID*

*Account Name: myaccount@contoso.local*

*Account Domain: contoso.local*

*Although the login and password are correct, of course.*

I could try: re-creating the security channel, updating the server, explicitly enabling supported Kerberos encryption, removing the server from the domain, and then re-adding it to the domain.

However, I won't have much time for this because this is a production server. I'd like to be clear on my next steps.

Thanks in advance for your advice.

Windows for business | Windows Client for IT Pros | User experience | Remote desktop clients
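The hex fields of the 4768 failure in the question can be decoded with the public Kerberos tables (RFC 4120, RFC 6806). The following Python is an added example, not part of the original post or of any Microsoft tool; the sample text is constructed from the values quoted in the question, and `parse_fields` and `decode_4768` are hypothetical helper names.

```python
import re

# Constructed sample: fields copied from the 4768 failure in the question.
SAMPLE_4768 = """\
Account Name:            host-a$
Ticket Options:          0x40810010
Result Code:             0xE
Ticket Encryption Type:  0xFFFFFFFF
"""

# Kerberos error codes from RFC 4120 (subset often seen in 4768 failures).
KDC_ERRORS = {
    0x6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 0x7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    0xE: "KDC_ERR_ETYPE_NOSUPP", 0x12: "KDC_ERR_CLIENT_REVOKED",
    0x17: "KDC_ERR_KEY_EXPIRED", 0x18: "KDC_ERR_PREAUTH_FAILED",
    0x25: "KRB_AP_ERR_SKEW"}
# KDCOptions bit numbers (RFC 4120, RFC 6806); bit 0 is the most significant,
# so bit n corresponds to the mask 1 << (31 - n).
KDC_OPTIONS = {1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
               8: "renewable", 15: "canonicalize", 27: "renewable-ok",
               30: "renew", 31: "validate"}
# Kerberos encryption type numbers (subset).
ETYPES = {0x1: "DES-CBC-CRC", 0x3: "DES-CBC-MD5", 0x17: "RC4-HMAC",
          0x11: "AES128-CTS-HMAC-SHA1-96", 0x12: "AES256-CTS-HMAC-SHA1-96"}

def parse_fields(text):
    """Split 'Name: value' lines into a dict, tolerating tabs and '*' markup."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\*?\s*([^:*]+):\s*(.*?)\s*\*?$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields

def decode_4768(text):
    f = parse_fields(text)
    code = int(f["Result Code"], 16)
    opts = int(f["Ticket Options"], 16)
    etype = int(f["Ticket Encryption Type"], 16)
    return {
        "account": f["Account Name"],
        "error": KDC_ERRORS.get(code, "unlisted (0x%X)" % code),
        "options": [name for bit, name in sorted(KDC_OPTIONS.items())
                    if opts & (1 << (31 - bit))],
        # Windows logs 0xFFFFFFFF here in Audit Failure events.
        "ticket_etype": "none (audit failure)" if etype == 0xFFFFFFFF
                        else ETYPES.get(etype, "unlisted (0x%X)" % etype),
    }

print(decode_4768(SAMPLE_4768))
```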

2 answers

  1. Daphne Huynh (WICLOUD CORPORATION) 505 Reputation points Microsoft External Staff Moderator
    2025-10-28T08:31:51.3266667+00:00

    Welcome to the Microsoft Q&A Platform and thank you for your question!

    Based on your description, it seems you’re experiencing an authentication issue when connecting to an RDP or Azure Virtual Desktop (AVD) session. To ensure successful sign-in and connectivity, please review the following setup steps and requirements:

    1. Set Up Prerequisites

    • Azure Subscription: Confirm you have an active Azure subscription.
    • Active Directory: Use Azure AD, hybrid AD, or Azure AD Domain Services, depending on your setup.
    • Virtual Network (vNET): Ensure proper connectivity between session hosts and required services. Configure VPN or ExpressRoute if connecting to on-premises resources.
    • User Accounts: Verify user accounts exist in Azure AD with matching UPNs.
    • Note: B2B (guest) accounts are not supported for AVD access.
    • Licensing: Assign valid Windows or Microsoft 365 licenses to all users accessing AVD.
    • Supported OS: Use supported session host images such as Windows 10/11 Enterprise multi-session or Windows Server 2019/2022.

    2. Deploy AVD Host Pools and Session Hosts

    • Create Host Pool: In the Azure portal, create a host pool to group identical session hosts.
    • Register Session Hosts: Install the AVD agent and register each host using the provided registration key.
    • Configure App Groups: Create Desktop or RemoteApp app groups to define which resources users can access.

    3. Assign Users to App Groups

    • Assign users or groups to the appropriate app group.
    • A user can only belong to one app group type (Desktop or RemoteApp) per host pool but may be assigned to multiple groups across different pools.

    4. Configure Network and Security

    • Verify DNS and network settings allow domain joins and connectivity to AVD endpoints.
    • Apply Conditional Access, RBAC, and MFA policies as needed for security.

    5. Grant Access and Test

    • Users can connect using the Remote Desktop client (Windows, macOS, iOS, Android) or a supported HTML5 browser.
    • Sign in using valid Azure AD credentials.

    6. Monitor and Troubleshoot

    Use AVD Diagnostics and Log Analytics to monitor sessions and identify authentication or connection errors.

    Reference: Issue with get in to RDP server. Authentication issues (event 4634 and 4768). - Microsoft Q&A


  2. Denys Pasternak 85 Reputation points
    2025-10-28T15:18:11.08+00:00

    It was a problem related to trust relationships.

