Let’s face it, most Active Directory domains were created a long, long time ago. And while most of them have since been migrated to newer versions, their Group Policies were sometimes left as they were. These Group Policy Objects are what I like to call “Lingering GPO Settings” 🙂
This case was both simple and complicated. A client had a brand-new installation of Windows Server 2012 R2 Remote Desktop Services with various clients connecting to it. Some of those clients were unable to connect to the gateway for no obvious reason; the only trace was a couple of warnings logged in the Microsoft-Windows-TerminalServices-RDPClient/Operational log:
- RDPClient_Gateway: An error was encountered when transitioning from AAStateCreatingOutChannel to AAStateError in response to 3 (error code 0x800703E5).
- RDPClient_Gateway: An error was encountered when transitioning from AAStateInitializingTunnel to AAStateError in response to 6 (error code 0x800703E5).
The problem lay within a Group Policy setting that had been configured quite some time ago. This policy forced the clients to use “Send LM & NTLM Responses” under Computer Configuration -> Windows Settings -> Security Settings -> Security Options -> Network Security: LAN Manager Authentication Level. Changing that to “Send NTLMv2 response only” immediately enabled those clients to connect.
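As an added example (not part of the original post), the following PowerShell audits a client for exactly this condition: it reads the effective LAN Manager authentication level, which the Group Policy setting above stores in the LmCompatibilityLevel value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, warns when the level is below 3 (anything that still offers LM or NTLMv1 responses), and pulls the AAState transition warnings from the RDPClient operational log quoted above. The function names and the 30-day lookback are my own choices; the script assumes it is run locally with rights to read HKLM and that event log.

```powershell
# Added example: audit the effective LAN Manager authentication level on a client
# and surface the RDP Gateway state-transition warnings quoted in the post.
# Assumes a local run with rights to read HKLM and the RDPClient operational log.

# Documented meanings of LmCompatibilityLevel (HKLM\SYSTEM\CurrentControlSet\Control\Lsa).
$levelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $key -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $value) {
        # Value absent: Windows 7 / Server 2008 R2 and later default to level 3.
        return [pscustomobject]@{ Level = 3; Name = $levelNames[3]; Source = 'OS default (value not set)' }
    }
    return [pscustomobject]@{ Level = [int]$value; Name = $levelNames[[int]$value]; Source = 'Registry / Group Policy' }
}

function Test-LmCompatibilityLevel {
    $current = Get-LmCompatibilityLevel
    if ($current.Level -lt 3) {
        # Levels 0-2 still send LM and/or NTLMv1 responses; this is the lingering setting from the post.
        Write-Warning ("LmCompatibilityLevel is {0} ({1}); clients below 3 still offer LM/NTLMv1 responses." -f $current.Level, $current.Name)
    } else {
        Write-Host ("LmCompatibilityLevel is {0} ({1}) - NTLMv2 only." -f $current.Level, $current.Name)
    }
    return $current
}

function Get-RdpGatewayTransitionWarnings {
    param([int]$Days = 7)
    # Operational log the post quotes; Level 3 is "Warning" in the event-log schema.
    $filter = @{
        LogName   = 'Microsoft-Windows-TerminalServices-RDPClient/Operational'
        Level     = 3
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'AAState\w+ to AAStateError' } |
        Select-Object TimeCreated, Id, Message
}

# Usage: run on an affected client, then compare against the Group Policy result.
Test-LmCompatibilityLevel
Get-RdpGatewayTransitionWarnings -Days 30 | Format-Table -AutoSize -Wrap
```

If the level reported is 0, 1 or 2 on a machine where nobody set it locally, the value is almost certainly being pushed by policy; `gpresult /h report.html` (run as an administrator) shows which GPO is the source, and after correcting the GPO a `gpupdate /force` followed by a re-run of the script should show level 3 or higher.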
So while an error may at first seem Remote Desktop related, make sure you check all of the underlying technology to ensure security protocol compliance and proper operation.