"The logon attempt failed, please enter new credentials." error occurs while accessing target server using Sectona Launcher
Problem Statement
An error occurs while opening an RDP session to a target server via PAM using Sectona Launcher.
Error: “The logon attempt failed, please enter new credentials.”
Symptoms
There are two scenarios:
Case 1: The "Always prompt for password" policy is enabled on the target server.
Case 2: The NTLM security protocol version (LmCompatibilityLevel) differs between the Sectona Web Access server and the target servers. Because the security protocol version on the two servers is different, NTLM communication fails and the RDP session cannot be initiated on the target server.
In a Windows network, New Technology LAN Manager (NTLM) is a suite of Microsoft security protocols intended to provide authentication, integrity and confidentiality to users.
Solution
Case 1: The "Always prompt for password" policy is enabled on the target server.
To enable access to the target server, take the following action:
- Disable the "Always prompt for password" policy
The change is demonstrated here using the "Local Group Policy Editor". In the case of an AD account, change these values in the "Domain Group Policy Editor".
Disable the above-mentioned policies, then run "gpupdate /force" in the command prompt to force a policy update and try accessing again. The server will now be accessible and the user will be able to open an RDP session to it.
Case 2: The NTLM security protocol version (LmCompatibilityLevel) differs between the Sectona Web Access server and the target servers. Because the security protocol version on the two servers is different, NTLM communication fails and the RDP session cannot be initiated on the target server.
If a hardening policy is enforced on all the Windows servers and that policy sets the LmCompatibilityLevel on all the servers, then LmCompatibilityLevel should be set to the same value on all the servers, including the Sectona Web Access server.
To check the LmCompatibilityLevel on the servers, follow the path below:
Open registry editor > HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Lsa > LmCompatibilityLevel
If the LmCompatibilityLevel differs across the Windows servers, configure the same value on all target Windows servers, including the Sectona Web Access server.
If there is no such hardening policy containing a specific configuration for LmCompatibilityLevel, you can either disable this policy by configuring the value to '0' or just delete the policy from the server.
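The registry check above can be scripted so that the Sectona Web Access server and the target servers are compared in one pass. The following is an added example, not Sectona's own tooling: the function names and host names are hypothetical, and remote reads assume PowerShell remoting (WinRM) is enabled on the servers. The table in the script lists what each level means; level 0 sends LM and NTLM responses.

```powershell
# Added example: report LmCompatibilityLevel per server and flag a mismatch.
$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Meaning = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    # Reads the value; yields $null when LmCompatibilityLevel is not configured
    $read = {
        param($key)
        (Get-ItemProperty -Path $key -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    }
    foreach ($name in $ComputerName) {
        try {
            if ($name -eq $env:COMPUTERNAME) { $level = & $read $LsaKey }
            else { $level = Invoke-Command -ComputerName $name -ScriptBlock $read -ArgumentList $LsaKey -ErrorAction Stop }
            [pscustomobject]@{
                Computer = $name
                Level    = if ($null -eq $level) { 'not set' } else { [string]$level }
                Meaning  = if ($null -eq $level) { 'OS default applies' } else { $Meaning[[int]$level] }
            }
        } catch {
            # Server could not be queried; keep it in the report but out of the comparison
            [pscustomobject]@{ Computer = $name; Level = 'unreachable'; Meaning = $_.Exception.Message }
        }
    }
}

function Test-LmLevelMismatch {
    param([object[]]$Report)
    # More than one distinct value among reachable servers (including 'not set') is a mismatch
    @($Report | Where-Object { $_.Level -ne 'unreachable' } | Group-Object -Property Level).Count -gt 1
}

# Placeholder host names: replace with the Web Access server and the target servers
$servers = @($env:COMPUTERNAME)   # e.g. 'WEBACCESS01', 'TARGET01'
$report  = Get-LmCompatibilityLevel -ComputerName $servers
$report | Format-Table -AutoSize
if (Test-LmLevelMismatch -Report $report) { Write-Warning 'LmCompatibilityLevel differs between servers' }
```

A server reported as "not set" has no value under the Lsa key, which is the state the server is in after the policy is deleted.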
Please contact us with any issues, questions or comments at: support@sectona.com.