Getting "Local Security Authority cannot be contacted" error message when logonHours restricted

windows-server-2012 remote-desktop-services

I'm trying to define logonHours for Remote Desktop users on Windows Server 2012; Network Level Authentication is required for remote connections. When an account with restricted logonHours (defined in ActiveDirectory) tries to connect at a denied time, the client (Remote Desktop Connection) responds with: 

An authentication error has occurred.
The Local Security Authority cannot be contacted.

If the account tries to login at allowed times, everything works fine. If Network Level Authentication is not required, then the client connects to the server, which denies the logon, but displays the much nicer error message "Your account has time restrictions..."

Is there some way to still require NLA, but present the friendlier notice about time restrictions? Am I missing a policy setting or some other configuration?


The RDP client will display a nice, usable error message if you run it from a machine that is joined to a trusting domain, and the RDP client must be able to resolve the hostname of the RDP server (session host).

  • The RDP client must be joined to a domain that trusts the domain that the RDP server is in
  • Date and time must be synchronized
  • Connect to the RDP server using the host name or FQDN, not its IP address

This error will occur if any of the above requirements are not met.

In this case, this is actually caused by the additional security provided by NLA. This is a feature. A computer that is not trusted by the domain of the RDP server should not be able to gain any kind of information on the account being used.

The error message "Local Security Authority cannot be contacted" prevents information being leaked on whether the user account is invalid, expired, untrusted, time-restricted, or anything else an attacker may use to identify valid accounts, to untrusted computers running the RDP client.


Found same message appeared from a failed Win 7 RDP connection to a Win 2012 R2 server. I tested a connection to same server using the same account from my macbook using Royal TSX for RDP and got a warning that the password had expired. Reset password and the user was able to log on via their Win 7 RDP session.


You are asking for an application-layer error message but you want a network-layer security feature. You can't have your cake and eat it too.

The network layer cannot connect to the application layer. So the message you receive is completely accurate.

Related

Unable to discover iSCSI targets
Why would a server lockup knock other servers off the network?
Move AWS Resources to another Account
How to tunnel all Internet traffic via SoftEther?
Networking doesn't initialize properly when pxebooting Linux Mint (live CD) using cifs, but works with nfs
Multiple Reverse SSH Tunnels using Single Port
Windows Firewall - blocking IP address ranges en masse - performance considerations?
Postgresql Provided user name and authenticated user name do not match
Can browse, but can't ping
What does SBS 2011 do "under the hood" when you give a user admin access?
Source IP rate limiting in iptables: hashlimit vs recent
nginx - connect() failed upstream under load testing