While working for a client, I experienced a strange issue: when connecting from Windows 10 to a newly built Windows Server 2019 virtual machine in Azure, the credentials were not accepted.

Some initial investigation pointed to a local issue as other workstations could remote desktop to the same server using the local credentials provided.

I began to look at the issue in more detail using the Serial Access Console in Azure, since I had no direct access to the VM. The command is below. Successful logins are recorded under Event ID 4624, and login failures under 4625.

wevtutil qe security /c:1 /rd:true /f:text /q:"Event[System[EventID=4625]]" | more

I noticed something which didn’t look right. First of all, we know the credentials are correct, since they work from other workstations, yet the message was clear: “Unknown user name or bad password.”

Notice that, under the Detailed Authentication Information section, the authentication package is set to NTLM. This value indicates that the calling workstation is using a group policy setting that changes the behaviour of the LAN Manager authentication provider.

You can find lots of information on this in the Microsoft documentation. Long story short, the client had this configured to Send NTLM response only, which prevented negotiation of any other protocol.

You can check this in the Local Security Policy by loading up secpol.msc. Browse to Local Policies, then Security Options, and look for the option Network security: LAN Manager authentication level. By default, this is set to Not Defined; however, based on the settings I described above, this is what it looks like locally.

When this setting is applied via group policy, the option to change this will be greyed out. You can test this by modifying the registry to remove the LmCompatibilityLevel value from the following path.

Warning: Ensure you create an appropriate backup of your registry before making any changes.

HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel

Once the value is deleted, try your remote desktop connection again; this should now work. Note that restarting your machine may not work, because if the setting is defined in group policy, it will simply be applied again when rebooting.
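
The registry check described above, as an added PowerShell example that is not part of the original post: it reports the client's current LmCompatibilityLevel with the matching policy text and, with -Remove, exports the Lsa key before deleting the value. The function name, the -Remove switch and the backup path are assumptions made for this example.

```powershell
# Added example, not from the original post. Run elevated on the client workstation.
function Test-LmCompatibilityLevel {                      # hypothetical function name
    param(
        [switch]$Remove,                                  # delete the value after a backup
        [string]$BackupPath = "$env:TEMP\Lsa-backup.reg"  # assumed backup location
    )
    $lsaKey    = 'HKLM:\System\CurrentControlSet\Control\Lsa'
    $valueName = 'LmCompatibilityLevel'

    # Registry value -> text of "Network security: LAN Manager authentication level"
    $levels = @{
        0 = 'Send LM & NTLM responses'
        1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
        2 = 'Send NTLM response only'
        3 = 'Send NTLMv2 response only'
        4 = 'Send NTLMv2 response only. Refuse LM'
        5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
    }

    $prop = Get-ItemProperty -Path $lsaKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        Write-Output "$valueName is not set (policy shows as Not Defined)."
        return
    }

    $level = [int]$prop.$valueName
    $text  = if ($levels.ContainsKey($level)) { $levels[$level] } else { 'unrecognised value' }
    Write-Output "$valueName = $level ($text)"
    if ($level -lt 3) {
        Write-Warning 'This client is not sending NTLMv2 responses.'
    }

    if ($Remove) {
        # Export the whole Lsa key first, so the change can be reverted
        & reg.exe export 'HKLM\System\CurrentControlSet\Control\Lsa' $BackupPath /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup failed; $valueName left unchanged." }
        Remove-ItemProperty -Path $lsaKey -Name $valueName
        Write-Output "Removed $valueName. Backup written to $BackupPath."
        Write-Output 'If group policy defines this setting, it will be written back when policy is re-applied.'
    }
}

Test-LmCompatibilityLevel    # report only; add -Remove to back up and delete the value
```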