Windows 2008 R2 Active Directory login fails first time, but succeeds second time


Currently we have a two DC Windows Server 2008 R2 Active Directory domain with about 200 users. Next to it, we have 9 load-balanced Windows 2008 R2 servers. While RDP-connecting to these servers, quite often users are required to enter their credentials twice. The first time, users will get the message that the username or password is incorrect, even when they are correctly typed. When they do the same thing right after the error message, the login succeeds.

Not long ago, we installed a tool called AD Audit Plus, which logs and e-mails all the logon failures. Every time the first RDP-logon fails, we get two messages about Kerberos pre-authentication failure on a Bad password-event. One from the load-balanced server and one from the domain controller.

I've done a complete AD- and DNS-health check and googled around, but haven't come to a solution yet.
Does somebody have any experience with this issue?


Best Answer

In my experience, Kerberos Pre-Auth failures are usually caused by time being out of sync between the client and the domain controller. Have you verified your NTP configurations are all up to snuff? Any time-related errors in the event logs? Is there something that would be changing the time on the load-balanced RDP servers (which are the clients in this case)?
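
One way to run the time check suggested in the answer, as an added example that is not part of the original post: it measures each host's clock against the local machine with `w32tm /stripchart` and reports the skew relative to the first domain controller. The host names are hypothetical placeholders, and the 300-second limit assumes the Kerberos default clock-skew tolerance of 5 minutes has not been changed by policy.

```powershell
# Hypothetical host names: replace with your two DCs and nine RDP servers.
$DomainControllers = 'DC01', 'DC02'
$RdpServers        = 1..9 | ForEach-Object { 'RDS{0:D2}' -f $_ }
$MaxSkewSeconds    = 300   # assumed: Kerberos default tolerance (5 minutes)
$OffsetPattern     = ',\s*([+-]\d+\.\d+)s\s*$'

function Get-ClockOffset {
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    # A successful sample line looks like "12:00:00, +00.0012345s".
    # Unreachable hosts or blocked UDP/123 produce an error line instead.
    $out  = & w32tm.exe /stripchart "/computer:$ComputerName" /samples:1 /dataonly 2>&1
    $line = $out | ForEach-Object { "$_" } |
            Where-Object { $_ -match $OffsetPattern } |
            Select-Object -Last 1
    if (-not $line) { return $null }
    $null = $line -match $OffsetPattern
    # Offset of the remote clock relative to this machine, in seconds.
    [double]::Parse($Matches[1], [Globalization.CultureInfo]::InvariantCulture)
}

# Use the first DC as the reference clock for all comparisons.
$reference = Get-ClockOffset $DomainControllers[0]
if ($null -eq $reference) {
    throw "No time sample from $($DomainControllers[0]); cannot compare clocks."
}

$report = foreach ($name in ($DomainControllers + $RdpServers)) {
    $offset = Get-ClockOffset $name
    if ($null -eq $offset) {
        New-Object PSObject -Property @{
            Host = $name; SkewVsDcSeconds = $null; Status = 'NoSample'
        }
        continue
    }
    # Subtracting the DC's offset cancels out the local machine's own clock error.
    $skew   = [math]::Round($offset - $reference, 3)
    $status = if ([math]::Abs($skew) -ge $MaxSkewSeconds) { 'OutOfTolerance' } else { 'OK' }
    New-Object PSObject -Property @{
        Host = $name; SkewVsDcSeconds = $skew; Status = $status
    }
}

$report | Select-Object Host, SkewVsDcSeconds, Status | Format-Table -AutoSize
```

Because the failures are intermittent, a single pass can miss a clock that drifts and is later corrected; running this on a schedule and comparing the results with the timestamps of the pre-authentication failure alerts shows whether the two line up.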