2FA breaks with RDP and restricted admin mode?

gkirkpatrick posted this 16 February 2016

Greetings all,

We have a customer that uses 2FA (not sure what kind specifically) with RDP to administer their servers. They recently have been mandated to use restricted admin mode with RDP. When they do so, 2FA breaks… apparently they don’t even get prompted for the second factor, and (I believe) the authentication fails. The users, workstations, and servers are all in the same domain.

Has anyone seen a similar problem? Can you explain how 2FA fits into the RDP authentication flow in this sort of scenario?

-gil

PARRIS posted this 16 February 2016

Gil,

Are the servers 2012 R2?

Regards,
Mark Parris
Active Directory & Azure Consultancy
MVP Enterprise Mobility | MCM Directory Services
Mobile: +44 7801 690596


gkirkpatrick posted this 17 February 2016

Hi Mark,

2008 and 2012 (not R2)

JamesM posted this 18 February 2016

If you haven’t, you might take a look at https://digital-forensics.sans.org/blog/2014/11/13/protecting-privileged-domain-accounts-restricted-admin-and-protected-users.

https://msdn.microsoft.com/en-us/library/cc240500.aspx notes for restricted admin mode “client requires credential-less logon over CredSSP (also known as "restricted admin mode"). If the server supports this mode then it is acceptable for the client to send empty credentials in the TSPasswordCreds structure defined in [MS-CSSP] section<2>.” There were a couple talks at TechEd 2014 that went into details but I couldn’t find the details on them in my notes.

If the MFA solution depends on having the credential, it won’t get it with restricted admin mode. My impression is that restricted admin mode would also bypass (break) those solutions that rely on a custom GINA.
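
Added example, not part of the thread: the MSDN text quoted above describes a flag in the RDP Negotiation Request, which the client sends in its X.224 Connection Request before TLS starts, so a packet capture shows whether a session asked for restricted admin mode. The sketch below parses that request; the field layout and constants are from [MS-RDPBCGR], while the function names and the sample bytes (including the cookie value) are constructed for illustration.

```python
import struct

# Constants from RDP_NEG_REQ in [MS-RDPBCGR] (the structure the MSDN page describes).
TYPE_RDP_NEG_REQ = 0x01
RESTRICTED_ADMIN_MODE_REQUIRED = 0x01
PROTOCOL_HYBRID, PROTOCOL_HYBRID_EX = 0x02, 0x08  # both mean CredSSP

def parse_neg_req(pdu: bytes):
    """Return the negotiation request fields of an X.224 Connection Request,
    or None when the client sent no RDP_NEG_REQ (legacy RDP security)."""
    if len(pdu) < 11 or pdu[0] != 3:
        raise ValueError("not a TPKT packet")
    if struct.unpack(">H", pdu[2:4])[0] != len(pdu):
        raise ValueError("TPKT length does not match capture")
    if pdu[5] != 0xE0:
        raise ValueError("not an X.224 Connection Request")
    body = pdu[11:]  # 4-byte TPKT header + 7-byte X.224 CR header
    if body.startswith(b"Cookie:"):  # optional routing token or cookie line
        end = body.find(b"\r\n")
        if end < 0:
            raise ValueError("unterminated cookie")
        body = body[end + 2:]
    if len(body) < 8:
        return None
    neg_type, flags, length, protocols = struct.unpack("<BBHI", body[:8])
    if neg_type != TYPE_RDP_NEG_REQ or length != 8:
        raise ValueError("malformed RDP_NEG_REQ")
    return {
        "restricted_admin": bool(flags & RESTRICTED_ADMIN_MODE_REQUIRED),
        "credssp": bool(protocols & (PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX)),
        "flags": flags,
        "requested_protocols": protocols,
    }

def build_sample(flags: int, protocols: int) -> bytes:
    """Constructed test input: a Connection Request with a made-up cookie."""
    tail = b"Cookie: mstshash=example\r\n" + struct.pack("<BBHI", 1, flags, 8, protocols)
    x224 = bytes([6 + len(tail), 0xE0, 0, 0, 0, 0, 0]) + tail
    return b"\x03\x00" + struct.pack(">H", 4 + len(x224)) + x224

if __name__ == "__main__":
    for label, flags in (("restricted admin", 0x01), ("normal CredSSP", 0x00)):
        print(label, parse_neg_req(build_sample(flags, 0x03)))
```

A session where `restricted_admin` is true is one in which the client may send empty credentials in TSPasswordCreds, which is the case the last reply describes for MFA products that depend on receiving the credential.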