返回
-
标题
Account lockouts caused by subsequent Kerberos pre-authentication failures in RDP session after upgrading SPS to 8.0 LTS -
说明
After upgrading SPP and SPS to version 8.0 LTS or above, when using SPP-initiated RDP sessions, Active Directory account lockouts may occur when the following conditions are met:
- The client machine, the target server, and the SPS are all members of the AD domain.
- The user logs in to the client machine using an AD account.
- They attempt to access the target server using an AD account.
- SPS is accessed using its FQDN (Use Hostname for Launch is enabled from SPP under the session appliance settings).
- An account lockout policy is configured in Active Directory (by default, 5 failed attempts within 30 minutes).
- A corresponding number of successful logins are performed through the SPS in quick succession using the same account.
-
解决办法
STATUS:
Change Request # 494782 will address this issue in a future version of SPS pending a successful QA and Product Management approval.
WORKAROUND:
1) Disable Kerberos Authentication using a GPO on the target servers.
2) Use the IP address of SPS instead of the FQDN to force the RDP connection to use NTLM instead of Kerberos.
-
变更请求
494782