Troubleshoot Windows RDP user account restriction
Users in a Windows domain environment might encounter the following error when attempting to connect to another machine using Remote Desktop Protocol (RDP):
```text
A user account restriction (for example, a time-of-day restriction)
is preventing you from logging on. For assistance, contact your system
administrator or technical support.
```
This can occur in an environment where the following is true:
- MagicDNS is enabled in the tailnet.
- The remote machine is accessed by its unqualified name or MagicDNS domain name instead of the FQDN in the Active Directory domain.
  - An example of an unqualified name is `win11e`.
  - An example of a MagicDNS name is `win11e.example.ts.net`.
  - An example of a FQDN in Active Directory is `win11e.example.com`.
- Kerberos authentication is required due to NTLM authentication restrictions in the domain.
- A service principal name (SPN) is not configured for the remote machine.
We recommend using the setspn command to register an SPN. To do this, run the following command as a domain administrator:
```
setspn -S TERMSRV/win11e.example.ts.net WIN11E
```
In the example above, win11e.example.ts.net is the hostname in the tailnet, and WIN11E is the account name in Active Directory.
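The following PowerShell script wraps the same setspn step. It is an added example, not code from the Tailscale page: it checks whether the TERMSRV SPN for the MagicDNS name already exists before registering it, registers it with `setspn -S` (which refuses to create a duplicate), and then lists the account's SPNs so the result can be verified. It uses the page's example names `win11e.example.ts.net` and `WIN11E`; the function names `Test-SpnRegistered` and `Register-TermsrvSpn`, and the match on setspn's English output text, are assumptions of this example.

```powershell
# Added example (not from the Tailscale page): register and verify a TERMSRV SPN
# for a machine that is reached over RDP by its MagicDNS name.
# Run in an elevated PowerShell session as a domain administrator.
param(
    [string]$TailnetHost = 'win11e.example.ts.net',  # MagicDNS name typed into the RDP client
    [string]$AdAccount   = 'WIN11E'                   # computer account name in Active Directory
)

$spn = "TERMSRV/$TailnetHost"

function Test-SpnRegistered {
    param([string]$Spn)
    # setspn -Q searches the forest for an exact SPN match. Its output ends with
    # "Existing SPN found!" or "No such SPN found." (assumes an English locale).
    $out = & setspn.exe -Q $Spn 2>&1 | Out-String
    return ($out -match 'Existing SPN found')
}

function Register-TermsrvSpn {
    param([string]$Spn, [string]$Account)
    # -S adds the SPN only if no other account already holds it. A duplicate SPN
    # would make the KDC unable to pick a service account, so Kerberos would fail
    # for the name just as it does when no SPN exists at all.
    & setspn.exe -S $Spn $Account
    if ($LASTEXITCODE -ne 0) {
        throw "setspn -S failed for $Spn on $Account (exit code $LASTEXITCODE)"
    }
}

if (Test-SpnRegistered -Spn $spn) {
    Write-Host "$spn is already registered; nothing to do."
} else {
    Write-Host "Registering $spn on $AdAccount ..."
    Register-TermsrvSpn -Spn $spn -Account $AdAccount
}

# List every SPN on the account so the new TERMSRV entry can be checked next to the
# ones Windows typically registers itself for the short name and the AD FQDN.
& setspn.exe -L $AdAccount
```

After the SPN is in place, reconnect over RDP using the MagicDNS name and run `klist` on the client: a ticket for `TERMSRV/win11e.example.ts.net` confirms that Kerberos, not NTLM, was used for the session. If no such ticket appears, the client is still resolving or presenting a different name than the one the SPN was registered for.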
