Seeing the message “We can’t sign into your account” when trying to log into a Windows Server 2019 Remote Desktop Services (RDS) host can stop any admin in their tracks. Suddenly, no one can access the applications and virtual desktops they need to work.
When RDS authentication fails and locks users out, IT scrambles to fix the issue immediately before impacting productivity any further. The culprit could be anything from network outages to Kerberos misconfigurations between Active Directory and RDS servers.
Luckily, there are several effective troubleshooting steps that get to the bottom of “we can’t sign in” errors. By methodically working through connectivity checks, account validation, and credential data resets, admins can get their login roadblock resolved and remote access flowing smoothly again.
Check Connectivity Between RDS Server and Domain Controller
Issues with connectivity between your Windows Server 2019 RDS host and the Active Directory domain controller can prevent proper authentication and authorization. First, confirm that network connectivity exists between the RDS host and domain controller.
You can do this by pinging the domain controller hostname/IP from the RDS server and vice versa. If ping fails, inspect the network infrastructure between the machines. Resolve any firewall or routing issues preventing communication over ports like 389/TCP (LDAP) and 88/TCP (Kerberos authentication).
Once connectivity is restored, attempt remote logins again to see if it resolves the sign-in issue.
Verify Correct LDAP Protocol Settings
If network connectivity checks out between the Windows Server 2019 RDS host and DC, next double check LDAP settings. Open the registry editor on the RDS server and browse to “HKLM\System\CurrentControlSet\Control\Lsa\LDAP”
Several important settings live here, like ldapServerName which points to the DC hostname/IP. The default port 389 should be set properly too.
Rectify any incorrect LDAP configuration values to align with your AD environment. Inconsistent settings here can clearly cause remote login failures.
Force Replication of Credential Data
Sometimes the RDS machine can fall out of sync with credential data sitting on domain controllers.
Attempt to force replication of the credentials database with the following commands run from an elevated command prompt on the RDS host:
nltest /sc_reset:domainname
nltest /dsgetdc:domainname
Hopefully, this sync activity gets the account details needed for remote logins to work again.
Extend AD Schema for Later OS Versions
If your domain controllers run newer Windows Server versions like 2022 versus the 2019 RDS host, there may be missing attributes in the schema causing issues.
You can update the AD schema on the DCs to support later Windows iterations with:
schmmgmt /extendschema
Extend the schema and attempt remote logins again after replication occurs.
Review and Reconfigure Kerberos Settings
For secure Windows authentication mechanisms to operate correctly between 2019 RDS and Active Directory, Kerberos configuration must be sound.
Use the Group Policy editor gpedit.msc to review settings under Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy.
Double check tickets are not being rejected due to unrealistic expiration policies. Also, confirm encryption types match between AD and RDS.
Reset the Secure Channel
As another domain trust troubleshooting step, resetting the secure channel can help synchronize security credentials between the RDS host and authentication controllers.
Execute the below from an elevated prompt:
netdom resetpwd /s:DCname /ud:Domain\user /pd:*
Supply a DC hostname, admin username and password when running the above. Then attempt remote logins again.
Review Event Viewer Security Log
The Windows Event Viewer Security log on domain controllers and the RDS host contain rich diagnostic data around Kerberos, CredSSP, and other authentication issues.
Inspect security event logs for credential errors, bad usernames/passwords, account lockouts, etc. that can point to the root cause of failed RDS remote logins.
Reset RDS Machine Account
If no other troubleshooting steps have yielded a solution, resetting the domain machine account used by the Windows Server 2019 RDS host could help.
Run the commands below from an elevated prompt:
netdom remove rdsHostName /domain:domainName
netdom add rdsHostName /domain:domainName
Here you’d substitute real RDS hostname and AD domain details. This resets cached account credentials to sync new password data.
Create a New RDS Host Machine Account
If resetting the RDS host machine account fails to resolve remote login problems, the final resort could be creating an entirely new machine account:
netdom remove rdsHostName /domain:domainName
netdom join rdsReplacementName /domain:domainName
Then rebuild the RDS role using the new active machine account. This has a good chance to replace corrupt credentials preventing remote logins.
Conclusion
Troubleshooting Remote Desktop Services login issues in Windows Server 2019 often requires a combination of network, authentication, and system configuration fixes.
Work through connectivity verification, LDAP and Kerberos policy reviews, credential sync efforts, event log analysis, and machine identity resets until “we can’t sign into your account” errors disappear for good.
With the right tuning, Windows administrators can get RDS host servers and Active Directory communicating smoothly again allowing remote desktop application and host access critical for today’s businesses.