A new Windows 10 Pro 1803 computer could not establish a connection through a Server 2016 machine running Remote Desktop Gateway. The Win10 machine showed this error:
The server’s Security event log had a 4625 Audit Failure event with Status 0xC000035B:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          12/14/2018 1:49:08 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      MyServer.mydomain.local
Description:
An account failed to log on.

Subject:
    Security ID:            NULL SID
    Account Name:           -
    Account Domain:         -
    Logon ID:               0x0

Logon Type:                 3

Account For Which Logon Failed:
    Security ID:            NULL SID
    Account Name:           User1
    Account Domain:         mydomain

Failure Information:
    Failure Reason:         An Error occured during Logon.
    Status:                 0xC000035B
    Sub Status:             0x0

Process Information:
    Caller Process ID:      0x0
    Caller Process Name:    -

Network Information:
    Workstation Name:       WIN10PRO-LAPTOP
    Source Network Address: xxx.xxx.xxx.xxx
    Source Port:            60469

Detailed Authentication Information:
    Logon Process:
    Authentication Package: NTLM
    Transited Services:     -
    Package Name (NTLM only): -
    Key Length:             0
KB2903333 identifies this status as a channel binding failure that occurs when the client is forced to use NTLMv1. It recommends setting the LmCompatibilityLevel registry value to 3 or higher. (The article incorrectly refers to the LmCompatibility registry value; the correct name is LmCompatibilityLevel.)
I was skeptical of this as the cause because another off-site computer has LmCompatibilityLevel of 0 and connects through the same gateway without issues.
LmCompatibilityLevel can also be set in Local Security Policy by changing the "Network security: LAN Manager authentication level" setting:
This changed the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel to 3:
Once I’d made that change (no reboot required), I was able to log on from this computer through the gateway to an office computer.
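As an added example (not part of the original post), a PowerShell script that reads the client's LmCompatibilityLevel, raises it to 3 when it is lower, and on the gateway lists recent 4625 events whose Status is 0xC000035B. The registry path, event ID and status code are those from the post; the function names, the 24-hour window and the use of the event's XML fields are assumptions.

```powershell
# Added example, not from the original post. Registry path and event details
# are taken from the post; function names and the time window are assumed.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'LmCompatibilityLevel'

function Get-LmCompatibilityLevel {
    # Returns the explicit DWORD value, or $null when it is absent (OS default applies).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-LmCompatibilityLevel {
    param([ValidateRange(0, 5)][int]$Level = 3)
    # Needs an elevated prompt. Level 3 = send NTLMv2 only, the KB's recommendation.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Level -Force | Out-Null
}

# Client side: only raise the level, never lower it.
$current = Get-LmCompatibilityLevel
if ($null -eq $current -or $current -lt 3) {
    Write-Host "LmCompatibilityLevel is '$current'; setting it to 3 (NTLMv2 only)."
    Set-LmCompatibilityLevel -Level 3
} else {
    Write-Host "LmCompatibilityLevel is already $current; no change."
}

# Gateway side: find 4625 failures that carry the channel binding status from the post.
# Fields are read from the event XML by name rather than by positional index.
function Get-BadBindingFailures {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['Status'] -eq '0xC000035B') {   # string -eq is case-insensitive
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                Workstation = $data['WorkstationName']
                SourceIp    = $data['IpAddress']
                AuthPackage = $data['AuthenticationPackageName']
            }
        }
    }
}

Get-BadBindingFailures -Hours 24 | Format-Table -AutoSize
```

Run the first half on the affected client and the second on the gateway; a row per failing workstation makes it easy to compare the clients that need the change with those that do not.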
What is still unclear is why this setting is only required on some client computers.