Remote Desktop Fails to Connect to Gateway 0xC000035B

A new Windows 10 Pro 1803 computer could not establish a connection through a Server 2016 machine running Remote Desktop Gateway. The Win10 machine showed this error:

[Screenshot: RDP Connection Issue 1]

The server’s Security event log had a 4625 Audit Failure event with Status 0xC000035B:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          12/14/2018 1:49:08 PM
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      MyServer.mydomain.local
Description:
An account failed to log on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Type:			3

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		User1
	Account Domain:		mydomain

Failure Information:
	Failure Reason:		An Error occured during Logon.
	Status:			0xC000035B
	Sub Status:		0x0

Process Information:
	Caller Process ID:	0x0
	Caller Process Name:	-

Network Information:
	Workstation Name:	WIN10PRO-LAPTOP
	Source Network Address:	xxx.xxx.xxx.xxx
	Source Port:		60469

Detailed Authentication Information:
	Logon Process:		
	Authentication Package:	NTLM
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0
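To find every client hitting this failure rather than reading 4625 events one at a time, the following PowerShell pulls Audit Failure events with Status 0xC000035B from the gateway's Security log and summarises them by workstation. This is an added example, not code from the original post; the function and parameter names are its own choices, and it assumes an elevated session on the gateway (or a -ComputerName you can query remotely).

```powershell
# Added example (not from the original post): list 4625 Audit Failure events with
# Status 0xC000035B from a Remote Desktop Gateway's Security log and show which
# client each one came from. Function and parameter names are this example's own.
# Run in an elevated PowerShell session on the gateway, or pass -ComputerName.

function Get-ChannelBindingLogonFailures {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 500,
        [string]$Status = '0xC000035B'   # NTSTATUS value reported in the 4625 event
    )

    $events = Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents `
        -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # The EventData fields (Status, WorkstationName, IpAddress, ...) are only
        # reliably addressable by name through the event's XML rendering.
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

        # -eq/-ne are case-insensitive, so '0xc000035b' in the XML matches '0xC000035B'.
        if ($d['Status'] -ne $Status) { continue }

        [pscustomobject]@{
            TimeCreated   = $e.TimeCreated
            Account       = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
            Workstation   = $d['WorkstationName']
            SourceAddress = $d['IpAddress']
            SourcePort    = $d['IpPort']
            LogonType     = $d['LogonType']
            AuthPackage   = $d['AuthenticationPackageName']
            Status        = $d['Status']
            SubStatus     = $d['SubStatus']
        }
    }
}

# Usage: one row per failing logon; group by workstation to see which clients
# still need the LmCompatibilityLevel change.
Get-ChannelBindingLogonFailures |
    Group-Object Workstation |
    Select-Object Name, Count,
        @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object TimeCreated)[-1].TimeCreated } } |
    Sort-Object LastSeen -Descending
```

The WorkstationName field is what the client reported about itself, so it is a hint for finding the machine, not proof of its identity; the SourceAddress column is the address the gateway actually saw.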

KB2903333 identifies this as a channel binding issue because the client is forcing NTLMv1. It recommends setting the LmCompatibilityLevel registry value to 3 or higher. (The article incorrectly refers to the LmCompatibility registry value. The correct name is LmCompatibilityLevel.)

I was skeptical of this as the cause because another off-site computer has LmCompatibilityLevel of 0 and connects through the same gateway without issues.

LmCompatibilityLevel can also be set in Local Security Policy (Local Policies > Security Options) by changing Network security: LAN Manager authentication level:

[Screenshot: RDP Connection Issue 2]

I changed that to Send NTLMv2 response only:

[Screenshot: RDP Connection Issue 3]

This changed the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel to 3:

[Screenshot: RDP Connection Issue 4]

Once I’d made that change (no reboot required), I was able to log on from this computer through the gateway to an office computer.
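The same change, done from PowerShell so it can be checked and applied on each affected client without opening Local Security Policy. This is an added example, not code from the original post; the function names are its own, and it assumes an elevated session on the client. It also reports the case the registry view alone hides: when the value is absent, the OS default applies (3 on Windows Vista and later), so a missing value is not the same as level 0.

```powershell
# Added example (not from the original post): show the client's configured
# LmCompatibilityLevel and raise it to 3 ("Send NTLMv2 response only") when it is
# lower. Function and parameter names are this example's own choices.
# Run in an elevated PowerShell session on the client. No reboot was needed in the
# post's case; just retry the gateway connection afterwards.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'LmCompatibilityLevel'

# Meaning of each level, as listed in Local Security Policy under
# "Network security: LAN Manager authentication level".
$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # Returns the configured value, or $null when the value does not exist
    # (the OS default then applies: 3 on Windows Vista and later).
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-LmCompatibilityLevel {
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateRange(0, 5)][int]$Level = 3)

    $current = Get-LmCompatibilityLevel
    $currentText = if ($null -eq $current) { 'not set (OS default applies)' }
                   else { "$current ($($LevelNames[$current]))" }
    Write-Host "Current $ValueName on $($env:COMPUTERNAME): $currentText"

    if ($null -ne $current -and $current -ge $Level) {
        Write-Host "Already at level $current; nothing to change."
        return
    }
    # An absent value is set explicitly so the level is pinned rather than defaulted.
    if ($PSCmdlet.ShouldProcess("$LsaKey\$ValueName", "Set to $Level ($($LevelNames[$Level]))")) {
        # The value must be a REG_DWORD; -Type DWord creates it if it does not exist.
        Set-ItemProperty -Path $LsaKey -Name $ValueName -Value $Level -Type DWord
        Write-Host "Set $ValueName to $Level ($($LevelNames[$Level])). Retry the gateway connection."
    }
}

# Dry run first (prints what would change), then apply.
Set-LmCompatibilityLevel -Level 3 -WhatIf
Set-LmCompatibilityLevel -Level 3
```

If the client is domain-joined, check whether a Group Policy already sets this value before changing it locally; a policy refresh will otherwise overwrite the registry edit.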

What is still unclear is why this setting is only required on some client computers.
