VPN + RDP Remote Access Failures with User Profile Load Errors (CredSSP, RDS Licensing, ProfileList Corruption)
Remote users fail to connect via VPN or RDP, or authenticate successfully but land in a temporary profile with 'User Profile Service failed the sign-in'. Root causes span the transport layer (expired VPN gateway certificates, IKE/IPsec proposal mismatch, MTU/PMTU black holes), the session layer (CredSSP encryption oracle mismatch CVE-2018-0886, expired RDS licensing grace period, NLA failing due to unreachable DCs over tunnel), and the profile layer (NTUSER.DAT corruption leaving .bak entries in ProfileList). Resolution requires isolating the failure layer before applying targeted fixes: renew certificates and clamp MSS, patch CredSSP on both ends, reactivate RDS licensing, or repair the ProfileList registry SID key.
Indicators
- VPN client fails to establish tunnel or disconnects shortly after authentication phase completes
- RDP connection prompts for credentials repeatedly or returns 'An authentication error has occurred' (CredSSP)
- User signs in but receives 'You've been signed in with a temporary profile' notification
- Event ID 1511 (User Profile Service): 'Windows cannot find the local profile' — user logged on with temp profile
- Event ID 1521 / 1530: 'Windows detected your registry file is still in use by other applications'
- RDP session drops with 'The remote session was disconnected because there are no Remote Desktop License Servers available'
- Slow logons over VPN (>60s) with Group Policy or roaming profile sync timing out
- RDP connects, credentials accepted, then session tears down after logon banner (PMTU black hole symptom)
Likely causes
- Expired or misconfigured VPN gateway certificate, or IKEv1/IKEv2 phase1/phase2 policy mismatch after firmware upgrade
- RDS licensing grace period (120 days) expired, or RD License Server unreachable from session host
- CredSSP encryption oracle remediation (CVE-2018-0886) patch level mismatch between client and server
- NTUSER.DAT corruption — ProfileList entry for user SID has been suffixed .bak and a duplicate temp SID created
- DNS resolution failing over split-tunnel VPN — client cannot reach internal DCs for Kerberos or GPO
- MTU/MSS fragmentation across VPN tunnel silently breaking RDP or SMB traffic post-authentication
- Roaming profile share unavailable, offline, or ACLs stripped preventing profile load
- Network Level Authentication requires Kerberos pre-auth but client cannot reach a DC through the tunnel
Diagnostic steps
-
Confirm VPN tunnel is up and RDP port reachable: Get-VpnConnection; Test-NetConnection -ComputerName <RDPHost> -Port 3389Isolates whether failure is at transport (VPN) layer or higher (session/profile)
-
Review RDP/TerminalServices and User Profile Service event logs: Get-WinEvent -LogName 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' -MaxEvents 50 and Get-WinEvent -LogName Application | Where-Object {$_.ProviderName -like '*User Profile*'}Identifies specific failure mode: licensing, NLA, CredSSP, or profile load (Event 1511/1521/1530)
-
Inspect ProfileList registry for orphaned or .bak entries against the affected user SID: Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'Determines if profile is flagged corrupt and being redirected to a temporary profile
-
Verify DNS resolution and DC reachability from inside the tunnel: nltest /dsgetdc:<domain.fqdn>; Resolve-DnsName <dc.fqdn>Confirms Kerberos/GPO/profile share access will succeed after VPN connect
-
Check RDS licensing status on the session host: Get-RDLicenseConfiguration -ConnectionBroker <broker.fqdn>; open lsdiag.msc (RD Licensing Diagnoser)Rules out expired grace period or unreachable license server causing session denials
-
Test MTU/fragmentation across VPN path with do-not-fragment ping: ping -f -l 1400 <RDPHost> (decrement in 10-byte steps until it succeeds)Detects PMTU black holes that break RDP after logon banner or during SMB profile load
-
Verify CredSSP patch level and policy on both client and server: check installed KBs and registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\AllowEncryptionOracleConfirms whether CVE-2018-0886 patch mismatch is causing the authentication error
-
Capture packets during the failing connection: pktmon start --etw -p 0 or Wireshark on client interface, filter tcp.port==3389 and isakmpProvides evidence of where in the handshake or session the failure occurs
Resolution path
- VPN layer: renew/replace expired gateway certificates, align IKEv1/IKEv2 phase1 and phase2 proposals between client and gateway, and enable MSS clamping (typically 1350) on the gateway to eliminate PMTU black holes
- CredSSP: apply latest CredSSP cumulative update on both client and server, then set HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\AllowEncryptionOracle = 2 (Mitigated) on both ends via GPO to ensure estate consistency
- RDS licensing: reactivate the RDS License Server (Remote Desktop Licensing Manager), reinstall CALs if corrupted, then run Set-RDLicenseConfiguration -LicenseServer <server> -Mode PerUser -ConnectionBroker <broker>
- Corrupt profile: back up C:\Users\<user>; in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList locate the affected SID — if two entries exist (SID and SID.bak), delete the entry without .bak and rename SID.bak by removing the suffix; if only SID.bak exists, rename it to remove .bak; reboot and let the profile rebuild
- DNS over VPN: push internal DNS suffixes and DC IPs via VPN client policy (Set-VpnConnection -DnsSuffix / gateway config); disable split-DNS if internal names are leaking to public resolvers
- NLA isolation: on the RDS host temporarily disable NLA (UserAuthentication = 0) to confirm Kerberos/DC reachability is the blocker; once DC reachability restored, re-enable NLA (UserAuthentication = 1)
- Roaming profile share: verify share and NTFS ACLs grant the user Full Control on their profile folder and that the file server is reachable through the tunnel
Prevention
- Monitor VPN gateway certificate expiry and RDS License Server health with alerts 30+ days ahead of expiry
- Enforce roaming profile size limits and deploy FSLogix Profile Containers or User Profile Disks to eliminate NTUSER.DAT corruption from unclean logoffs
- Standardise CredSSP patch level across the estate and centrally manage AllowEncryptionOracle via GPO to prevent client/server drift
- Configure VPN clients with internal DNS suffixes and push DC IPs via client policy so Kerberos and GPO always succeed over the tunnel
- Set MSS clamping (1350) on VPN gateways to avoid PMTU black holes affecting RDP and SMB profile loads
- Automate RDS License Server activation monitoring and CAL utilisation reporting to detect grace-period expiry before user impact
Tools
- Event Viewer (User Profile Service, TerminalServices, CAPI2 logs)
- regedit / reg.exe (ProfileList manipulation)
- PowerShell VPN and RDS cmdlets (Get-VpnConnection, Get-RDLicenseConfiguration, Set-RDLicenseConfiguration)
- nltest and Resolve-DnsName (domain controller and DNS validation)
- Wireshark / pktmon (VPN/RDP packet capture)
- RD Licensing Diagnoser (lsdiag.msc)
- gpresult /r (Group Policy application check)