T The Triage ManualTechnical Guides for IT Emergencies
P2 · Remote Access & VPN

VPN + RDP Remote Access Failures with User Profile Load Errors (CredSSP, RDS Licensing, ProfileList Corruption)

Remote users fail to connect via VPN or RDP, or authenticate successfully but land in a temporary profile with 'User Profile Service failed the sign-in'. Root causes span the transport layer (expired VPN gateway certificates, IKE/IPsec proposal mismatch, MTU/PMTU black holes), the session layer (CredSSP encryption oracle mismatch CVE-2018-0886, expired RDS licensing grace period, NLA failing due to unreachable DCs over tunnel), and the profile layer (NTUSER.DAT corruption leaving .bak entries in ProfileList). Resolution requires isolating the failure layer before applying targeted fixes: renew certificates and clamp MSS, patch CredSSP on both ends, reactivate RDS licensing, or repair the ProfileList registry SID key.

Indicators

Likely causes

Diagnostic steps

  1. Confirm VPN tunnel is up and RDP port reachable: Get-VpnConnection; Test-NetConnection -ComputerName <RDPHost> -Port 3389
    Isolates whether failure is at transport (VPN) layer or higher (session/profile)
  2. Review RDP/TerminalServices and User Profile Service event logs: Get-WinEvent -LogName 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' -MaxEvents 50 and Get-WinEvent -LogName Application | Where-Object {$_.ProviderName -like '*User Profile*'}
    Identifies specific failure mode: licensing, NLA, CredSSP, or profile load (Event 1511/1521/1530)
  3. Inspect ProfileList registry for orphaned or .bak entries against the affected user SID: Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Determines if profile is flagged corrupt and being redirected to a temporary profile
  4. Verify DNS resolution and DC reachability from inside the tunnel: nltest /dsgetdc:<domain.fqdn>; Resolve-DnsName <dc.fqdn>
    Confirms Kerberos/GPO/profile share access will succeed after VPN connect
  5. Check RDS licensing status on the session host: Get-RDLicenseConfiguration -ConnectionBroker <broker.fqdn>; open lsdiag.msc (RD Licensing Diagnoser)
    Rules out expired grace period or unreachable license server causing session denials
  6. Test MTU/fragmentation across VPN path with do-not-fragment ping: ping -f -l 1400 <RDPHost> (decrement in 10-byte steps until it succeeds)
    Detects PMTU black holes that break RDP after logon banner or during SMB profile load
  7. Verify CredSSP patch level and policy on both client and server: check installed KBs and registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\AllowEncryptionOracle
    Confirms whether CVE-2018-0886 patch mismatch is causing the authentication error
  8. Capture packets during the failing connection: pktmon start --etw -p 0 or Wireshark on client interface, filter tcp.port==3389 and isakmp
    Provides evidence of where in the handshake or session the failure occurs

Resolution path

Prevention

Tools

References

vpnrdpremote-accessuser-profilecredsspcve-2018-0886rds-licensingnlawindowsprofilelistroaming-profilesmtu-mssfslogix