Two untrusted domains, similar names, and remote desktop

Goal:  Allow remote desktop access to untrusted domain servers for administrators with pre-authentication and Network Level Authentication enabled.

Servers/clients:

Windows 2008 R2 x64
Windows 7

Domains:

Domain1.site.com
Domain1.site.local

Trust:  None

Notes:

Users VPN into the .local from workstations joined to the .com domain.  A smart card enabled user account resides in both the .com and .local domains.  Non-Windows DNS is set up to allow the .com and .local domains to resolve each other from the VPN or office locations.  Firewall administrators are not seeing any blocked communication.  From the domain1.site.com VPN and internal network, users can log in OK to the domain1.site.com domain servers with a smart card via RDP.  However, they can only log into domain1.site.local with RDP pre-authentication and Network Level Authentication disabled.

Troubleshooting:

1.  Attempted RDP with different user accounts
2.  Ran RDP as local administrator
3.  Deleted and re-created user accounts to ensure they were correctly setup
4.  Checked RDP "help" settings and it looks like NLA is supported
5.  Required ports appear to be open and firewall admin does not see drops
6.  Attempted access on different laptops
7.  PKI appears to be working on both sides since users can authenticate in both domains (one to the laptop and the other to the destination service with pre-auth and NLA disabled).

Questions: 

Is this setup even possible since both user accounts are technically in "domain1" (domain1\user)?

What are some key factors related to smart card which could cause the failure? 

Any other thoughts would be appreciated.  Thanks.
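The following diagnostic script is an added example for the troubleshooting list above; it is not from the original post or its replies. It checks, from the .com-joined client, the three things NLA with a smart card depends on that the list only partly covers: whether the client can locate a DC for the target realm (NLA authenticates the user before the session opens, so the client itself needs Kerberos to the target's domain), whether TCP/3389 is reachable, and what the target listener actually requires. The hostnames, the listener name RDP-tcp and the realm value are assumptions; the remote WMI query needs admin rights on the target and can be run locally on the server instead.

```powershell
# Added diagnostic example (not from the original post). Hostnames below are
# assumed; replace them with a real server in the .local domain.
param(
    [string]$Target      = "srv01.domain1.site.local",   # assumed hostname
    [string]$TargetRealm = "domain1.site.local"
)

# 1. DC locator for the target realm, as seen from THIS client.
#    With NLA enabled the client must obtain Kerberos tickets (PKINIT with the
#    smart card) from a DC of the realm that owns the target before mstsc
#    opens the session; with NLA disabled that work happens on the server.
Write-Output "== DC locator for $TargetRealm =="
nltest /dsgetdc:$TargetRealm /force

# 2. Raw TCP reachability of 3389 (Test-NetConnection is not on Win7/2008 R2).
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($Target, 3389); Write-Output "3389 reachable: $($tcp.Connected)" }
catch   { Write-Output "3389 NOT reachable: $($_.Exception.Message)" }
finally { $tcp.Close() }

# 3. What the RDP listener on the target requires.
#    UserAuthenticationRequired: 1 = NLA required, 0 = not required
#    SecurityLayer:              0 = RDP, 1 = Negotiate, 2 = SSL/TLS
#    The TerminalServices namespace needs packet-privacy DCOM authentication.
Write-Output "== RDP-tcp listener settings on $Target =="
$ts = Get-WmiObject -ComputerName $Target `
        -Namespace root\cimv2\TerminalServices `
        -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-tcp'" `
        -Authentication PacketPrivacy
$ts | Select-Object TerminalName, UserAuthenticationRequired, SecurityLayer, MinEncryptionLevel

# 4. Which certificates the card presents and which realm the client already
#    holds tickets for. After a failed NLA attempt, run klist again: if there
#    is no krbtgt/DOMAIN1.SITE.LOCAL ticket, the client never reached the
#    target realm's KDC, which points at realm resolution rather than the
#    firewall or the listener.
Write-Output "== Smart card certificates (check the UPN in the SAN) =="
certutil -scinfo
Write-Output "== Kerberos tickets currently held by this logon session =="
klist

# 5. Reproduce with an explicit realm. Both domains use the NetBIOS name
#    DOMAIN1, so "domain1\user" is ambiguous on the client; supply the UPN
#    user@domain1.site.local in the credential prompt instead.
mstsc /v:$Target
```

Run it once with NLA enabled on the target and once with it disabled and diff the `klist` output; on the failing attempt, also read the target's Security log (event 4625, look at the logon type and the failure sub-status) and the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log, which record whether the NLA handshake reached the server at all.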