Policy to show logon failures does not work with RD-logons

  #1  
Old 22-01-2010
Askesebrot
 
Posts: n/a
Policy to show logon failures does not work with RD-logons

Hi folks.

We recently applied the following policy:
Computer config - adm. templates - windows components - windows logon
options - display information about previous logons during user logon

Basically, it works. Whenever we log on to a server (2008 R1 SP2) or
workstation (vista sp2), the logon screen shows the last successful logon and
the last logon failure. However, if we use RDP to log on, it only shows the
current logon attempt - it does not show logon failures even if we produce
some.

Now for the part that makes me believe it's simply a bug: If I take xp and
use RDP client 5.2 (and not 6 that ships with vista or 7 that you can
install), everything works as expected. I suspect the rdp client 6 and 7 use
a different way to authenticate that simply cannot work with this policy.

Consequence: that policy is useless. Attackers that use RDP will not get
noticed that way.

Feel free to reproduce.

Comments?
  #2  
Old 22-01-2010
Paul Bergson [MVP-DS]
 
Posts: n/a
Re: Policy to show logon failures does not work with RD-logons

If you are on a DFL of Windows 2008 then you are correct, it sounds like it
should work. I wonder if it has to do with the fact that you are using a
legacy client. Are you on DFL 2008? Read paragraph 3, how does this answer
work in to your environment?


This policy setting controls whether or not the system displays information
about previous logons and logon failures to the user.

For local user accounts and domain user accounts in Microsoft Windows
Server "Longhorn" functional level domains, if you enable this setting, a
message appears after the user logs on that displays the date and time of
the last successful logon by that user, the date and time of the last
unsuccessful logon attempted with that user name, and the number of
unsuccessful logons since the last successful logon by that user. This
message must be acknowledged by the user before the user is presented with
the Microsoft Windows desktop.

For domain user accounts in Windows Server 2003, Windows 2000 native, or
Windows 2000 mixed functional level domains, if you enable this setting, a
warning message will appear that Windows could not retrieve the information
and the user will not be able to log on. Therefore, you should not enable
this policy setting if the domain is not at the Windows Server "Longhorn"
domain functional level.

If you disable or do not configure this setting, messages about the previous
logon or logon failures are not displayed.



--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

  #3  
Old 22-01-2010
Askesebrot
 
Posts: n/a
Re: Policy to show logon failures does not work with RD-logons

Hi Paul.

I am not on a legacy client. We are on vista sp2 with mstsc 6 or 7, both have
the same problem, the legacy client on xp with mstsc 5.2 does NOT have the
problem.
The DFC is of course 2008 because [as you quote yourself ;)]
"For domain user accounts in Windows Server 2003, Windows 2000 native, or
Windows 2000 mixed functional level domains, if you enable this setting, a
warning message will appear that Windows could not retrieve the information
and the user will not be able to log on"

Please try to reproduce it.

Kind regards
Askesebrot

  #4  
Old 22-01-2010
Paul Bergson [MVP-DS]
 
Posts: n/a
Re: Policy to show logon failures does not work with RD-logons

I don't have a lab at this moment to bring in an RODC but I think I know
someone else who might. I will ask them to take a look and see if they can
reproduce this. Can't promise anything though.

  #5  
Old 24-01-2010
Meinolf Weber [MVP-DS]
 
Posts: n/a
Re: Policy to show logon failures does not work with RD-logons

Hello Askesebrot,

I am working on it to reproduce your problem. On Windows server 2003 SP2
with RDC6.0.6000 installed it works, also on Windows server 2008 SP2 with
RDC6.0.6002. I can mail you some pictures with both working options shown.

Until next week when I am back in my office I cannot test with Windows XP,
Windows Vista and Windows 7 the version 6.1.7600, I am limited with the connection
to my test environment from home.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

  #6  
Old 25-01-2010
Paul Bergson [MVP-DS]
 
Posts: n/a
Re: Policy to show logon failures does not work with RD-logons

Thanks for helping out Meinolf!

  #7  
Old 25-01-2010
Meinolf Weber [MVP-DS]
 
Posts: n/a
Re: Policy to show logon failures does not work with RD-logons

Hello Askesebrot,

Also with RDC 7600 from Windows 7 and XP Pro Sp3 it works as expected and
shows it.

  #8  
Old 26-01-2010
Askesebrot
 
Posts: n/a
Re: Policy to show logon failures does not work with RD-logons

Hi Meinolf. Thanks to you that you look after it.

I am sure we are not talking about the same thing, because for me it does
not work
- in our productive domain
- in my 2 test domains, one of those is a clean installation, no settings made, 2008 SP2
- on a clean installed 2008 RTM (without AD)

The domains are of course at 2008 functional level.

Again: I am connecting from vista (or win7 or 2008) using the latest RDP
client 6.1.7600 but it's the same with 6.0.6002. It does not show logon
failures.
"There have been no unsuccesful interactive logon attempts with this account
since your last interactive logon"
So tell me, what are you doing to make it work?

The only way I can make it work is use the legacy RDP 5.2.3790 - works
everywhere. Or of course login sitting at the machine- this works, too.

  #9  
Old 26-01-2010
Meinolf Weber [MVP-DS]
 
Posts: n/a
Re: Policy to show logon failures does not work with RD-logons

Hello Askesebrot,

I did nothing special, I use the default setting on RDC on each version.
Configured the GPO and that's it. Then I used multiple times a wrong password
to get something logged and it works, exactly the amount of wrong password
tries are shown on each version as described earlier.

Check out these pictures if we are talking about the same:
http://cid-009d8c87dbea5514.skydrive...se.aspx/MVP-DS

  #10  
Old 26-01-2010
Askesebrot
 
Posts: n/a
Re: Policy to show logon failures does not work with RD-logons

OK, so we are indeed doing the same.
As it is happening with a clean installation of 2008 with absolutely no
settings made but that policy, it can only be a client-side-problem. But what
could it be? We don't use non-default rdp-settings, do you? Simply input the
server name, that's all, no further use of certificates, no vpn, no TS
gateway.
Also, as stated already in the first posting, not only logon failures are
missing, but also successful logons. The info screen only shows the current
successful logon time.
Where does this get logged and why should I lose the ability to log it when
I use RDP [and WHY could it work with the legacy client?] - very strange.

  #11  
Old 26-01-2010
Askesebrot
 
Posts: n/a
Re: Policy to show logon failures does not work with RD-logons

Getting closer!
I am now able to reproduce the correct behavior! After providing wrong
credentials, I simply close the rdp client, reopen it and provide the correct
credentials - tada, it shows the last logon to be incorrect. Ain't that sweet?

Of course if I logoff and use the "standard" way, providing wrong creds, not
closing it and then correct creds, the problem returns immediately.
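
On the question raised in the thread of where this information is recorded: for domain accounts at the Windows Server 2008 functional level, the values behind the logon message are kept in four `msDS-*` attributes on the user object. The following added example (not code from the thread or its participants) reads them and lists the failed-logon events (ID 4625) that the RDP target logged for the same account, so the two views can be compared. `jdoe` and `RDPHOST01` are placeholder names, and the ActiveDirectory PowerShell module is assumed to be installed.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT)
# and rights to read the Security log on the RDP target.
Import-Module ActiveDirectory

$User   = 'jdoe'        # placeholder account name
$Server = 'RDPHOST01'   # placeholder: host that received the RDP logons
$Since  = (Get-Date).AddHours(-24)

function Convert-FileTime {
    param($Value)
    # Stored as FILETIME (100 ns ticks since 1601, UTC); empty or 0 means no value yet.
    if (-not $Value) { return $null }
    [DateTime]::FromFileTimeUtc([int64]$Value)
}

# 1. What the directory recorded for this account
$attrs = @(
    'msDS-LastSuccessfulInteractiveLogonTime'
    'msDS-LastFailedInteractiveLogonTime'
    'msDS-FailedInteractiveLogonCount'
    'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon'
)
$u = Get-ADUser -Identity $User -Properties $attrs

# The running total minus the total at the last successful logon gives the
# number of failures since that logon.
$total  = [int]$u.'msDS-FailedInteractiveLogonCount'
$atLast = [int]$u.'msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon'

[pscustomobject]@{
    Account                  = $u.SamAccountName
    LastSuccessUtc           = Convert-FileTime $u.'msDS-LastSuccessfulInteractiveLogonTime'
    LastFailureUtc           = Convert-FileTime $u.'msDS-LastFailedInteractiveLogonTime'
    FailuresSinceLastSuccess = $total - $atLast
} | Format-List

# 2. What the RDP target logged: event 4625 = "An account failed to log on"
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = $Since }
$events = Get-WinEvent -ComputerName $Server -FilterHashtable $filter -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    # Flatten the EventData name/value pairs into a hashtable
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TargetUserName'] -ne $User) { continue }

    [pscustomobject]@{
        TimeUtc   = $e.TimeCreated.ToUniversalTime()
        LogonType = $data['LogonType']   # 2 = interactive, 3 = network, 10 = remote interactive
        Source    = $data['IpAddress']
    }
}

# Every failure the host saw for the account, then a tally per logon type
$failures | Sort-Object TimeUtc | Format-Table -AutoSize
$failures | Group-Object LogonType | Select-Object Name, Count
```

The message quoted in the thread refers to interactive logon attempts, so failures that the target logged under a different logon type are the ones to compare against the directory counter.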