Terminal Services client connection error 0xC000035B when you use LmCompatibility

Applies to: Windows Server 2012 Datacenter, Windows Server 2012 Essentials

Symptoms


A Terminal Services client connection that uses Remote Desktop Protocol (RDP) 8.0 to connect through a Windows Server 2012 RD Gateway server fails and generates the following error message: 

This computer can't connect to the remote computer.
Additionally, Event 4625 is logged in the Security log on the Gateway server, and reports a 0xC000035B error. 

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 8/5/2013 4:20:00 PM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: RDGW.CONTOSO.COM
Description:
An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Myuser
Account Domain: Contoso
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xC000035B
Sub Status: 0x0

Cause


This problem occurs when the LmCompatibility registry value is configured to force the system to use NTLMv1. An LmCompatibility value of less than 3 forces the system to use NTLMv1. 

By default, Windows Server 2012 enforces channel bindings in RDP 8.0. Because these bindings are not sent when NTLMv1 is used, the authentication fails and generates the 0xC000035B "Client's supplied SSPI channel bindings were incorrect" error message. This indicates that the channel bindings are not valid. 

Resolution


Important
Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk. Before you modify it, back up the registry for restoration in case problems occur.

For information about how to edit the registry, see the "Changing Keys And Values" Help topic in Registry Editor. 

To resolve this problem, use one of the following methods.

Method 1

Adjust the LmCompatibility registry value on the client to not force NTLMv1 by setting it to a value of 3 or larger. For more information about the LmCompatibility registry value, see the following Microsoft TechNet topic:

Method 2

Set the EnforceChannelBinding registry value to 0 (zero) to ignore missing channel bindings on the Gateway server. To do this, locate the following registry subkey, and use the given specifications:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core
Type: REG_DWORD
Name: EnforceChannelBinding
Value: 0 (Decimal)

Note By default, the EnforceChannelBinding value does not exist on the Gateway server. You must create this value.
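
The following read-only PowerShell check is an added example, not part of the original article: it reports the two registry settings behind Method 1 and Method 2 and lists the Event 4625 entries that carry status 0xC000035B. It assumes the LmCompatibility setting is stored as the LmCompatibilityLevel value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and the 2000-event search window is an arbitrary choice.

```powershell
# Added example: read-only triage for the 0xC000035B failure. Run elevated; nothing is modified.
# Assumption: the LmCompatibility setting is the LmCompatibilityLevel value under the Lsa key.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
# Key and value name as given in Method 2 of the article.
$gwKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns nothing ($null) when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Run on the client: a value below 3 forces NTLMv1, which sends no channel bindings.
$lm = Get-RegDword -Path $lsaKey -Name 'LmCompatibilityLevel'
if ($null -eq $lm) {
    'LmCompatibilityLevel: not set (operating system default applies)'
} elseif ($lm -lt 3) {
    "LmCompatibilityLevel: $lm -> forces NTLMv1; Method 1 raises this to 3 or larger"
} else {
    "LmCompatibilityLevel: $lm -> does not force NTLMv1"
}

# Run on the Gateway server: the value is absent by default, and 0 means Method 2 was applied.
$ecb = Get-RegDword -Path $gwKey -Name 'EnforceChannelBinding'
if ($null -eq $ecb) {
    'EnforceChannelBinding: not present (default, channel bindings enforced)'
} elseif ($ecb -eq 0) {
    'EnforceChannelBinding: 0 -> missing channel bindings are ignored (Method 2 applied)'
} else {
    "EnforceChannelBinding: $ecb"
}

# Run on the Gateway server: failed logons whose Status is the channel-binding error.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 2000 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['Status'] -ieq '0xC000035B') {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType = $data['LogonType']
        }
    }
}
```

The accounts listed by the last step identify which clients still need the Method 1 change, which keeps channel binding enforcement in place on the Gateway server.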