Since upgrading from 4.1.7 to 4.2.0, RDP connections using domain accounts for auto-login fail for some target accounts and some target servers. The built-in RDP access method works for servers that allow connections from the PAM RDP client, but this client is not compatible with the Force Updated Clients setting for CredSSP encryption oracle remediation.
PAM 4.2.0
There was a problem with the PAM Proxy not always providing the domain name associated with the target account to the Windows Server. The Windows event (Security) logs on the RDP server would show audit failures for the account with failure reason "Unknown user name or bad password.", status 0xC000006D and substatus 0xC0000064. The latter says that the user was not found, even though the user name was correct. This happened because PAM didn't provide the domain name and the RDP server looked for a local user with that name.
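To separate this failure from a genuinely mistyped account name, the following added example (not from the original article or from PAM) scans exported Security-log XML for failed logons with the status and substatus quoted above and keeps those where no domain reached the server. It assumes event ID 4625 with its `TargetUserName`, `TargetDomainName`, `Status` and `SubStatus` fields, that a missing domain is logged as an empty value, "." or the server's own name, and uses constructed sample events.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOGON_FAILURE = 0xC000006D  # status quoted in the article
NO_SUCH_USER = 0xC0000064   # substatus quoted in the article

def find_missing_domain_failures(events_xml):
    """Return failed logons (assumed event ID 4625) with the article's codes
    where the account domain is empty or is the server itself.
    Assumption: input is a run of <Event> elements without a root element."""
    root = ET.fromstring("<Events>" + events_xml + "</Events>")
    hits = []
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", "", NS).strip() != "4625":
            continue
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.findall("e:EventData/e:Data", NS)}
        try:
            codes = (int(data["Status"], 16), int(data["SubStatus"], 16))
        except (KeyError, ValueError):
            continue  # record lacks usable status fields
        if codes != (LOGON_FAILURE, NO_SUCH_USER):
            continue
        host = ev.findtext("e:System/e:Computer", "", NS).strip().lower()
        domain = data.get("TargetDomainName", "")
        # Assumption: a logon sent without a domain shows an empty domain,
        # "." or the server's own name (short or fully qualified).
        if domain.lower() in {"", ".", host, host.split(".")[0]}:
            hits.append({"host": host, "user": data.get("TargetUserName", ""),
                         "domain": domain})
    return hits

def _event(user, domain, substatus, host="RDP01.corp.example"):
    fields = {"TargetUserName": user, "TargetDomainName": domain,
              "Status": "0xc000006d", "SubStatus": substatus}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4625</EventID>'
            f'<Computer>{host}</Computer></System>'
            f'<EventData>{body}</EventData></Event>')

# Constructed sample: two hits, one named-domain miss, one wrong password.
SAMPLE = "".join([_event("svc_rdp", "", "0xc0000064"),
                  _event("svc_rdp", "RDP01", "0xc0000064"),
                  _event("jdoe", "CORP", "0xc0000064"),
                  _event("svc_rdp", "CORP", "0xc000006a")])

if __name__ == "__main__":
    for hit in find_missing_domain_failures(SAMPLE):
        print(hit)
```

A failed logon for a local account that really does not exist produces the same record, so match each hit against the time of a PAM auto-login session before attributing it to this issue.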
This problem is fixed in 4.2.1 and later. See the following item on the page Resolved Vulnerabilities and Issues in 4.2.1:
35793620 DE617336 RDP proxy for some users sometimes failing to connect with a bad username or password. However, after several attempts, the RDP connection is successful.