Unable to connect to workstations after logging into firewall
I'll start this question in the Community before opening a ticket … Our office has a TZ400 Firewall and we are using the VPN. All users have some kind of 2FA, most via Microsoft Authenticator, one via email OTP. All this worked fine for a while then, not exactly sure what happened (possibly following an upgrade to the Active Directory Domain Controller), if a user's password or other such settings (OTP method, expires, …) are changed in the TZ400 in Users > Local Users & groups, they can still log into the VPN ok, but cannot connect to any Windows workstation via RDC. They get "Remote Desktop can't connect …". Any VPN user whose "Local Users & Groups" info has never been changed can still get into their workstations via the VPN connection.
If I bypass the TZ400/VPN and open up the RDC port directly, the user who can't RDC via the VPN can now do so, so it's not like the computer itself is rejecting the user, nor that the computer is down or not connected to the LAN.
Any ideas on what is causing this problem? Something to do with name serving? I've tried everything I can think of. All users need to be able to log into their workstations via the VPN, and for users who now cannot, we need to leave the RDC port open to their workstations when they need to log in — bad.
(Firmware version: SonicOS Enhanced 6.5.4.13-105n)