terraform windows server 2016 in Azure and domain join issue logging in to domain with network level authentication error message

I successfully got a windows server 2016 to come up and join the domain. However, when I go to remote desktop login it throws an error about network level authentication. Something about domain controller cannot be contacted to perform Network Level Authentication (NLA).

I saw some video on work arounds at https://www.bing.com/videos/search?q=requires+network+level+authentication+error&docid=608000415751557665&mid=8CE580438CBAEAC747AC8CE580438CBAEAC747AC&view=detail&FORM=VIRE.

Is there a way to address this with terraform and up front instead?

To join domain I am using:

    name = "domjoin"
    virtual_machine_id = azurerm_windows_virtual_machine.vm_windows_vm.id
    publisher = "Microsoft.Compute"
    type = "JsonADDomainExtension"
    type_handler_version = "1.3"
    settings = <<SETTINGS
    {
    "Name": "mydomain.com",
    "User": "mydomain.com\\myuser",
    "Restart": "true",
    "Options": "3"
    }
    SETTINGS

    protected_settings = <<PROTECTED_SETTINGS
    {
    "Password": "${var.admin_password}"
    }
    PROTECTED_SETTINGS
    depends_on = [ azurerm_windows_virtual_machine.vm_windows_vm ]

Is there an option I should add in this domjoin code perhaps?

I can log in with my local admin account just fine. I see the server is connected to the domain. A nslookup on the domain shows an ip address that was configured to be reachable by firewall rules, so it can reach the domain controller.

Seems like there might be some settings that could help out, see here, possibly all that is needed might be:
"EnableCredSspSupport": "true" inside your domjoin settings block.

You might also need to do something with the registry on the server side, which can be done by using remote-exec.

For example something like:

resource "azurerm_windows_virtual_machine" "example" {
  name                  = "example-vm"
  location              = azurerm_resource_group.example.location
  resource_group_name   = azurerm_resource_group.example.name
  network_interface_ids = [azurerm_network_interface.example.id]
  vm_size               = "Standard_DS1_v2"

  storage_image_reference {
    publisher = "MicrosoftWindowsServer"
    offer     = "WindowsServer"
    sku       = "2019-Datacenter"
    version   = "latest"
  }

  storage_os_disk {
    name              = "example-os-disk"
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_type = "Standard_LRS"
  }

  os_profile {
    computer_name  = "example-vm"
    admin_username = "adminuser"
    admin_password = "SuperSecurePassword1234!"
  }

  os_profile_windows_config {
    provision_vm_agent = true
  }

  provisioner "remote-exec" {
    inline = [
      "echo Updating Windows...",
      "powershell.exe -Command \"& {Get-WindowsUpdate -Install}\"",
      "echo Done updating Windows."
    ]

    connection {
      type        = "winrm"
      user        = "adminuser"
      password    = "SuperSecurePassword1234!"
      timeout     = "30m"
    }
  }
}

In order to set the correct keys in the registry you might need something like this inside the remote-exec block (I have not validated this code) :

Set-ItemProperty -Path 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-tcp' -Name 'SecurityLayer' -Value 0

In order to make the Terraform config cleaner I would recommend using templates for the Powershell script, see here

Hope this helps