We are testing SAML SSO (via Azure AD) in a test environment. We have everything set up exactly according to the documentation, and overall it's working well. This is on the latest RAS version - 188.8.131.5266, Client 184.108.40.20662.

We've come across one nagging issue - a single server won't allow users to log in. When users try to connect to that server (HTML5 or Client), it throws the generic error 'To Sign-in remotely, you need the right to sign in through Remote Desktop Services'... If they hit OK on the error message, they're at the login screen with the NLAUser already put in.

This is only affecting a single server (2022, only set up a few weeks ago). Other 2022 servers work fine (at first we thought it could be a problem with WS2022). This server is in the same OU and has the same policies as all of our other servers. We've confirmed the NLAUser account is added to the local 'Remote Desktop Users' group, but is also in the GPO that DENIES login via Remote Desktop Services (as per documentation). Again - this is working fine on all other machines.

We're scratching our heads at this one. We've tried clearing GPO, clearing the local secpol database... Removed/re-added the NLAUser... Reapplied GPO... Rebooted a million times, removed and re-added the Parallels SH agent (as well as PC agent - this machine doesn't allow logins as a Session host server or via the PC Agent). Nothing apparent in the security logs. We set the enrollment server to verbose logging - nothing apparent in there.

Any ideas as to why this single server is acting this way? I'd like to try and troubleshoot this issue, in case it happens again. We could replace the server and set it up again, but it's got a critical application on it that's a PITA to re-install. Thoughts or ideas?