As we described earlier, the first thing to check in case of connectivity problems is the client-side routing and networking. If you can see the client appears in the monitoring console, that usually means that the client-side networking is ok. The first tunnel is "easy" for the client to establish, because it's a simple interaction between the URA client and server. The second tunnel is more complicated, because it requires the client to communicate with a domain controller through the first tunnel.
Establishing the second tunnel could fail for several reasons. First, if something is blocking the traffic from going through to the domain controllers, the Kerberos authentication would not complete. Second, if there's something wrong with the credentials that the client is using, the Kerberos authentication will fail and the tunnel won't be established. The trick is finding out which is it that we're dealing with.
The first step in looking into this is trying to access...