1.Make a password to start with one number.
2. See the logs (Journal-Security) (although they are unlikely to help)
3. If it allows you to enter a username / password, then it's definitely not a fusee.
4. Maybe it's about authentication, but it's also unlikely.

Are you pasting your username and password from the clipboard?
It happened a couple of times and it didn't work. But when the handles entered - everything is in order.
Magic, not otherwise ...
By the way, another solution is to save an RDP connection to some server (required to save the password), and then edit this file with notepad - put the necessary data of the "problem" server. It can help too.

Check / update the version of the RDP client, try to log in using the same computer (laptop) from LAN via wire, and then via the Internet (for example, via a neighbor's Wi-Fi).
Check the settings of the router - maybe there is something with a forwarder, etc.

If I correctly understood the essence of the problem (different connection subnets), then try enabling the Routing and Remote Access Service (RRAS) on the server and clients. For example, on Windows 7, Windows 8, it is disabled by default, which does not allow using a shared Internet connection for subnets.

firstly. try logging in like this:
%domain%\%login%, if it is a workgroup, then you need to substitute the hostname of the server you are connecting to in the place of the domain, exactly as it is indicated in the "computer name" field on the rdp server.
2. check if there is a route on the final RDP server to the network from which the connection is coming, because packets will reach, but the machine may not know where to send them.

Here they write about something similar, with solutions:
serverfault.com/questions/145768/strange-rdp-remote-desktop-problem
Found by Google for "windows 2008 rdp remote failed password".

It could also be a matter of routing.
Might help someone indirectly. I also have a server on Windows, but routing and firewall on KERIO
It turned out that in the KERIO rule, the incoming interface was specified - "Any" (it seems logical). At the same time, I got to the server without any problems, but there was a whack that the password was incorrect. What is inside the network (before adding the rule everything worked here), what is from the outside.
I changed the rule to incoming with "Internet interfaces" and it all worked.

Got a similar error. But somewhat different source data.
There is a win server, it runs wireguard as a vpn. On the router, port forwarding is enabled before wireguard and the rules are set in the firewall. Created a number of config files for connecting to VPN by keys. I log in from the outside (from the mobile Internet) from my laptop, successfully cling to the VPN and go to the destination server via RDP as a domain user. I transfer a similar config file to a colleague. A person successfully tries to VPN (100% verified) gets an error that he enters incorrect data. In windows events, the error is "4625 unknown name or password". We rechecked passwords, names, everything was entered correctly (it used to be stupid because, for example, there was a space at the end, but this time this is clearly not the problem). The domain name is also entered correctly. As a result, I was able to log into the server using a local user (clearly specifying the host name instead of the domain). Users from the domain do not connect. For some reason the server is not perceived by domain users. And the strange thing is that I normally log in from my laptop, connecting via the mobile Internet of the beeline. A colleague's network adapters are configured by default, the router is also on banal settings. What is the secret here?
I will add, the error code in the log is 0xC000006D, the substate 0xC000006A means the correct name, but the wrong password. I repeat, I tried several users, checked the entered characters. Thus the user not in the domain comes normally, and domain users do not enter. Passwords in both cases with numbers.
Addition. I figured out that it is also impossible to access the host from the problem PC using the open TCP ports of the remote desktop gateway, i.e. the gateway does not even try to fulfill the login/password request. Also, from a problem PC, you cannot log in through a mobile operator. You can't log in as a domain user. One conclusion can be drawn. There are some settings on the problem PC that do not satisfy group policies. At the same time, windows server gives a specific error that the password is not correct. Here are the results. By the way, one of the reasons not to do Active Directory, especially in small organizations.
Disabled network level checking on the server (NLA) - did not help.
Up - disable at the network level on the server and RDP login check must be configured in group policies. After that, the entrance is carried out from problem clients. UDP is also disabled in this mode.