Remote Desktop Network Level Authentication
Recently, I began getting failed connections from a Windows 7 Enterprise client to another Windows 7 Enterprise host where the host is requiring NLA. This has been a problem on and off for YEARS and I have found no link that can tell me to configure something that I haven't already configured. Neither system underwent any configuration changes that I know of, with the exception of Windows security updates/patches. In fact, some people in my company have the same issue while others do not. I can find no rhyme or reason to it. Here's where I'm at:
"The remote computer requires Network Level Authentication, which your computer does not support. For assistance, contact your system administrator or technical support."
But I do. When I click the upper left-hand corner of my RDP client window and select "About", I see this:
"Remote Desktop Connection
Shell Version 6.1.7601
Control Version 6.1.7601
Network Level Authentication Supported.
Remote Desktop Protocol 7.1 supported."
And the above info is exactly what it says on the host.
Here's the SecurityProvider registry settings on the client:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="credssp.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SaslProfiles]
"GSSAPI"="Kerberos"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"EventLogging"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CipherSuites]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"Debuglevel"=dword:00000000
"Negotiate"=dword:00000000
"UTF8HTTP"=dword:00000001
"UTF8SASL"=dword:00000001
"DigestEncryptionAlgorithms"="3des,rc4"
Every link I have looked at tells me to look at those things. Anyone got something new? :)
Also, if someone knows how to log the RDP failures that would be cool too. Presently I have turned on Audit Other Security Events in GPO but it doesn't tell me if someone attempted to authenticate with a less than desirable security protocol.
As a fix, for now, I have reduced the security requirements on the host to not require NLA. <-- This is the only consistent fix I have ever seen that works.
By the way, just about every link I see also starts talking about setting up RD session host service. I am not running Windows Server 2008. This is a Windows 7 to Windows 7 problem.
Hi,
On both Windows 7 machines, please go to System Properties, Remote tab, and make sure that "Allow connections only from computers running Remote Desktop with Network Level Authentication" is unchecked.
If the problem persists, please check whether there are any Windows updates that need to be installed; if so, try installing the updates as a test.
Roger Lu
TechNet Community Support
Similar Messages
-
We have enabled Network Level Authentication on all of our test servers. We are now having issues with 2 servers where folks are receiving an error stating that the remote computer requires Network Level Authentication, which your computer does not support.
All clients are Windows 7 SP1, and can access other servers that have Network Level Authentication.
When comparing the servers to working servers, there doesn't appear to be any differences.
Any Ideas?
DJ
Hi DJ,
From the current description, it seems the self-signed certificate is corrupt. Please perform the following action: open the Certificate Management MMC snap-in with the Local Computer account. You will find the self-signed certificate in the 'Remote Desktop' store of the server.
Delete the certificate here.
For Windows 2003/ 2008, a server restart is required for this certificate to be re-generated.
On Windows 2008 R2, you can restart the Remote Desktop Services Configuration service to get the certificate re-generated.
The similar thread:
Configure Certificate for NLA...
https://social.technet.microsoft.com/Forums/windowsserver/en-US/d7d45464-dcb6-4dc6-b840-cb29578a9f23/configure-certificate-for-nla
Windows Server 2008 R2: Why Use Network Level Authentication?
https://technet.microsoft.com/en-us/magazine/hh750380.aspx
Secure RDS (Remote Desktop Services) Connections with SSL
https://technet.microsoft.com/en-us/magazine/ff458357.aspx
Configure Server Authentication and Encryption Levels
https://technet.microsoft.com/en-us/library/cc770833.aspx
I’m glad to be of help to you!
-
Remote Desktop Connection - Windows Network Level Authentication
Hi
I'm trying to find a piece of Remote Desktop "Manager" software for Mac which supports Network Level Authentication (NLA). When NLA is enabled on a Windows Server I am unable to connect via CoRD or Royal TSX.
The reason I say "Manager" is because I have many, many windows servers I need to connect to and so I like to use software such as the above to save a list of all the servers for ease of access - this saves me having to type in the name of the server each time.
At the moment, for those servers with NLA enabled, I have to fire up Remote Desktop Connection for Mac and enter the name. I realise I could save this each time but then I would have LOADS of shortcuts.
Any ideas/proposals on pieces of software that can cater for this?
Thanks!
Hi!
Royal TSX actually supports NLA but you have to use the FreeRDP plugin instead of CoRD and enable the setting in the advanced settings of your RDP connection.
cheers,
felix
-
Configure Network Level Authentication for Remote Desktop client
We publish Remote Desktop in our Windows 2008 R2 terminal server.
However, in Windows 2008 R2, the remote desktop client will be a little bit slow.
I found out that if I modify the setting in default.rdp
authentication level:i:0
enablecredsspsupport:i:0
it will increase the speed a lot
However, how can I set it so that all users of Remote Desktop have those features disabled as well?
Thanks
Hi Kenneth,
I suggest you see the similar thread "disable Network Level Authentication Terminal Server 2008".
If the above thread does not help, seek help from the RDS/TS experts here.
Or wait until one of our moderators moves this post to the respective forum.
Thank you for understanding.
Regards, Ravikumar P
-
AD "Log on to" restriction causes RDP connections with network level authentication to fail
I am running a Server 2008 R2 environment and have recently enabled network level authentication for RDP connections. Since the change, users who have their logons restricted to specific servers via AD, now get an error when logging on via RDP:
An Authentication error has occured
The Local security authority cannot be contacted
After investigating this error and reading TechNet, I found that removing the "log on to" restriction within their user object solved the problem, even though they had rights to this server. Adding the user's client PC name to the "Log on to" list also solves this issue.
My question is, is there another way around this? We have an environment where some users may require an RDP connection from a client PC not on the same domain (over VPN) as the server. It will not be practical to add many different client PC names to the log on to list and I don't understand why client PCs must be specified in the Log on to list and not just the actual server they are logging onto.
Any pointers appreciated
I have just come across this problem on one of my client’s domains; they have recently enforced a policy to “Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)” and users with “Log on To” restrictions on their account are no longer able to RDP using their second account.
After a lot of fiddling around I finally resolved the problem by adding the connecting computer name into the “Log on To” list. Ultimately it appears that Network Level Authentication (NLA) requires authentication to take place on both the host initiating the connection and the remote host.
-
NLA Disabled. Still can't RDP; "requires Network Level Authentication"
Had a server I could RDP onto without any issue running Hyper V.
I removed the Hyper V role.
I then rebooted and attempted to RDP onto the server and can't:
The remote computer that you are trying to connect to requires Network Level Authentication (NLA), but your Windows domain controller cannot be contacted to perform NLA. If you are an administrator on the remote computer, you can disable NLA by using the options on the Remote tab of the System Properties dialog box.
OK... Never needed before.
I checked the network settings remotely with netsh and confirmed correct DC as DNS. So I'm scratching my head why Microsoft are lying to me?
OK, so I check the NLA settings remotely, sure enough is enabled. So I disabled via remote registry, reboot the machine, confirm the registry is set to NLA disabled again remotely and attempt to connect.
And... Same message.
I can access any other of the 2012 R2 servers on my domain without issue. I can open AD or any other Domain tools from other servers with the same DC as the problem server as their primary DNS.
How can I get that message when both the DC is contactable and NLA is disabled?
How did removing a role cause this BS suddenly?
Hi,
Thank you for posting in Windows Server Forum.
Which version of the RDP client are you using?
You can use RDP v8.1 for better performance.
Apart from the above, use a local admin account to log on to the virtual machine and set the DNS to point to your DC. Alternatively, assign the IP address of the DC/DNS under DNS servers of the virtual network.
Also, when trying to remote desktop, check the option “Allow connection from computers running any version of Remote desktop (less secure)” under system properties.
Hope it helps!
Thanks.
Dharmesh Solanki
TechNet Community Support
-
Remote Desktop Gateway, Pluggable Authentication
Hi,
Where should I post questions regarding Remote Desktop Gateway and the Pluggable Authentication and Authorization (PAA) Framework? I’m trying to build a custom cookie based authentication module.
Ok, then I'd try asking them over here.
http://social.msdn.microsoft.com/Forums/vstudio/en-US/home?category=vslanguages&filter=alltypes&sort=lastpostdesc
http://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/home?category=windowsdesktopdev
Regards, Dave Patrick ....
Microsoft Certified Professional
Microsoft MVP [Windows]
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
-
Remote Desktop networking question
Can I use this program to connect to a computer at another location?
Or is this software only for use on a network? If so, what software can I use to connect from one spot to another?
Ok, then how?
I have all Macs on a class A 10.112.?.? address,
but also Macs on a 10.111.?.? address.
How does ARD see the Macs on the 10.111.?.? address,
as the scanner only sees the Macs on the 10.112.?.?
Thank you
-
Remote desktop to laptop running Window 7 from laptop running Windows 8.1 on same network
I am trying to remote desktop into my Windows 7.1 laptop with my Windows 8.1 laptop. They are both connected to the same network and I can ping each other with their dns names. I can even use Windows Explorer to explore the file system of each laptop.
When I try to use Remote Desktop Connection I get the error message "The remote computer requires Network Level Authentication, which your computer does not support." How do I turn this on in Windows 8.1?
I was able to figure it out on my Windows 7 laptop which I can remote into my Windows 8.1 laptop.
Thanks for your help,
Fred
Fred Schmid
When I uncheck the "Allow connections from computers running Remote Desktop with Network Level Authentication (recommended)", I still get the warning message:
"The identity of the remote computer cannot be verified. Do you want to connect anyway?"
But it allows me to connect.
What does that tell me?
Also, when I right click on the icon in the upper left corner of the Remote Desktop Connection window it says that Network Level Authentication is supported on both computers.
Thanks for your help,
Fred Schmid
Hi,
From the details in the error prompt, we can understand that the RDP client is trying to validate the remote server’s certificate. The RDP client shows the error prompt when it cannot trust the certificate. The good thing is, the RDP client allows us to bypass the certificate validation and connect to the server anyway.
The ideal solution for this is to apply the correct certificate on the server. The Microsoft support article (http://support.microsoft.com/kb/2000960) explains how to verify the selected certificate on the server.
In my case, I don’t have control over the servers. But I’m sure the servers I connect to are trustworthy. So, it is annoying to see this error message every time I connect to the servers. And, every time I have to select the check box “Don’t ask me again for connecting this computer“.
Kate Li
TechNet Community Support
-
Remote Desktop to Windows 8 (in Azure) using a Windows Live Account
It took me a while to find this answer, so I am posting it again in case it helps anybody, and also perhaps somebody has a suggestion of a better way to do it.
I spun up a Windows 8 Pro VM in Azure (using MSDN subscription) which gives me a local account to access it with via RDP. No problems there.
I want to use a Microsoft Account on this VM instead of a local account however, because I want to sync my OneDrive (reason: I have a lot of data in the Cloud via backup programs like Carbonite and CrashPlan that I want to move to my OneDrive as it has unlimited space now, but don't want to use home or work network for that move as it will take months to move it all about. Cloud-to-Cloud initial data move seemed like it would be quicker hence I am doing it in Azure.)
I can't use OneDrive with the local account no matter what I tried so I had to log in as a Microsoft account.
I tried adding my Microsoft Account to this VM, making it Administrator and then switching the local account to that one but this process failed (even tried different accounts, one without 2-factor auth. enabled: nothing.)
I also tried RDPing in using the MicrosoftAccount\[email protected] rather than convert or link the local account but that didn't work either. "Your credentials didn't work." Even trying with just the email address didn't work. Nor did using an app password (I have 2-factor enabled of course.)
The only way I was able to log in was to:
Under System properties of the Windows 8 Pro VM, under Remote tab uncheck "Allow connections only from computers running Remote Desktop with Network Level Authentication"
I followed these instructions to create and edit an RDP file on my local pc:
http://support.microsoft.com/kb/941641
Once I connected from my local pc with the modified RDP file to the Windows 8 Pro VM in Azure, I was prompted for the user to log in as by the VM, allowing me to select the Microsoft Account I had previously added instead of the local account which looked the same as if you do it physically at the machine. This had not happened before and once I did, everything was fine after that :-)
Hi,
Please use the original RDP file on another computer and install the certificate. Then use the new RDP file for testing.
Karen Hu
TechNet Community Support
-
Remote Desktop Connection With Custom Certificate on Windows 8.1 fails
I'm trying to establish a secured remote desktop connection without success.
The setting
There are some local pcs with windows 8.1 Pro and windows 7 Pro, no server-edition. I've created a self signed ca-certificate with openssl for Windows. I used this to sign custom certs for the local windows-pcs, which are installed at mmc -> certificate snap-in for local computer -> My Certificates -> Certificates. The networkdriver has the right to read the key. The sha1-fingerprint of the custom signed certs are registered at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp -> SSLCertificateSHA1Hash = sha-1 hash of the custom local cert. Additionally the revocation-list is restrained to the local list by setting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp -> UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors = 1.
The results
The connection from win 8.1 to win 7 works. The connection info confirms that it is a verified connection. The connection to windows 8.1 fails after entering the credentials with error: No connection possible. Network Level Authentication is set, but other levels don't work as well. The log (Event Viewer -> Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-RemoteConnectionManager -> Admin) says "Remote Desktop Services has taken too long to load the user configuration from server" and "The Local Security Authority Cannot Be Contacted" (error 0x80090304)
Additional information
The connection via linux (remmina) works for win 7 and win 8.1, but I have no information about the encryption. It is the same with the Microsoft Remote Desktop Tool for Android.
Maybe it is associated with a different cert handling by Windows 8.1 but I couldn't find further information or a solution on the internet.
Best regards
abditus
I solved the problem!
The default openssl certificate signature algorithm is md5RSA but it doesn't work with windows 8.1.
At least sha1RSA is needed.
By adding "default_md = sha1" to the openssl.cnf you create certs with sha1RSA and it works fine.
Best regards
abditus
-
Remote desktop connection in windows 7 pro
I have a problem accessing remote desktop connection using windows 7 64 bit.
My remote desktop connection shell version 6.3.9600 shows the Network Level Authentication is not supported.
My other computer also win 7 pro 64 bit has a different shell version 6.2.9200 that supports Network Level Authentication.
How do I go backwards to shell 6.2.9200?
I have been trying use remote desktop using the more robust security and could not figure out why I could not log.
I have screen shots of the two shells and my system screens
Hi,
Configure Network Level Authentication
Click Start, click Run, type regedit, and then press ENTER.
In the navigation pane, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
In the details pane, right-click Security Packages, and then click Modify.
In the Value data box, type tspkg. Leave any data that is specific to other SSPs, and then click OK.
In the navigation pane, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
In the details pane, right-click SecurityProviders, and then click Modify.
In the Value data box, type credssp.dll. Leave any data that is specific to other SSPs, and then click OK.
Exit Registry Editor.
Restart the computer.
Hope this helps!
Andy Altmann
TechNet Community Support
-
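The registry procedure above, and the SecurityProviders export posted in the first thread on this page, can be checked offline from a regedit export instead of by eye. This is an added example, not code from any of the threads; the function names are hypothetical, the sample exports are constructed, and the `UserAuthentication` value under RDP-Tcp does not appear on the page (it is the setting behind the "require NLA" checkbox).

```python
import re

LSA = r"hkey_local_machine\system\currentcontrolset\control\lsa"
PROVIDERS = r"hkey_local_machine\system\currentcontrolset\control\securityproviders"
RDP_TCP = (r"hkey_local_machine\system\currentcontrolset\control"
           r"\terminal server\winstations\rdp-tcp")


def decode_value(raw):
    """Decode the right-hand side of a .reg value line."""
    if raw.startswith('"'):                      # REG_SZ
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if raw.startswith("dword:"):                 # REG_DWORD
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\w+)\))?:(.*)$", raw)
    if not m:
        return raw
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if m.group(1) == "7":                        # REG_MULTI_SZ: UTF-16LE, NUL separated
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return data


def parse_reg(text):
    """Parse regedit 5.00 export text into {key_lower: {value_name_lower: value}}."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)    # join hex continuation lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1).lower()] = decode_value(m.group(2))
    return keys


def audit_nla(export_text):
    """Check the two CredSSP prerequisites from the procedure, plus the NLA requirement."""
    reg = parse_reg(export_text)
    packages = reg.get(LSA, {}).get("security packages", [])
    if isinstance(packages, str):
        packages = [packages]
    providers = str(reg.get(PROVIDERS, {}).get("securityproviders", "")).split(",")
    user_auth = reg.get(RDP_TCP, {}).get("userauthentication")
    return {
        "tspkg_registered": "tspkg" in [p.lower() for p in packages],
        "credssp_registered": "credssp.dll" in [p.strip().lower() for p in providers],
        "host_requires_nla": None if user_auth is None else user_auth == 1,
    }


def multi_sz_hex(strings, wrap=8):
    """Build a hex(7) value the way regedit writes it (used for the constructed samples)."""
    data = ("\x00".join(strings) + "\x00\x00").encode("utf-16-le")
    parts = ["%02x" % b for b in data]
    rows = [",".join(parts[i:i + wrap]) for i in range(0, len(parts), wrap)]
    return "hex(7):" + ",\\\n  ".join(rows)


# Constructed sample exports. Real exports are UTF-16 files: open(path, encoding="utf-16").
GOOD_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]",
    '"Security Packages"=' + multi_sz_hex(["kerberos", "msv1_0", "tspkg"]), "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]",
    '"SecurityProviders"="credssp.dll"', "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]",
    '"UserAuthentication"=dword:00000001',
])
BROKEN_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]",
    '"Security Packages"=' + multi_sz_hex(["kerberos", "msv1_0"]), "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]",
    '"SecurityProviders"=""',
])

if __name__ == "__main__":
    print(audit_nla(GOOD_EXPORT))
    print(audit_nla(BROKEN_EXPORT))
```

An export that covers only the SecurityProviders key, like the one in the first post, reports `tspkg_registered` as False because the Lsa key is absent from the file, so export both keys before drawing a conclusion.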
Pro Dock Remote Desktop Connection
I have a Thinkpad X1 Carbon (20A8S0450X) that uses a ThinkPad OneLink Pro Dock (4X10E52950) to drive two external monitors. Therefore, in normal operation, I have 3 screens visible. The main display is set to one of the external monitors.
I often use a separate PC and use Remote Desktop Connection to access the laptop above. When I finish the session after a period of time, and return to the laptop, the screens are all blank and will not reactivate. Unplugging the docking station from the laptop does not resolve the issue as the laptop monitor remains blank. I therefore have to perform a hard reset to reboot the laptop to continue using it.
Has anyone else experienced this problem? Is anyone able to assist with a resolution to this issue?
Thanks in advance
Hi,
Configure Network Level Authentication
Click Start, click Run, type regedit, and then press ENTER.
In the navigation pane, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
In the details pane, right-click Security Packages, and then click Modify.
In the Value data box, type tspkg. Leave any data that is specific to other SSPs, and then click OK.
In the navigation pane, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
In the details pane, right-click SecurityProviders, and then click Modify.
In the Value data box, type credssp.dll. Leave any data that is specific to other SSPs, and then click OK.
Exit Registry Editor.
Restart the computer.
Hope this helps!
Andy Altmann
TechNet Community Support
-
Remote Desktop Session Host on Server 2012 not domain-joined
I have a server 2012 which is running Remote Desktop Session Host role without the Connection Broker like described here:
http://support.microsoft.com/en-us/kb/2833839
Now the client would like the Network Level Authentication (NLA) disabled. And since server 2012 does not have the Remote Desktop Session Host Configuration tool, I have to use the server manager console.
https://social.technet.microsoft.com/Forums/windowsserver/en-US/630cc818-69b0-4e1c-8d65-1b895b20e203/where-is-the-remote-desktop-session-host-configuration-tool-in-server-2012-?forum=winserverTS
But when I go to the remote Desktop Services of Server manager, it says “You are currently logged on as local administrator on the computer. You must be logged on as a domain user to manage servers and collections.”
So I tried finding some PowerShell cmdlet that could help me with the problem. I guess Get-RDServer or Set-RDSessionCollectionConfiguration would be the ones but I can’t seem to make them work.
Any help, or a hint whether I am going in the right direction or not?
Hi,
Have you configured the certificate for your server?
Add the user under the Remote Desktop Users local group, and configure the FQDN name of the server. Please note that if we are using an RDS server in a workgroup, then most of the tools provided to make managing/configuring RDSH servers easier in 2012 will not work in a workgroup configuration, including some PowerShell commands. You can check the below article for information.
Deploying a RDSH Server in a Workgroup – RDS 2012 R2
Hope it helps!
Thanks.
Dharmesh Solanki
-
Cannot get Remote Desktop to work on Windows 7
Ok. I am having issues trying to connect remotely using RDP. From what I know, the network was pre-configured from another IT group and was able to get it up and running. My company was commissioned to migrate his old PC (WINXP) to Windows 7. I have gone through the steps of allowing remote desktop and following instructions:
To configure remote access, follow these steps:
1. In Control Panel, click System And Security, and then click System.
2. On the System page, click Remote Settings in the left pane. This opens the System Properties dialog box to the Remote tab.
3. To disable Remote Desktop, select Don’t Allow Connections To This Computer, and then click OK. Skip the remaining steps.
4. To enable Remote Desktop, you have two options. You can:
Select Allow Connections From Computers Running Any Version Of Remote Desktop to allow connections from any version of Windows.
Select Allow Connections Only From Computers Running Remote Desktop With Network Level Authentication to allow connections only from Windows 7 or later computers (and computers with secure network authentication).
5. Click Select Users. This displays the Remote Desktop Users dialog box.
6. To grant Remote Desktop access to a user, click Add. This opens the Select Users dialog box. In the Select Users dialog box, click Locations to select the computer or domain in which the users you want to work with are located. Type the name of a user you want to work with in the Enter The Object Names To Select field, and then click Check Names. If matches are found, select the account you want to use and then click OK. If no matches are found, update the name you entered and try searching again. Repeat this step as necessary, and then click OK.
7. To revoke remote access permissions for a user account, select the account and then click Remove.
8. Click OK twice when you have finished.
One thing that I found odd when he launched Remote Desktop from his home laptop is the IP entry:
Computer> [Public Router IP]:49250
Login> Domain\Admin
Password> *****
From the odd port number I would assume that was for port forwarding so I logged into his router and found exactly that. In port forwarding, he had the in/out as 49250 TCP to 192.168.30. I went into the firewall and enabled Remote Desktop in the inbound rules.
As of right now, I can use Remote Desktop to remote into the server, and within their server, I can use Remote Desktop to remote into the workstation. I just can't remote into the workstation directly using the port 49250. Any suggestions on this, something I am missing?
He has Norton Security installed on this computer and I tried adding Inbound/Outbound rules to its 'Smart Firewall' to allow remote desktop and the port.
Thanks for the reply.
When I use Remote Desktop and use the Public IP of the router without the port number (49250), I am able to get into the server. However, when I try to use RDP with the [Public IP]:49250, it will not connect to the 192.168.0.30 workstation.
Right now the router is programmed to forward port 49250 requests to the 0.30 workstation.
I am going to work on the Inbound/Outbound Firewall settings today and see if this will resolve the issue.