A few days ago I was in a training class out of the office with one of my work colleagues. During the class he tried to connect to work through our Citrix (SRA) portal, and realized that his computer at work (freshly reinstalled with Windows 8.1) was refusing the connection because of Network Level Authentication.
Error message: “The remote computer that you are trying to connect to requires Network Level Authentication (NLA), but your Windows domain controller cannot be contacted to perform NLA. If you are an administrator on the remote computer, you can disable NLA by using the options on the Remote tab of the System Properties dialog box.”
Before I talk about the workaround and the PowerShell script we used to fix that, let’s investigate in order to understand the problem.
What is Network Level Authentication?
Network Level Authentication is a feature of Remote Desktop Services (the RDP server side) and Remote Desktop Connection (the RDP client) that requires the connecting user to authenticate before a session is established on the server.
Originally, opening an RDP (Remote Desktop) session to a server made the server load its logon screen for you before you had authenticated at all. With NLA, the client first authenticates the user through a client-side Security Support Provider and delegates the credentials to the server, and only then does the server create a session. This is a more secure method: an unauthenticated client never reaches the Winlogon screen, which helps protect the remote computer from malicious users and malicious software.
Network Level Authentication was introduced in RDP 6.0 and first supported in Windows Vista. It uses the Security Support Provider CredSSP, which has been available through SSPI since Windows Vista.
The advantages of Network Level Authentication are:
* It requires fewer remote computer resources initially. The remote computer uses a limited number of resources before authenticating the user, rather than starting a full remote desktop connection as in previous versions.
* It can help provide better security by reducing the risk of denial-of-service attacks, since no session is created for a client that has not authenticated.
Requirements for Network Level Authentication
* The client computer must be using at least Remote Desktop Connection 6.0.
* The client computer must be running an operating system that supports the Credential Security Support Provider (CredSSP) protocol: Windows 8.1, Windows 8, Windows 7, Windows Vista, or Windows XP with Service Pack 3 (on XP SP3, CredSSP must first be enabled through the registry, as described in Microsoft KB951608).
* The Remote Desktop Session Host (the "server") must be running:
* Windows Client: Vista or newer (Vista, 7, 8, 8.1)
* Windows Server: 2008 or newer (2008, 2008 R2, 2012, 2012 R2)
Workaround using the UI
Go to Control Panel / System and Security / System and select Remote Settings.
In the Remote tab, in the Remote Desktop group, uncheck "Allow remote connections only from computers running Remote Desktop with Network Level Authentication (recommended)".
|Windows 8/8.1/2012 Remote tab|
|Windows Vista/7/2008 Remote Tab|
The user will then be able to connect to the server or workstation. Keep in mind that with NLA disabled, any client that can reach the RDP port gets the logon screen before authenticating, so treat this as a temporary workaround and re-enable NLA once the underlying problem (the domain controller not being reachable for NLA) is fixed.
Using PowerShell One-Liners
We used the WMI class Win32_TSGeneralSetting (namespace root\cimv2\terminalservices) to read and change the current NLA setting. Its UserAuthenticationRequired property is 1 when NLA is required and 0 when it is not, and the SetUserAuthenticationRequired method changes it. The commands below need administrative rights on the target (and, for a remote target, WMI/DCOM access to it).
Quick answer: you can do this with the following commands.

```powershell
$ComputerName = "SERVER01"

# Getting the NLA information (1 = NLA required, 0 = not required)
(Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName $ComputerName -Filter "TerminalName='RDP-tcp'").UserAuthenticationRequired

# Setting the NLA information to Disabled
(Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName $ComputerName -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)

# Setting the NLA information to Enabled
(Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName $ComputerName -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(1)
```
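The same WMI class wrapped into a reusable Get/Set pair, as an added example that is not part of the original post. It covers both the UI workaround above and the one-liners: it reports the current NLA state (plus the RDP security layer, which the same class exposes) for several machines at once, and when changing the setting it checks the ReturnValue of SetUserAuthenticationRequired instead of assuming success. The function names and the computer names in the usage comments are placeholders chosen for this example.

```powershell
# Added example (not from the original post): Get/Set helpers for the RDP NLA setting
# built on Win32_TSGeneralSetting. Function names and sample computer names are placeholders.

function Get-RdpNla {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)]
        [string[]]$ComputerName = $env:COMPUTERNAME
    )
    process {
        foreach ($computer in $ComputerName) {
            try {
                $setting = Get-WmiObject -Class Win32_TSGeneralSetting `
                    -Namespace root\cimv2\terminalservices `
                    -ComputerName $computer `
                    -Filter "TerminalName='RDP-Tcp'" `
                    -ErrorAction Stop
                [pscustomobject]@{
                    ComputerName  = $computer
                    NlaRequired   = [bool]$setting.UserAuthenticationRequired
                    # SecurityLayer: 0 = RDP Security Layer, 1 = Negotiate, 2 = SSL (TLS)
                    SecurityLayer = $setting.SecurityLayer
                }
            }
            catch {
                # Unreachable host, no WMI access, or no RDP-Tcp listener: report, do not stop the run
                Write-Warning "$computer : $($_.Exception.Message)"
            }
        }
    }
}

function Set-RdpNla {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName,

        # $true re-enables NLA (the secure default), $false applies the workaround
        [Parameter(Mandatory = $true)]
        [bool]$Required
    )
    foreach ($computer in $ComputerName) {
        try {
            $setting = Get-WmiObject -Class Win32_TSGeneralSetting `
                -Namespace root\cimv2\terminalservices `
                -ComputerName $computer `
                -Filter "TerminalName='RDP-Tcp'" `
                -ErrorAction Stop
        }
        catch {
            Write-Warning "$computer : $($_.Exception.Message)"
            continue
        }

        if ($PSCmdlet.ShouldProcess($computer, "Set UserAuthenticationRequired = $([int]$Required)")) {
            # The WMI method returns an object whose ReturnValue is 0 on success
            $result = $setting.SetUserAuthenticationRequired([int]$Required)
            if ($result.ReturnValue -ne 0) {
                Write-Error "$computer : SetUserAuthenticationRequired failed with return value $($result.ReturnValue)"
                continue
            }
            # Re-read the value rather than trusting the call, and return the new state
            Get-RdpNla -ComputerName $computer
        }
    }
}

# Usage (computer names are placeholders):
# Get-RdpNla -ComputerName 'SERVER01', 'SERVER02' | Format-Table
# Set-RdpNla -ComputerName 'SERVER01' -Required $false -WhatIf   # show what would change
# Set-RdpNla -ComputerName 'SERVER01' -Required $false           # apply the workaround
# Set-RdpNla -ComputerName 'SERVER01' -Required $true            # put NLA back afterwards
```

Two things to check before relying on this: the setting is also stored in the registry under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp as the UserAuthentication value, so you can confirm the change there; and if the Group Policy "Require user authentication for remote connections by using Network Level Authentication" (Remote Desktop Session Host / Security) is enforced on the machine, the WMI change will be reverted at the next policy refresh, so the exception has to be handled in policy rather than locally.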