The Remote Computer Requires Network Level Authentication (NLA)

KB ID 0001375

Problem

Seen when attempting to connect to a remote machine via Remote Desktop;

Cannot RDP Because of NLA

The remote computer that you are trying to connect to requires network level authentication (NLA), but your windows domain controller cannot be contacted to perform NLA. If you are an administrator on the remote computer, you can disable NLA by using the options on the remote tab of the System properties dialog box.

 

Solution

Well, the clue is in the error message: RDP is enabled, but it requires NLA, i.e. this box has been selected.

RDP Enable NLA

Now, if you want NLA that's fine. Make sure your RDP client has been updated, and that you and the target are domain authenticated and can see a domain controller. But what if that computer is on a remote site, and you need to get on it? Or it’s in the server room downstairs and you’re lazy like me!

Well, the simplest way to get on is to use a LOCAL account on that machine (if you know the username and password for a LOCAL account), like so;

RDP with LOCAL credentials

Disable NLA Remotely (via Registry)

The drawback of this method is it usually requires a reboot (which we can do remotely, but if it’s a production server that will mean some downtime).

Open Regedit > File > Connect Network Registry > Search for and select your target machine > OK.

Connect to Remote Registry

Navigate to;

HKLM > SYSTEM > CurrentControlSet > Control > Terminal Server > WinStations > RDP-Tcp

Locate the following two values, and set them to 0 (zero)

  • SecurityLayer
  • UserAuthentication

Disable NLA Through Registry

Give it a try now, but I found I needed to reboot the target first, using the Restart-Computer PowerShell cmdlet.

Reboot Computer With PowerShell

Disable NLA Remotely (via PowerShell)

I prefer this method as it works instantly, and can be reversed just as quickly! Open an administrative PowerShell command window. Execute the following two commands;

$TargetMachine = "Target-Machine-Name"

(Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName $TargetMachine -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)

Disable NLA Through PowerShell Remotely
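
Since this method can be reversed just as quickly, here is an added example (not part of the original article) that records the current NLA setting, switches it off only for the duration of the work, and then restores whatever was there before. The function names are hypothetical, and -Authentication PacketPrivacy is an addition so the WMI call is encrypted on the wire.

```powershell
# Added example. Get-RdpTcpSetting, Get-NlaState and Set-NlaState are
# hypothetical helper names; the target name is the article's placeholder.
function Get-RdpTcpSetting {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Same WMI class, namespace and filter as the one-liner above.
    Get-WmiObject -Class 'Win32_TSGeneralSetting' `
        -Namespace 'root\cimv2\terminalservices' `
        -ComputerName $ComputerName `
        -Authentication PacketPrivacy `
        -Filter "TerminalName='RDP-tcp'" -ErrorAction Stop
}

function Get-NlaState {
    param([Parameter(Mandatory)][string]$ComputerName)
    $setting = Get-RdpTcpSetting -ComputerName $ComputerName
    [pscustomobject]@{
        ComputerName  = $ComputerName
        NlaRequired   = [bool]$setting.UserAuthenticationRequired
        SecurityLayer = $setting.SecurityLayer
    }
}

function Set-NlaState {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][bool]$Required
    )
    $setting = Get-RdpTcpSetting -ComputerName $ComputerName
    $result  = $setting.SetUserAuthenticationRequired([int]$Required)
    if ($result.ReturnValue -ne 0) {
        throw "SetUserAuthenticationRequired failed on $ComputerName (code $($result.ReturnValue))"
    }
    Get-NlaState -ComputerName $ComputerName   # read back to confirm the change
}

$TargetMachine = 'Target-Machine-Name'
$before = Get-NlaState -ComputerName $TargetMachine   # remember the original state
try {
    Set-NlaState -ComputerName $TargetMachine -Required $false
    Read-Host 'NLA is off. Do your RDP work, then press Enter to restore it'
}
finally {
    # Runs even if the step above fails, so NLA is not left disabled by accident.
    Set-NlaState -ComputerName $TargetMachine -Required $before.NlaRequired
}
```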

Disable NLA Remote Desktop Requirement Through Group Policy

If you want to ‘blanket disable’ NLA then group policy is the way to go;

Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security

Disable NLA Through Group Policy

Locate the ‘Require user authentication for remote connections by using Network Level Authentication’ and set it to disabled.

Disable NLA Through GPO

Then force a domain group policy refresh.


Author: PeteLong
