The Remote Computer Requires Network Level Authentication (NLA)

KB ID 0001375

Problem

Seen when attempting to connect to a remote machine via Remote Desktop;

Cannot RDP Because of NLA

The remote computer that you are trying to connect to requires network level authentication (NLA), but your windows domain controller cannot be contacted to perform NLA. If you are an administrator on the remote computer, you can disable NLA by using the options on the remote tab of the System properties dialog box.

Also See: Windows RDP: ‘An authentication error has occurred’

Solution

Well, the clue is in the error message: RDP is enabled, but it requires NLA, i.e. this box has been selected.

RDP Enable NLA

Now, if you want NLA that’s fine: make sure your RDP client has been updated, and that you and the target are domain authenticated and can see a domain controller. But what if that computer is on a remote site, and you need to get on it? Or it’s in the server room downstairs and you’re lazy like me!

Well, the simplest way to get on is to use a LOCAL account on that machine (if you know the username and password for a LOCAL account), like so;

RDP with LOCAL credentials

Disable NLA Remotely (via Registry)

The drawback of this method is it usually requires a reboot (which we can do remotely, but if it’s a production server that will mean some downtime).

Open Regedit > File > Connect Network Registry > Search for and select your target machine > OK.

Connect to Remote Registry

Navigate to;

HKLM > SYSTEM > CurrentControlSet > Control > Terminal Server > WinStations > RDP-Tcp

Locate the following two values, and set them to 0 (zero)

  • SecurityLayer
  • UserAuthentication

Disable NLA Through Registry

Give it a try now, but I found I needed to reboot the target first, using the ‘Restart-Computer’ PowerShell cmdlet.

Reboot Computer With PowerShell

Disable NLA Remotely (via PowerShell)

I prefer this method as it works instantly, and can be reversed just as quickly! Open an administrative PowerShell command window. Execute the following two commands;

$TargetMachine = "Target-Machine-Name"

(Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName $TargetMachine -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)

Disable NLA Through PowerShell Remotely
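
Because the PowerShell change takes effect immediately and is reversed the same way, the temporary disable can be wrapped so that NLA is always put back and the result is verified. This is an added example, not part of the original article: the function names Get-RdpNlaState and Invoke-RdpNlaWindow are hypothetical, and it assumes Windows PowerShell 5.1, administrative rights on the target, and the same placeholder machine name used above.

```powershell
# Added example (not from the original article). Function names are hypothetical.
# Assumes Windows PowerShell 5.1 (Get-WmiObject) and admin rights on the target.
function Get-RdpNlaState {
    param([Parameter(Mandatory)][string]$ComputerName)
    # PacketPrivacy encrypts the DCOM/WMI call to the target.
    $setting = Get-WmiObject -Class Win32_TSGeneralSetting `
        -Namespace root\cimv2\terminalservices -ComputerName $ComputerName `
        -Filter "TerminalName='RDP-tcp'" -Authentication PacketPrivacy -ErrorAction Stop
    [pscustomobject]@{
        ComputerName  = $ComputerName
        NlaRequired   = [bool]$setting.UserAuthenticationRequired
        SecurityLayer = $setting.SecurityLayer   # 0 = RDP, 1 = Negotiate, 2 = TLS
        Setting       = $setting
    }
}

function Invoke-RdpNlaWindow {
    param([Parameter(Mandatory)][string]$ComputerName)
    $before = Get-RdpNlaState -ComputerName $ComputerName
    if (-not $before.NlaRequired) {
        Write-Warning "$ComputerName already has NLA disabled; nothing changed."
        return $before | Select-Object ComputerName, NlaRequired, SecurityLayer
    }
    try {
        $result = $before.Setting.SetUserAuthenticationRequired(0)
        if ($result.ReturnValue -ne 0) {
            throw "SetUserAuthenticationRequired(0) returned $($result.ReturnValue)"
        }
        Write-Host "NLA disabled on $ComputerName at $(Get-Date -Format o)."
        Read-Host 'Finish the RDP session, then press Enter to restore NLA' | Out-Null
    }
    finally {
        # Runs on normal exit, on error, and on Ctrl+C, so NLA is always put back.
        $before.Setting.SetUserAuthenticationRequired(1) | Out-Null
    }
    # Re-read from the target rather than trusting the cached object.
    $after = Get-RdpNlaState -ComputerName $ComputerName
    if (-not $after.NlaRequired) {
        Write-Error "NLA is still disabled on $ComputerName; fix this manually."
    }
    $after | Select-Object ComputerName, NlaRequired, SecurityLayer
}

$TargetMachine = 'Target-Machine-Name'   # placeholder, as in the article
Invoke-RdpNlaWindow -ComputerName $TargetMachine
```

Get-RdpNlaState can also be run on its own against a list of machine names to find hosts where NLA was switched off and never re-enabled.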

Disable NLA Remote Desktop Requirement Through Group Policy

If you want to ‘blanket disable’ NLA then group policy is the way to go;

Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security

Disable NLA Through Group Policy

Locate the ‘Require user authentication for remote connections by using Network Level Authentication’ policy and set it to Disabled.

Disable NLA Through GPO

Then force a domain group policy refresh.


Author: PeteLong


4 Comments

  1. This is terrible advice. How about understanding and solving the problem and not just disabling security features to “make the error go away”?

    • Hi Mike,

      I do say in the article;

      >>Now, if you want NLA that’s fine, make sure your RDP client has been updated, and you, and the target are domain authenticated, and can see a domain controller.

      >>how about understanding

      I do understand, and have outlined the cause of the problem.

      Please bear in mind this article was written two years ago, simply everyone didn’t have post RDP 6.1 NLA capable clients, and this will have been written at the time that NLA became a requirement. Also not all RDP clients are Windows. If this causes several thousand thin clients to go down at 0900 hrs on a Monday morning, do you disable NLA or update a thousand Linux based thin Wyse/NUC/iGEL/HP clients that have no central administration?

      >>This is terrible advice.

      Well you are entitled to your opinion I suppose, but some clients simply don’t have the investment to update their clients and have to disable features until that can be done. In the real world we can’t all stop working until we replace/update all our client machines.

      Either way I welcome all feedback, even if it’s negative.

      Regards
      Pete

  2. “Now, if you want NLA that’s fine, make sure your RDP client has been updated, and you, and the target are domain authenticated”

    So connections from a remote network, like through a Branch Office VPN, won’t work if the RDP client is not a part of your domain network?

    • Hi Eric, not necessarily, just because you’re not authenticated against a ‘local’ domain controller does not mean you are not authenticated.
