The Remote Computer Requires Network Level Authentication (NLA)

KB ID 0001375

Problem

Seen when attempting to connect to a remote machine via Remote Desktop;

The remote computer that you are trying to connect to requires network level authentication (NLA), but your windows domain controller cannot be contacted to perform NLA. If you are an administrator on the remote computer, you can disable NLA by using the options on the remote tab of the System properties dialog box.

Also See: Windows RDP: ‘An authentication error has occurred’

Solution

Well the clue is in the error massage, RDP is enabled but it requires NLA authentication. e.g. This box has been selected.

Now, if you want NLA that’s fine, make sure your RDP client has been updated, and you, and the target, are domain authenticated, and can see a domain controller. But what if that computer is on a remote site, and you need to get on it? Or it’s in the server room downstairs and you’re lazy like me!

Well the simplest way to get on is to use a LOCAL account on that machine, (if you know the username and password for a LOCAL account,) like so;

WARNING/DISCLAIMER

This article was written at a time when clients may not have had up to date RDP clients that supported NLA, that’s no longer the case (If you are in a sole Windows environment, and you are updating your clients). Simply disabling NLA is NOT a solution. I’m really getting tired of people posting comments saying ‘This is a bad article’ and ‘I don’t understand’. Well how about you have 500 linux based thin clients that use RDP software that does not support NLA? Before posting a criticism please take some time to work in, and support a few different environments guys. And appreciate that you are here because you couldn’t fix it yourself, so you clicked on the link to come here, to read information that I’m providing for free, in my own time, to help you out.

Disable NLA Remotely (via Registry) 

Read above disclaimer before proceeding

The drawback of this method is it usually requires a reboot (which we can do remotely, but if it’s a production server that will mean some downtime).

Open Regedit > File > Connect Network Registry > Search for and select your target machine > OK.

Navigate to;

[box]HKLM  > SYSTEM > CurrentControlSet > Control  >Terminal Server > WinStations > RDP-Tcp[/box]

Locate the following two values, and set them to 0 (zero)

  • SecurityLayer
  • UserAuthentication

Give it a try now, but I found I needed to reboot the target first, using the ‘restart-computer’ PowerShell Commandlet.

Disable NLA Remotely (via PowerShell)

Read above disclaimer before proceeding

I prefer this method as it works instantly, and can be reversed just as quick! Open an administrative PowerShell command window. Execute the following two commands;

[box]

$TargetMachine = “Target-Machine-Name

(Get-WmiObject -class “Win32_TSGeneralSetting” -Namespace root\cimv2\terminalservices -ComputerName $TargetMachine -Filter “TerminalName=’RDP-tcp'”).SetUserAuthenticationRequired(0)

[/box]

Disable NLA Remote Desktop Requirement Through Group Policy

Read above disclaimer before proceeding

If you want to ‘blanket disable’ NLA then group policy is the way to go;

[box]Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security[/box]

Locate the ‘Require user authentication for remote connections by using Network Level Authentication’ and set it to disabled.

Then Force a Domain Group Policy Refresh,

Related Articles, References, Credits, or External Links

NA

12 thoughts on “The Remote Computer Requires Network Level Authentication (NLA)

  1. This is terrible advice. how about understanding and solving the problem and not just disabling security features to “make the error go away”?

    • Hi Mike,

      I do say in the article;

      >>Now, if you want NLA thats fine, make sure your RDP client has been updated, and you, and the target are domain authenticated, and can see a domain controller.

      >>how about understanding

      I do understand, and have outlined the cause of the problem.

      Please bear in mind this article was written two years ago, simply everyone didn’t have post RDP 6.1 NLA capable clients, and this will have been written at the time that NLA became a requirement. Also not all RDP clients are Windows, If this causes several thousand thin clients to go down at 0900 hrs on a Monday morning, do you disable NLA or update a thousand Linux based thin Wyse/NUC/iGEL/HP clients the that have no central administration?

      >>This is terrible advice.

      Well you are entitled to your opinion I suppose, but some client’s simply don’t have the investment to update their client’s and have to disable features until that can be done. In the real world we can’t all stop working until we replace/update all our client machines.

      Either way I welcome all feedback, even if it’s negative.

      Regards
      Pete

    • Mike Crowley – please advise why this is terrible advice – this is perfectly acceptable advice and I’m saying this as I work in a very restrictive environment. What is your level of knowledge when it comes to technology?

      • It’s awful advice. If you were having a problem with your key not working properly in your front door, would you just remove the lock and consider it “solved”? Because that’s exactly what this so called “fix” is.

          • I’ll toss in another example, where I’m pretty sure I’ll end up having to disable NLA.

            I have a VM on my personal machine. The VM is bound to my organization’s AzureAD, but the machine isn’t. I’m getting the NLA error, even though my desktop and the VM have NLA enabled, and I’m guessing it’s because the machine isn’t attached to the domain, so it can’t pass NLA.

            I’m a developer, mind, not an admin, so I only vaguely get this sort of thing, but it appears that NLA is blocking my use case here. That leaves me to either only use Hyper-V’s connection interface, or disable NLA so I can use RDP properly. I hate disabling security features, but sometimes it’s the only solution.

  2. “Now, if you want NLA thats fine, make sure your RDP client has been updated, and you, and the target are domain authenticated”

    So connections from a remote network, like through a Branch Office VPN, won’t work if the RDP client is not a part of your domain network?

    • Hi Eric, Not Necessarily, just because you’re not authenticated against a ‘local’ domain controller does not mean you are not authenticated.

  3. I was looking for a solution for the same error. Disabling the NLA was not an option for me as there is a policy in place to force this behavior. In my instance, I was able remove the workstation from the domain and add it back in. This corrected the error message. Hope it helps someone else out.

    • Matt please help me I’m in a race with a fellow colleague of mine. First to figure out how to add a computer to the domain via powershell/command prompt via smartcard and you have to use a username hint. I was super close with my line but username hint keeps getting in the way. I’m just trying to piece it together. Any guidance about username hint will be greatly appreciated! If you can write a powershell/command line that can remotely add a computer to the domain while using a smart card login and use proper password and username hint (username hint is the hardest) I will give you $20 not even kidding.

  4. Have you guys looked into using username hint for adding to domain by smart card? It’s a long stretch but is there a way to incorporate username hint into command prompt code?

  5. This is good for when you have a ec2 instance in AWS that has GPO’s that lock the machine down due to FTI requirements and it looses connection to the Domain… And your only way in is local account and RDP. So for all negative comments 😛

Leave a Reply

Your email address will not be published. Required fields are marked *