I saw this while attempting to create a remote desktop connection to a Windows 2012 Server. (Though connecting to Windows 8 will be the same).
I’d only just set this server up, and knew I’d enabled RDP, and I was attempting to connect as the domain administrator, so at first I was a little perplexed.
Solution
If you have direct/local access to the machine you are trying to connect to.
1. Press Windows Key+R > In the run box type sysdm.cpl {enter} > Remote.
2. Remove the tick from “Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)”.
3. Try again.
If you do not have direct/local access to the machine you are trying to connect to.
1. On YOUR Machine > Windows Key+R > type regedit {Enter} > File > Connect Network Registry > Type in the details for the machine you are trying to connect to > OK.
2. Navigate to:
{remote-machine-name} > HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Terminal Server > WinStations > RDP-Tcp
Locate the UserAuthentication value and change it to 1 (one) > OK > Exit the registry editor.
3. Try again.
Disable RDP Network Level Authentication via Group Policy
If the destination server is in a remote data centre or remote location, and you cannot access the System Properties, you can turn this option off with group policy, and wait a couple of hours.
1. On a DC > Start > Group Policy Management > Either create a new group policy object and link it to the OU containing the problem machine, or edit an existing one. (Here on my test network I’m going to edit the default domain policy. WARNING: this will disable this feature on all machines in a production environment!)
3. Locate the ‘Require user authentication for remote connections by using Network Level Authentication’ policy.
4. Set the policy to Disabled > Apply > OK > Close the Group Policy Management Editor.
5. How long before the Group Policy will affect the target machine? Group policies are processed when a machine starts up. After this they are processed again (only if they have changed) at an interval that varies, so that all clients do not update at the same time. The interval is 90 minutes, with a random offset of 30 minutes, so the maximum time it can possibly take is 2 hours (120 minutes). Note: this is the default setting; it can be manually changed up to (45 Days) 64,800 minutes (though why would you do such a thing?).
Locate and change the “Allow users to connect remotely using Remote Desktop Service” policy.
Allow RDP on the Windows Firewall with Group Policy
Navigate to the following policy:
Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules
Right click > New rule > Change Predefined to “Remote Desktop” > Next > Next.
Allow the connection > Finish.
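To see whether the NLA policy and the firewall rule have actually reached a machine once the refresh interval has passed, and to keep track of which machines now accept RDP without NLA, the added example below (not part of the original article) queries the RDP-Tcp listener through the Win32_TSGeneralSetting WMI class. The function name Get-RdpNlaStatus and the host names are placeholders, and it assumes WinRM is reachable on the targets and that you run it with administrative rights.

```powershell
# Added example, not from the original article. Function and host names are placeholders.
function Get-RdpNlaStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$ComputerName
    )
    begin {
        # Meaning of PolicySourceUserAuthenticationRequired on Win32_TSGeneralSetting
        $sourceName = @{ 0 = 'Server (local setting)'; 1 = 'Group Policy'; 2 = 'Default' }
    }
    process {
        foreach ($computer in $ComputerName) {
            $session = $null
            try {
                $session = New-CimSession -ComputerName $computer -ErrorAction Stop
                # Settings of the RDP-Tcp listener (the same listener as the registry path above)
                $rdp = Get-CimInstance -CimSession $session -Namespace 'root/cimv2/TerminalServices' `
                    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" -ErrorAction Stop
                # Enabled inbound allow rules from the predefined "Remote Desktop" group
                $rules = @(Get-NetFirewallRule -CimSession $session -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
                    Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' -and $_.Direction -eq 'Inbound' })
                [pscustomobject]@{
                    ComputerName    = $computer
                    NlaRequired     = [bool]$rdp.UserAuthenticationRequired
                    NlaSetBy        = $sourceName[[int]$rdp.PolicySourceUserAuthenticationRequired]
                    FirewallAllowed = ($rules.Count -gt 0)
                    Error           = $null
                }
            }
            catch {
                # Unreachable host or access denied: report it instead of stopping the run
                [pscustomobject]@{
                    ComputerName = $computer; NlaRequired = $null; NlaSetBy = $null
                    FirewallAllowed = $null; Error = $_.Exception.Message
                }
            }
            finally {
                if ($session) { Remove-CimSession -CimSession $session }
            }
        }
    }
}

# Placeholder host names; replace with the machines in the OU the GPO is linked to.
'SRV-01', 'SRV-02' | Get-RdpNlaStatus | Format-Table -AutoSize
```

NlaSetBy reads 'Group Policy' once the target has processed the policy; a machine still showing another source has not picked it up yet.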
Allow users to connect via RDP through Group Policy
Any member of the machine’s ‘Remote Desktop Users’ group can log on via RDP. If you have a lot of machines you can create a global security group in Active Directory (mine below is called SG-Remote-Desktop-Users). I’ve added it globally to all the computers’ local ‘Remote Desktop Users’ groups using ‘Restricted groups’.
Navigate to the following policy:
Computer Configuration > Windows Settings > Security Settings > Restricted Groups
Right click > Add Group > Browse > Add your group > In the LOWER (This group is a member of) section click Add > Type in Remote Desktop Users > OK > OK.
2008 RDP Policy Location
Computer Configuration > Policies > Administrative Templates > Windows Components > Terminal Services > Terminal Server > Connections.
“Allow users to connect remotely using Terminal services”