Remote Desktop Connection: you must change your password before logging on the first time.

    Question

  • I am using SSL 1.0 with certificate. This used to work where the user logged in and was able to change the initial password. I do not want to use regular RDP as this is a load balancing RDP server that external customers log in to. It seems like after the last Windows update it is not letting the initial user log in under these settings.

    Windows 2008 R2 Enterprise SP1

    Security Layer SSL 1.0

    Encryption Layer Client Compatible

    Using Certificate

    NLA unchecked.

    I wonder if this Windows update messed up the RDP TLS 1.0

    Microsoft Security Bulletin MS13-029 - Critical: Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2828223)


    June 6, 2013 12:31

Answers

  • Hi,

    The scenario you described is because of the enhanced security system in Windows Server 2008 and R2 Terminal Services (RDS). Network Level Authentication lets user authentication occur earlier than connecting to the target server. To support this feature, CredSSP must be enabled on the client side. (Windows Vista and Windows 7 have already enabled the feature by default.)

    To use Network Level Authentication, you must meet the following requirements:

    • The client computer must be using at least Remote Desktop Connection 6.0.
    • The client computer must be using an operating system, such as Windows 7, Windows Vista, or Windows XP with Service Pack 3, that supports the Credential Security Support Provider (CredSSP) protocol.
    • The RD Session Host server must be running Windows Server 2008 R2 or Windows Server 2008.
    For more information on Windows Server 2008 NLA, please refer to:

     

    Configure Network Level Authentication for Remote Desktop Services Connections

    http://technet.microsoft.com/en-us/library/cc732713.aspx

    Regards,

    Clarence

    TechNet Subscriber Support
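
The settings listed in the question (Security Layer, Encryption Level, certificate, NLA) can be read back from the server to confirm what the listener actually enforces. The PowerShell below is an added example, not part of the original thread; it assumes the default `RDP-Tcp` listener and treats a Group Policy value, when present, as overriding the listener value.

```powershell
# Added example (not from the thread): report effective RDP listener security.
# Assumption: default listener name RDP-Tcp; run elevated on the RD Session Host.
function Get-RdpListenerSecurity {
    $listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    $layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
    $encNames   = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

    $listener = Get-ItemProperty -Path $listenerKey
    $policy   = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    # A Group Policy value, when present, overrides the per-listener value.
    function Resolve-Setting([string]$Name) {
        if ($policy -and $policy.$Name -ne $null) {
            return @{ Value = [int]$policy.$Name; Source = 'Group Policy' }
        }
        return @{ Value = [int]$listener.$Name; Source = 'Listener' }
    }

    $layer = Resolve-Setting 'SecurityLayer'
    $enc   = Resolve-Setting 'MinEncryptionLevel'
    $nla   = Resolve-Setting 'UserAuthentication'

    # Thumbprint of the certificate bound to the listener, if one was selected.
    $hash = $listener.SSLCertificateSHA1Hash
    $thumbprint = if ($hash) {
        ($hash | ForEach-Object { $_.ToString('X2') }) -join ''
    } else {
        '(none selected; auto-generated certificate in use)'
    }

    New-Object PSObject -Property @{
        SecurityLayer   = '{0} [{1}]' -f $layerNames[$layer.Value], $layer.Source
        EncryptionLevel = '{0} [{1}]' -f $encNames[$enc.Value], $enc.Source
        NlaRequired     = '{0} [{1}]' -f ($nla.Value -eq 1), $nla.Source
        CertThumbprint  = $thumbprint
    }
}

Get-RdpListenerSecurity | Format-List
```

Running it before and after an update shows whether the listener configuration itself changed or only the client behaviour did.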


All replies

  • Clarence, I do not have NLA on and never had before and this was working.

    Something has changed in the last week

    TLS 1.0 and negotiation with NLA turned off used to work.

    June 7, 2013 15:26
  • It seems impossible. NLA is a must.

    June 10, 2013 7:48