RDP 6 - Network Level Authentication

  • Question

  • Is there a way to turn off the Network Level Authentication in the RDP6 client?

    Supporting 2000 and 2003 servers and having to log in twice makes RDP 6 a pain...

    Wednesday, November 29, 2006 7:06 PM

All replies

  • No, this must be turned off on the host.

    This is done on the Remote tab of the System Properties.  Set the setting to "allow connections from computers running any version of remote desktop (less secure)".

    The RDP client will automatically detect whether the host has NLA or not.

    I am not sure why you are getting two logon prompts with Windows 2003 - that doesn't happen from my Vista machine - check your settings on the 2000 server.

    Thursday, November 30, 2006 7:05 PM
  • Can you please describe the scenario in which this happens for you when connecting to a Windows 2003 Server? Normally, once you enter the credentials at the client prompt (CredUI), they should be forwarded to the server and result in a logon without any other prompt.

    Thanks,

    Costin

    Saturday, December 2, 2006 2:20 AM
  • I can confirm that the double login occurs; but I believe I know why, as I have tested against two Windows Server 2003 systems: one requiring a "double login" and the other not.

    This issue appears to occur if you have defined "Always prompt client for password upon connection" via the Group Policy Object Editor.  This setting is located under the Computer Configuration > Administrative Templates > Windows Components > Terminal Services > Encryption and Security node.

    Normally, this setting would prevent someone from automatically gaining access by launching an RDP profile (pre 6.0) with a saved password.  With 6.0, Microsoft eliminated this security hole, but now they've turned the authentication process into a two-step process, with the client merely collecting the credentials (prior to connection) and passing them on to the server (upon connection).  This is where the problem occurs.  That first login prompt is before you even connect -- after which point the above defined policy kicks in, the client is not allowed to use pre-established credentials, and the server interrogates you for a user name and password.

    Note: you can always ignore the first login and simply click "OK", as you will be prompted to log in by the target server, provided that you have left the "Server Authentication" option (on the RDP client Advanced tab) at "Always connect, even if authentication fails".

    I hope Microsoft does something about this -- especially since the client always adds additional information to the login name (i.e. username becomes server\username) when one goes to connect using the saved user name from the drop-down list, thereby causing authentication to fail.

    Sunday, December 3, 2006 3:35 AM
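The two host-side settings discussed in the replies above (the Remote-tab choice and the "Always prompt client for password upon connection" policy) can be read straight from the host's registry. The script below is an added example, not code from the thread; it assumes it is run in an elevated PowerShell prompt on the Terminal Services host itself, and uses the documented registry locations for those two settings (`UserAuthentication` on the RDP-Tcp listener and `fPromptForPassword` in the policy hive or on the listener).

```powershell
# Added example (not from the thread): report the host-side settings that
# decide whether an RDP 6 client gets one credential prompt or two.
# Run in an elevated PowerShell prompt on the RDP host.

function Get-RdpHostAuthSettings {
    $listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    $listener = Get-ItemProperty -Path $listenerKey -ErrorAction SilentlyContinue
    $policy   = Get-ItemProperty -Path $policyKey   -ErrorAction SilentlyContinue

    # UserAuthentication is the Remote-tab radio button: 1 = only clients that
    # support NLA, 0 = "any version of Remote Desktop (less secure)".
    # Windows 2000/2003 hosts have no NLA, so the value is simply absent there
    # and [int]$null reads as 0.
    $requireNla = ([int]$listener.UserAuthentication -eq 1)

    # fPromptForPassword is the GPO the reply above blames for the second logon
    # prompt. A Group Policy value in the policy hive takes precedence over the
    # listener's own value.
    if ($null -ne $policy.fPromptForPassword) {
        $prompt = [int]$policy.fPromptForPassword
    } else {
        $prompt = [int]$listener.fPromptForPassword
    }

    [pscustomobject]@{
        RequireNLA              = $requireNla
        AlwaysPromptForPassword = ($prompt -eq 1)
    }
}

function Show-RdpLogonBehaviour {
    param([Parameter(Mandatory)]$Settings)
    if ($Settings.AlwaysPromptForPassword) {
        'Host discards credentials sent by the client: an RDP 6 client shows CredUI first, then the host logon screen (the double logon in this thread).'
    } elseif ($Settings.RequireNLA) {
        'Host requires NLA: one CredUI prompt on the client, no host logon screen.'
    } else {
        'Host allows any client version (NLA not required).'
    }
}

$settings = Get-RdpHostAuthSettings
$settings | Format-List
Show-RdpLogonBehaviour -Settings $settings
```

If `AlwaysPromptForPassword` comes back true on a host that RDP 6 clients reach, that policy is the cause of the second prompt described above; clearing it (or leaving it set where the host is meant to reject saved passwords) is the decision to make, not weakening the client.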
  • I am reading this, and thanks for the identification of where the error comes from.  For those that want to turn off the first logon screen altogether, you can use the EnableCredSSPSupport:i:0 option in the default.rdp that you are using to connect (I made a bunch of .rdp files for all my servers).  Here is the thread on this:

    http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=975233&SiteID=17

    BTW, here is a quick script to add a line to the end of the .rdp file if you have over a hundred .rdp files to change like I did.

    Create a batch file and cut/paste the code into it.  Edit the line you want added (no quotes).  Drop it into a local directory with your .rdp files, and double-click.  (USE AT YOUR OWN RISK, AND FOR GOODNESS SAKE TEST AND BACKUP FIRST!!!)

    rem append a line to every .rdp file in the current directory (batch.bat)
    rem edit the "echo" line below first; list1 and list2 are scratch files

    rem copy each <name>.rdp to <name>.rdp.txt ("delims=" keeps names with spaces intact)
    dir /b *.rdp > list1
    for /f "delims=" %%P in (list1) DO more "%%P" > "%%P.txt"
    del /Q *.rdp
    rem append the new line to each copy; "echo" is required, otherwise cmd
    rem tries to run the text as a command instead of writing it to the file
    dir /b *.txt > list2
    For /f "delims=" %%N in (list2) DO echo -------LINE OF TEXT TO ADD HERE------- >>"%%N"
    rem <name>.rdp.txt -> <name>.rdp.rdp -> <name>.rdp
    ren *.txt *.rdp
    ren *.rdp *.
    del list1 list2
    pause

    Monday, December 4, 2006 8:57 PM
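The same job as the batch file above, as an added example that is not the poster's script: it sets one setting in every .rdp file in a folder, replaces an existing line for that setting instead of appending a second copy (the batch file appends blindly, so running it twice leaves two conflicting lines), and keeps a backup of each file before touching it. It assumes the standard .rdp "name:type:value" line format; the folder path in the usage line is a placeholder.

```powershell
# Added example (not the batch file from the post): idempotently set a
# .rdp setting across a folder of connection files, with backups.

function Set-RdpFileSetting {
    param(
        [Parameter(Mandatory)][string]$Path,            # folder containing the .rdp files
        [Parameter(Mandatory)][string]$Name,            # e.g. EnableCredSSPSupport
        [Parameter(Mandatory)][string]$Value,           # e.g. 0
        [ValidateSet('i','s','b')][string]$Type = 'i',  # i = integer, s = string, b = binary
        [string]$BackupDir = (Join-Path $Path 'rdp-backup')
    )

    if (-not (Test-Path -Path $BackupDir)) {
        New-Item -ItemType Directory -Path $BackupDir | Out-Null
    }

    $newLine = '{0}:{1}:{2}' -f $Name, $Type, $Value
    # matches an existing line for this setting, whatever its type letter
    $pattern = '^' + [regex]::Escape($Name) + ':[isb]:'

    Get-ChildItem -Path $Path -Filter *.rdp |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $file = $_
            Copy-Item -Path $file.FullName -Destination (Join-Path $BackupDir $file.Name) -Force

            $lines = @(Get-Content -Path $file.FullName)
            if (@($lines -match $pattern).Count -gt 0) {
                # replace in place rather than appending a duplicate
                $lines  = @($lines | ForEach-Object { if ($_ -match $pattern) { $newLine } else { $_ } })
                $action = 'replaced'
            } else {
                $lines += $newLine
                $action = 'appended'
            }

            # mstsc saves .rdp files as UTF-16 ("Unicode"); write them back the same way
            Set-Content -Path $file.FullName -Value $lines -Encoding Unicode

            [pscustomobject]@{ File = $file.Name; Action = $action }
        }
}

# Usage (placeholder path): what the post above does with its batch file.
# EnableCredSSPSupport:i:0 turns CredSSP off on the client side, so apply it
# only to files that point at 2000/2003 hosts; leave NLA-capable hosts at 1.
Set-RdpFileSetting -Path 'C:\rdp' -Name 'EnableCredSSPSupport' -Value '0'
```

The function returns one object per file saying whether the line was replaced or appended, which makes it easy to spot files that already carried the setting before the run.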
  • This "New" and "Improved" RDP client sucks.  As an IT consultant there is no way I am going to log on twice to make an RDP connection.  In my opinion Microsoft just took 100 steps backward in the remote support arena.

    All I need to do now is figure out how to uninstall this piece of *** RDP client and move back to the original one that shipped with Windows XP.  OH wait, I never used the Windows XP client either DOH!!!

    This sucks!!!!  DO NOT INSTALL THE NEW RDP CLIENT!!!!!  There is nothing "New" or "Improved" about it!

    Eric Hanke

    Tuesday, December 5, 2006 5:03 PM
  •  Eric Hanke wrote:

    This "New" and "Improved" RDP client sucks.  As an IT consultant there is no way I am going to log on twice to make an RDP connection.  In my opinion Microsoft just took 100 steps backward in the remote support arena.

    All I need to do now is figure out how to uninstall this piece of *** RDP client and move back to the original one that shipped with Windows XP.  OH wait, I never used the Windows XP client either DOH!!!

    This sucks!!!!  DO NOT INSTALL THE NEW RDP CLIENT!!!!!  There is nothing "New" or "Improved" about it!

    Eric Hanke

    Under XP:

    * Control Panel -> Add/Remove Programs

    * Check the "Show Updates" box at the top

    * Scroll down to Windows XP - Software Updates

    * Remove "Update for Windows XP (KB925876)"

    Regarding the "nothing new or improved" comment -- actually, there are many improvements, and the performance gain is pretty impressive (I can now use 1600x1200@32-bit over a 768kbit connection much more smoothly; with the stock XP RD client, I was having to drop to 16-bit just to get decent performance.  RD still beats the living pants off of VNC as far as performance and quality go).  I completely agree with you about the issues regarding the authentication dialogs and the security-through-obscurity method implemented (removing the ability to use a password in your .rdp shortcuts).

    I really hope the TS Devteam is reading this forum, because even though there's only a few of us yelling here, if you yell loud enough and in the right environment, people *will* listen.

    Wednesday, December 6, 2006 3:14 AM
  •  Jeremy Chadwick wrote:
    ...I completely agree with you about the issues regarding the authentication dialogs and the security-through-obscurity method implemented (removing the ability to use a password in your .rdp shortcuts).

    I do not know what your background in security is; therefore, I won't go there. Nevertheless, what you describe is NOT "security-through-obscurity". Security through obscurity is where you attempt to achieve security by, amongst other things, keeping the methods by which you have achieved such security secret. Therefore, it is security through undisclosed or little-known "methods" that constitutes security through obscurity. What you instead are advocating is complete insecurity.

    To illustrate the issue with the approach you are advocating, assume you encrypt a file, but along with the encrypted file you bundle the encryption key. Furthermore, you made the file into an auto-decrypting executable. All you have to do is double-click the executable and your files are decrypted without further intervention. Why then even bother encrypting the file in the first place?

    So then, with your terminal servers, why even bother requiring passwords? Wouldn't it be less of a hassle if you could set up a terminal server providing access into your organization's network to whomever, whenever, because passwords are so loathsome? I'm assuming you have locks on your doors -- even on your car ignition (if you have one). If so, why do you burden yourself with all that meaningless "security-by-obscurity"?

    Realize that a lot of users do not understand information security. They ignorantly leave one door ajar and create a hole right into the very heart of their corporate network. Then, simply because they could not be bothered to take less than 30 seconds to authenticate themselves, they create a problem costing months and millions of dollars (recoverable or not).

    Don't think that your workstation password is enough to protect that .rdp file with saved password.  There are ways for unprivileged individuals to end-run operating system security.

    It is not my intention to flame you, and I do hope you will see the problem with effectively "bypassing" legitimate authentication mechanisms. The double "logon" issue: that's a Microsoft oversight that needs to be rectified.

    Regards
    Wednesday, December 6, 2006 3:04 PM
  • After an "Automatic Update" I have a workstation (WinXP SP2) that is no longer able to use the Remote Desktop Connection at all.  It gives the errors 1000 and 1001 with a "Sorry, Need To Close" description.  Nothing else to go on but that the Network Level Authorization is NOT enabled with the new version 6.

    Doesn't matter if it is to a Win2000 or Win2003 server, it just errors right off the bat, prior to asking for passwords.  You can ignore the pop-up error and continue, but I chose to uninstall the new update.

    Is there a better way of finding out what the issue is than guessing?

    Friday, December 8, 2006 4:43 PM
  • Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\LocalDevices]
    "<connection's IP>"=dword:00000004

    Or you can modify registry per user to include their IP in that key :) *takes a bow* I know... I know... I'm good :D

    j/k

    But turns out the new version checks a "trusted list" and if it's not there, it annoys the hell out of you until you add the IP there. This way, you add it there so it doesn't ask!!

    Friday, December 8, 2006 11:41 PM
  • We are aware of these issues. 

    Thanks for your patience and feedback.

    Alex Balcanquall

    Friday, January 12, 2007 12:37 AM
  • It has been over a year since this last post and I was curious if anything had been "fixed".  I don't want to upgrade to the RDP client 6.1 for XP and we are still on Server 2003.  Users are on XP Pro.  So, any way to not have the double login?
    Wednesday, September 3, 2008 7:40 PM
  • Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\LocalDevices]
    "<connection's IP>"=dword:00000004

    Or you can modify registry per user to include their IP in that key :) *takes a bow* I know... I know... I'm good :D

    j/k

    But turns out the new version checks a "trusted list" and if it's not there, it annoys the ____ out of you until you add the IP there. This way, you add it there so it doesn't ask!!


    If you change the key to HKEY_LOCAL_MACHINE it will work for all users.
    I.E.
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Terminal Server Client]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Terminal Server Client\Default]
    "MRU0"="YourMachine IP or Name"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Terminal Server Client\LocalDevices]
    "YourMachine IP or Name"=dword:00000004

    Friday, October 2, 2009 4:15 PM