Disable NLA for Win 2008 R2 RDS?

    Question

  • Does anyone know if it is possible to disable NLA while maintaining TLS for server authentication?

    My scenario:

    We are using hardware tokens for two-factor authentication to our RDS server. I'd like to use TLS for server authentication, but when TLS is enabled apparently the option to use NLA (if the client supports it) is also enabled. With NLA enabled, users have to enter the network username and password, followed by their username (again) and the PIN from the hardware token, followed by their password (again). From a usability standpoint, this is not very good, so I would like to disable the front-end NLA authentication. I've only been able to accomplish this by downgrading from TLS to RDP Security Layer -- but then I lose the ability to validate the RDS server. Hence, I'm looking for a way to completely disable NLA while maintaining the TLS security layer.

    I know it is possible to disable CredSSP in the Windows clients' RDP files, but most of the remote devices that connect are not corporate systems -- some are employees' PCs, Macs, and even iPads. Since all of these devices support NLA and are outside the realm of IT control, I really need a server-side solution.

    Are there any ways to accomplish this?

    Thanks!

    rz

    Thursday, March 31, 2011 3:17 PM

All replies

  • Hi,

    First, as far as I know, we can disable the Network Level Authentication option on the RD Session Host server as follows:

    On the Remote tab of System Properties, set the option to "Allow connections from computers running any version of Remote Desktop (less secure)", and then the RDP client will automatically detect whether the host has NLA or not.

    Second, the GPO settings for NLA can be found here:

    Computer Configuration->Windows Settings->Security Settings->Network List Manager Policies

    As you said, if it's changed from TLS to RDP Security Layer, communication between the server and the client will use native RDP encryption. If you select RDP Security Layer, you cannot use Network Level Authentication.

    You can also refer to the following article:

    WS2008: Network Level Authentication and Encryption

    http://blogs.technet.com/b/askperf/archive/2008/02/16/ws2008-network-level-authentication-and-encryption.aspx

    More information:

    Configure Network Level Authentication for Remote Desktop Services Connections

    http://technet.microsoft.com/en-us/library/cc732713.aspx

    Technology changes life……
    Sunday, April 3, 2011 3:53 PM
    Moderator
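The reply above describes the server-side setting through the GUI. As an added example (not from the thread or from Microsoft), the following PowerShell script does the same thing scriptably on the RD Session Host, so an administrator can audit what the RDP-Tcp listener is actually configured to and, with the switch, keep the TLS security layer while making NLA "not required". It assumes the Win32_TSGeneralSetting WMI class in root\cimv2\TerminalServices, with SecurityLayer values 0 = RDP Security Layer, 1 = Negotiate, 2 = TLS, and UserAuthenticationRequired 1 = NLA required, 0 = not required; the report-only default is the author's choice for this example.

```powershell
# Added example: audit and adjust the RDP-Tcp listener's security layer and NLA
# requirement on a Windows Server 2008 R2 RD Session Host.
# Assumes the Win32_TSGeneralSetting class in root\cimv2\TerminalServices
# (SecurityLayer: 0 = RDP Security Layer, 1 = Negotiate, 2 = TLS;
#  UserAuthenticationRequired: 1 = NLA required, 0 = NLA not required).
# Run from an elevated PowerShell session on the server.

param(
    [switch]$MakeNlaOptional   # apply the change; without it the script only reports
)

$ns = 'root\cimv2\TerminalServices'

function Get-RdpListener {
    $l = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    if (-not $l) { throw "RDP-Tcp listener not found in $ns" }
    return $l
}

$layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'TLS (SSL)' }

function Show-RdpSecurity($l) {
    # Summarise the three values that matter for this thread: which security layer
    # is in force, whether NLA is mandatory, and which certificate TLS presents.
    [pscustomobject]@{
        SecurityLayer   = $layerNames[[int]$l.SecurityLayer]
        NlaRequired     = [bool]$l.UserAuthenticationRequired
        CertificateHash = $l.SSLCertificateSHA1Hash
    }
}

$listener = Get-RdpListener
"Current settings:"
Show-RdpSecurity $listener | Format-List

if ($MakeNlaOptional) {
    # Keep TLS so clients can still validate the server certificate ...
    if ([int]$listener.SecurityLayer -ne 2) {
        $null = $listener.SetSecurityLayer(2)
    }
    # ... and drop the NLA requirement. This is the WMI equivalent of the
    # "(less secure)" radio button on the Remote tab: clients that support NLA
    # will still negotiate it, so NLA becomes optional rather than disabled.
    $null = $listener.SetUserAuthenticationRequired(0)

    "After change:"
    Show-RdpSecurity (Get-RdpListener) | Format-List
}
```

Run it without the switch first to record the baseline. Note that a Group Policy setting for RD Session Host security will overwrite these listener values at the next policy refresh, so check the resulting configuration rather than the command's success, and keep in mind that the script only reproduces the thread's "not required" setting: it does not stop an NLA-capable client from using NLA, which is exactly the gap the original poster describes.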
  • Hi,

    Has your problem been solved? Looking forward to your feedback.

    Technology changes life……
    Wednesday, April 6, 2011 6:48 AM
    Moderator
  • Dollar,

    No, my problem has not been solved. Everything that I have seen simply shows how to not make NLA a requirement for logging in, but I have not seen a way to completely disable NLA. In my case, the clients support NLA and therefore they try to use it. I want to eliminate NLA from being used (while maintaining TLS), whether or not the clients support it.

    Thanks,

    Robert


    Thursday, April 14, 2011 4:37 PM
  • Hello,

    I too am looking for an answer to this. I'm currently running an RDP server and my users who have Windows 7 on their local computers cannot get into their new accounts because they are unable to change their passwords from the initial password I've set upon first login. Everything said here and anywhere else I've looked only has the option to allow lesser forms of connection. I need it to force NLA not to be used regardless of whether the RDP client can support it or not. There isn't even an option in the Windows 7 version of the client to turn it off. So what turned out to be a simple process that used to work well (under XP) is now an administrative nightmare to simply get users initially on the system.

    Thanks

    Thursday, April 21, 2011 5:22 PM