I have a network/domain corp.fabrikam.com with a domain controller, CA and RDP Server. I have a smartcard with a valid smart card logon certificate issued with subject CN=John Doe and SAN entry of Principal Namefirstname.lastname@example.org, issued by the CA. This lets me logon locally and remotely to all three servers from each other (i.e. within the domain).
Enterprise PKI health viewer reports all healthy, the CDP and AIA fields have HTTP as the primary location and are accessible anonymously etc. Everything seems fine.
I have a Windows 8 laptop on a domain corp.contoso.com logged in as email@example.com. This laptop is then taken to the network with domain corp.fabrikam.com (and for clarity unable to connect to corp.contoso.com at all).
If I try and RDP from the Windows 8 laptop (laptop.corp.contoso.com) to RDS-SH.corp.fabrikam.com and authenticate with the smart card, I get the error:
The remote computer that you are trying to connect to requires Network Level Authentication (NLA), but your Windows domain controller cannot be contacted to perform NLA. If you are an administrator on the remote computer, you can disable NLA by using the options on the Remote tab of the System Properties dialog box.
If I run a trace on Network Monitor, I can see the laptop trying to lookup SRV records for it's own (corp.contoso.com) domain controller. Why would it try and do this? Why would it need to contact it's own DC to connect and authenticate to a RDS-SH server on another domain/forest with no trust?
Do these two domain have its trust relationships?If not,pls try to disable the NLA on the server-side and then connect to see whether it works.
As I see ,if it is a test environment, pls try to use a workgroup computer to see whether it works.If it works,it is probably not supported using NLA by cross-domained computer to log onto another domain member without trust relationships.
Also,try to use win 7 client to see whether it is just a WIN 8 bug issue.
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Sorry that didn't really answer my question.
There are no trusts between the domains at all, and yes NLA is turned on and is mandated by security policy.
Windows 7 does work as expected, but Windows 8 does not.
Why does NLA require and trusts between domains/forests?
How do we raise a bug in Windows 8 to resolve this?