We're in the process of incrementally upgrading our PCs to Windows 7, and several times now we have been unable to open an RDP connection to the upgraded machine to remotely administer them. At some point we realised that Network Level Authentication was the culprit, and subsequently disabled it in the images we've deployed since.
This morning I had another machine that I could not connect to, having tried the following:
- Remote desktop via our RDS server (2008R2)
- Remote desktop into another Windows 7 machine on the same LAN/subnet & try opening a connection from there
AFAICT nmap showed port 3389 not open.
The machine in question is several hundred kilometres away, so physical access to perform a local login is somewhat difficult (and I'd prefer not to hand out the local login details to get the user to fix it).
"Group Policy" is non-existent for two reasons: the machine is not domain connected,
Since we're using FOG for imaging & management, it would probably be possible to deploy a registry hack or batch/powershell script to disable it; does anyone have any suggestions on a possible solution?
Network Level Authentication (NLA) requires that authentication take place on both the host initiating the session and the remote host. This means there are several username/hostname variable combinations that must all play nicely:
This has some implications that can prevent Remote Desktop with NLA from working:
- If the local host initiating the Remote Desktop session does not support NLA. This would be Windows versions prior to Vista without at least version 6.1 of RDC. This also implies hosts like Linux that use a client that doesn't support NLA.
- If the local account initiating the Remote Desktop session can't authenticate locally. Typically this happens if you're using an account that can't log in to the local host initiating the session or it has restricted privileges. For domain accounts, see the Workstations Allowed / Workstations Restricted list for the user account via "net use /domain". If the account is restricted to a set of hosts, both the local host and remote host must be in the list for RDP to work with NLA.
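A script that first reports whether the host accepts RDP at all and whether it requires NLA, and only then changes either setting, as an added example that is not part of the thread or of FOG. It assumes local administrator rights and the Terminal Services WMI provider that ships with Vista and later; the parameter names are mine.

```powershell
# Added example, not from the original thread: report whether this Windows 7 host accepts
# RDP connections and whether it insists on NLA, and optionally change either setting.
# Uses the Terminal Services WMI provider (Vista+), so it runs on PowerShell 2.0 and can
# be pushed as a FOG snapin. Run elevated. -ComputerName only helps when WMI/DCOM is
# reachable, which is not a given when 3389 itself appears closed.
param(
    [string]$ComputerName = '.',
    [switch]$EnableRdp,     # set AllowTSConnections = 1 (also adds the firewall exception)
    [switch]$DisableNla     # set UserAuthenticationRequired = 0 (accept pre-RDC-6.1 clients)
)

$ns = 'root\cimv2\TerminalServices'

function Get-RdpState([string]$Computer) {
    $ts  = Get-WmiObject -ComputerName $Computer -Namespace $ns -Class Win32_TerminalServiceSetting
    $gen = Get-WmiObject -ComputerName $Computer -Namespace $ns -Class Win32_TSGeneralSetting `
               -Filter "TerminalName='RDP-Tcp'"
    New-Object PSObject -Property @{
        RdpEnabled  = ($ts.AllowTSConnections -eq 1)
        NlaRequired = ($gen.UserAuthenticationRequired -eq 1)
        Encryption  = $gen.MinEncryptionLevel
    }
}

$before = Get-RdpState $ComputerName
"Before: RdpEnabled={0} NlaRequired={1}" -f $before.RdpEnabled, $before.NlaRequired

if ($EnableRdp -and -not $before.RdpEnabled) {
    # Remote Desktop switched off entirely shows up as a closed 3389 in nmap regardless of
    # the NLA setting, so check this state before touching NLA at all.
    $ts = Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class Win32_TerminalServiceSetting
    # Arguments: AllowTSConnections=1, ModifyFirewallException=1
    $ts.SetAllowTSConnections(1, 1) | Out-Null
}
if ($DisableNla -and $before.NlaRequired) {
    # Turning NLA off trades the pre-session credential check for compatibility with old
    # clients; updating the client to RDC 6.1+ keeps NLA and fixes the same symptom.
    $gen = Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class Win32_TSGeneralSetting `
               -Filter "TerminalName='RDP-Tcp'"
    $gen.SetUserAuthenticationRequired(0) | Out-Null
}

$after = Get-RdpState $ComputerName
"After:  RdpEnabled={0} NlaRequired={1}" -f $after.RdpEnabled, $after.NlaRequired
```

Run it with no switches first to see which of the two settings is actually the culprit before deploying a change to the image.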
I've finally had the problematic machine returned to me (it was a laptop), and discovered that Remote Desktop was completely disabled; sometimes there's just no substitute for physical access to determine what's causing a problem.