Questions[network-level-auth](server)

I am running a Windows Server 2012 R2 server that admins and users can access via Remote Desktop Connection. I have set up the users and Local Security Policy so that on each user's first login, and every 90 days thereafter, they will be prompted to change their password.

However, whenever the user's account is in a state where the password must be reset, as soon as they try to connect using RDP they get the following error message from the Remote Desktop Connection client (v10.0):

You must change your password before logging on the first time. Please update your password or contact your system administrator or technical support.

When using the Remote Desktop Connection Manger client (v2.7) instead, the same happens, though the error is slightly different:

The user password must be changed before logging on for the first time

The server is stand alone, not on a domain. Network Level Authentication is required to be enabled because of security compliance requirements. The server has no console access as it's a cloud virtual machine.

I have been unsuccessful in finding any way workaround for this whatsoever, without compromising on the NLA security configuration. Have I missed something obvious? Any answers or comments would be gratefully received. Thank you.

We're in the process of incrementally upgrading our PCs to Windows 7, and several times now have been unable to open an RDP connection to the upgraded machine to remotely administer them. At some point we realised that Network Level Authentication was the culprit, and subsequently disabled it in the images we've deployed since.

This morning I had another machine that I could not connect to, having tried the following:

• Remote desktop via our RDS server (2008R2)
• Remote desktop into another Windows 7 machine on the same LAN/subnet & try opening a connection from there

AFAICT nmap showed port 3389 not open.

The machine in question is several hundred kilometres away, so physical access is to perform a local login is somewhat difficult (and I'd prefer not to hand out the local login details to get the user to fix it).

"Group Policy" is non-existent for two reasons: the machine is not domain connected,

Since we're using FOG for imaging & management, it would probably be possible to deploy a registry hack or batch/powershell script to disable it; does anyone have any suggestions on a possible solution?

Without any change (except Windows Updates), one of my stand alone W2K8 R2 servers has become unconnectable from Remote Desktop (Win 7). RDP gets stuck on 'Securing Remote Connection' and just never completes.

I can however connect to the same server using a 3rd party RDP client - Royal TS - which allows me to specifically disable Network Level Authentication. Connecting with NLA enabled in Royal TS exhibits the same problem as Win7 RDP client.

The W2K8 R2 server is configured to allow non NLA RDP sessions. Not a member of a domain, not a DNS server, etc. It's a standalone web server.

So, my question is what could cause RDP to fail like this with no other changes?

UPDATE In a bizarre twist, the problem has magically resolved itself with no changes on either end.

I have a suspicion there may have been some kind of DNS issue within the hosting center - based on comments I've found through google from others experiencing similar kinds of problems.

I'm running Windows XP Professional SP3 x86, trying to connect to a system with Windows 7 Ultimate SP1 x64.

Recently, I updated the Remote Desktop Connection software on the XP system in hopes of using Network Level Authentication (NLA) for my connections to the Windows 7 box. After the update, I connected to the Windows 7 box over RDP and enabled NLA believing that the updated client should support it.

After disconnecting and attempting to reconnect, I'm presented with the following error:

The remote computer requires Network Level Authentication, which your computer does not support. For assistance, contact your system administrator or technical support.

So, I checked the About page in Remote Desktop Connection to make sure the update had applied. This is what I see.

Remote Desktop Connection
Shell Version 6.1.7600
Control Version 6.1.7600
© 2007 Microsoft Corporation. All rights reserved.
Network Level Authentication not supported. Remote Desktop Protocol 7.0 supported.

I thought NLA was supposed to be a part of RDP 7.0 clients. Is there a component I'm missing somewhere?

To summarize the rambling below: How do I connect (using Remote Desktop Connection) from Windows XP SP3 to Windows Server 2008 R2 (or Windows 7) without clicking the checkbox on the server that says Allow connections from computers running any version of Remote Desktop (less secure)?

So, I've discovered that newer versions of Windows have "more secure" versions of remote desktop on them, that requires network level authentication to work securely. Unfortunately, Windows XP RDC doesn't support NLA, and the the intertubes have surprisingly little to say about actually making it work without clicking the checkbox that says Allow connections from computers running any version of Remote Desktop (less secure). Now I don't really consider "use the less secure version" to be an acceptable answer ("What's that, can't make ssh work? Yea, I solved that by just using telnet instead."). Upgrading to Windows 7 is not an acceptable answer either, cause while I agree that Windows 7 is "pretty darn cool", it isn't all that practical to tell other people in my organization "just go upgrade" when they want to connect securely via RDC to a particular system.

Even Server Fault seems to come up with very little to say on the topic, which really surprised me (the closest I could find was this question, which was almost there, but not really). It amazes me how many admins are perfectly willing to click the "less secure means it will work" button, so I went on a hard target search of every hen house, dog house, and out house on the intarwebs to find the answer. After days of searching I came up blank (ok, maybe it was more like 20 minutes, but it felt like days). So I started drafting this question on SF, got distracted, and never posted it.

Today I came to finish the question, applied a little more google-fu before doing so, and stumbled upon the answer, which I'm recording here for posterity (although I'll wait like 20 minutes before posting the answer in case one of you out there already knows it, so you can have the credit and gain the rep for a correct answer).