
Windows domain controller cannot be contacted to perform NLA


Post by chicagotech » Thu Nov 09, 2017 5:24 pm

Situation: The client tries to RDP to a remote machine, but can’t and receives this message:

“The remote computer that you are trying to connect to requires Network Level Authentication (NLA), but your Windows domain controller cannot be contacted to perform NLA. If you are an administrator on the remote computer, you can disable NLA by using the options on the Remote tab of the System Properties dialog box.”

Resolution: 1. Download PsExec from TechNet. Run the code below, updating the following values:

\\VMNAME – The name of the machine on which you want to disable NLA

VMNAME\ADMIN_ACCOUNT – The username of a local administrator on the machine on which you want to disable NLA, e.g. pc1\admin

psexec \\VMNAME -u VMNAME\ADMIN_ACCOUNT -p PASSWORD reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /f /v SecurityLayer /t REG_DWORD /d 0
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
chicagotech
Site Admin
 
Posts: 7096
Joined: Mon Nov 27, 2006 1:24 pm
Location: Chicago USA

Re: Windows domain controller cannot be contacted to perform NLA

Post by chicagotech » Thu Nov 09, 2017 5:29 pm

For Azure VMs, when you increase the size of the VM (adding CPU and memory), the network configuration is reset. This means that if you have a static DNS defined inside the VM, it would be set to DHCP-assigned, which is the public DNS in Azure.

Use a local admin account to log on to the virtual machine and set the DNS to point to your DC. Alternatively, assign the IP address of the DC/DNS under DNS servers of the virtual network.

Re: Windows domain controller cannot be contacted to perform NLA

Post by chicagotech » Thu Nov 09, 2017 5:36 pm

Three ways to skin this cat:

Remote Registry
1. Start > Run > Regedit. You may need to use "RunAs" to launch it using an account with admin privileges on the target server.
2. File > “Connect Network Registry…”
3. Enter the remote computer name and click OK.
4. Navigate to HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
5. Select “SecurityLayer” and change the value to 0.



Remote PowerShell

$TargetServer = "Server_with_NLA_Enabled"
(Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName $TargetServer -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)

Group Policy
1. Create and apply GPO to the server(s) via the Group Policy Management Console.
2. Edit the GPO and navigate to the following setting:
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security
3. Set the policy "Require user authentication for remote connections by using Network Level Authentication" to DISABLED.

Re: Windows domain controller cannot be contacted to perform NLA

Post by chicagotech » Thu Nov 09, 2017 5:38 pm

In our case, "Allow connections only from computers running Remote Desktop with Network Level Authentication" is checked. Go to System Properties > uncheck "Allow connections only from computers running Remote Desktop with Network Level Authentication".
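
An added example, not part of the original posts: a PowerShell audit of the two RDP settings the workarounds in this thread change (SecurityLayer and the NLA requirement), so hosts left relaxed can be found and NLA turned back on once the domain controller is reachable again. The function names Get-RdpNlaState and Restore-RdpNla are hypothetical, and remote checks assume WinRM is enabled on the target.

```powershell
# Added example, not from the thread. Function names are hypothetical.
# SecurityLayer: 0 = RDP security layer, 1 = Negotiate, 2 = SSL (TLS).
# UserAuthentication: 1 = NLA required, 0 = NLA not required.
function Get-RdpNlaState {
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    $check = {
        $tcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
        $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
        $local  = Get-ItemProperty -Path $tcp -ErrorAction SilentlyContinue
        $policy = Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue

        # A value written by Group Policy takes precedence over the local one.
        $byPolicy = $null -ne $policy.UserAuthentication
        $ua = if ($byPolicy) { $policy.UserAuthentication } else { $local.UserAuthentication }
        $sl = if ($null -ne $policy.SecurityLayer) { $policy.SecurityLayer } else { $local.SecurityLayer }

        [pscustomobject]@{
            Computer           = $env:COMPUTERNAME
            SecurityLayer      = $sl
            UserAuthentication = $ua
            SetByPolicy        = $byPolicy
            NlaRequired        = ($ua -eq 1)
        }
    }

    foreach ($name in $ComputerName) {
        if ($name -eq $env:COMPUTERNAME) { & $check }
        else { Invoke-Command -ComputerName $name -ScriptBlock $check }   # assumes WinRM
    }
}

function Restore-RdpNla {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Same WMI class and method the thread uses, called with 1 instead of 0.
    # Windows PowerShell 5.1 (Get-WmiObject is not available in PowerShell 7).
    $ts = Get-WmiObject -Class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices `
            -ComputerName $ComputerName -Filter "TerminalName='RDP-Tcp'"
    $ts.SetUserAuthenticationRequired(1) | Out-Null
    # If the setting comes from a GPO, the policy must be changed instead.
    Get-RdpNlaState -ComputerName $ComputerName
}

# List hosts where NLA is currently not required (local machine by default).
Get-RdpNlaState | Where-Object { -not $_.NlaRequired }
```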

