Forum Discussion
On-Prem RDS NLA troubleshooting
try to re-connect they generally get an NLA error.
What error?
- gregcharland, May 07, 2020, Copper Contributor
Thanks. I don't have the initial disconnect error message handy, but it did not reference NLA.
But when trying to reconnect they see:
Remote Desktop Connection
The remote computer that you are trying to connect to requires Network Level Authentication (NLA), but your Windows domain controller cannot be contacted to perform NLA. If you are an administrator on the remote computer, you can disable NLA by using the options on the Remote tab of the System Properties dialog box.
- Dave Patrick, May 07, 2020, MVP
From a Windows perspective, NLA uses port 389 to connect to the domain controller, so I'd check that that port is open and that problem members have a healthy domain controller listed for DNS in their connection properties, and no others such as a router or public DNS.
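The checks in the reply above (LDAP port 389 open to a DC, and only domain controllers listed as DNS servers on the member) as one script, added here as an example and not part of the thread. It assumes the built-in DnsClient and NetTCPIP cmdlets of Windows 8 / Server 2012 and later; the function name is mine.

```powershell
# Added example, not from the thread: checks the items Dave Patrick lists from the
# problem member's side. Assumes the built-in DnsClient/NetTCPIP modules (Windows 8/2012+).
function Test-NlaDcReachability {
    param([string]$Domain = $env:USERDNSDOMAIN)
    if (-not $Domain) { throw 'USERDNSDOMAIN is not set; is this machine domain-joined?' }

    # Does the local RDP listener require NLA? (Same value the Remote tab of System Properties sets.)
    $rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $nlaRequired = ($rdp.UserAuthentication -eq 1)

    # DNS servers on every adapter. A router or public resolver here means the DC-locator
    # lookup below can fail once the VPN drops, which is exactly the NLA symptom.
    $dns = Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses } |
        ForEach-Object { $alias = $_.InterfaceAlias
            foreach ($s in $_.ServerAddresses) { [pscustomobject]@{ Interface = $alias; Server = $s } } }

    # Find the domain's DCs through the DC-locator SRV record, then test LDAP (389) to each.
    $srv = Resolve-DnsName "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
    $dcIps = @()
    $dcs = foreach ($dc in ($srv.NameTarget | Sort-Object -Unique)) {
        $ips = @()
        try { $ips = @([System.Net.Dns]::GetHostAddresses($dc).IPAddressToString) } catch { }
        $dcIps += $ips
        $tcp = Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc
            Addresses        = ($ips -join ', ')
            Ldap389Open      = $tcp.TcpTestSucceeded
        }
    }

    [pscustomobject]@{
        Domain            = $Domain
        LocalNlaRequired  = $nlaRequired
        DomainControllers = $dcs
        # DNS entries that are not a DC address: the "no others such as router or public DNS" check.
        NonDcDnsServers   = @($dns | Where-Object { $dcIps -notcontains $_.Server })
        AnyDcReachable    = [bool]($dcs | Where-Object { $_.Ldap389Open })
    }
}

# Run on a problem member while the VPN is up and again after a flap; compare
# AnyDcReachable, Ldap389Open per DC, and NonDcDnsServers between the two runs.
Test-NlaDcReachability | Format-List
```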
- gregcharland, May 14, 2020, Copper Contributor
Thanks, but I'm not quite there.
I understand in the NLA part the client PC negotiates a connection with the RD server and uses CredSSP to authenticate the user before allowing the full RDP protocol connection.
But who's trying to connect, and to which DC?
Is the client PC negotiating with the local DC for a Kerberos ticket to present to the remote RDS server, which then needs to traverse the domain trust back to the local DC to authenticate it?
I understand how everything fails when the VPN drops, but I'd like to see if there's a way we can recover faster from VPN flaps. Thanks in advance,
Greg C