Forum Discussion
On-Prem RDS NLA troubleshooting
Thanks. I don't have the initial disconnect error message handy, but it did not reference NLA.
But when trying to reconnect they see:
Remote Desktop Connection
The remote computer that you are trying to connect to requires Network Level Authentication (NLA), but your Windows domain controller cannot be contacted to perform NLA. If you are an administrator on the remote computer, you can disable NLA by using the options on the Remote tab of the System Properties dialog box.
From a Windows perspective, NLA uses port 389 to connect to the domain controller, so I'd check that the port is open and that the problem members have a healthy domain controller listed for DNS in their connection properties, and no others such as a router or public DNS.
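The checks suggested above (DNS servers on the connection, LDAP reachability to a DC, and whether the target host actually requires NLA) can be scripted on an affected client. This is an added diagnostic, not code from the thread; the domain, host and RDP listener name are placeholders, and the remote WMI query assumes WinRM access to the RD Session Host.

```powershell
# Added example: run on a client that cannot reconnect after a VPN flap.
param(
    [string]$Domain  = 'remote.example',        # placeholder: remote AD domain
    [string]$RdsHost = 'rds01.remote.example'   # placeholder: RD Session Host
)

$results = [ordered]@{}

# 1. Which DNS servers does each active adapter use? The VPN adapter should
#    list a domain controller, not a router or a public resolver.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        $results["DNS on $($_.InterfaceAlias)"] = ($_.ServerAddresses -join ', ')
    }

# 2. Can the client locate a DC for the remote domain via the SRV records?
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
$dcs = @($srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget)
$results['DCs from SRV lookup'] = if ($dcs) { $dcs -join ', ' } else { 'none (DNS lookup failed)' }

# 3. Is LDAP (tcp/389) reachable on each DC, along with Kerberos (tcp/88),
#    which the CredSSP exchange ultimately depends on?
foreach ($dc in $dcs) {
    foreach ($port in 389, 88) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        $results["$dc tcp/$port"] = $ok
    }
}

# 4. Force the DC locator to pick a DC now rather than reuse its cached choice,
#    which may still point at a DC that was unreachable while the VPN was down.
$results['nltest /dsgetdc'] = (nltest /dsgetdc:$Domain /force 2>&1 | Select-Object -First 2) -join ' '

# 5. Does the target host actually require NLA on its RDP-Tcp listener?
$ts = Get-CimInstance -ComputerName $RdsHost -Namespace 'root/cimv2/TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" -ErrorAction SilentlyContinue
$results["NLA required on $RdsHost"] =
    if ($ts) { [bool]$ts.UserAuthenticationRequired } else { 'unknown (WMI unreachable)' }

$results.GetEnumerator() | ForEach-Object { '{0,-40} {1}' -f $_.Key, $_.Value }
```

Running it once while the VPN is down and again right after it recovers shows which step (DNS, DC locator cache, or port reachability) lags behind the tunnel.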
- gregcharland, May 14, 2020, Copper Contributor
Thanks, but I'm not quite there.
I understand in the NLA part the client PC negotiates a connection with the RD server and uses CredSSP to authenticate the user before allowing the full RDP protocol connection.
But who's trying to connect, and to which DC?
Is the client PC negotiating with the local DC for a Kerberos ticket to present to the remote RDS server, which then needs to traverse the domain trust back to the local DC to authenticate it?
I understand how everything fails when the VPN drops, but I'd like to see if there's a way we can recover faster from VPN flaps. Thanks in advance,
Greg C
- Dave Patrick, May 15, 2020, MVP
But who's trying to connect, and to which DC?
Client tries connecting to any domain controller. NLA = network location awareness so it can properly set the Windows firewall profile.
- gregcharland, May 15, 2020, Copper Contributor
That doesn't line up with what I'm seeing....
the VPN drops for a minute
the local clients get disconnected from the remote domain RD server
VPN comes back up
local clients can't reconnect to the remote domain RD server for several minutes due to the NLA error
These same clients can access files and RDS servers on the in-house domain the entire time, so I don't think they have lost sight of their own DC or are re-configuring their firewall policies.
I'd really like to find a way to make the reconnection & re-authentication faster when the VPN comes back up....
Thx!
Greg C