Forum Discussion

gregcharland's avatar
gregcharland
Copper Contributor
May 06, 2020

On-Prem RDS NLA troubleshooting

Hi, I'm working to support integration of my customer with a new parent company.   Our environment, we'll call this Site A: Windows Server 2016 w/Essentials Role, Windows 2016 w/MultiPoint Role, Wi...
Active Directory
Remote Desktop
Windows Server
gregcharland's avatar
gregcharland
Copper Contributor
May 07, 2020

Dave Patrick 

Thanks....I don't have the initial disconnect error message handy but it did not reference NLA. 

 

But when trying to reconnect they see:

 

Remote Desktop Connection

The remote computer that you are trying to connect to requires Network Level Authentication (NLA), but your Windows domain controller cannot be contacted to perform NLA. If you are an administrator on the remote computer, you can disable NLA by using the options on the Remote tab of the System Properties dialog box.

 

Dave Patrick's avatar
Dave Patrick
MVP
May 07, 2020

From a windows perspective NLA uses port 389 to connect to domain controller so I'd check that port is open and that problem members have a healthy domain controller listed for DNS on connection properties and no others such as router or public DNS.

 

 . 

 

 

  • gregcharland's avatar
    gregcharland
    Copper Contributor
    May 14, 2020

    Dave Patrick 

    Thanks, but I'm not quite there.

    I understand in the NLA part the client PC negotiates a connection with the RD server and uses CredSSP to authenticate the user before allowing the full RDP protocol connection.

     

    But who's trying to connect, and to which DC?

     

    Is the client PC negotiating with the local DC for a Kerebos ticket to present to the remote RDS server which then needs to traverse the domain trust back to the local DC to authenticate it?

    I understand how everything fails when the VPN drops but I'd like to see if there's a way we can recover faster from VPN flaps....

     

    Thanks in advance,

     

    Greg C

    • Dave Patrick's avatar
      Dave Patrick
      MVP
      May 15, 2020

       

      But who's trying to connect, and to which DC?

       

       

      Client trys connecting to any domain controller. NLA = network location awareness so it can properly set the windows firewall profile.

       

       

      • gregcharland's avatar
        gregcharland
        Copper Contributor
        May 15, 2020
        That doesn't line up with what I'm seeing....
        the VPN drops for a minute
        he local clients get disconnected from the remote domain RD server
        VPN comes back up
        local clients can't reconnect to the remote domain RD server for several minutes due to the NLA error

        These same clients can access files and RDS servers on the in-house domain the entire time, so I don't think they have lost sight of their own DC or are re-configuring their firewall policies.

        I'd really like to find a way to make the reconnection & re-authentication faster when the VPN comes back up....

        Thx!

        Greg C

Resources