On-Prem RDS NLA troubleshooting

Hi, I'm working to support integration of my customer with a new parent company.

Our environment, we'll call this Site A: Windows Server 2016 w/Essentials Role, Windows 2016 w/MultiPoint Role, Windows 10 Pro desktops (1909). Local AD Domain runs AAD Connect using password hash sync.

Is now connected using site-to-site VPN and 2-way forest trust to....

(We have site-to-site VPN to both Site 1 and Site 2 below)

Their environment:

Site 1:

2x DCs Windows Server 2016 Std

1x Terminal Server running Windows Server 2016 DC *this is just a Windows Server 2016 set up as a Session Host, there's no RD Gateway, Broker, etc because those things are hard <shrug>

Site 2:

1x DC Windows Server 2012

Mostly people connecting into our MultiPoint server

Our users connect from the Windows 10 desktops and MultiPoint server (joined to our domain) into the Site 1 Terminal Server (joined to the remote domain) and primarily run an Access app there.

On a frequent basis our users get disconnected - they usually get the generic disconnected message....when they try to re-connect they generally get an NLA error. Anecdotally it appears to happen when the Site A - Site 2 VPN connection drops.

I understand using NLA the RDS server tries to communicate back to the domain to authenticate the machine that's trying to connect.....but every article I find about RDS and NLA is "how to disable NLA," which we don't want to do.

Any resources or links discussing how to troubleshoot NLA in the RDS context?

Beyond that....would the RDS be trying to authenticate the client PCs via the trust through its own domain, or contacting our DC directly? Which domain should we be nltest-ing?

Thanks in advance!

-Greg C

7 Replies

try to re-connect they generally get an NLA error.

What error?
@Dave Patrick

Thanks....I don't have the initial disconnect error message handy but it did not reference NLA.

But when trying to reconnect they see:

Remote Desktop Connection

The remote computer that you are trying to connect to requires Network Level Authentication (NLA), but your Windows domain controller cannot be contacted to perform NLA. If you are an administrator on the remote computer, you can disable NLA by using the options on the Remote tab of the System Properties dialog box.

From a Windows perspective NLA uses port 389 to connect to a domain controller, so I'd check that port is open and that problem members have a healthy domain controller listed for DNS on connection properties and no others such as router or public DNS.
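A script that runs the checks suggested here (DNS servers on the adapter, LDAP reachability) together with the `nltest` question from the original post, added as an example that is not from anyone in this thread. Run it as an administrator on the Site 1 RD Session Host and again on an affected Site A client: the RD host has to reach a DC of its own domain and, through the trust, a DC of the clients' domain, while the client has to reach its own DCs and the remote host, so running it on both ends shows which leg is broken. The two domain names are placeholders. It queries the DC locator for both domains (with `/force`, so a result cached during the VPN outage is not reused), tests the ports a domain logon needs against every DC the SRV records advertise, and checks this computer's own secure channel without repairing anything.

```powershell
# Added example, not from the thread. Run as a local administrator on the
# Site 1 RD Session Host and again on an affected Site A client.
# Domain names are placeholders; replace them with the real forest FQDNs.
$ClientDomain = 'sitea.example'     # placeholder: domain the user PCs belong to
$RdsDomain    = 'site1.example'     # placeholder: domain the RD Session Host belongs to
$Domains      = $ClientDomain, $RdsDomain

# 1. DNS client configuration: only domain DNS servers should be listed.
#    A router or public resolver here breaks the SRV lookups the DC locator relies on.
Write-Host '=== DNS servers per adapter ==='
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 2. DC locator for each domain. /force ignores the cached locator result, which
#    matters after a VPN flap: a failed lookup otherwise stays cached for a while.
foreach ($d in $Domains) {
    Write-Host "=== nltest /dsgetdc for $d ==="
    nltest "/dsgetdc:$d" /force
}

# 3. TCP reachability from this host to every DC advertised in DNS for each domain.
#    88 = Kerberos, 389 = LDAP, 445 = SMB (Netlogon/SYSVOL), 135 = RPC endpoint mapper.
$Ports = 88, 389, 445, 135
$Results = foreach ($d in $Domains) {
    $dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$d" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' } |
           Select-Object -ExpandProperty NameTarget -Unique
    if (-not $dcs) {
        [pscustomobject]@{ Domain = $d; DC = '(no SRV records resolved)'; Port = '-'; Open = $false }
        continue
    }
    foreach ($dc in $dcs) {
        foreach ($p in $Ports) {
            $ok = Test-NetConnection -ComputerName $dc -Port $p -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{ Domain = $d; DC = $dc; Port = $p; Open = $ok }
        }
    }
}
Write-Host '=== Port reachability ==='
$Results | Format-Table -AutoSize
$Results | Where-Object { -not $_.Open } | ForEach-Object {
    Write-Warning "$($_.Domain): $($_.DC) port $($_.Port) not reachable"
}

# 4. This computer's secure channel to its own domain (read-only, no -Repair).
Write-Host '=== Secure channel to own domain ==='
Test-ComputerSecureChannel -Verbose

# 5. Trust relationships as this member sees them.
Write-Host '=== Trusted domains ==='
nltest /trusted_domains
```

Compare the output from the two machines: a DC that resolves but whose ports 88 and 389 stay closed from the RD host only, while the client reaches everything, points at the VPN or firewall between the sites rather than at DNS; no SRV records at all for the other forest points at the DNS server list or conditional forwarders.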

@Dave Patrick

Thanks, but I'm not quite there.

I understand in the NLA part the client PC negotiates a connection with the RD server and uses CredSSP to authenticate the user before allowing the full RDP protocol connection.

But who's trying to connect, and to which DC?

Is the client PC negotiating with the local DC for a Kerberos ticket to present to the remote RDS server which then needs to traverse the domain trust back to the local DC to authenticate it?

I understand how everything fails when the VPN drops but I'd like to see if there's a way we can recover faster from VPN flaps....

Thanks in advance,

Greg C
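One way to observe the Kerberos exchange Greg asks about, added here as an example that is not from anyone in the thread: run it on a Site A client, in the user's own session, while the VPN is up. The host name and realm are placeholders. It requests a ticket for the RD host's TERMSRV service principal and then classifies what is in the ticket cache. Across a forest trust the cache should hold the client's own TGT, a referral TGT for the Site 1 realm (issued by a Site A DC) and the TERMSRV service ticket (issued by a Site 1 DC); whichever of these is missing after a VPN flap tells you which DC the client failed to reach.

```powershell
# Added example, not from the thread. Run on a Site A client, in the user's
# own session, while the VPN is up. Both values are placeholders.
$RdHost   = 'rds01.site1.example'   # placeholder FQDN of the Site 1 RD Session Host
$RdsRealm = 'site1.example'         # placeholder Kerberos realm (DNS name) of Site 1

# Ask for a service ticket for the RDP service principal. Across a forest trust
# the client first obtains a referral TGT for the Site 1 realm from its own DC,
# then the TERMSRV ticket from a Site 1 DC; an error here names the realm whose
# KDC could not be reached.
klist get "TERMSRV/$RdHost"

# Pull the 'Server:' line of every cached ticket (the principal before ' @ REALM').
$servers = klist |
    Select-String -Pattern '^\s*Server:\s*(\S+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }

# Classify each cached ticket by its service principal.
$summary = foreach ($s in $servers) {
    switch -Regex ($s) {
        "^krbtgt/$([regex]::Escape($RdsRealm))$" { "referral TGT for $RdsRealm : $s"; break }
        '^krbtgt/'                               { "own-realm TGT              : $s"; break }
        '^TERMSRV/'                              { "RDP service ticket         : $s"; break }
        default                                  { "other                      : $s" }
    }
}
$summary

# Read-only verdict: without a referral TGT and a TERMSRV ticket the client never
# completed the cross-realm exchange that NLA/CredSSP depends on.
if (-not ($summary -match '^referral TGT') -or -not ($summary -match '^RDP service ticket')) {
    Write-Warning "Cross-realm tickets missing; 'klist purge' followed by a reconnect forces a fresh exchange."
}
```

`klist purge` only discards the current user's cached tickets, so it is a safe first step after the VPN returns: the next connection attempt then has to acquire the referral and service tickets again instead of reusing entries obtained before the outage.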
But who's trying to connect, and to which DC?

Client tries connecting to any domain controller. NLA = network location awareness so it can properly set the Windows firewall profile.

That doesn't line up with what I'm seeing....
the VPN drops for a minute
the local clients get disconnected from the remote domain RD server
VPN comes back up
local clients can't reconnect to the remote domain RD server for several minutes due to the NLA error

These same clients can access files and RDS servers on the in-house domain the entire time, so I don't think they have lost sight of their own DC or are re-configuring their firewall policies.

I'd really like to find a way to make the reconnection & re-authentication faster when the VPN comes back up....

Thx!

Greg C

I'd suggest starting a case here with product support.

https://support.microsoft.com/en-us/hub/4343728/support-for-business