Remote Desktop 6.0: Network Level Authentication does not work from OSes prior to Vista…


 


Just a small tip for people who, like me, use Remote Desktop very often.


Microsoft has released a new version of the Remote Desktop client, version 6.0, which makes Terminal Services easier to use. One of the features I like very much is the redirection of local devices to the remote session: for example, a local smart card reader is made available on the remote machine, so you can log on there with the smart card that is sitting beside you.


But using Remote Desktop on Vista isn't as intuitive as it used to be. Since network security has been tightened, you have to do some configuration before your Vista machine can be reached over Terminal Services from any "safe" place or connection source; this includes the settings of Vista's enhanced Windows Firewall. Things get more complicated if your Vista machine is joined to a domain and the domain admin has put restrictions on your firewall rules via Group Policy, because the policy will override whatever you set locally. I'll post the Vista firewall settings needed to allow RDP connections when I have time later.


For now, be aware that RDP 6.0 introduced a feature called Network Level Authentication (NLA), which, at the time of writing, only Vista supports natively. So if you set your Vista machine to accept only NLA connections, the connection will fail when you connect to it from Windows XP or Windows Server 2003 with the older client, and you get this dialog box:


[screenshot: rdpvista1.jpg]


So, where do you turn NLA on or off in Vista? It's at Control Panel -> System -> Remote Settings:


[screenshot: rdpvista2.jpg]


If you want to be able to connect from Windows XP or Windows Server 2003 machines, use the second setting ("Allow connections from computers running any version of Remote Desktop (less secure)"). If you only ever connect from Vista machines, choose the third setting ("Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)"), which turns on NLA. This is the safer choice: with NLA the client has to authenticate before a session is created on the server, so an unauthenticated client never gets as far as the Windows logon screen and never ties up server resources for a session that would only be used to guess passwords…
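As an added example (not code from the original post), here is how to inspect and switch between the same three "Remote Settings" choices from an elevated PowerShell prompt, which is handy when you are already connected and don't want to click through the dialog. It assumes the default "RDP-Tcp" listener and Vista's built-in "Remote Desktop" firewall rule group; the function names are my own.

```powershell
# Added example (not from the original post): inspect and change the Vista
# "Remote Settings" choices from an elevated PowerShell prompt instead of the GUI.
# fDenyTSConnections is the registry value behind "Don't allow connections";
# Win32_TSGeneralSetting.UserAuthenticationRequired is the NLA switch behind
# the second/third radio buttons; netsh advfirewall handles Vista's firewall.

$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpListener {
    # Assumes the default listener name "RDP-Tcp".
    Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
}

function Get-RdpSetting {
    $deny = (Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections).fDenyTSConnections
    $nla  = (Get-RdpListener).UserAuthenticationRequired
    if ($deny -eq 1)    { return 'Disabled' }
    elseif ($nla -eq 1) { return 'NLA required (more secure)' }
    else                { return 'Any client (less secure)' }
}

function Set-RdpSetting {
    param([string] $Mode)   # Disabled | AnyClient | NlaOnly
    switch ($Mode) {
        'Disabled'  { Set-ItemProperty -Path $tsRoot -Name fDenyTSConnections -Value 1 }
        'AnyClient' { Set-ItemProperty -Path $tsRoot -Name fDenyTSConnections -Value 0
                      [void] (Get-RdpListener).SetUserAuthenticationRequired(0) }
        'NlaOnly'   { Set-ItemProperty -Path $tsRoot -Name fDenyTSConnections -Value 0
                      [void] (Get-RdpListener).SetUserAuthenticationRequired(1) }
        default     { throw "Unknown mode '$Mode'" }
    }
    # The dialog also opens the firewall for you; do the same with the built-in rule group.
    # If a domain Group Policy manages the firewall, this local change is overridden.
    if ($Mode -ne 'Disabled') {
        netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes | Out-Null
    }
}

'Before: ' + (Get-RdpSetting)
Set-RdpSetting -Mode NlaOnly
'After:  ' + (Get-RdpSetting)
```

After switching to NlaOnly, a quick check is to run `mstsc /v:<your Vista host>` from an XP or 2003 box with the old client: it should fail with the dialog shown above, while a Vista client connects as before.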


FYI


Technorati Tags: microsoft, windows vista, remote desktop, RDP, NLA


 

Comments (5)

  1. SecurityEnthusiast says:

    Just to prevent misunderstanding, since people tend to follow advice given on MSDN blogs — you should NOT turn off NLA on Vista anymore.

    Instead, upgrade your Remote Desktop client on XP, 2K3, or Mac OS X. The new versions, released in the past year, all support NLA.

  2. SecurityEnthusiast:

    Yes, you are right. When this post was composed there were still lots of XP clients running the old version of the Remote Desktop Client; also, the new version had not yet been offered as an optional Windows Update patch.

    For now, when running Windows Update on XP or 2003 clients, there is an optional patch containing the new version of Remote Desktop, which supports NLA without any problems; install that to strengthen your security.

  3. EPMerc says:

    Actually, it's the other way around: my XP desktop can remotely access my Vista laptop. However, when I attempt to remotely access my XP desktop using my Vista laptop, I get the following message during logon: "The local policy of this system does not permit you to logon interactively".

    I would appreciate an instructional solution, please. Thank you.

  4. rcmtech says:

    In order to get XP SP3 to be able to RDP to an NLA-enabled machine (Vista or Server 2008 or higher with NLA enabled) you not only need the latest RDP client on the XP machine but also have to do a couple of registry changes to actaully get the NLA support to be enabled. Please see this for details: rcmtech.wordpress.com/…/rdp-from-xp-to-server-2008-and-higher-nla