RDP Relay does not work if Network Layer Authentication (NLA) is enabled

  • 7020137
  • 31-May-2017
  • 01-Feb-2021

Environment

Privileged Account Manager

Situation

Unable to connect with RDP Relay; the connection fails.
This may start happening after an Active Directory (AD) domain update.
Attempting to connect via the MyAccess RDP-Relay connection produces the following error:
The remote computer requires Network Level Authentication, which your computer does not support. For assistance, contact your system administrator or technical support.

Resolution

The Windows setting that requires Network Level Authentication (NLA) must be disabled for the relay session to succeed. While NLA does provide a security benefit, disabling it does not by itself pose a major security risk, and that risk can be further mitigated by restricting RDP access to the host with appropriate firewall policies.

To disable Network Level Authentication (NLA) for a connection, please see the steps below:

  1. On the Remote Desktop Session Host server, open the System Properties > Remote tab:
    • From the Control Panel, select the System and Security category > System.
    • Select Remote Settings on the left.

  2. On the Remote tab, uncheck the Allow connections only from computers running Remote Desktop with Network Level Authentication check box and select OK.

Alternatively, PAM offers the following approaches that avoid this limitation:

  • Agentless RDP Web Relay: see Agentless Session Management in Windows for more information.
  • Application SSO (AppSSO) feature, in one of the following modes:
    Note: For more details, please refer to the documentation.

    • (RemoteApp Mode) The AppSSO server needs NLA disabled, but NLA can remain enabled on all the target servers.
    • (Direct Mode) NLA can remain enabled on all the servers.

Cause

At the time of writing, NLA requires the credentials to be entered on the client side, which cannot be automated because it is outside of PAM's control. It is not currently feasible for credential injection and NLA to coexist, and doing so is not a practice supported by Microsoft. One of the disadvantages of requiring NLA is that it does not support other credential providers.

Status

Reported to Engineering

Additional Information

It is also possible to manage this setting via Group Policy, using the following GPO:
Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Security | Require User Authentication For Remote Connections By Using Network Level Authentication.
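As an added example that is not part of this article or of the PAM product, the following PowerShell script (run as an administrator on the Remote Desktop Session Host) audits the NLA setting, applies the same change as the Resolution steps when asked, and narrows inbound RDP to the relay host as the compensating firewall control. The relay address is a placeholder, and the policy registry value it checks is the one written by the GPO above.

```powershell
# Added example, not from the KB article: audit and optionally change the NLA
# requirement on the RDS host targeted by the PAM relay, then restrict RDP.
param(
    # Placeholder address (TEST-NET-1); replace with the PAM relay host's IP.
    [string]$RelayAddress = '192.0.2.10',
    [switch]$DisableNla
)

$tsSetting = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
    -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

Write-Host ("Current NLA requirement (UserAuthenticationRequired): {0}" -f `
    $tsSetting.UserAuthenticationRequired)

# The GPO named in the article writes this policy value; when it is 1 the
# local setting is overridden and the change must be made in Group Policy.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$policy = Get-ItemProperty -Path $policyKey -Name UserAuthentication `
    -ErrorAction SilentlyContinue
if ($null -ne $policy -and $policy.UserAuthentication -eq 1) {
    Write-Warning 'Group Policy enforces NLA here; change the GPO, not the local setting.'
}

if ($DisableNla) {
    # Equivalent to clearing "Allow connections only from computers running
    # Remote Desktop with Network Level Authentication" on the Remote tab.
    Invoke-CimMethod -InputObject $tsSetting -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = 0 } | Out-Null

    # Compensating control from the article: only the relay may reach RDP.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $RelayAddress

    $after = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    Write-Host ("NLA requirement is now: {0}" -f $after.UserAuthenticationRequired)
}
```

Without -DisableNla the script only reports the current state, which is useful for confirming which hosts in the relay's scope still require NLA.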