Recently we set up a new Terminal Server (Windows Server 2012 R2) for a client. As a practice we always give users temporary passwords, and when they log in for the first time they are prompted to reset the password. Everything went well, from Terminal Server configuration to licensing. However, when the users started to log in they got a strange error:
“An authentication error has occurred. The local security authority cannot be contacted.”
While troubleshooting the error we realised that if we clear “Reset password at next logon” in the user's properties in Active Directory Users and Computers, i.e. do not force them to reset the password, they are able to log in just fine. So we implemented that as a temporary workaround, but kept looking for the real cause.
After some research I found that Windows Server 2012 enables another layer of protection by default when Remote Desktop is enabled: Network Level Authentication (NLA).
A few words about Network Level Authentication
Network Level Authentication is an authentication method that can be used to enhance RD Session Host server security by requiring that the user be authenticated to the RD Session Host server before a session is created.
Network Level Authentication completes user authentication before you establish a remote desktop connection and the logon screen appears. This is a more secure authentication method that can help protect the remote computer from malicious users and malicious software.
Network Level Authentication (NLA) Requirement
The client computer must be using an operating system, such as Windows 7, Windows Vista, or Windows XP with Service Pack 3, that supports the Credential Security Support Provider (CredSSP) protocol.
More About NLA Here
How to Fix it
Fortunately the solution to my problem was quite simple: disable the added NLA protection on the server. Here is how:
- Log in to the Windows Server 2012 R2 server with an admin account
- Open a command prompt with elevated privileges, i.e. right-click and choose Run as administrator
- Type start sysdm.cpl and hit Enter; the System Properties dialog opens (you can also open it from Control Panel)
- Click the Remote tab and uncheck the last box on the page, “Allow connections only from computers running Remote Desktop with Network Level Authentication (Recommended)”; refer to the image below
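The same switch can be inspected and flipped from PowerShell, which is handy when you want to turn NLA off only while new users complete their first logon and password change, and then restore the pre-session authentication described above. The script below is an added example, not code from the original post; it assumes it is run elevated on the RD Session Host, that the listener has the default name RDP-Tcp, and that the RSAT ActiveDirectory module is installed for the last function. The function names (Get-RdpNlaState, Set-RdpNlaState, Get-UsersPendingPasswordChange) are my own.

```powershell
# Added example (not from the original post): inspect and toggle the RDP NLA
# requirement, and list the AD users still flagged "must change password at next logon".
# Assumptions: run elevated on the RD Session Host; default listener name 'RDP-Tcp';
# RSAT ActiveDirectory module available for Get-UsersPendingPasswordChange.

$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpNlaState {
    # UserAuthentication = 1 means the "Allow connections only from computers running
    # Remote Desktop with Network Level Authentication" box on the Remote tab is ticked.
    $value = (Get-ItemProperty -Path $RdpTcpKey -Name UserAuthentication).UserAuthentication
    [PSCustomObject]@{
        Listener    = 'RDP-Tcp'
        NlaRequired = ($value -eq 1)
    }
}

function Set-RdpNlaState {
    param([Parameter(Mandatory)][bool]$Required)
    # Same setting the Remote tab changes, via the Terminal Services WMI provider.
    $setting = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $result = Invoke-CimMethod -InputObject $setting -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = [uint32]([int]$Required) }
    if ($result.ReturnValue -ne 0) {
        throw "SetUserAuthenticationRequired failed with return code $($result.ReturnValue)"
    }
    Get-RdpNlaState
}

function Get-UsersPendingPasswordChange {
    # pwdLastSet = 0 is how AD stores "User must change password at next logon";
    # these are the accounts that hit the LSA error while NLA is required.
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADUser -Filter "pwdLastSet -eq 0 -and Enabled -eq 'True'" -Properties pwdLastSet |
        Select-Object SamAccountName, DistinguishedName
}

# Usage during onboarding of new users:
Get-RdpNlaState
Get-UsersPendingPasswordChange
# Set-RdpNlaState -Required $false   # turn NLA off (what the steps above do in the GUI)
# ... let the users log on and change their temporary passwords ...
# Set-RdpNlaState -Required $true    # restore NLA once Get-UsersPendingPasswordChange is empty
```

Keeping the re-enable step as part of the routine limits how long the server accepts connections without pre-session authentication, and the pwdLastSet query tells you when there is nobody left who needs the exception.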
If this doesn't fix your issue and you need urgent support, feel free to reach our paid support here; otherwise, happy Googling 🙂
Latest posts by Shishir Chandrawat (see all)