NLA and Remote Desktop

lolix3 171 Reputation points
2023-05-03T09:04:43.5866667+00:00

Hi,

When a user object in AD has "Log On To" restrictions, the "client" computer must be allowed, because of NLA.

So far, so good.

But there is one exception: thin clients.

Our DELL-Wyse clients connect through RDP and have NLA enabled. They are not part of the "Log On To" list, and opening a Remote Desktop session from them is possible.

(On the hosts side, the GPO "Require user authentication for remote connections by using Network Level Authentication" is enabled).

So, why are connections from thin clients allowed?

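The two things worth checking before guessing at a cause are what the user's "Log On To" list actually contains and what name the thin client presents when it authenticates. The following PowerShell is an added example, not part of the question or the answer: it reads the user's LogonWorkstations attribute (the attribute behind "Log On To"), compares it against a client name, verifies that each session host really enforces NLA, and lists the Workstation Name recorded in the host's 4624 logon events for that user. The user `jdoe`, the client name `WYSE-01` and the hosts `RDSH01`/`RDSH02` are assumed sample values.

```powershell
# Added example (not from the original post). Assumed sample names: user 'jdoe',
# thin client 'WYSE-01', session hosts 'RDSH01' and 'RDSH02'.
# Requires the RSAT ActiveDirectory module and admin rights on the hosts.
Import-Module ActiveDirectory

$UserName   = 'jdoe'             # assumed sample user
$ClientName = 'WYSE-01'          # assumed name the thin client is expected to present
$Hosts      = 'RDSH01', 'RDSH02' # assumed RDP session hosts

# "Log On To" is stored in LogonWorkstations as a comma-separated list of
# NetBIOS computer names. An empty attribute means no restriction at all.
$user    = Get-ADUser -Identity $UserName -Properties LogonWorkstations
$allowed = @()
if ($user.LogonWorkstations) {
    $allowed = $user.LogonWorkstations -split ',' | ForEach-Object { $_.Trim() }
}

if (-not $allowed) {
    "$UserName has no Log On To restriction (LogonWorkstations is empty)."
} elseif ($allowed -contains $ClientName) {
    "$ClientName is listed for $UserName."
} else {
    "$ClientName is NOT listed for $UserName (allowed: $($allowed -join ', '))."
}

# NLA enforcement per host: UserAuthentication = 1 on the RDP-Tcp listener means
# the host requires NLA (the GPO from the question sets this value); 0 means it does not.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
foreach ($h in $Hosts) {
    $ua = Invoke-Command -ComputerName $h -ScriptBlock {
        param($key)
        (Get-ItemProperty -Path $key -Name UserAuthentication).UserAuthentication
    } -ArgumentList $rdpKey
    '{0}: NLA {1}' -f $h, $(if ($ua -eq 1) { 'required' } else { 'NOT required' })
}

# On each host, Security event 4624 records the Workstation Name the client
# presented during logon; this is the name to compare with the Log On To list.
# Property indices follow the 4624 event-data order: 5 = TargetUserName,
# 8 = LogonType, 11 = WorkstationName, 18 = IpAddress.
foreach ($h in $Hosts) {
    Invoke-Command -ComputerName $h -ScriptBlock {
        param($u)
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500 |
            Where-Object { $_.Properties[5].Value -eq $u } |
            Select-Object TimeCreated,
                @{ n = 'LogonType';   e = { $_.Properties[8].Value } },
                @{ n = 'Workstation'; e = { $_.Properties[11].Value } },
                @{ n = 'SourceIP';    e = { $_.Properties[18].Value } }
    } -ArgumentList $UserName
}
```

If the Workstation column for the thin client's sessions is blank or differs from the name you put in "Log On To", that mismatch is the first thing to investigate; if `UserAuthentication` reports 0 on a host, the GPO is not being applied there despite what the console shows.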

1 answer

  1. Limitless Technology 45,226 Reputation points
    2023-05-04T15:31:48.6033333+00:00

    Hello there,

    Did you make an inbound/outbound rule or any specific exceptions in your GPO?

    Usually, this behaviour might occur if the TLS 1.0, 1.1, or 1.2 (server) protocols are disabled, the VM was set up to disable logging on by using domain credentials, or the Local Security Authority (LSA) is set up incorrectly.

    You can have a quick configuration check here: Configure Network Level Authentication for Remote Desktop Services Connections

    https://social.technet.microsoft.com/wiki/contents/articles/5490.configure-network-level-authentication-for-remote-desktop-services-connections.aspx

    Hope this resolves your query!

    --If the reply is helpful, please Upvote and Accept it as an answer–
