Will Sysinternals consider adding the capability to disable NLA authentication on a per server basis?
The mstsc client supports this with the RDP file option enablecredsspsupport:i:0.
While I recognize that the NLA model is the recommended model to avoid denial of service (resource consumption), there are scenarios where Credential Providers are used to provide MFA or alternate authentication mechanisms.
This creates a problem, because if the server is set to SecurityLayer = 1 or SecurityLayer = 2, there is no mechanism by which an RDP client with CredSSP support enabled can pass the local prompt to get the Credential Provider driven authentication.
That means one must use SecurityLayer = 0, which is the legacy RDP protocol and doesn't provide a way to verify the server (SecurityLayer = 2 with CredSSP disabled still allows TLS authentication of the server).
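For administrators who already distribute .rdp files with the option mentioned in the question, this added example (not part of the original post and not Sysinternals code) parses .rdp content and reports which files disable CredSSP and whether TLS server authentication is still enforced. Assumptions: the `authentication level` setting is a documented mstsc option that does not appear in the post, the finding names and the rule that only level 1 counts as enforced are choices made for this example, and the sample files and host names are constructed.

```python
import codecs

def parse_rdp(data: bytes) -> dict:
    """Parse .rdp content (one name:type:value per line) into {name: value}."""
    # mstsc commonly saves .rdp files as UTF-16 with a BOM; accept UTF-8 too.
    if data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        text = data.decode("utf-16")
    else:
        text = data.decode("utf-8-sig")
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)  # the value itself may contain ':'
        if len(parts) != 3:
            continue  # blank or malformed line
        name, typ, value = parts
        if typ == "i":
            try:
                value = int(value)
            except ValueError:
                continue  # integer setting with a non-numeric value
        settings[name.strip().lower()] = value
    return settings

def audit(settings: dict) -> list:
    """Return findings for a parsed .rdp file (finding names are this example's own)."""
    findings = []
    credssp = settings.get("enablecredsspsupport", 1)     # absent: CredSSP stays on
    auth_level = settings.get("authentication level", 3)  # absent: no requirement set
    if credssp == 0:
        findings.append("credssp-disabled")
        # Without CredSSP the TLS certificate is the only check on the server.
        # Level 1 refuses the connection when that check fails; 0, 2 and 3 do not.
        if auth_level != 1:
            findings.append("server-auth-not-enforced")
    return findings

# Constructed sample files (not taken from the post).
SAMPLE_UTF16 = codecs.BOM_UTF16_LE + (
    "full address:s:jump01.example.test:3389\r\n"
    "enablecredsspsupport:i:0\r\n"
    "authentication level:i:2\r\n"
).encode("utf-16-le")
SAMPLE_STRICT = (b"full address:s:jump02.example.test\r\n"
                 b"enablecredsspsupport:i:0\r\nauthentication level:i:1\r\n")
SAMPLE_DEFAULT = b"full address:s:app01.example.test\r\n"

if __name__ == "__main__":
    for label, raw in [("utf16", SAMPLE_UTF16), ("strict", SAMPLE_STRICT),
                       ("default", SAMPLE_DEFAULT)]:
        print(label, audit(parse_rdp(raw)))
```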