Disabling RDP Network Level Authentication (NLA) remotely via the registry


So I logged into a server that was set up by another administrator, using RDP, to configure some software. For whatever reason it is requesting a reboot, so I let it reboot before I start my work. After the server comes back up I attempt to connect and get a “The connection cannot continue because the identity of the remote computer cannot be verified” error.

From experience I knew this means that Network Level Authentication (NLA) is enabled. NLA is a nice security feature if you have an internal Certificate Authority and time to configure auto-enrollment, but most smaller organizations opt for the “less secure” option. Since I have no console-level access I’d have to wait for an onsite technician to change it to allow for “less secure” connectivity.

But I can remote into another server on the same local network and connect to the registry. A quick Google search failed to identify the key/value to change, so I did some digging and testing and found it.

To disable NLA remotely:

  1. Open regedit on another computer on the same network.
  2. Under the File menu click “Connect Network Registry…”
  3. Enter your computer name and click OK. If this fails to connect you may be out of luck.
  4. Scroll down in the left pane to find the newly added server. Navigate to this key:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
  5. Find the value “SecurityLayer” and change the data to 0 (that is a zero).
  6. Voila, I was able to remote in without issue.
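As an added example that is not part of the original post: a PowerShell script that reads the same RDP-Tcp values over the Remote Registry service that regedit’s “Connect Network Registry…” uses, flags hosts where they sit at the weak setting, and can write the hardened values back once the maintenance window is over. SERVER01 is a constructed host name; the script assumes the Remote Registry service is reachable on the targets and that you hold administrative rights there.

```powershell
# Added example, not from the original post. Audits (and optionally hardens)
# the RDP-Tcp WinStation values discussed in the post and its comments.
# Assumes Remote Registry is reachable and you are an admin on each target.
param(
    [string[]]$Targets = @('SERVER01'),   # constructed sample host name
    [switch]$Harden                       # write TLS + NLA back after maintenance
)

$KeyPath = 'SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Documented meanings of SecurityLayer; UserAuthentication 1 = NLA required.
$SecurityLayerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'TLS (SSL)' }

foreach ($Target in $Targets) {
    try {
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Target)
        # Open writable only when we intend to change something.
        $key  = $base.OpenSubKey($KeyPath, $Harden.IsPresent)
        if (-not $key) { Write-Warning "${Target}: RDP-Tcp key not found"; $base.Close(); continue }

        $secLayer = $key.GetValue('SecurityLayer')
        $nla      = $key.GetValue('UserAuthentication')

        # A missing value is reported as such rather than silently treated as 0.
        $layerText = if ($null -eq $secLayer) { 'not set' }
                     else { "$secLayer ($($SecurityLayerNames[[int]$secLayer]))" }

        [pscustomobject]@{
            Host          = $Target
            SecurityLayer = $layerText
            NLAEnabled    = ($null -ne $nla -and [int]$nla -eq 1)
            # Weak = the post's SecurityLayer=0 or the comment's UserAuthentication=0.
            Weak          = (($null -ne $secLayer -and [int]$secLayer -eq 0) -or
                             ($null -ne $nla -and [int]$nla -eq 0))
        }

        if ($Harden) {
            # Corrected setting: TLS security layer and NLA required.
            $key.SetValue('SecurityLayer', 2, [Microsoft.Win32.RegistryValueKind]::DWord)
            $key.SetValue('UserAuthentication', 1, [Microsoft.Win32.RegistryValueKind]::DWord)
            Write-Host "${Target}: SecurityLayer=2 and UserAuthentication=1 written; applies to new connections"
        }
        $key.Close(); $base.Close()
    }
    catch {
        Write-Warning "${Target}: $($_.Exception.Message)"
    }
}
```

Run it without `-Harden` first to get a table of which hosts are at the weak setting; the `Weak` column is what a periodic audit should alert on.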

18 thoughts on “Disabling RDP Network Level Authentication (NLA) remotely via the registry”

  1. I tried this but was getting the error “could not connect because NLA is enabled”; I searched a bit more and found that if you change UserAuthentication = 0 in the same key, that fixes this error.

    1. Not working on a Windows 7 machine that has Group Policies applied. Could it be that this is more restrictive and modifications to the Windows registry are not applied? Thanks.

  2. The above error is because SSL encryption is enabled, and there could be an error with the certificates on one of the sides, so the identity could not be verified. The NLA setting relates to the UserAuthentication key and has nothing to do with the SecurityLayer 🙂

    1. You are correct that the error is caused by problems with the certificates, but most small to midsize businesses don’t have an internal CA, so the client side certificate frequently doesn’t exist. As I say in the post, “NLA is a nice security feature if you have an internal Certificate Authority and time to configure auto-enrollment, but most smaller organization opt for the ‘less secure’ option.”

  3. I have two Windows 10 Insider Preview VMs. Although neither VM’s control panel showed NLA enabled, one VM would only allow me to connect with NLA (fortunately I was able to do this by piggy-backing through the other VM). Resetting this registry key fixed the issue. Thanks!
