Disabling RDP Network Level Authentication (NLA) remotely via the registry


So I logged into a server that had been set up by another administrator, using RDP to configure some software.  For whatever reason it requested a reboot, so I let it reboot before starting my work.  After the server came back up I attempted to connect and got a “The connection cannot continue because the identity of the remote computer cannot be verified” error.

From experience I knew this means that Network Level Authentication (NLA) is enabled.  NLA is a nice security feature if you have an internal Certificate Authority and time to configure auto-enrollment, but most smaller organizations opt for the “less secure” option.  Since I had no console-level access I would have had to wait for an onsite technician to change it to allow the “less secure” connectivity.

But I could remote into another server on the same local network and connect to the registry.  A quick Google search failed to identify the key/value to change, so I did some digging and testing and found it.

To disable NLA remotely:

  1. Open regedit on another computer on the same network.
  2. Under the File menu click “Connect Network Registry…”
  3. Enter your computer name and click Ok.  If this fails to connect you may be out of luck.
  4. Scroll down in the left pane to find the newly added server. Navigate to this key:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
  5. Find the value “SecurityLayer” and change the data to 0 (that is a zero).
  6. Voila, I was able to remote in without issue.
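The walkthrough above changes the setting by hand in regedit. The script below is an added example, not part of the original post, that does the reverse job a defender usually needs: it reads the same RDP-Tcp key over the network on a list of hosts and reports any machine where SecurityLayer has been dropped to 0 or where UserAuthentication (the value several commenters below also had to change) is 0, i.e. NLA is off. It uses the .NET OpenRemoteBaseKey API, which is what “Connect Network Registry…” uses underneath, so it assumes the same conditions as the post: the Remote Registry service is running on each target and you are a local administrator there. The host names in the usage line are placeholders, and the script reads only the listener key, so a Group Policy override of the kind commenters report would not show up here.

```powershell
# Added example, not from the original post: audit (rather than change) the
# RDP listener settings on remote hosts via the Remote Registry service.
# Assumptions: Remote Registry is running on each target and the caller is a
# local administrator there. Host names in the usage line are placeholders.

function Get-RdpListenerSecurity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$ComputerName
    )
    begin {
        # Key from the post; both values of interest live under it.
        $subKey = 'SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
        # Documented meanings of SecurityLayer for the RDP-Tcp listener.
        $layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'TLS' }
    }
    process {
        foreach ($name in $ComputerName) {
            $result = [ordered]@{
                ComputerName       = $name
                SecurityLayer      = $null
                SecurityLayerName  = $null
                UserAuthentication = $null
                NlaRequired        = $null
                Findings           = @()
                Error              = $null
            }
            try {
                $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $name)
                $key = $hklm.OpenSubKey($subKey)
                if ($null -eq $key) { throw "Key '$subKey' not found" }

                $layer = $key.GetValue('SecurityLayer')
                $nla   = $key.GetValue('UserAuthentication')

                $result.SecurityLayer      = $layer
                $result.SecurityLayerName  = if ($null -ne $layer -and $layerNames.ContainsKey([int]$layer)) {
                                                 $layerNames[[int]$layer] } else { 'unknown' }
                $result.UserAuthentication = $nla
                $result.NlaRequired        = ($nla -eq 1)

                # SecurityLayer = 0 is the change the post makes: the listener no
                # longer requires TLS and falls back to the legacy RDP security layer.
                if ($layer -eq 0) {
                    $result.Findings += 'SecurityLayer=0: TLS not required on listener'
                }
                # UserAuthentication = 0 is the change commenters needed: NLA is off,
                # so the user is not authenticated before the session is set up.
                if ($nla -eq 0) {
                    $result.Findings += 'UserAuthentication=0: NLA disabled'
                }
                $key.Close()
                $hklm.Close()
            }
            catch {
                # Typical causes: Remote Registry stopped, firewall, or no admin rights.
                $result.Error = $_.Exception.Message
            }
            [pscustomobject]$result
        }
    }
}

# Usage (placeholder host names): show only hosts with a weakened listener
# or that could not be checked at all.
'SERVER01', 'SERVER02' |
    Get-RdpListenerSecurity |
    Where-Object { $_.Findings.Count -gt 0 -or $_.Error } |
    Format-Table ComputerName, SecurityLayerName, NlaRequired,
        @{ n = 'Findings'; e = { $_.Findings -join '; ' } }, Error -AutoSize
```

Running it without the final Where-Object gives the full inventory, which is useful as a baseline: a host that later appears with SecurityLayer=0 or UserAuthentication=0 is one where someone applied the change from this post, and the objects it emits can be exported with Export-Csv for comparison over time.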
16 comments so far

  1. Jesse on

    I tried this but was getting the error “could not connect because NLA is enabled”; I searched a bit more and found that if you change UserAuthentication = 0 in the same key, that fixes this error.

    • am_7riel on

      Yes, it worked!!!!

    • v0o0gu3 on

      Not working on a Windows 7 SP1 machine that uses GPO policies. Maybe the GPO is more restrictive than the Windows registry?

    • v0o0gu3 on

      Not working on a Windows 7 machine that has Group Policies applied. Could these be more restrictive, so that modifications to the Windows registry are not applied? Thanks.

      • Marquis Calmes on

        I believe I originally did this on a Windows 7 machine and other users have confirmed it worked on Windows 10. Could it be that the GPOs are forcing the setting?

    • Carlos on

      It worked for me too. Thanks a lot from Spain. I was stuck with this issue.

  2. Coon on

    Works great. I also had to change UserAuthentication.

    Thanks

  3. BobS on

    Brilliant!

  4. Manuel on

    The above error is because SSL encryption is enabled and there could be an error with the certificates on one of the sides, so the identity could not be verified. The NLA setting relates to the UserAuthentication key and has nothing to do with SecurityLayer 🙂

    • Marquis Calmes on

      You are correct that the error is caused by problems with the certificates, but most small to midsize businesses don’t have an internal CA, so the client-side certificate frequently doesn’t exist. As I say in the post: “NLA is a nice security feature if you have an internal Certificate Authority and time to configure auto-enrollment, but most smaller organizations opt for the ‘less secure’ option.”

  5. Neil Rashbrook on

    I have two Windows 10 Insider Preview VMs. Although neither VM’s control panel showed NLA enabled, one VM would only allow me to connect with NLA (fortunately I was able to do this by piggy-backing through the other VM). Resetting this registry key fixed the issue. Thanks!

  6. […] Disabling RDP Network Level Authentication (NLA) remotely … – I have two Windows 10 Insider Preview VMs. Although neither VM’s control panel showed NLA enabled, one VM would only allow me to connect with NLA (fortunately … […]

  7. Zandonaide Torres on

    It worked, thank you very much.

  8. mavericksevmont on

    Do I need a reboot after performing this modification in the registry? Asking because with prod servers it needs to be considered. Thanks!

    • mavericksevmont on

      …I just realized it doesn’t, thanks! 😛

      • mavericksevmont on

        For the record, it seems I needed a reboot in 1 out of 3 machines, beats me why, but it works.
