So I logged into a server that was setup by another administrator using RDP to configure some software. For whatever reason it is requesting a reboot, so I let it reboot before I start my work. After the server comes back up I attempt to connect and get a “The connection cannot continue because the identity of the remote computer cannot be verified” error.
From experience I knew this means that Network Level Authentication (NLA) is enabled. NLA is a nice security feature if you have an internal Certificate Authority and time to configure auto-enrollment, but most smaller organization opt for the “less secure” option. Since I have no console level access I’d have to wait for an onsite technician to change it to allow for “less secure” connectivity.
But I can remote into another server on the same local network and connect to the registry. A quick google search failed to identify the key/value to change so I did some digging and testing and found it.
To disable NLA remotely:
- Open regedit on another computer on the same network.
- Under the File menu click “Connect Network Registry…”
- Enter your computer name and click Ok. If this fails to connect you may be out of luck.
- Scroll down in the left pane to find the newly added server. Navigate to this Key:
- Find the value “SecurityLayer” and change the data to 0 (that is a zero).
- Voila, I was able to remote in without issue.
20 thoughts on “Disabling RDP Network Level Authentication (NLA) remotely via the registry”
I tried this but was getting the error could not connect because NLA is enabled, searched a bit more and found if you change UserAuthentication = 0 in the same key that fixes this error.
yes it is worked!!!!
Not working on a Windows 7 SP1 machines that uses GPOs policies. Maybe the GPO is more restrictive than Windows registry?
Not working on a Windows 7 machine that has Group Policies applied. Could be this more restrictive and modifications on Windows registry are not applied? Thanks.
I believe I originally did this on a Windows 7 machine and other users have confirmed it worked on Windows 10. Could it be that the GPOs are forcing the setting?
It worked for me too. Thanks a lot from Spain. I was stuck with this issue.
Works great I also had to change UserAuthentication.
the above error is because of ssl encryption enabled and there could be an error with the certificates on one of the sides so the identity could not be verified. The NLA Setting regards to the UserAuthentication key and has nothing to do with the SecurityLayer 🙂
You are correct that the error is caused by problems with the certificates, but most small to midsize businesses don’t have an internal CA so the client side certificate frequently doesn’t exist. As I say in the post ” NLA is a nice security feature if you have an internal Certificate Authority and time to configure auto-enrollment, but most smaller organization opt for the “less secure” option.”
I have two Windows 10 Insider Preview VMs. Although neither VM’s control panel showed NLA enabled, one VM would only allow me to connect with NLA (fortunately I was able to do this by piggy-backing through the other VM). Resetting this registry key fixed the issue. Thanks!
It worked, thank you very much.
Do I need a reboot after performing this modification in the registry? Asking because with prod servers it needs to be considered, Thanks!
…I just realized it doesn’t, thanks! 😛
For the record, it seems I needed a reboot in 1 out of 3 machines, beats me why, but it works.
Worked for my server!! Thanks.
You can change the value UserAuthentication to 0 (zero) and you will be able to login.
It works with windows server 2016 with
thanks . it worked
windows 7 sp1
windows 10 2004
it happend after rejoining to domain