MyAccess RDP Relay does not work if Network Level Authentication (NLA) is enabled

  • 7020137
  • 31-May-2017
  • 25-Feb-2019

Environment

Privileged Account Manager

Situation

Unable to connect through the RDP relay; the connection does not work.
The connection may have stopped working after an Active Directory (AD) domain update.
Attempting to connect via a MyAccess RDP Relay connection prompts the following error:
The remote computer requires Network Level Authentication, which your computer does not support. For assistance, contact your system administrator or technical support.

Resolution

The Windows setting to require Network Level Authentication (NLA) must be disabled for the relay session to work. To disable Network Level Authentication (NLA) for a connection, please see the steps below:

  1. On the Remote Desktop Session Host server, open the System Properties > Remote tab:
    • From the Control Panel, select the System and Security category > System.
    • Select Remote Settings on the left.

  2. On the Remote tab, uncheck the Allow connections only from computers running Remote Desktop with Network Level Authentication check box and select OK.

Alternatively, another option in PAM is to leverage the Application SSO (AppSSO) feature with one of the following approaches:
  • (RemoteApp Mode) The AppSSO server would need NLA disabled, but NLA can be enabled for all the targets.
  • (Direct Mode) NLA can be enabled for all the servers.
Note: For more details, please refer to the documentation.

Cause

At the time of writing, NLA requires credentials to be entered on the client side. This step cannot be automated because it is currently outside of PAM control.

Status

Reported to Engineering

Additional Information

It is also possible to manage this configuration via Group Policy through the following GPO:
Computer Configuration | Policies | Administrative Templates | Windows Components | Remote Desktop Services | Remote Desktop Session Host | Security | Require User Authentication For Remote Connections By Using Network Level Authentication.
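
The Resolution steps and the Group Policy setting above control the same NLA requirement, and a GPO value overrides the local check box. The PowerShell script below is an added example, not part of the original article or of PAM. It is assumed to run elevated on the Remote Desktop Session Host; it reports whether NLA is required and whether Group Policy controls it, and it turns the local requirement off only when the -Disable switch is passed. The function name Get-NlaValue and the -Disable switch are hypothetical names chosen for this example.

```powershell
# Added example: audit the effective NLA setting and optionally disable it locally.
# Assumption: run from an elevated PowerShell session on the RD Session Host.
param([switch]$Disable)

# Value written by the GPO "Require user authentication for remote connections by using NLA"
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
# Value behind the check box on System Properties > Remote
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-NlaValue([string]$Path) {
    # Returns the UserAuthentication DWORD (1 = NLA required), or $null when absent.
    $item = Get-ItemProperty -Path $Path -Name UserAuthentication -ErrorAction SilentlyContinue
    if ($null -ne $item) { [int]$item.UserAuthentication } else { $null }
}

$policy = Get-NlaValue $policyKey
$local  = Get-NlaValue $localKey
# A value set by Group Policy takes precedence over the local setting.
$effective = if ($null -ne $policy) { $policy } else { $local }

[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    PolicyValue  = $policy
    LocalValue   = $local
    NlaRequired  = ($effective -eq 1)
    ManagedByGpo = ($null -ne $policy)
}

if ($Disable) {
    if ($null -ne $policy) {
        # A local change would not take effect while the policy value is set.
        Write-Warning 'NLA is set by Group Policy; change the GPO instead of the local setting.'
        return
    }
    # Same effect as clearing the check box on the Remote tab.
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired `
        -Arguments @{ UserAuthenticationRequired = [uint32]0 } | Out-Null
    "Local UserAuthentication value is now: $(Get-NlaValue $localKey)"
}
```

Running the script without -Disable changes nothing, so it can be used on the relay targets to record which hosts have NLA turned off and whether the setting comes from a GPO.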