The Remote Desktop connection settings for Windows Server 2008, and I believe Windows Vista, include 3 levels of service:

  • Don’t allow connections to this computer
  • Allow connections from computers running any version of Remote Desktop (less secure)
  • Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)

At first blush, you would probably choose the “more secure” option. Practically, this mainly means that it only allows connections from the latest Remote Desktop software in Windows Vista. It is probably another attempt by Microsoft to force consumers and businesses into upgrading to Windows Vista. But… I digress.

When connecting with an older Terminal Services (TS) client in XP or even Vista, you will get this message:

“Remote computer requires Network Level Authentication, which your computer doesn’t support”

Not all is lost. There are two ways around this. The first and most obvious solution is to select the less secure option and disable Network Level Authentication (NLA). If you are in an environment that does not allow this change, or there are other circumstances where you need to keep Network Level Authentication enabled, you can still get a Remote Desktop connection from Windows XP.

The first step is to download the latest Remote Desktop Client for Windows XP. As of the writing of this article, the latest version is 6.1.

For XP SP3: here

For XP SP2: here

That is not all. For XP, you also need to enable CredSSP – Credential Security Service Provider.

CredSSP is a new Security Service Provider (SSP) that is available in Windows XP SP3 by using the Security Service Provider Interface (SSPI). CredSSP enables a program to use client-side SSP to delegate user credentials from the client computer to the target server.

Directions on how to do this are available from Microsoft here:

http://support.microsoft.com/kb/951608/

The quick and dirty summary:

  1. Click Start, click Run, type regedit, and then press ENTER.
  2. In the navigation pane, locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  3. In the details pane, right-click Security Packages, and then click Modify.
  4. In the Value data box, type tspkg. Leave any data that is specific to other SSPs, and then click OK.
  5. In the navigation pane, locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
  6. In the details pane, right-click SecurityProviders, and then click Modify.
  7. In the Value data box, type credssp.dll. Leave any data that is specific to other SSPs, and then click OK.
  8. Exit Registry Editor.
  9. Restart the computer.
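
Steps 2 through 7 as a script, for cases where the change has to be repeated on several clients. This is an added example, not code from the original post or from Microsoft's KB article. It assumes PowerShell is installed on the XP SP3 client and is run with administrator rights; the function names are illustrative. It appends to the existing values instead of overwriting them, which is the "leave any data that is specific to other SSPs" instruction in steps 4 and 7, and it makes no change if the entries are already present.

```powershell
# Added example: applies steps 2-7 above by appending, never overwriting.
# Assumes PowerShell on the XP SP3 client and an administrator session.
$lsaKey  = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'
$provKey = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders'
$multiSz = [Microsoft.Win32.RegistryValueKind]::MultiString
$sz      = [Microsoft.Win32.RegistryValueKind]::String

function Add-SecurityPackage([string]$Package) {
    # "Security Packages" is a REG_MULTI_SZ value: one SSP name per string.
    $raw = [Microsoft.Win32.Registry]::GetValue($lsaKey, 'Security Packages', $null)
    $current = @($raw | Where-Object { $_ })            # drop null/empty entries
    if ($current -contains $Package) { return $false }  # case-insensitive match
    [string[]]$updated = $current + $Package
    [Microsoft.Win32.Registry]::SetValue($lsaKey, 'Security Packages', $updated, $multiSz)
    return $true
}

function Add-SecurityProvider([string]$Dll) {
    # "SecurityProviders" is a REG_SZ value: comma-separated DLL names.
    $raw = [string][Microsoft.Win32.Registry]::GetValue($provKey, 'SecurityProviders', '')
    $current = @($raw.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($current -contains $Dll) { return $false }
    $updated = [string]::Join(', ', [string[]]($current + $Dll))
    [Microsoft.Win32.Registry]::SetValue($provKey, 'SecurityProviders', $updated, $sz)
    return $true
}

$pkgChanged  = Add-SecurityPackage  'tspkg'        # step 4
$provChanged = Add-SecurityProvider 'credssp.dll'  # step 7

# Show the resulting values so the change can be verified before rebooting.
'Security Packages : ' + [string]::Join(', ', [string[]]@([Microsoft.Win32.Registry]::GetValue($lsaKey, 'Security Packages', @())))
'SecurityProviders : ' + [Microsoft.Win32.Registry]::GetValue($provKey, 'SecurityProviders', '')

if ($pkgChanged -or $provChanged) {
    'Registry updated. Restart the computer for CredSSP to take effect (step 9).'
} else {
    'tspkg and credssp.dll were already listed; no changes made.'
}
```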

For more information on CredSSP including how to deploy this setting using Group Policy, see the CredSSP page here.

Let me know if you have any other tips or a simpler way to connect to the more secure version of Remote Desktop.

3 comments
  1. Pingback: Dave Drager
  2. But what about Windows XP SP2? Is there anything that can be done to connect to Windows 2008 (with network level authentication) without having to upgrade to SP3?
