If you are trying to connect to a computer remotely but an error message keeps appearing, you might not be able to connect to that remote computer. Although this error message should not normally appear, Windows shows this warning when the required authentication is not met. When you connect to a computer remotely, your host computer must have the correct permission, or the remote PC must have the correct settings. Otherwise, you will keep running into this problem. Sometimes, you might get the “The remote computer requires Network Level Authentication (NLA)” error message after restoring the PC using a system restore point.
At least one article suggests restarting the NLA service. That doesn’t work because the Network List Service depends on the NLA service, and the Network List Service, for some reason, can’t be stopped. The only sure way that I have found to force the NLA service to re-detect the domain is to stop and restart the network adapter.
- Solution 1: Disabling NLA using Properties. Network Level Authentication is good. It provides extra security and helps you, as a network administrator, control who can log into which system by just checking one single box. If you choose this, make sure that your RDP client has been updated and the target is domain authenticated.
- Microsoft, however, dismissed the RDP bug as a feature, saying, "After investigating this scenario, we have determined that this behavior does not meet the Microsoft Security Servicing Criteria for Windows. What you are observing is Windows Server 2019 honoring Network Level Authentication (NLA)."
- As clearly stated on the original post, NLA is supported according to this: I've already read 10 different versions of what you linked to. Their scenarios don't apply to my issue, NLA is supported on all systems, problem systems and non problem systems alike.
The exact error message looks like this:
The remote computer requires Network Level Authentication, which your computer does not support. For assistance, contact your system administrator or technical support.
However, many people have got another error message, which is caused by the same thing. The other error message is:
The remote computer that you are trying to connect to requires network level authentication (NLA), but your windows domain controller cannot be contacted to perform NLA. If you are an administrator on the remote computer, you can disable NLA by using the options on the remote tab of the System Properties dialog box.
No matter what remote desktop tool you are using, you will keep getting a similar error message until you make the mandatory changes.
To fix the “The remote computer requires Network Level Authentication” issue on Windows 10/8/7, follow these solutions:
- Tweak Remote Desktop security settings
- Disable NLA using Group Policy Editor
- Disable Network Level Authentication using Registry Editor
- Turn off NLA using PowerShell
In a nutshell, you need to disable the Network Level Authentication or loosen up the settings so that the remote computer can connect to the host machine without any error.
Solution #1: Tweak Remote Desktop security settings
By default, your Windows machine allows connections only from computers that support Network Level Authentication. This built-in security function lets you block unwanted connections when you have a large local area network and your computer is open for sharing. You can change the network location from public to private and vice versa as per your requirement. However, the same setting can cause the issue mentioned earlier. Therefore, you can try to disable this option and check whether the problem remains. Follow these steps to allow connections without NLA.
- Open This PC on your computer.
- Right-click on empty space and select Properties.
- On your right-hand side, you should find an option called Advanced system settings. You need to click on this option.
- Switch from the Advanced tab to the Remote tab.
- Alternatively, you can press Win + R, type sysdm.cpl and hit the Enter button.
- Make sure the Allow remote connections to this computer option is selected. If not, choose this option and remove the tick from the checkbox called Allow connections only from computers running Remote Desktop with Network Level Authentication.
- Click the Apply and OK buttons to save your change.
After that, try to connect to the remote computer.
Solution #2: Disable NLA using Group Policy Editor
You can disable Network Level Authentication with the help of Group Policy Editor. This is much more user-friendly, and you do not need any expert knowledge to get it done. The only drawback is that Local Group Policy Editor is not available on the Windows 10 Home version. Even if you sideload Group Policy Editor, you might not get the same option in that third-party app. Therefore, this method is applicable to Windows 10 Pro and Enterprise users only.
- Open Local Group Policy Editor. You can search for it in the Taskbar search box. Or you can enter gpedit.msc in the Run prompt.
- After opening it, navigate to this path-
- On your right-hand side, you should find a setting named Require user authentication for remote connections by using Network Level Authentication. Double-click on this setting to open the Properties.
- Make sure Disabled is selected. If not, choose that option and click the OK button to save your change.
Solution #3: Disable Network Level Authentication using Registry Editor
Network Level Authentication can be disabled via Registry Editor as well. However, you need to do that on the remote computer. This is quite easy when your host computer is connected to the remote computer via Local Area Network. If your Windows Registry Editor has been disabled accidentally or by the system administrator, first enable it. The advantage of this method is that Registry Editor is available on any version of Windows 10/8/7.
- Open Registry Editor. You can either search for it in the Taskbar search box, or you can enter regedit in the Run prompt.
- Go to File > Connect Network Registry.
- Enter the name of the remote computer and click the Check Names button. You should find the remote computer’s Registry Editor on your host computer.
- After opening Registry Editor of the remote computer, navigate to this path-
- Here you can find two values, SecurityLayer and UserAuthentication. Open them one after another and set each value to zero (0).
- After that, open PowerShell and enter this command-
After that, check if you can connect to the remote computer via Remote Desktop.
Solution #4: Turn off NLA using PowerShell
To turn off or disable Network Level Authentication with the help of Windows PowerShell, you need the remote computer name. Otherwise, it is not possible to get started with this method. Once you have it, go ahead and follow these steps.
- Open Windows PowerShell with administrator privilege. For that, search for ‘powershell’ in the Cortana search box > right-click on the corresponding result > select Run as administrator.
- Enter the following commands one after another:
Do not forget to replace the remote-computer-name with the actual name.
- Restart the computer.
Final Word
To fix the “The remote computer requires Network Level Authentication” error in Windows 10/8/7, you have to disable or turn off Network Level Authentication (NLA). Otherwise, it is not possible to connect to the remote computer even if both machines are in the same Local Area Network. You can try any of the aforementioned methods to disable NLA. However, if you do not know what you are doing and you want to go through some simple steps, I would recommend that you use the first or second method.
This article can help you troubleshoot authentication errors that occur when you use a Remote Desktop Protocol (RDP) connection to connect to an Azure virtual machine (VM).
Symptoms
You capture a screenshot of an Azure VM that shows the Welcome screen and indicates that the operating system is running. However, when you try to connect to the VM by using Remote Desktop Connection, you receive one of the following error messages:
- An authentication error has occurred. The Local Security Authority cannot be contacted.
- The remote computer that you are trying to connect to requires Network Level Authentication (NLA), but your Windows domain controller cannot be contacted to perform NLA. If you are an administrator on the remote computer, you can disable NLA by using the options on the Remote tab of the System Properties dialog box.
- This computer can't connect to the remote computer. Try connecting again, if the problem continues, contact the owner of the remote computer or your network administrator.
Cause
There are multiple reasons why NLA might block the RDP access to a VM:
- The VM cannot communicate with the domain controller (DC). This problem could prevent an RDP session from accessing a VM by using domain credentials. However, you would still be able to log on by using the Local Administrator credentials. This problem may occur in the following situations:
  - The Active Directory Security Channel between this VM and the DC is broken.
  - The VM has an old copy of the account password and the DC has a newer copy.
  - The DC that this VM is connecting to is unhealthy.
- The encryption level of the VM is higher than the one that’s used by the client computer.
- The TLS 1.0, 1.1, or 1.2 (server) protocols are disabled on the VM.
- The VM was set up to disable logging on by using domain credentials, and the Local Security Authority (LSA) is set up incorrectly.
- The VM was set up to accept only Federal Information Processing Standard (FIPS)-compliant algorithm connections. This is usually done by using Active Directory policy. This is a rare configuration, but FIPS can be enforced for Remote Desktop connections only.
Before you troubleshoot
Create a backup snapshot
To create a backup snapshot, follow the steps in Snapshot a disk.
Connect to the VM remotely
To connect to the VM remotely, use one of the methods in How to use remote tools to troubleshoot Azure VM issues.
Group policy client service
If this is a domain-joined VM, first stop the Group Policy Client service to prevent any Active Directory Policy from overwriting the changes. To do this, run the following command:
After the problem is fixed, restore the ability of this VM to contact the domain to retrieve the latest GPO from the domain. To do this, run the following commands:
If the change is reverted, it means that an Active Directory policy is causing the problem.
Workaround
As a workaround to connect to the VM and resolve the cause, you can temporarily disable NLA. To disable NLA, use the commands below, or use the DisableNLA script in Run Command.
Then, restart the VM, and proceed to the troubleshooting section.
Once you have resolved the issue, re-enable NLA by running the following commands, and then restarting the VM:
Troubleshooting
Troubleshoot Domain-joined VMs
To troubleshoot this problem:
- Check whether the VM can connect to a DC.
- Check the health of the DC.
Note
To test the DC health, you can use another VM that is in the same VNET, subnet, and uses the same logon server.
Connect to the VM that has the problem by using Serial console, remote CMD, or remote PowerShell, according to the steps in the Connect to the VM remotely section.
Determine the DC that the VM is attempting to connect to. Run the following command in the console:
Test the health of the secure channel between the VM and the DC. To do this, run the Test-ComputerSecureChannel command in an elevated PowerShell instance. This command returns True or False indicating whether the secure channel is alive:
If the channel is broken, run the following command to repair it:
Make sure that the computer account password in Active Directory is updated on the VM and the DC:
If the communication between the DC and the VM is good, but the DC is not healthy enough to open an RDP session, you can try to restart the DC.
If the preceding commands did not fix the communication problem to the domain, you can rejoin this VM to the domain. To do this, follow these steps:
Create a script that’s named Unjoin.ps1 by using the following content, and then deploy the script as a Custom Script Extension on the Azure portal:
This script forcibly removes the VM from the domain and restarts the VM 10 seconds later. Then, you need to clean up the Computer object on the domain side.
After the cleanup is done, rejoin this VM to the domain. To do this, create a script that is named JoinDomain.ps1 by using the following content, and then deploy the script as a Custom Script Extension on the Azure portal:
Note
This joins the VM on the domain by using the specified credentials.
If the Active Directory channel is healthy, the computer password is updated, and the domain controller is working as expected, try the following steps.
If the problem persists, check whether the domain credential is disabled. To do this, open an elevated Command Prompt window, and then run the following command to determine whether the VM is set up to disable domain accounts for logging on to the VM:
If the key is set to 1, this means that the server was set up not to allow domain credentials. Change this key to 0.
Troubleshoot standalone VMs
Check MinEncryptionLevel
In a CMD instance, run the following command to query the MinEncryptionLevel registry value:
Based on the registry value, follow these steps:
4 (FIPS): Go to Check FIPs compliant algorithms connections.
3 (128-bit encryption): Set the severity to 2 by running the following command:
2 (Highest encryption possible, as dictated by the client): You can try to set the encryption to the minimum value of 1 by running the following command:
Restart the VM so that the changes to the registry take effect.
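To confirm what state these registry changes leave the RDP listener in, the following added example (not part of the original article or of Microsoft's documentation) interprets the SecurityLayer and UserAuthentication values from Solution #3 together with MinEncryptionLevel. The registry path is the standard Windows RDP-Tcp listener key and is an assumption here, as are the function name and the constructed sample inputs.

```powershell
# Added example. The key path is the standard location of the RDP listener
# settings on Windows; it is an assumption, not quoted from this page.
$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpListenerPosture {
    # Hypothetical helper: interprets the three values discussed on this page.
    param(
        # Hashtable or object carrying UserAuthentication, SecurityLayer and
        # MinEncryptionLevel. When omitted, the local registry is read.
        $Values = (Get-ItemProperty -Path $RdpTcpKey)
    )

    $layerNames = @{ 0 = 'RDP security layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }
    $findings = @()

    if ($null -eq $Values.UserAuthentication) {
        $findings += 'UserAuthentication value is missing'
    } elseif ([int]$Values.UserAuthentication -ne 1) {
        $findings += 'NLA is not required: re-enable it once troubleshooting is done'
    }
    if ($null -ne $Values.SecurityLayer -and [int]$Values.SecurityLayer -eq 0) {
        $findings += 'SecurityLayer 0: native RDP security, server is not authenticated'
    }
    if ($null -ne $Values.MinEncryptionLevel -and [int]$Values.MinEncryptionLevel -lt 2) {
        $findings += 'MinEncryptionLevel 1: minimum setting, raise it again after testing'
    }

    [pscustomobject]@{
        NlaRequired        = ($Values.UserAuthentication -eq 1)
        SecurityLayer      = if ($null -ne $Values.SecurityLayer) {
                                 $layerNames[[int]$Values.SecurityLayer]
                             } else { 'not set' }
        MinEncryptionLevel = $Values.MinEncryptionLevel
        Findings           = $findings
    }
}

# Constructed sample inputs (not read from a real machine).
$afterWorkaround = @{ UserAuthentication = 0; SecurityLayer = 0; MinEncryptionLevel = 1 }
$restored        = @{ UserAuthentication = 1; SecurityLayer = 2; MinEncryptionLevel = 3 }

Get-RdpListenerPosture -Values $afterWorkaround | Format-List
Get-RdpListenerPosture -Values $restored | Format-List
```

Calling `Get-RdpListenerPosture` with no arguments in an elevated session reads the local machine's listener key instead of the sample hashtables.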
TLS version
Depending on the system, RDP uses the TLS 1.0, 1.1, or 1.2 (server) protocol. To query how these protocols are set up on the VM, open a CMD instance, and then run the following commands:
If the returned values are not all 1, this means that the protocol is disabled. To enable these protocols, run the following commands:
For other protocol versions, you can run the following commands:
Note
Get the SSH/TLS version x.x from the Guest OS Logs on the SCHANNEL errors.
Check FIPs compliant algorithms connections
Remote desktop can be enforced to use only FIPs-compliant algorithm connections. This can be set by using a registry key. To do this, open an elevated Command Prompt window, and then query the following keys:
If the command returns 1, change the registry value to 0.
Check which is the current MinEncryptionLevel on the VM:
If the command returns 4, change the registry value to 2.
Restart the VM so that the changes to the registry take effect.