Server security and performance have always been a concern, and they become more relevant every year. For this reason, Microsoft moved from the original server-side authentication model to network-level authentication.

What is the difference between these models?
Previously, when a user connected to Terminal Services, a session was created with the server, and the server loaded a screen in which the user entered credentials. This method consumes server resources before the user has been verified as legitimate, allowing an unauthorized user to exhaust server resources with multiple login requests. A server that cannot process these requests denies service to legitimate users (a DoS attack).


Network-Level Authentication (NLA) forces the user to enter credentials in a client-side dialog box. By default, if the client cannot perform the network-level authentication check, the server will not allow the connection. NLA requires the client computer to provide its authentication credentials before a session is created with the server. This process is also called front-end authentication.



NLA was introduced in RDP 6.0 and was initially supported in Windows Vista. Starting with RDP 6.1, it is supported by servers running Windows Server 2008 and later, and client support is provided by Windows XP SP3 (you need to enable the new security provider in the registry) and later. The method uses the CredSSP (Credential Security Support Provider) security provider. If you use a remote desktop client for another operating system, you need to find out whether it supports NLA.


Advantages of NLA:
  • Does not require significant server resources.
  • Additional level for protection against DoS attacks.
  • Speeds up the mediation process between client and server.
  • Allows you to extend the NT "single login" technology to work with a terminal server.
Disadvantages of NLA:
  • Other security providers are not supported.
  • Not supported by client versions lower than Windows XP SP3 and server versions lower than Windows Server 2008.
  • Requires manual registry configuration on each Windows XP SP3 client.
  • Like any “single login” scheme, it is vulnerable to the theft of “the keys to the entire fortress.”
  • There is no option to use the "Require password change at next login" feature.

If you are using Windows XP when connecting to the server, you may receive the error: “Remote computer requires network level authentication, which this computer does not support”.

This error occurs because Windows XP did not initially implement network-level authentication. The developers implemented this capability in subsequent operating systems. Later, update KB951608 was also released, which corrected this error and allowed Windows XP to use network-level authentication.

In order for you to be able to connect to a remote desktop server from your computer running Windows XP, you need to install Service Pack 3 (SP3), and then do the following:

On the official Microsoft website, download the automatic fix file from the Russian page https://support.microsoft.com/ru-ru/kb/951608. Scroll down the page and click the “Download” button in the “Help in solving the problem” section.

An English page is also available at https://support.microsoft.com/en-us/kb/951608, where you can download this file by clicking the “Download” button in the “How to turn on CredSSP” section.

After the download is complete, run the file. A program window will open. In the first step, check the “I Accept” box. In the second step, click the “Next” button.

Once the installation is complete, you will see the following window with the notification “This Microsoft Fix it has been processed.” All you have to do is click “Close.”

After you click the “Close” button, the program will tell you that you need to restart your computer for the changes to take effect. Click “Yes” to restart.

Solve the problem yourself without downloading a file

If you have administrative skills, you can make changes to your computer's registry manually without having to download a patch file.

Click Start, select Run, type regedit and press Enter.

Open the registry editor.

Branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Open the Security Packages parameter and look for the word tspkg there. If it is not there, add it to the existing parameters.

Branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders

Open the SecurityProviders parameter and add credssp.dll to the existing providers if it is missing.

Close the registry editor.

Now you need to reboot. If this is not done, the computer will ask us for a username and password, but instead of the remote desktop it will respond with the following:

That's all.

Windows 2008 server administrators may encounter the following problem:

Connecting via RDP to your favorite server from a Windows XP SP3 workstation fails with the following error:

Remote Desktop is disabled.

The remote computer requires network-level authentication that the computer does not support. For assistance, contact your system administrator or technical support.

And although the promising Win7 threatens to eventually replace its grandmother WinXP, the problem will remain relevant for another year or two.

Here's what you need to do to enable network-level authentication:

Open the registry editor.

Branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Open the Security Packages parameter and look for the word tspkg there. If it is not there, add it to the existing parameters.

Branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders

Open the SecurityProviders parameter and add credssp.dll to the existing providers if it is missing.

Close the registry editor.

Now you need to reboot. If this is not done, then when we try to connect, the computer will ask us for a username and password, but instead of the remote desktop it will respond with the following:

Remote Desktop Connection

Authentication error (code 0x507)

That's all.
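
The manual registry steps above, written as an idempotent Python script. This is an added example, not code from the original article or from Microsoft's fix. The function names and the `--apply` switch are assumptions, and the sample values are constructed. It appends `tspkg` and `credssp.dll` to the existing entries instead of overwriting them, and leaves a value untouched when the entry is already present.

```python
"""Idempotent merge of the two CredSSP values (added example; names are assumptions)."""
import sys

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
PROV_KEY = r"SYSTEM\CurrentControlSet\Control\SecurityProviders"

def merge_multi_sz(packages, wanted="tspkg"):
    """Security Packages is a multi-string value: append `wanted` once, keep the rest."""
    if any(p.strip().lower() == wanted.lower() for p in packages):
        return list(packages)
    return list(packages) + [wanted]

def merge_provider_list(providers, wanted="credssp.dll"):
    """SecurityProviders is one comma-separated string of DLL names."""
    items = [p.strip() for p in providers.split(",") if p.strip()]
    if wanted.lower() in (p.lower() for p in items):
        return providers  # already present: leave the value exactly as it was
    return ", ".join(items + [wanted])

def apply_to_registry():
    """Write the merged values. Windows only; needs administrator rights."""
    import winreg
    changed = False
    targets = (
        (LSA_KEY, "Security Packages", merge_multi_sz),
        (PROV_KEY, "SecurityProviders", merge_provider_list),
    )
    for path, name, merge in targets:
        access = winreg.KEY_READ | winreg.KEY_SET_VALUE
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path, 0, access) as key:
            current, kind = winreg.QueryValueEx(key, name)
            merged = merge(current)
            if merged != current:
                winreg.SetValueEx(key, name, 0, kind, merged)
                changed = True
    return changed  # True means a value was written and a reboot is still needed

if __name__ == "__main__":
    # Constructed sample values, not read from a real machine.
    print(merge_multi_sz(["kerberos", "msv1_0", "schannel", "wdigest"]))
    print(merge_provider_list("msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"))
    if sys.platform == "win32" and "--apply" in sys.argv:
        print("reboot required" if apply_to_registry() else "already configured")
```

Without `--apply` the script only prints the merged sample values, so the merge logic can be checked on any machine before it touches the registry.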