Windows 2008 server administrators may encounter the following problem:

Connecting via the RDP protocol to your favorite server from a Windows XP SP3 station fails with the following error:

Remote Desktop is disabled.

The remote computer requires network level authentication, which this computer does not support. Contact your system administrator or technical support for help.

And although the promising Win7 threatens to eventually replace its grandmother WinXP, the problem will remain relevant for another year or two.

Here's what you need to do to enable network level authentication:

Open the registry editor.

Go to the branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Open the Security Packages parameter and look for the word tspkg there. If it is not there, add it to the existing parameters.

Go to the branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders

Open the SecurityProviders parameter and add credssp.dll to the existing providers if it is missing.

Close the registry editor.

Now you need to reboot. If this is not done, then when we try to connect, the computer will ask us for a username and password, but instead of the remote desktop it will respond with the following:

Remote Desktop Connection

Authentication error (code 0x507)

That's all.
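
The registry check and change described above, as an added PowerShell example that is not part of the original article. It assumes PowerShell 2.0 or later is installed on the Windows XP SP3 client and that the prompt is running with administrator rights; the -Apply switch is a name chosen for this example.

```powershell
# Added example (not from the original article). Checks the two values named above and,
# with -Apply, appends the missing entries. Run elevated; a reboot is still required.
param([switch]$Apply)

$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$provKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'

# "Security Packages" is REG_MULTI_SZ: PowerShell returns it as an array of strings.
$packages = @((Get-ItemProperty -Path $lsaKey -Name 'Security Packages').'Security Packages' |
              Where-Object { $_ })
$hasTspkg = $packages -contains 'tspkg'            # -contains is case-insensitive

# "SecurityProviders" is one REG_SZ string holding a comma-separated list of DLLs.
$provRaw    = [string](Get-ItemProperty -Path $provKey -Name 'SecurityProviders').SecurityProviders
$providers  = @($provRaw.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
$hasCredssp = $providers -contains 'credssp.dll'

"tspkg in Security Packages      : $hasTspkg"
"credssp.dll in SecurityProviders: $hasCredssp"

if ($Apply) {
    if (-not $hasTspkg) {
        # Append, never overwrite: the packages already listed must stay in place.
        Set-ItemProperty -Path $lsaKey -Name 'Security Packages' -Value ([string[]]($packages + 'tspkg'))
    }
    if (-not $hasCredssp) {
        Set-ItemProperty -Path $provKey -Name 'SecurityProviders' -Value (($providers + 'credssp.dll') -join ', ')
    }
    if (-not ($hasTspkg -and $hasCredssp)) { 'Values updated. Reboot before connecting.' }
}
```

Without -Apply the script only reports the current state, which is also a quick way to confirm the change survived after the reboot.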

If you are using Windows XP when connecting to the server, you may receive an error: “The remote computer requires network-level authentication, which this computer does not support.”

This error arises because network-level authentication was not initially implemented in Windows XP; the developers implemented it in subsequent operating systems. An update, KB951608, was released later, which corrected this error and allowed Windows XP to use network-level authentication.

In order for you to be able to connect to a remote desktop server from your computer running Windows XP, you need to install Service Pack 3 (SP3), and then do the following:

On the official Microsoft website, on the Russian page https://support.microsoft.com/ru-ru/kb/951608, download the automatic fix file. Scroll down the page and click the “Download” button in the “Help in solving the problem” section.

An English page is also available at https://support.microsoft.com/en-us/kb/951608, where you can download this file by clicking the “Download” button in the “How to turn on CredSSP” section.

After the file download is complete, run it. After launching this file, you will see a program window. In the first step, check the “I Accept” box. In the second step, click the “Next” button.

Once the installation is complete, you will see the following window with the notification “This Microsoft Fix it has been processed.” All you have to do is click “Close.”

After you click the “Close” button, the program will tell you that you need to restart your computer for the changes to take effect. Click “Yes” to restart.

Solve the problem yourself without downloading a file

If you have administrative skills, you can make changes to your computer's registry manually without having to download a patch file.

1. Click the Start button, select Run, enter the command regedit and press Enter

After installing the KB4103718 update on my Windows 7 computer, I cannot connect remotely to a server running Windows Server 2012 R2 via RDP remote desktop. After I specify the RDP server address in the mstsc.exe client window and click “Connect”, the error appears:

Remote Desktop Connection

An authentication error occurred.

The specified function is not supported.
Remote computer: computername

After I uninstalled the KB4103718 update and rebooted the computer, the RDP connection began to work fine. If I understand correctly, this is only a temporary workaround, next month a new cumulative update package will arrive and the error will return? Can you recommend anything?

Answer

You are absolutely right that it is pointless to solve the problem this way, because you thereby expose your computer to the risk of exploitation of various vulnerabilities that are covered by patches in this update.

You are not alone in your problem. This error can appear on any Windows or Windows Server operating system (not only Windows 7). For users of the English version of Windows 10, a similar error when trying to connect to an RDP/RDS server looks like this:

An authentication error has occurred.

The function requested is not supported.

Remote computer: computername

The RDP error “An authentication error has occurred” may also appear when trying to launch RemoteApp applications.

Why is this happening? The fact is that your computer has current security updates installed (released after May 2018), which fix a serious vulnerability in the CredSSP (Credential Security Support Provider) protocol used for authentication on RDP servers (CVE-2018-0886) (I recommend reading the article). However, on the side of the RDP / RDS server to which you connect from your computer, these updates are not installed, and NLA (Network Level Authentication) is enabled for RDP access. NLA uses CredSSP mechanisms to pre-authenticate users via TLS/SSL or Kerberos. Your computer, due to the new security settings introduced by the update you installed, simply blocks the connection to a remote computer that uses a vulnerable version of CredSSP.

What can you do to fix this error and connect to your RDP server?

  1. The most correct way to solve the problem is to install the latest Windows security updates on the computer/server you are connecting to via RDP;
  2. Temporary method 1. You can disable Network Level Authentication (NLA) on the RDP server side (described below);
  3. Temporary method 2. You can, on the client side, allow connections to RDP servers with an insecure version of CredSSP, as described in the article linked above. To do this, change the registry value AllowEncryptionOracle with the command
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 2
    or change the local policy setting Encryption Oracle Remediation, setting its value to Vulnerable.

    This is the only way to access a remote server via RDP if you do not have the ability to log into the server locally (via the iLO console, virtual machine, cloud interface, etc.). In this mode, you will be able to connect to the remote server and install security updates, thus moving to the recommended method 1. After updating the server, do not forget to disable the policy or return the value AllowEncryptionOracle = 0:
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters /v AllowEncryptionOracle /t REG_DWORD /d 0

Disabling NLA for RDP on Windows

If NLA is enabled on the side of the RDP server you are connecting to, this means that CredSSP is used to pre-authenticate the RDP user. You can disable Network Level Authentication in the system properties on the Remote tab by unchecking the “Allow connection only from computers running Remote Desktop with Network Level Authentication (recommended)” checkbox (Windows 10 / Windows 8).

In Windows 7 this option is called differently. On the Remote tab you need to select the option “Allow connections from computers running any version of Remote Desktop (less secure)”.

You can also disable Network Level Authentication (NLA) using the Local Group Policy Editor, gpedit.msc (in Windows 10 Home, the gpedit.msc policy editor can be launched), or using the domain policy management console, GPMC.msc. To do this, go to the section Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security and disable the policy Require user authentication for remote connections by using Network Level Authentication.

You also need to select Security Layer - RDP in the policy Require use of specific security layer for remote (RDP) connections.

To apply the new RDP settings, you need to update the policies (gpupdate /force) or restart the computer. After this, you should successfully connect to the remote desktop server.
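
Both temporary methods above (AllowEncryptionOracle = 2 on the client, and NLA disabled with Security Layer set to RDP on the server) are meant to be rolled back once the server is patched. The following read-only audit is an added example, not part of the original article. The value names UserAuthentication and SecurityLayer and the two Terminal Services key paths are the standard Windows locations for these settings and do not appear on the page; Get-RegValue is a helper defined for this example.

```powershell
# Added example (not from the original article). Read-only audit of the settings the
# temporary workarounds change, so they can be reverted after the server is patched.
$credsspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$rdpTcpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$findings = @()

# Client side: AllowEncryptionOracle (0 = force updated clients, 1 = mitigated, 2 = vulnerable).
$oracle = Get-RegValue $credsspKey 'AllowEncryptionOracle'
if ($oracle -eq 2) {
    $findings += 'AllowEncryptionOracle = 2: client still accepts unpatched CredSSP servers'
}

# Server side: UserAuthentication 1 = NLA required, 0 = NLA disabled.
# A Group Policy value, when present, takes precedence over the local RDP-Tcp setting.
foreach ($key in $policyKey, $rdpTcpKey) {
    $nla = Get-RegValue $key 'UserAuthentication'
    if ($null -ne $nla) {
        if ($nla -eq 0) { $findings += "NLA disabled (UserAuthentication = 0 under $key)" }
        break
    }
}

# SecurityLayer 0 = native RDP security ("Security Layer - RDP"), 1 = Negotiate, 2 = SSL/TLS.
foreach ($key in $policyKey, $rdpTcpKey) {
    $layer = Get-RegValue $key 'SecurityLayer'
    if ($null -ne $layer) {
        if ($layer -eq 0) { $findings += "SecurityLayer = 0 (RDP) under $key" }
        break
    }
}

if ($findings.Count) { $findings } else { 'No CredSSP/NLA workaround settings found.' }
```

Run it on the client to check the CredSSP value and on the RDP server to check the NLA and security layer settings; any line it prints is a workaround that is still in place.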

Security and speed of servers have always been a problem, and every year their relevance only grows. Because of this, Microsoft has moved from the original server-side authentication model to network-level authentication.

What is the difference between these models?
Previously, when connecting to Terminal Services, the user created a session with the server through which the latter would load a screen to enter credentials for the user. This method consumes server resources even before the user has verified their legitimacy, allowing an illegal user to completely overwhelm server resources with multiple login requests. A server that is unable to process these requests denies requests to legitimate users (DoS attack).


Network-Level Authentication (NLA) forces the user to enter credentials in a client-side dialog box. By default, if network level authentication is not available on the client side, the server will not allow the connection. NLA requests the client computer to provide its authentication credentials before creating a session with the server. This process is also called front-end authentication.



NLA was introduced back in RDP 6.0 and was initially supported in Windows Vista. Starting with RDP 6.1, it is supported by servers running Windows Server 2008 and higher, and client support is provided by Windows XP SP3 (you need to enable the new security provider in the registry) and higher. The method uses the CredSSP (Credential Security Support Provider) security provider. When using a remote desktop client for another operating system, you need to find out whether it supports NLA.


Advantages of NLA:
  • Does not require significant server resources.
  • An additional layer of protection against DoS attacks.
  • Speeds up the mediation process between client and server.
  • Allows you to extend the NT "single login" technology to work with a terminal server.
Disadvantages of NLA:
  • Other security providers are not supported.
  • Not supported by client versions lower than Windows XP SP3 and server versions lower than Windows Server 2008.
  • Requires manual registry configuration on each Windows XP SP3 client.
  • Like any “single login” scheme, it is vulnerable to the theft of “the keys to the entire fortress.”
  • There is no option to use the "Require password change at next login" feature.