
Fix for Network Level Authentication (NLA) restriction with RDP

While doing some testing with a Windows virtual machine in Google Cloud, I suddenly received the terrible Network Level Authentication (NLA) message when trying to RDP:

The remote computer that you are trying to connect to requires network level authentication (NLA), but your windows domain controller cannot be contacted to perform NLA. If you are an administrator on the remote computer, you can disable NLA by using the options on the remote tab of the System Properties dialog box.

It’s easy enough to fix when a VM console is available, but cloud VMs do not have graphical consoles, so I had to take a different approach.

PowerShell, as usual

PowerShell can leverage WMI to make operating system configuration changes remotely as long as the needed ports are open and an administrator account is available.

Follow along for the easy fix to temporarily disable NLA in order to successfully RDP.

First, create a PSCredential object called $credential using an administrator account (local or domain):

$credential = New-Object System.Management.Automation.PSCredential "instance-1\administrator", $(ConvertTo-SecureString "mysecurepasswd" -AsPlainText -Force)

Replace ‘instance-1’ with the hostname of the server or the AD domain, ‘administrator’ with the account username, and ‘mysecurepasswd’ with the password for the account.

Once the $credential object is created, use Get-WmiObject to check the value of UserAuthenticationRequired. When NLA is active, this value is set to ‘1’:

Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -computer instance-1 -filter "TerminalName='RDP-tcp'" -Credential $credential

Replace ‘instance-1’ with the hostname, IP, or FQDN of the server.

[Screenshot: result of the WMI call showing UserAuthenticationRequired set to 1, which blocks RDP because of NLA]

If UserAuthenticationRequired is set to ‘1’, disable it by setting it to ‘0’.

(Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -computer instance-1 -filter "TerminalName='RDP-tcp'" -Credential $credential).SetUserAuthenticationRequired(0)

As before, replace ‘instance-1’ with the hostname, IP, or FQDN of the server.

Note the parentheses around Get-WmiObject – the command is actually calling the SetUserAuthenticationRequired() method on the object returned by Get-WmiObject.

The SetUserAuthenticationRequired() method returned some data, but from that output alone it’s not clear whether the value was set successfully.

[Screenshot: result of the SetUserAuthenticationRequired() method call]

Run the same Get-WmiObject command again and check the UserAuthenticationRequired value.

Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -computer instance-1 -filter "TerminalName='RDP-tcp'" -Credential $credential

Replace ‘instance-1’ with the hostname, IP, or FQDN of the server.

[Screenshot: result of the WMI call showing UserAuthenticationRequired set to 0, which permits RDP]

Once I saw UserAuthenticationRequired was set to ‘0’, I was able to RDP again.
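The steps above as one script, added here as an example and not code from the original post. It wraps the same Win32_TSGeneralSetting WMI calls in two functions, prompts for the administrator credential with Get-Credential instead of embedding a password in the command line, checks the ReturnValue of SetUserAuthenticationRequired() and re-reads the setting to confirm the change, and then re-enables NLA once the RDP session is done so the listener is not left without it. Assumptions not stated in the post: the script is run from Windows PowerShell 5.1 (Get-WmiObject is not available in PowerShell 7), WMI/DCOM is reachable from the machine running it, and a ReturnValue of 0 from the WMI method means success.

```powershell
# Added example (not from the original post): temporarily disable NLA on a
# remote RDP-Tcp listener over WMI, verify the change, and re-enable it afterwards.
# Assumptions: Windows PowerShell 5.1, WMI/DCOM reachable on the target, the
# supplied account is an administrator there, and ReturnValue 0 means success.

param(
    [Parameter(Mandatory = $true)]
    [string]$ComputerName   # hostname, IP, or FQDN of the target server
)

# Get-Credential prompts interactively, so the password never ends up in a
# script file or in the shell history.
$credential = Get-Credential -Message "Administrator account on $ComputerName"

# Arguments shared by every WMI call against the RDP-Tcp listener.
$wmiArgs = @{
    Class        = 'Win32_TSGeneralSetting'
    Namespace    = 'root\cimv2\terminalservices'
    ComputerName = $ComputerName
    Filter       = "TerminalName='RDP-Tcp'"
    Credential   = $credential
}

function Get-NlaState {
    # Returns UserAuthenticationRequired: 1 = NLA enforced, 0 = NLA disabled.
    $setting = Get-WmiObject @wmiArgs
    if (-not $setting) { throw "No RDP-Tcp listener found on $ComputerName" }
    return [int]$setting.UserAuthenticationRequired
}

function Set-NlaState {
    param([Parameter(Mandatory = $true)][ValidateSet(0, 1)][int]$Value)

    $result = (Get-WmiObject @wmiArgs).SetUserAuthenticationRequired($Value)

    # WMI methods report their outcome in ReturnValue (0 = success, by assumption).
    if ($result.ReturnValue -ne 0) {
        throw "SetUserAuthenticationRequired($Value) failed with ReturnValue $($result.ReturnValue)"
    }

    # Read the value back instead of trusting the return code alone.
    $actual = Get-NlaState
    if ($actual -ne $Value) {
        throw "Expected UserAuthenticationRequired=$Value on $ComputerName, got $actual"
    }
    Write-Host "UserAuthenticationRequired on $ComputerName is now $actual"
}

$before = Get-NlaState
Write-Host "Before: UserAuthenticationRequired = $before"

if ($before -eq 1) {
    Set-NlaState -Value 0
    Read-Host "NLA is disabled. Press Enter when the RDP session is finished to re-enable it"
    Set-NlaState -Value 1
}
else {
    Write-Host "NLA is not enforced on $ComputerName; nothing to change."
}
```

Run it as .\Set-TemporaryNla.ps1 -ComputerName instance-1 (the file name is arbitrary). The read-back after each call is what the post's manual repeat of Get-WmiObject achieves; keeping it in the function means a failed or partially applied change stops the script before the RDP attempt rather than after.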

Based on: