Network Level Authentication (2024)

About Network Level Authentication

Network Level Authentication (NLA) is an authentication tool used in Remote Desktop Services (RDP Server) or Remote Desktop Connection (RDP Client), introduced in RDP 6.0 in Windows Vista. NLA is sometimes called front authentication as it requires the connecting user to authenticate themselves before a session can be established with the remote device.

Starting a remote session on a device (for example, a server) requires many processes to run in the background, which can use up CPU resources on the remote device. This can be prevented by requiring the connecting user to authenticate themselves first. Any failed attempt made by an unauthorized user will prevent a connection from being established and, consequently, will not use the device's CPU resources. Requiring user authentication before the remote session also offers a layer of defense against Denial of Service (DoS) attacks.

When a user attempts to establish a connection to a device with NLA enabled, NLA will delegate the user's credentials from the client through a client-side Security Support Provider to the server for authentication before creating a session. Only once the user authentication is successful will the connection be established.

How to...

Enable / Disable Network Level Authentication

NLA can be enabled or disabled on the target device by accessing one of the paths below:

  • Settings app > System > Remote Desktop > toggle Enable Remote Desktop ON > click Confirm at the window that appears > Advanced Settings > select Require computers to use Network Level Authentication to connect (recommended)
  • Start menu > Control Panel > System and Security > Allow remote access > Remote tab > Remote Desktop > select Allow remote connections to this computer and Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)
  • Start menu > Control Panel > System and Security > System > Remote settings > Remote tab > Remote Desktop > select Allow remote connections to this computer and Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)
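The GUI paths above change a registry value on the RDP listener, so the setting can be audited without opening any dialog. The following is an added example, not part of the original documentation or of Datto RMM; the function name `Get-NlaStatus` and its output property names are this example's own, while the registry keys and value names are the standard Windows ones.

```powershell
# Added example: report whether NLA is enforced for the local RDP listener.
# Run in an elevated PowerShell session on the device being checked.
function Get-NlaStatus {
    [CmdletBinding()]
    param()

    $ts       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $listener = Join-Path $ts 'WinStations\RDP-Tcp'
    $policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    # Return $null instead of throwing when a key or value is absent.
    function Read-Value([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $item.$Name } else { $null }
    }

    $deny  = Read-Value $ts       'fDenyTSConnections'   # local setting, 0 = RDP enabled
    $local = Read-Value $listener 'UserAuthentication'   # 1 = NLA required
    $layer = Read-Value $listener 'SecurityLayer'        # 0 = RDP, 1 = negotiate, 2 = TLS
    $gpo   = Read-Value $policy   'UserAuthentication'   # set when Group Policy configures NLA

    # A Group Policy value, when present, overrides the local checkbox.
    $effective = if ($null -ne $gpo) { $gpo } else { $local }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        RdpEnabled    = ($deny -eq 0)
        NlaRequired   = ($effective -eq 1)
        SetByPolicy   = ($null -ne $gpo)
        SecurityLayer = $layer
    }
}

$status = Get-NlaStatus
$status | Format-List
if ($status.RdpEnabled -and -not $status.NlaRequired) {
    Write-Warning 'RDP is enabled but NLA is not required on this host.'
}
```

When `SetByPolicy` is true, the checkbox in the Remote tab is managed by Group Policy and a local change will not stick.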

Open an RDP session with a device with NLA enabled

  1. Log into the Agent Browser. Refer to Log in to the Agent Browser.
  2. Connect to a server. Refer to Connect to a device.
  3. Click Tools > Windows RDP or click the Remote Desktop Protocol icon.
  4. You will now be prompted to authorize yourself in order to establish the connection. Enter your Username and Password.
  5. Select Use Network Level Authentication.

NOTE The option to use NLA will be grayed out on incompatible devices.

  6. Select Remember passwords for this device if you want your password to be remembered for future RDP sessions.
  7. Click Log in to establish the connection.
  8. The connection will be established if the user authentication was successful.

NOTE The Agent Browser lets you save RDP credentials upon launching an RDP session to a device. When opting to Remember passwords for this device, the credentials are saved in a file under the current user profile. This file can only be used by the Datto RMM Agent and the local user profile that created it. Attempting to reuse this file under a different user profile on the same device or a different device will fail and may lead to Agent instability.

When stored, user credentials are encrypted. The encryption is coded within the Agent and uses a combination of the following:

  • Windows Data Protection API
  • Password-based key derivation
    • The password-derived key is used with Triple DES

FAQs

Network Level Authentication? ›

Network Level Authentication (NLA) is a feature of Remote Desktop Services (RDP Server) or Remote Desktop Connection (RDP Client) that requires the connecting user to authenticate themselves before a session is established with the server.

Is it safe to disable Network Level Authentication? ›

It can help provide better security by reducing the risk of denial-of-service attacks. So if Network Level Authentication protects your computer, why disable it? If you're remotely connecting to a PC on your home network from outside of that network, turn off the NLA option.

How do I fix Network Level Authentication? ›

9 Ways to Fix "The Remote Computer Requires Network Level Authentication"
  1. Check Your Internet.
  2. Troubleshoot Your Network.
  3. Disable NLA Using System Properties.
  4. Using PowerShell to Disable the NLA.
  5. Disable NLA Using Windows Registry.
  6. Use the Local Group Policy Editor To Configure NLA Settings.
  7. Delete "Default.rdp" File.

What are the requirements for Network Level Authentication? ›

For NLA to work, the client's computer must be using at least Remote Desktop Connection 6.0. In addition, the operating system needs to support the Credential Security Support Provider protocol, which is also called CredSSP. This requires the system to run Windows XP SP3 or later.

What is Network Level Authentication error? ›

The remote computer that you are trying to connect to requires Network Level Authentication (NLA), but your Windows domain controller cannot be contacted to perform NLA. If you are an administrator on the remote computer, you can disable NLA by using the options on the Remote tab of the System Properties dialog box.

What happens if I disable NLA? ›

However, NLA was designed to allow users who have authenticated themselves to the network before they can connect to your computer, so as to protect your computer. Once you disable it, your computer will be at risk of malicious users and software.

What happens if we disable NLA? ›

Without NLA the client has no method to prove the remote server is the same as what you've typed in. This applies to all forms of credentials, not just passwords.

Do you need Network Level Authentication? ›

Before you can start a remote desktop session, the user will need to authenticate themselves, i.e., prove that they are who they say they are. Using network level authentication means that a false connection can't be made, which would use up CPU and cause a strain on the resources of the network.

Why is NLA needed? ›

NLA is sometimes called front authentication as it requires the connecting user to authenticate themselves before a session can be established with the remote device.

How do I turn off NLA remotely? ›

  1. On the RD Session Host server, open Remote Desktop Session Host Configuration. ...
  2. Under Connections, right-click the name of the connection, and then click Properties.
  3. In the General tab, un-tick the Allow connections only from computers running Remote Desktop with Network Level Authentication check box.

What port does NLA use? ›

NLA is authentication that takes place during RDP authentication. The RDP client connects to the RDP host on TCP port 3389.

What is allow connections only from computers with Network Level Authentication? ›

If you want to restrict who can access your PC, choose to allow access only with Network Level Authentication (NLA). When you enable this option, users have to authenticate themselves to the network before they can connect to your PC.

How do I authenticate a network device? ›

Flow of Network Device Access Authentication
  1. The user enters the AD email address as the user name and the OTP code as the password to gain access to a network device.
  2. The network device forwards the credentials to the RADIUS server via a load balancer endpoint for authentication.
Apr 19, 2020

Why do I keep getting authentication error? ›

There could be plenty of reasons for facing an authentication error on your device. Most of the time, it occurs whenever a Wifi router seems to malfunction. Furthermore, if your phone has been recently updated, then chances are that there could be an issue with its drivers.

How do I disable Network Level Authentication on a VM? ›

In the Azure portal, go to Virtual Machines and select the Azure VM on which you want to disable NLA. On the left pane, select Run Command under Operations. From the list of run commands, select “DisableNLA.”

How do I fix network authentication failed Windows 10? ›

Reset Network Settings to Fix WiFi Authentication Issues
  1. Launch the Settings app using your preferred way.
  2. Click on the option that says Network & Internet.
  3. Click on Status in the left sidebar.
  4. Click on Reset now to start resetting your network settings.
Feb 28, 2020

Is NLA needed? ›

NLA has several benefits, including: It initially requires fewer remote computer resources by preventing the initiation of a complete remote desktop connection until the user is authenticated, which reduces the risk of denial-of-service attacks.

What is the impact of network level authentication? ›

Before you can start a remote desktop session, the user will need to authenticate themselves, i.e., prove that they are who they say they are. Using network level authentication means that a false connection can't be made, which would use up CPU and cause a strain on the resources of the network.

What is the purpose of network authentication? ›

Network authentication is the process of vetting users that request secure access to networks, systems, or devices. This process determines user identity and can be found from username and password credentials and other technologies like authentication apps or biometrics.

What are the benefits of network level authentication? ›

Top 4 benefits of network-level authentication
  • Improved security. ...
  • Defense against brute force and denial-of-service attacks. ...
  • Streamlined access control. ...
  • Compliance with industry regulations.
Jun 9, 2023

Author: Golda Nolan II