While connecting to Windows Server 2012 (or R2) using RDP you might see the error "An authentication error occurred. The Local Security Authority cannot be contacted". In this post we will see how to get rid of this error, and also a PowerShell solution so that you can deploy the change across your servers.
Basically this problem happens when the RDP configuration on Windows Server 2012 requires clients to use Network Level Authentication (NLA) to connect. NLA is a security feature introduced with Windows Vista/Windows Server 2008: the client must authenticate before a session is created, so the server no longer has to spin up a full logon screen for unauthenticated peers. You can read more about NLA at https://technet.microsoft.com/en-us/magazine/hh750380.aspx.
While NLA increases the security and performance of the server, it prevents clients which don't support NLA, or which are in a broken state, from connecting via RDP. Keep in mind that disabling NLA lets any unauthenticated client reach the server's logon screen, so treat it as a temporary workaround and re-enable it once the client side is fixed. If you have decided to disable NLA, follow the steps below.
On the server where you want to disable NLA to allow RDP connections.
- Go to Start -> Run -> type "sysdm.cpl" and press Enter
- This opens System Properties. Now go to the Remote tab
- Uncheck the "Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)" checkbox
- Click Apply and try to RDP to the server again
It should work without issues this time. The screenshot below shows the option described in the steps above.
Now you know how to address this error on a single server. But how do you do it on multiple servers, or make it part of your build process? There is a way using PowerShell.
The Win32_TSGeneralSetting WMI class in the Root\CIMv2\TerminalServices namespace provides a method called SetUserAuthenticationRequired() to enable or disable the above checkbox. The class holds one instance per RDP listener, so filter on the default RDP-Tcp listener to make sure you get a single object to call the method on.
To disable NLA:
# 0 = do not require NLA (legacy clients may connect)
$TSObj = Get-WMIObject -Class Win32_TSGeneralSetting -Namespace Root\CIMV2\TerminalServices -Filter "TerminalName='RDP-tcp'"
$TSObj.SetUserAuthenticationRequired(0)
To enable NLA:
# 1 = require NLA (the recommended setting)
$TSObj = Get-WMIObject -Class Win32_TSGeneralSetting -Namespace Root\CIMV2\TerminalServices -Filter "TerminalName='RDP-tcp'"
$TSObj.SetUserAuthenticationRequired(1)
The above commands enable or disable NLA for RDP on the local computer. If you want to perform these actions on a remote computer, just add the -ComputerName parameter to the Get-WMIObject cmdlet; this uses WMI over DCOM/RPC, so the remote host must be reachable on those ports and you need local administrator rights on it.
In the same way that we can enable/disable NLA, we can also check its current state. The property UserAuthenticationRequired stores 0 or 1, which indicates that NLA is disabled or enabled respectively.
# Returns 0 (NLA disabled) or 1 (NLA enabled) for the RDP-Tcp listener
$TSObj = Get-WMIObject -Class Win32_TSGeneralSetting -Namespace Root\CIMV2\TerminalServices -Filter "TerminalName='RDP-tcp'"
$TSObj.UserAuthenticationRequired
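The snippets above cover one server at a time. The following function is an added example, not code from the original post: it combines the check and the set operation into a single pass over a list of servers, verifies the WMI method's return value, re-reads the setting afterwards, and reports a row per host instead of failing on the first unreachable one. It supports -WhatIf so you can audit before changing anything. The server names 'srv01' and 'srv02' in the usage lines are placeholders.

```powershell
# Added example (not from the original post). Requires local admin rights on
# each target and WMI (DCOM/RPC) reachability, as with Get-WmiObject -ComputerName.
function Set-RdpNla {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$ComputerName,

        # $true  -> UserAuthenticationRequired = 1 (require NLA, recommended)
        # $false -> UserAuthenticationRequired = 0 (allow legacy/broken clients)
        [Parameter(Mandatory = $true)]
        [bool]$RequireNla
    )
    process {
        foreach ($computer in $ComputerName) {
            # Filter on the RDP-Tcp listener so exactly one instance comes back
            $query = @{
                Class        = 'Win32_TSGeneralSetting'
                Namespace    = 'Root\CIMV2\TerminalServices'
                ComputerName = $computer
                Filter       = "TerminalName='RDP-tcp'"
                ErrorAction  = 'Stop'
            }
            try {
                $ts = Get-WmiObject @query
                if ($null -eq $ts) {
                    throw "No RDP-Tcp listener found in Win32_TSGeneralSetting"
                }

                $before  = [int]$ts.UserAuthenticationRequired
                $desired = [int]$RequireNla

                if ($before -ne $desired) {
                    $action = "Set UserAuthenticationRequired = $desired"
                    if ($PSCmdlet.ShouldProcess($computer, $action)) {
                        # The WMI method returns an object whose ReturnValue is 0 on success
                        $result = $ts.SetUserAuthenticationRequired($desired)
                        if ($result.ReturnValue -ne 0) {
                            throw "SetUserAuthenticationRequired returned $($result.ReturnValue)"
                        }
                    }
                }

                # Re-read rather than trusting the cached object, so the report
                # shows what the server actually has now (unchanged under -WhatIf)
                $after = [int](Get-WmiObject @query).UserAuthenticationRequired

                [pscustomobject]@{
                    ComputerName = $computer
                    NlaBefore    = $before
                    NlaAfter     = $after
                    Status       = 'OK'
                }
            }
            catch {
                # Keep going for the remaining hosts; surface the failure in the report
                [pscustomobject]@{
                    ComputerName = $computer
                    NlaBefore    = $null
                    NlaAfter     = $null
                    Status       = $_.Exception.Message
                }
            }
        }
    }
}

# Usage (placeholder server names). First audit without changing anything:
'srv01', 'srv02' | Set-RdpNla -RequireNla $true -WhatIf

# Then enforce NLA (or pass -RequireNla $false to disable it) and tabulate the results:
'srv01', 'srv02' | Set-RdpNla -RequireNla $true | Format-Table -AutoSize
```

Because the function emits objects rather than text, you can pipe the report into Export-Csv or Where-Object { $_.Status -ne 'OK' } to pick out the hosts that still need attention after a build run.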
Hope this helps.
Disabling security is not a solution to this problem which only affects certain accounts at different intervals.