I recently enabled Network Level Authentication (NLA) for RDP on some servers to close a security audit point and found a problem with accounts that have computers configured under the userWorkstations attribute in AD. This is set on the Account tab using the "Log On To" button. If the account used for RDP to a remote machine isn't allowed to log on to the local machine, then RDP fails with the error "The Local Security Authority cannot be contacted." It didn't strike me as the most obvious thing, as I assumed all authentication would be with the remote machine for NLA, but it appears the user must authenticate locally first to create the RDP session.
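A quick way to check for this condition before rolling NLA out, as an added example that is not part of the original post: the script below reads the account's "Log On To" list (the userWorkstations attribute, which the RSAT ActiveDirectory module exposes as the LogonWorkstations property) and reports whether the machine the RDP client runs on is in it, with an optional switch to append it. A second function confirms that the target server really enforces NLA by reading the UserAuthentication value under the RDP-Tcp WinStation key. The account and computer names in the usage lines are hypothetical, and the script assumes the ActiveDirectory module is installed, the caller can read (and with -Add, write) the user object, and WinRM is reachable on the server being queried.

```powershell
# Added example (not from the original post): diagnose the NLA "Local Security
# Authority cannot be contacted" failure caused by the Log On To restriction.
# Assumes the RSAT ActiveDirectory module and rights to read/write the user object.
Import-Module ActiveDirectory

function Test-RdpClientWorkstationAllowed {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # NetBIOS name of the machine the RDP *client* runs on (not the target server):
        # NLA authenticates the user there first, so that host must be on the list.
        [Parameter(Mandatory)] [string] $ClientComputerName,
        # Append the client machine to the restriction list if it is missing.
        [switch] $Add
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties LogonWorkstations
    $raw  = $user.LogonWorkstations

    # An empty attribute means "All computers": the local logon step will succeed.
    if ([string]::IsNullOrWhiteSpace($raw)) {
        return [pscustomobject]@{
            User = $SamAccountName; Client = $ClientComputerName
            Restricted = $false; Allowed = $true; Workstations = @()
        }
    }

    # userWorkstations is a single comma-separated string of NetBIOS names.
    $list    = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $allowed = $list -contains $ClientComputerName   # string -contains is case-insensitive

    if (-not $allowed -and $Add) {
        $list    = $list + $ClientComputerName
        Set-ADUser -Identity $SamAccountName -LogonWorkstations ($list -join ',')
        $allowed = $true
    }

    [pscustomobject]@{
        User = $SamAccountName; Client = $ClientComputerName
        Restricted = $true; Allowed = $allowed; Workstations = $list
    }
}

# Returns $true when the server requires NLA (UserAuthentication = 1 on RDP-Tcp).
function Get-RdpNlaSetting {
    param([string] $ComputerName = $env:COMPUTERNAME)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
        (Get-ItemProperty -Path $key -Name UserAuthentication).UserAuthentication -eq 1
    }
}

# Usage (hypothetical account and computer names):
# Test-RdpClientWorkstationAllowed -SamAccountName 'svc-rdp' -ClientComputerName 'ADMIN-PC01'
# Test-RdpClientWorkstationAllowed -SamAccountName 'svc-rdp' -ClientComputerName 'ADMIN-PC01' -Add
# Get-RdpNlaSetting -ComputerName 'SRV-APP01'
```

If Test-RdpClientWorkstationAllowed reports Restricted = $true and Allowed = $false for the client host while Get-RdpNlaSetting returns $true for the server, the connection will fail with exactly the LSA error described above; adding the client machine to the list (or, if policy permits, clearing the restriction) resolves it without having to weaken NLA on the server.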