Friday, May 11, 2012

Windows XP Remote Desktop to Server 2008 R2



Enabling Network Level Authentication: Windows XP Remote Desktop

If you still have any Windows XP machines left out there, you will encounter an error message when you try to use the XP RDC client to connect to a Windows 2008 Server: "The remote computer requires Network Level Authentication, which your computer does not support."

Network Level Authentication is an authentication method that can be used to enhance RD Session Host server security by requiring that the user be authenticated to the RD Session Host server before a session is created.

Network Level Authentication completes user authentication before you establish a remote desktop connection and the logon screen appears. This is a more secure authentication method that can help protect the remote computer from malicious users and malicious software. The advantages of Network Level Authentication are:
  • It requires fewer remote computer resources initially. The remote computer uses a limited number of resources before authenticating the user, rather than starting a full remote desktop connection as in previous versions.
  • It can help provide better security by reducing the risk of denial-of-service attacks.
To use Network Level Authentication, you must meet the following requirements:
  • The client computer must be using at least Remote Desktop Connection 6.0.
  • The client computer must be using an operating system, such as Windows 7, Windows Vista, or Windows XP with Service Pack 3, that supports the Credential Security Support Provider (CredSSP) protocol.
  • The RD Session Host server must be running Windows Server 2008 R2 or Windows Server 2008.
Resolving the error takes a few steps, but once they are done you will be able to connect easily.

First, the Windows XP machine has to be at Service Pack 3.

Secondly, update the Remote Desktop Connection client to version 7 using this link:
Remote Desktop Connection 7.0
http://support.microsoft.com/kb/969084/en-us

Now, the more complicated steps that require a registry edit:

1. Click Start, click Run and then type regedit. Press ENTER.

2. In the left hand navigation pane, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

3. In the right hand details pane, right-click Security Packages, and then click Modify.

4. In the Value data box there will probably be other entries in a list; arrow down to the bottom of the list and add a line that says: tspkg. Leave the other entries that are specific to other SSPs, and then click OK.

5. In the left hand navigation pane, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders

6. In the right hand details pane, right-click SecurityProviders, and then click Modify.

7. In the Value data box there will be a list of DLLs, each separated by a comma; arrow over to the end of the list, type a comma after the last entry, and then type credssp.dll.  Leave the existing entries intact that are specific to other SSPs, and then click OK.

8. Exit Registry Editor.

9. After you have edited the registry, you'll need to restart the computer.
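
The same registry changes from steps 1 through 8 can be scripted so they are safe to repeat across several machines. This is an added example, not part of the original post; it assumes Windows PowerShell 2.0 is installed on the XP SP3 machine (it is a separate download there) and that the script runs as an administrator.

```powershell
# Added example: idempotent version of the manual registry edit above.
# Assumption: Windows PowerShell 2.0 is installed and this runs as an administrator.
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$provKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'

# Steps 2-4: "Security Packages" is a multi-string value, one SSP name per line.
$packages = @((Get-ItemProperty -Path $lsaKey).'Security Packages')
if ($packages -notcontains 'tspkg') {      # -notcontains ignores case
    # Existing entries are kept; tspkg is appended as the last line.
    $packages += 'tspkg'
    Set-ItemProperty -Path $lsaKey -Name 'Security Packages' -Value ([string[]]$packages)
    Write-Output 'Added tspkg to Security Packages.'
} else {
    Write-Output 'tspkg already present in Security Packages.'
}

# Steps 5-7: "SecurityProviders" is one string of DLL names separated by commas.
$current = (Get-ItemProperty -Path $provKey).SecurityProviders
$dlls = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($dlls -notcontains 'credssp.dll') {
    # Existing DLLs are kept in their original order; credssp.dll goes last.
    $dlls += 'credssp.dll'
    Set-ItemProperty -Path $provKey -Name 'SecurityProviders' -Value ($dlls -join ', ')
    Write-Output 'Added credssp.dll to SecurityProviders.'
} else {
    Write-Output 'credssp.dll already present in SecurityProviders.'
}

# Show the resulting values so they can be checked before the restart in step 9.
(Get-ItemProperty -Path $lsaKey).'Security Packages'
(Get-ItemProperty -Path $provKey).SecurityProviders
```

Because each value is only changed when the entry is missing, running the script a second time makes no further edits. The restart in step 9 is still required.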

Once these steps are complete and the computer has rebooted, you should be able to successfully connect your Windows XP Pro system to a Windows 2008 Server via Remote Desktop Connection using Network Level Authentication. Don't forget that if the XP Pro PC is not joined to the domain, you may need to type the domain name and then user name for server login, i.e.: \\ServerName\LoginUserName.