Why do I get an NLA error when I use RDP to connect to WorkSpaces?


When I try to connect to Amazon WorkSpaces, I receive an "Unable to connect" error. When I use Remote Desktop Protocol (RDP) to troubleshoot the issue, I get a Network Level Authentication (NLA) error.

Resolution

If you use RDP to log in to a WorkSpace, then you might receive one of the following errors:

  • "An authentication error has occurred. The Local Security Authority cannot be contacted."
  • "The remote computer that you are trying to connect to requires Network Level Authentication (NLA), but your Windows domain controller cannot be contacted to perform NLA. If you are an administrator on the remote computer, you can disable NLA by using the options on the Remote tab of the System Properties dialog box."

To resolve these errors, take the following actions.

Check the connectivity to the domain controller

If the WorkSpace can't communicate with the domain controllers, then you might not be able to use RDP to log in to the WorkSpace. To troubleshoot connectivity issues, complete the following steps:

  1. Make sure that the _workspacesMembers security group allows outbound traffic to the domain controllers. By default, the security group allows all outbound traffic.
  2. Configure the network ACL rules to allow outbound traffic from WorkSpaces to the domain controllers on the Active Directory ports. Also, you must allow inbound traffic from the domain controllers to WorkSpaces on ephemeral ports.
  3. If you use a firewall, then adjust the firewall rules to allow communication between the WorkSpace and the domain controllers.
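As an added example (not part of the AWS article), the following PowerShell check tests reachability from a domain-joined WorkSpace or EC2 instance to each domain controller on the core Active Directory TCP ports. The domain controllers are discovered from the domain's DC SRV record; $DomainName is an assumed placeholder.

```powershell
# Added example: test WorkSpace-to-domain-controller connectivity on the core AD TCP ports.
# Assumes the script runs on a domain-joined WorkSpace or EC2 instance and that
# $DomainName is replaced with your Active Directory domain (placeholder below).
$DomainName = "corp.example.com"   # placeholder; replace with your domain

# Ports used for Kerberos, LDAP, SMB, RPC endpoint mapping and DNS (TCP only;
# Test-NetConnection does not probe UDP).
$AdPorts = @(
    @{ Port = 53;   Name = "DNS" },
    @{ Port = 88;   Name = "Kerberos" },
    @{ Port = 135;  Name = "RPC endpoint mapper" },
    @{ Port = 389;  Name = "LDAP" },
    @{ Port = 445;  Name = "SMB" },
    @{ Port = 636;  Name = "LDAPS" },
    @{ Port = 3268; Name = "Global Catalog" }
)

# Discover the domain controllers through the _ldap._tcp.dc._msdcs SRV record.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop
$dcs = $srv | Where-Object { $_.Type -eq "SRV" } |
       Select-Object -ExpandProperty NameTarget -Unique

foreach ($dc in $dcs) {
    foreach ($p in $AdPorts) {
        # -InformationLevel Quiet returns a single boolean instead of the full object.
        $ok = Test-NetConnection -ComputerName $dc -Port $p.Port `
                                 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc
            Port             = $p.Port
            Service          = $p.Name
            Reachable        = $ok
        }
    }
}
```

A row with Reachable = False points at the security group, network ACL or firewall rule that blocks that port; fix the rule and rerun the check before changing any NLA settings.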

Turn off NLA

RDP login errors can occur if NLA is turned on for your WorkSpace. To turn off NLA, you can use the Network Registry, edit the registry values, or use the Microsoft Remote Procedure Call (RPC). After you turn off NLA, reboot the WorkSpace from the WorkSpaces console.

Note: If you use AWS Systems Manager to manage WorkSpaces, then you can turn off NLA with Systems Manager Session Manager. For more information, see How do I troubleshoot authentication errors when I use RDP to connect to an EC2 Windows instance?

Prerequisites:

  • You must activate and authenticate through PowerShell remoting. PowerShell remoting is activated by default on Windows Server platforms. For more information, see Chapter 8 - PowerShell remoting on the Microsoft website.
  • In the WorkSpaces security group, you must allow inbound traffic on the following ports: TCP port 445 (SMB traffic required to modify the remote registry), TCP 135 (RPC), and TCP 5985 (remote PowerShell/WinRM).
  • The RemoteRegistry service must be running on the source WorkSpace or the domain-joined Amazon Elastic Compute Cloud (Amazon EC2) instance, and also on the remote WorkSpace.

To find the WorkSpace computer name of the affected WorkSpace, complete the following steps:

  1. Open the WorkSpaces console.
  2. Choose the affected WorkSpace.
  3. Copy the value in Computer Name to a text file for use in later steps. For example, WSAMZN-ABCDE.

To log into PowerShell, complete the following steps:

  1. Log in to a working WorkSpace. Or, log in to an EC2 instance that is joined to the domain in the same subnet as the administrator AWS account. The user must have local administrator rights on the remote WorkSpace. By default, domain admins have local administrator permissions.
  2. Open PowerShell as an administrator.

Use the Network Registry to turn off NLA

Complete the following steps:

  1. To check the RemoteRegistry service status on the source WorkSpace or EC2 instance, run the following command:

     Get-Service -Name RemoteRegistry | Start-Service
     
     #Validate the service status
     
     Get-Service -Name RemoteRegistry
     
     #Output should be as below
     
     Status   Name               DisplayName
     ------   ----               -----------
     Running  RemoteRegistry     Remote Registry
  2. To connect to the PowerShell remote session with the affected WorkSpace, run the following command:

    $credential = Get-Credential -Credential domain\username
    
    Enter-PSSession -ComputerName WorkSpace Computer Name -Credential $credential

    Note: Replace domain with your Active Directory domain name and username with the WorkSpaces user who has local administrator rights on the remote WorkSpace. Also, replace WorkSpace Computer Name with your WorkSpace computer name.

  3. To check the RemoteRegistry service status on the remote WorkSpace, run the following command:

     Get-Service -Name RemoteRegistry | Start-Service
     
     #Validate the service status
     
     Get-Service -Name RemoteRegistry
     
     #Output should be as below
     
     Status   Name               DisplayName
     ------   ----               -----------
     Running  RemoteRegistry     Remote Registry
  4. To set up the Windows firewall to allow traffic over the TCP port 445, run the following command:

    netsh advfirewall firewall add rule name="RemoteRegistryAccess" dir=in action=allow protocol=TCP localport=445
  5. To open the Registry Editor, in a command prompt, type regedit.exe, and then press Enter.

  6. On the File menu, choose Connect Network Registry.

  7. For WorkSpace Computer Name, enter your WorkSpace computer name.

  8. Choose Check Names.

  9. For Enter the object name to select, enter the following registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp. Then, choose OK.

  10. Set the SecurityLayer value to 0, and set the UserAuthentication value to 0.

Edit the registry values to turn off NLA

Complete the following steps:

  1. To connect to the PowerShell remote session, run the following command:

    $credential = Get-Credential -Credential domain\username
    
    Enter-PSSession -ComputerName WorkSpace Computer Name -Credential $credential

    Note: Replace domain with your Active Directory domain name and username with the WorkSpaces user who has local administrator rights on the remote WorkSpace. Also, replace WorkSpace Computer Name with your WorkSpace computer name.

  2. To turn off NLA, run the following command:

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\control\terminal server\winstations\rdp-tcp" /v UserAuthentication /t REG_DWORD /d 0 /f

Use Microsoft RPC to turn off NLA

To update the registry key, run the following command:

(Get-WmiObject -class Win32_TSGeneralSetting -Namespace root\cimv2\terminalservices -ComputerName WorkSpace Computer Name -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)

Note: Replace WorkSpace Computer Name with your WorkSpace computer name.
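As an added example that is not part of the AWS article, the following script covers both the registry-values and RPC methods above over PowerShell remoting: it reports the current UserAuthentication and SecurityLayer values before anything changes, makes the same UserAuthentication change as the reg add step, and can put NLA back once troubleshooting is finished, since a WorkSpace left without NLA accepts unauthenticated RDP connections. It assumes TCP 5985 is open, the credential has local administrator rights, and $ComputerName is your WorkSpace computer name (for example WSAMZN-ABCDE).

```powershell
# Added example: read, disable, or restore NLA on a remote WorkSpace over PowerShell remoting.
# Assumes WinRM (TCP 5985) is reachable and the credential has local admin rights on the
# WorkSpace. $ComputerName is a placeholder for the WorkSpace computer name.
param(
    [Parameter(Mandatory)] [string] $ComputerName,
    [ValidateSet("Status", "Disable", "Restore")] [string] $Action = "Status"
)

$RdpTcpKey  = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
$credential = Get-Credential   # domain\username with local admin rights on the WorkSpace

Invoke-Command -ComputerName $ComputerName -Credential $credential `
               -ArgumentList $RdpTcpKey, $Action -ScriptBlock {
    param($Key, $Action)
    switch ($Action) {
        "Disable" {
            # Same change as the article's 'reg add' step: RDP no longer requires NLA.
            Set-ItemProperty -Path $Key -Name UserAuthentication -Value 0 -Type DWord
        }
        "Restore" {
            # Require NLA again after troubleshooting. If you also set SecurityLayer to 0
            # through the Network Registry method, set it back to the value that the
            # Status action reported before the change.
            Set-ItemProperty -Path $Key -Name UserAuthentication -Value 1 -Type DWord
        }
    }
    # Always return the effective values so the caller can verify the result.
    $props = Get-ItemProperty -Path $Key -Name UserAuthentication, SecurityLayer
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        UserAuthentication = $props.UserAuthentication   # 1 = NLA required, 0 = not required
        SecurityLayer      = $props.SecurityLayer        # 0 = RDP, 1 = negotiate, 2 = TLS
        NlaRequired        = ($props.UserAuthentication -eq 1)
    }
}
```

Run it once with -Action Status and keep the output, then -Action Disable and reboot the WorkSpace from the console as the article describes; -Action Restore returns the WorkSpace to requiring NLA when you are done.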

Check whether the WorkSpaces Computer Object was deleted

If the WorkSpaces Computer Object was deleted from Active Directory, then you receive the NLA error. To resolve this issue, restore the WorkSpace computer object:

  1. Restore the WorkSpaces Computer Object from Active Directory. For more information, see Restore-ADObject on the Microsoft website.
  2. Reboot the affected WorkSpace.

Check the DNS server IP addresses

If you update the DNS server IP addresses in AD Connector before you update the associated WorkSpace, then you receive the NLA error. To resolve this issue, complete the following steps:

  1. Open the source WorkSpace or the joined EC2 instance.

  2. To connect to the PowerShell remote session for the remote WorkSpace, run the following command:

    $credential = Get-Credential -Credential domain\username
    
    Enter-PSSession -ComputerName WorkSpace Computer Name -Credential $credential

    Note: Replace domain with your Active Directory domain name and username with the WorkSpaces user who has local administrator rights on the remote WorkSpace. Also, replace WorkSpace Computer Name with your WorkSpace computer name.

  3. To update the DNS server with the new IP addresses, run the following command:

    Set-ItemProperty -Path HKLM:\SOFTWARE\Amazon\SkyLight -Name DomainJoinDNS -Value "10.0.0.0,10.0.0.00" 

    Note: Replace 10.0.0.0 and 10.0.0.00 with the new DNS server IP addresses.

  4. To restart the SkyLightWorkspaceConfig service, run the following command:

     Get-Service SkyLightWorkspaceConfigService | Restart-Service
  5. If you still can't use RDP to connect to the WorkSpace, then reboot the affected WorkSpace.
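As an added example (not code from the AWS article), the following script runs inside the remote session on the affected WorkSpace and performs steps 3 and 4 with two checks the article does not include: it rejects anything that is not an IPv4 address, and it confirms that each new DNS server can resolve the domain's DC SRV record before the SkyLight value is changed, because a wrong address here reproduces the NLA error after the next reboot. $DomainName and $NewDnsServers are assumed placeholders for your domain and the AD Connector's new DNS server addresses.

```powershell
# Added example: update the SkyLight DomainJoinDNS value on a WorkSpace and verify the new
# servers first. Assumes it runs inside the Enter-PSSession / Invoke-Command session on the
# affected WorkSpace; $DomainName and $NewDnsServers are placeholders.
param(
    [Parameter(Mandatory)] [string]   $DomainName,
    [Parameter(Mandatory)] [string[]] $NewDnsServers
)

$SkyLightKey = "HKLM:\SOFTWARE\Amazon\SkyLight"

# Reject anything that is not a plain IPv4 address before it lands in the registry.
foreach ($ip in $NewDnsServers) {
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed) -or
        $parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Not a valid IPv4 address: $ip"
    }
}

# Check that each new server answers for the domain's DC SRV record before switching.
foreach ($ip in $NewDnsServers) {
    $answer = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV `
                              -Server $ip -ErrorAction SilentlyContinue
    if (-not $answer) {
        throw "DNS server $ip does not resolve _ldap._tcp.dc._msdcs.$DomainName"
    }
}

# Record the current value so the change can be reverted if needed.
$old = (Get-ItemProperty -Path $SkyLightKey -Name DomainJoinDNS).DomainJoinDNS
Write-Host "Previous DomainJoinDNS: $old"

# Same format the article uses: a comma-separated string in a single value.
Set-ItemProperty -Path $SkyLightKey -Name DomainJoinDNS -Value ($NewDnsServers -join ",")
Get-Service SkyLightWorkspaceConfigService | Restart-Service

# Return the effective value for verification.
(Get-ItemProperty -Path $SkyLightKey -Name DomainJoinDNS).DomainJoinDNS
```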

If you completed the steps in the resolution and still can't resolve the NLA error or RDP connection issue, then you must rebuild the WorkSpace.

Related information

Update DNS servers for WorkSpaces Personal

Troubleshoot authentication errors when you use RDP to connect to Azure VM on the Microsoft website

AWS OFFICIAL
Updated 4 months ago