Monday, April 12, 2010

Enabling Network Level Authentication in Windows XP

Starting with Windows Vista, Windows 7 and Windows Server 2008, both the Remote Desktop host and the Microsoft RDP client support NLA, or Network Level Authentication. With NLA the user is authenticated (through the CredSSP security support provider, inside a TLS session) before the server creates a session, so an unauthenticated client never reaches the Windows logon screen and cannot consume a session's worth of server resources. In the Remote Desktop settings shown below, the selected option ("Allow connections only from computers running Remote Desktop with Network Level Authentication") is the most secure choice.

The downside is that older clients, specifically Windows XP, don't offer NLA out of the box. XP SP3 ships Remote Desktop Connection 6.1, which is capable of NLA, but the CredSSP provider it relies on is installed disabled, so the client never offers it and the connection attempt fails with an error saying the remote computer requires Network Level Authentication, which your computer does not support (shown below).
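The error is produced by the security-protocol negotiation that opens every RDP connection (the X.224 Connection Request/Confirm exchange in MS-RDPBCGR): the client lists the protocols it can do, and an NLA-only host refuses any client that does not list CredSSP. The following Python is an added example, not code from this post or from Microsoft. It builds the client's request, models the host's decision under the "NLA required" setting, and parses the reply, running the whole exchange in-process on constructed messages; only the optional `probe()` helper touches the network. The assumption that an un-patched XP client offers TLS but not CredSSP, and the `server_decide()` policy, are models of the documented behaviour, not captures from real hosts.

```python
"""RDP security-protocol negotiation (MS-RDPBCGR X.224 CR/CC with RDP_NEG_* data)."""
import socket
import struct

# requestedProtocols / selectedProtocol flags
PROTOCOL_RDP = 0x00000000     # standard RDP security: no TLS, no NLA
PROTOCOL_SSL = 0x00000001     # TLS only
PROTOCOL_HYBRID = 0x00000002  # CredSSP over TLS: what NLA requires

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

# failureCode values carried in RDP_NEG_FAILURE
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def _tpkt_x224(tpdu_code, neg_data):
    """Wrap an X.224 TPDU (CR 0xE0 or CC 0xD0) plus rdpNegData in a TPKT header."""
    # LI counts the bytes after itself: code, dst-ref, src-ref, class option, neg data
    body = struct.pack(">BHHB", tpdu_code, 0, 0, 0) + neg_data
    x224 = bytes([len(body)]) + body
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224  # TPKT length includes its header


def build_connection_request(requested_protocols):
    """Client side: X.224 Connection Request carrying an RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    return _tpkt_x224(0xE0, neg_req)


def build_connection_confirm(neg_type, value):
    """Server side: RDP_NEG_RSP (value = selectedProtocol) or RDP_NEG_FAILURE (value = failureCode)."""
    return _tpkt_x224(0xD0, struct.pack("<BBHI", neg_type, 0, 8, value))


def parse_connection_request(data):
    """Return the requestedProtocols a client offered (PROTOCOL_RDP if it sent no RDP_NEG_REQ)."""
    li = data[4]
    tpdu = data[5:5 + li]
    if tpdu[0] != 0xE0:
        raise ValueError("not an X.224 Connection Request")
    rest = tpdu[6:]
    if rest.startswith(b"Cookie:"):          # optional mstshash cookie precedes rdpNegReq
        rest = rest[rest.index(b"\r\n") + 2:]
    if len(rest) < 8 or rest[0] != TYPE_RDP_NEG_REQ:
        return PROTOCOL_RDP                   # legacy client: no negotiation at all
    return struct.unpack("<BBHI", rest[:8])[3]


def parse_connection_confirm(data):
    """Return ("ok", selected_protocol) or ("failure", failure_name)."""
    if len(data) < 5 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    li = data[4]
    tpdu = data[5:5 + li]
    if tpdu[0] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    neg = tpdu[6:14]
    if len(neg) < 8:
        return ("ok", PROTOCOL_RDP)           # no rdpNegData: host speaks only standard RDP security
    neg_type, _, _, value = struct.unpack("<BBHI", neg)
    if neg_type == TYPE_RDP_NEG_RSP:
        return ("ok", value)
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return ("failure", FAILURE_CODES.get(value, "UNKNOWN_%d" % value))
    raise ValueError("unexpected rdpNegData type 0x%02x" % neg_type)


def server_decide(requested_protocols, require_nla):
    """Model of the RD host's choice (assumption, not Microsoft's code): with NLA required, a
    client that does not offer PROTOCOL_HYBRID is refused with HYBRID_REQUIRED_BY_SERVER;
    otherwise the strongest offered protocol is selected."""
    if requested_protocols & PROTOCOL_HYBRID:
        return build_connection_confirm(TYPE_RDP_NEG_RSP, PROTOCOL_HYBRID)
    if require_nla:
        return build_connection_confirm(TYPE_RDP_NEG_FAILURE, 5)
    if requested_protocols & PROTOCOL_SSL:
        return build_connection_confirm(TYPE_RDP_NEG_RSP, PROTOCOL_SSL)
    return build_connection_confirm(TYPE_RDP_NEG_RSP, PROTOCOL_RDP)


def simulate(client_protocols, require_nla=True):
    """Run the constructed client/server exchange locally and return the parsed outcome."""
    request = build_connection_request(client_protocols)
    confirm = server_decide(parse_connection_request(request), require_nla)
    return parse_connection_confirm(confirm)


def probe(host, port=3389, timeout=5):
    """Ask a real RD host how it treats a client that offers TLS but not CredSSP.
    Network call; not exercised by the offline demo below."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(PROTOCOL_SSL))
        return parse_connection_confirm(s.recv(64))


if __name__ == "__main__":
    # XP SP3 before the registry change: CredSSP not loaded, so HYBRID is never offered (modelled)
    print("XP without CredSSP :", simulate(PROTOCOL_SSL))
    # the same client after tspkg / credssp.dll are enabled
    print("XP with CredSSP    :", simulate(PROTOCOL_SSL | PROTOCOL_HYBRID))
    # the "less secure" host setting lets the old client in, but without NLA
    print("NLA not required   :", simulate(PROTOCOL_SSL, require_nla=False))
```

The first case is the failure the XP client reports: the host answers RDP_NEG_FAILURE with HYBRID_REQUIRED_BY_SERVER before any credentials are exchanged. The third case is what the "any version of Remote Desktop" setting buys you: the connection succeeds, but the logon screen is exposed to whoever can reach port 3389. `probe()` is handy for auditing which hosts still accept non-NLA clients.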

The common workaround is to pick the less secure server option, allowing connections from computers running any version of Remote Desktop. That weakens every RDP connection to the host, not just the XP ones, because the server must once again present a logon screen to anyone who can reach it on port 3389. While this may be fine for some organizations, it won't be for others, and I wanted a better workaround since the alternative meant asking a customer to change this setting. I searched and found this AWESOME workaround: enable CredSSP on the XP client instead. It requires Windows XP SP3 (credssp.dll and tspkg.dll are only present from SP3 onward), and administrator rights on the XP machine.


On the Windows XP workstation you use to RDP into the server/workstation:

  1. Click Start, click Run, type regedit, and then press ENTER.
  2. In the navigation pane, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  3. In the details pane, right-click Security Packages (a REG_MULTI_SZ value), and then click Modify.
  4. In the Value data box, add tspkg on a new line. Leave any existing data that is specific to other SSPs, and then click OK.
  5. In the navigation pane, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
  6. In the details pane, right-click SecurityProviders (a REG_SZ value, comma separated), and then click Modify.
  7. In the Value data box, add an additional comma, a space, and then credssp.dll. Leave any data that is specific to other SSPs, and then click OK.
  8. Exit Registry Editor.
  9. Restart the computer.


After rebooting, the XP client loads CredSSP and will offer NLA, so it can connect to newer operating systems that require it, with no change on the server side. Before rebooting, it is worth checking that both values now read as intended: "Security Packages" should list tspkg on its own line, and SecurityProviders should contain credssp.dll exactly once.

From Simon G (in the comments) - here is a VBS script to do this in case you need to do it en masse. The version below adds a check so the entries are not appended a second time if the script is run twice, or on a machine (such as Windows 7) where CredSSP is already enabled; reboot is still required for the change to take effect.


' Enable the CredSSP security support provider on a Windows XP SP3 client
' so that the RDP client can offer NLA. Run as an administrator.
' Only appends the entries if they are not already present.
Option Explicit
Const HKEY_LOCAL_MACHINE = &H80000002

Dim hostname, regObj, lsaKey, lsaValue, stringValues, i, found, size
Dim secProvKey, secProvValue, theValue, changed

hostname = "."   ' local machine; a remote name works too if WMI and admin rights allow

Set regObj = GetObject( "winmgmts:{impersonationLevel=impersonate}!\\" & hostname & "\root\default:StdRegProv" )

changed = False

' 1. "Security Packages" is REG_MULTI_SZ: add "tspkg" as a new entry unless it is listed already
lsaKey = "SYSTEM\CurrentControlSet\Control\Lsa"
lsaValue = "Security Packages"
regObj.GetMultiStringValue HKEY_LOCAL_MACHINE, lsaKey, lsaValue, stringValues

found = False
For i = 0 To UBound( stringValues )
    If LCase( Trim( stringValues( i ) ) ) = "tspkg" Then found = True
Next

If Not found Then
    size = UBound( stringValues ) + 1
    ReDim Preserve stringValues( size )
    stringValues( size ) = "tspkg"
    regObj.SetMultiStringValue HKEY_LOCAL_MACHINE, lsaKey, lsaValue, stringValues
    changed = True
End If

' 2. "SecurityProviders" is a comma-separated REG_SZ: append "credssp.dll" unless present
secProvKey = "SYSTEM\CurrentControlSet\Control\SecurityProviders"
secProvValue = "SecurityProviders"
regObj.GetStringValue HKEY_LOCAL_MACHINE, secProvKey, secProvValue, theValue

If InStr( 1, theValue, "credssp.dll", vbTextCompare ) = 0 Then
    theValue = theValue & ", credssp.dll"
    regObj.SetStringValue HKEY_LOCAL_MACHINE, secProvKey, secProvValue, theValue
    changed = True
End If

If changed Then
    WScript.Echo "CredSSP entries added on " & hostname & "; reboot for the change to take effect."
Else
    WScript.Echo "CredSSP already enabled on " & hostname & "; nothing changed."
End If

3 comments:

Simon G said...

I chose to enable this too on my customers' IS. A bit of VBS does the trick:


const HKEY_LOCAL_MACHINE = &H80000002
lsaKey = "SYSTEM\CurrentControlSet\Control\Lsa"
lsaValue = "Security Packages"

hostname = "."

Set regObj = GetObject( "winmgmts:{impersonationLevel=impersonate}!\\" & hostname & "\root\default:StdRegProv" )

regObj.GetMultiStringValue HKEY_LOCAL_MACHINE, lsaKey, lsaValue, stringValues

size = Ubound( stringValues ) + 1

ReDim Preserve stringValues( size )
stringValues( size ) = "tspkg"


regObj.SetMultiStringValue HKEY_LOCAL_MACHINE, lsaKey, lsaValue, stringValues

secProvKey = "SYSTEM\CurrentControlSet\Control\SecurityProviders"
secProvValue = "SecurityProviders"

regObj.GetStringValue HKEY_LOCAL_MACHINE, secProvKey, secProvValue, theValue

theValue = theValue & ", credssp.dll"

regObj.SetStringValue HKEY_LOCAL_MACHINE, secProvKey, secProvValue, theValue

dfsdf asdfasdfasdf said...

On Windows 7 (where credssp.dll is already in that registry key), it adds it again. So the value ends up being "credssp.dll, credssp.dll". Not a problem?

Chris said...

Makes no sense to do this on Windows 7, since it is already enabled. This blog entry was specifically for Windows XP.