Friday, July 31, 2015

RDP Client Not Authenticating to RD Gateway & NTLM Settings

Here's a particularly troublesome error you might run across if utilizing RD Gateway to provide external access to your RDS 2012 R2 environment.

The Error

A user cannot connect to RDS applications and/or Virtual Desktops through RD Gateway. While trying to connect, the user receives an error message stating “Your computer can’t connect to the remote computer because an error occurred on the remote computer that you want to connect to. Contact your network administrator for assistance.”

Error message seen by the user

The Symptoms

While looking in the RD Gateway logs (Microsoft-Windows-TerminalServices-Gateway/Operational), you can see incoming connection requests, indicated by event IDs 312 and 313, but the connection never authenticates successfully (there is no event ID 200 for the user). After the initial connection request, nothing else happens; the connection just seems to disappear.
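To spot this pattern without scrolling through Event Viewer, the following PowerShell script (an added example, not part of the original post) reads the same Operational log on the RD Gateway server and reports users who produced 312/313 connection requests in the chosen window but never got an event 200. It assumes the user name is the first double-quoted string in each event's message text, which is how these events read on 2012 R2, and it is run from an elevated prompt on the gateway itself.

```powershell
# Added example (not from the original post): find RD Gateway connection
# attempts (events 312/313) that never reached authentication success (event 200).
# Run elevated on the RD Gateway server.
param(
    [int]$Hours = 24
)

$log   = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
$since = (Get-Date).AddHours(-$Hours)

# Only the three event IDs the symptom description cares about.
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 200, 312, 313; StartTime = $since } `
                       -ErrorAction SilentlyContinue

function Get-EventUser {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Assumption: the user ("DOMAIN\user") is the first quoted value in the message text.
    if ($Event.Message -match '"([^"]+)"') { return $Matches[1] }
    return '<unknown>'
}

$byUser = $events | Group-Object { Get-EventUser $_ }

foreach ($group in $byUser) {
    $requests   = @($group.Group | Where-Object { $_.Id -in 312, 313 }).Count
    $authorized = @($group.Group | Where-Object { $_.Id -eq 200 }).Count

    if ($requests -gt 0 -and $authorized -eq 0) {
        # Exactly the symptom in the post: requests arrive, no 200 ever follows.
        Write-Warning ("{0}: {1} connection request(s) since {2}, none authenticated. Check LMCompatibilityLevel on that user's client." -f $group.Name, $requests, $since)
    }
    else {
        Write-Host ("{0}: {1} request(s), {2} authenticated." -f $group.Name, $requests, $authorized)
    }
}
```

Run it as `.\Find-UnauthenticatedGatewayUsers.ps1 -Hours 48` to widen the window. A user who shows up only in the warning branch is the one to check on the client side.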

The Fix

RD Gateway utilizes NTLM to authenticate user connections. NTLMv2 is used by default with Windows Server 2012 R2. It is possible the user has disabled the NTLMv2 authentication protocol on their machine.

To check this on the client machine, open regedit and browse to HKLM\SYSTEM\CurrentControlSet\Control\Lsa and look for a DWORD value called LMCompatibilityLevel. If LMCompatibilityLevel is present and set to any value below 3, the user will fail to authenticate to the RD Gateway server. Instruct the user to either change the value to 3 or delete the DWORD entirely, then reboot the computer and try again.

The culprit - LMCompatibilityLevel

By default, the LMCompatibilityLevel DWORD does not exist on Windows 7 and above. However, companies often set LMCompatibilityLevel to use only NTLMv1 through a login script or Group Policy, most likely for compatibility with legacy applications.
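The registry check and fix described above, as an added PowerShell example (not from the original post). It reads LMCompatibilityLevel from the Lsa key, explains what the current level means, and, only when run with -Repair, sets it to 3. It assumes an elevated prompt on the affected client; the level descriptions in the table are the standard meanings of the "LAN Manager authentication level" security option.

```powershell
# Added example (not from the original post): audit and optionally repair
# LMCompatibilityLevel on a client that fails RD Gateway authentication.
# Run elevated on the client. Use -Repair to set the value to 3; -WhatIf previews it.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Repair
)

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$name   = 'LMCompatibilityLevel'

# Meaning of each level, per the "LAN Manager authentication level" security option.
$meaning = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM'
}

$current = (Get-ItemProperty -Path $lsaKey -Name $name -ErrorAction SilentlyContinue).$name

if ($null -eq $current) {
    Write-Host "$name is not set; the OS default applies (NTLMv2 on Windows 7 and later). No change needed."
}
elseif ($current -ge 3) {
    Write-Host ("{0} = {1} ({2}); the client sends NTLMv2, so RD Gateway authentication should succeed." -f $name, $current, $meaning[[int]$current])
}
else {
    Write-Warning ("{0} = {1} ({2}); the client never sends NTLMv2 and will fail RD Gateway authentication." -f $name, $current, $meaning[[int]$current])
    if ($Repair -and $PSCmdlet.ShouldProcess("$lsaKey\$name", 'Set to 3')) {
        Set-ItemProperty -Path $lsaKey -Name $name -Value 3 -Type DWord
        Write-Host 'Set to 3. Reboot the client before retrying the RD Gateway connection.'
    }
}
```

Run `.\Check-LMCompatibilityLevel.ps1` to report only, or `.\Check-LMCompatibilityLevel.ps1 -Repair` to apply the fix. If the value was put there by Group Policy, as the post notes is common, the next policy refresh will set it back, so the GPO (or login script) has to be corrected as well for the fix to stick.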

If you'd like more information about LMCompatibilityLevel and what the values mean, check out this TechNet article -