Friday, July 31, 2015

RDP Client Not Authenticating to RD Gateway & NTLM Settings

Here's a particularly troublesome error you might run across if you use RD Gateway to provide external access to your RDS 2012 R2 environment.


The Error

A user cannot connect to RDS applications and/or Virtual Desktops through RD Gateway. While trying to connect, the user receives an error message stating “Your computer can’t connect to the remote computer because an error occurred on the remote computer that you want to connect to. Contact your network administrator for assistance.”

Error message seen by the user

The Symptoms

Looking in the RD Gateway log (Microsoft-Windows-TerminalServices-Gateway/Operational), you can see the incoming connection requests, indicated by event IDs 312 and 313, but the user is never authorized: there is no event ID 200 (the event that records that the user met the connection authorization policy) for that user. After the initial connection request nothing else is logged; the connection simply disappears.
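As an added example (not a script from the original post), the following PowerShell run on the RD Gateway server pulls the last day of 200/312/313 events and lists users who requested a connection but never got a 200. It assumes the event messages begin with `The user "DOMAIN\name", on client computer "x.x.x.x", ...`, which is how these events are worded in this log; the regex is the only part that depends on that assumption.

```powershell
# Added example: correlate RD Gateway connection requests (312/313) with
# authorizations (200) per user. Not code from the original post.
$log   = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
$since = (Get-Date).AddHours(-24)

# Newest events come back first.
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 200, 312, 313; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$byUser = @{}
foreach ($e in $events) {
    # Assumption: message text starts with: The user "DOMAIN\name", on client computer "addr", ...
    if ($e.Message -match 'The user "([^"]*)", on client computer "([^"]*)"') {
        $user   = $Matches[1]
        $client = $Matches[2]
        if (-not $byUser.ContainsKey($user)) {
            # First hit is the most recent event for this user.
            $byUser[$user] = [pscustomobject]@{
                User       = $user
                LastClient = $client
                LastSeen   = $e.TimeCreated
                Requested  = 0   # count of 312/313
                Authorized = 0   # count of 200
            }
        }
        if ($e.Id -eq 200) { $byUser[$user].Authorized++ } else { $byUser[$user].Requested++ }
    }
}

# Users whose requests never produced a 200 are the ones to check for LM/NTLMv1 settings.
$byUser.Values |
    Where-Object { $_.Requested -gt 0 -and $_.Authorized -eq 0 } |
    Sort-Object LastSeen -Descending |
    Format-Table User, LastClient, LastSeen, Requested, Authorized -AutoSize
```

Run it in an elevated PowerShell session on the gateway; the client address in the output tells you which workstation's LMCompatibilityLevel to inspect.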

The Fix

RD Gateway authenticates user connections with NTLM, and on Windows Server 2012 R2 it expects NTLMv2 by default. A likely cause is that NTLMv2 has been disabled on the user's machine, so the client only offers LM or NTLMv1 responses and the gateway refuses them without returning a specific error.

To check this, open regedit on the client machine, browse to HKLM\SYSTEM\CurrentControlSet\Control\Lsa and look for a DWORD value called LMCompatibilityLevel. If LMCompatibilityLevel is present and set to a value lower than 3 (0, 1 or 2), the client will send LM or NTLMv1 responses and the user will fail to authenticate to the RD Gateway server. Have the user change the value to 3 (4 or 5 also work and are stricter), or delete the DWORD entirely so the OS default applies. Then reboot the computer and try again.

The culprit - LMCompatibilityLevel

By default, the LMCompatibilityLevel DWORD does not exist on Windows 7 and later, and the effective default is 3 (send NTLMv2 only). However, companies often set LMCompatibilityLevel to 0, 1 or 2, which permits LM and NTLMv1 responses, through a login script or Group Policy (Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, "Network security: LAN Manager authentication level"). This was most likely done for compatibility with legacy applications. If the value comes from Group Policy, fix the policy rather than the registry, because the policy will re-apply the old value on the next refresh; and since LM and NTLMv1 are cryptographically weak, raising the level is the right direction regardless of the RD Gateway issue.

If you'd like more information about LMCompatibilityLevel and what the values mean, check out this TechNet article - https://technet.microsoft.com/en-us/library/cc960646.aspx.
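The check and fix above, as an added PowerShell example (not a script from the original post): it reads LMCompatibilityLevel on the client, prints what the value means, and raises it to 3 when it is lower. The value meanings are the documented ones for "Network security: LAN Manager authentication level"; the function names are my own.

```powershell
# Added example: audit and remediate the client's LM/NTLM level.
# Not code from the original post. Run elevated on the client workstation.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$name = 'LMCompatibilityLevel'

# Documented meanings of LMCompatibilityLevel (0..5).
$meaning = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # Returns $null when the value is absent (OS default applies: 3 on Windows 7 and later).
    $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $v) { return $null }
    return [int]$v
}

function Set-LmCompatibilityLevel([int]$Level) {
    if ($Level -lt 0 -or $Level -gt 5) { throw "LMCompatibilityLevel must be between 0 and 5" }
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Level -Force | Out-Null
}

$current = Get-LmCompatibilityLevel
if ($null -eq $current) {
    Write-Host "$name is not set; the OS default (NTLMv2 only) applies."
}
else {
    Write-Host ("{0} = {1} ({2})" -f $name, $current, $meaning[$current])
    if ($current -lt 3) {
        Write-Warning "Client may send LM/NTLMv1 responses, which RD Gateway refuses. Raising to 3."
        Set-LmCompatibilityLevel -Level 3
        Write-Host "Reboot the client, then retry the RD Gateway connection."
    }
}

# If Group Policy sets this value, the policy will restore it on the next refresh.
# Generate a policy report and search it for "LAN Manager authentication level":
#   gpresult /h "$env:TEMP\gpresult.html"
```

The script deliberately raises the level instead of deleting the value: deleting only restores the default, while an explicit 3 survives an accidental lower default and documents the intent.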

4 comments:

  1. Thank you so much, I think this is what I've been stuck on for a client.

    I would add that this may be configured in the following GP setting:

    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
    Network security: LAN Manager authentication level

    See here for further info:
    https://technet.microsoft.com/en-us/library/jj852207(v=ws.11).aspx

  2. Hi everyone, I had this error for months, and finally a correct answer. I could not delete it, but we created a .BAT that runs when Windows initializes. Thank you

  3. Hi,

    I applied the above-mentioned fix on my 2016 RDS gateway; it did not work for me. I checked the registry key: in 2016 we have a key "lmcompatibilitylevel" DWORD set to 3. Does this key cause the issue on the 2016 RDS server? I am still getting event ID 312 on the 2016 RDS gateway server. Any thoughts? Please share.

    Replies
    1. Did you solve this issue? I'm having the same problem.
