Thursday, March 16, 2017

The Tyranny of Network Level Authentication and CredSSP

The Tyranny of Network Level Authentication and CredSSP

“My password is expired so I can’t login, but I need to RDP in to change my password!”, is the cry we constantly hear.

This happens when your users login to their local machine using one account, but need to RDP into to a machine using another account in a different domain.  This is often because the systems they need to work on are in a different domain in order to segment access.  Think Corp creds for email and HR vs prod creds for the company’s web sites.

NLA is not really a security control, it simply changes when you authenticate.  With NLA on, you authenticate (using CredSSP) before getting the remote session and GUI. This is designed to reduce the load on the server.  This however removes a user’s access to the login GUI where then can change their password at login.

Everything you are likely to find on this issue will tell you that the issue in Network Level Access (NLA) being required for RDP. NLA is not supposed to be required by default, but I have seen and heard that it often turns on on domain join.  I have seen this even though there was no GPO setting it. (We are both wrong, but I’ll get back to that later) This could be related to all sorts of build and domain join automation. If you have the issue, why is not particularly important. You will just need to go and set the GPO or edit the registry on the machine or via GUI.  


“Mark, I made the change, but I still can’t get in!!”  That’s right, you can’t. NLA probably wasn’t even turned on.  As I mentioned above, we were wrong. So why can’t we login and change our passwords‽  We can’t change our passwords because most RDP clients, such as mstsc.exe or rdcman.exe, just assume NLA is on and try to authenticate you first anyway.  This fails and you are kept out.

You need to tell your client not to use CredSSP for your connection. If you are implementing your own RDP client via the activeX library MsTscAx.dll, set EnableCredSspSupport to false.

One caveat is that there is no way to send the password anymore, say from your local cred manager or a password management tool.  You will have to type the old password once and the new password twice, so it’s a bit of a pain. 

Don’t let your password expire…

The Tyranny of Network Level Authentication and CredSSP

 

3 comments:

Anonymous said...

What if I break my hand and can't type my password the same way twice? What if I don't break my hand and can't type my password the same way twice? What if I break your hand and then you type my password once, but I type my password the second time the normal way?

Xoco said...

Add this line to a .rdp file and try again:

enablecredsspsupport:i:0

Clint Glazner said...

Where can I find a .rdp file?

Inputting falsified referrals to this site violates the terms of service of this site and is considered unauthorized access (hacking).