Windows 2008 Network Level Authentication

Doug Murphy

Ok, I have read all the threads about CredSSP and XP clients, and have even
tested the change successfully. My issue is a little broader, however:

I have 4,000+ users, with a mix of XP and Vista (probably) that need to
access, consistently, a 4 server farm that consists of 2 physical servers
and 2 VMs under Hyper-V (these are on another server). All 4 are Windows
Server 2008. This is working just fine using a CoyotePoint Equalizer as a
hardware load balancer. However, these servers are in a Windows 2003 domain,
and we have no plans to change that in the near future. I have no control
over the bulk of the remote users, as they are home systems or belong to
another, allied organization in which I have minimal influence. In essence,
there is no way that I'm going to be able to dictate that CredSSP and RDP
v6.0 be installed on all these remote systems.

My problem is this: I want to TURN OFF Network Level Authentication for
all 4 of these Terminal Servers. Simple, right? Agreed, but the setting in
the GPO:
Computer Configuration
- Administrative Templates
- Windows Components
- Terminal Services
- Terminal Server
- Security

"Require user authentication for remote connections by using Network Level
Authentication"

will not remain persistently Disabled or Not Configured. After every
re-boot, the setting reverts to Enabled. This is extraordinarily frustrating
as users who could connect yesterday, cannot connect today due to a Critical
Updates session re-boot, unless we manually go in and reset the GPO to
Disabled.

Is there something else I can do to get this setting to remain persistently
OFF??

Thx,
Doug Murphy
 
Re: Windows 2008 Network Level Authentication

Is it possible that there is a DC level policy setting that is causing this
behavior?
This seems to be more of DC/GP behavior than TS.
-ram.

--
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Re: Windows 2008 Network Level Authentication

Agreed, it does seem that way, but the DC-level policies are all Windows
2003. I don't know of one that would affect Network level Authentication,
which, I believe, is new with Vista and Windows 2008.

In addition, these 4 servers are in test mode, now, and have no domain-level
GPOs linked to them, except for the default domain policy. I've hunted
through that looking for something that would trigger the re-enabling, with
no success.

Unless you, or someone, knows of a particular GPO that could keep
re-enabling it??

"Ramasamy Pullappan [MSFT]" wrote:

> Is it possible that there is a DC level policy setting that is causing this
> behavior?
> This seems to be more of DC/GP behavior than TS.
> -ram.
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
 
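A diagnostic for the question this thread leaves open, added here as an example and not posted by any participant: it reads the NLA value from both the Group Policy registry location and the RDP-Tcp listener, reports which one is in effect, and searches the computer's Resultant Set of Policy for the GPO that wrote it. It assumes an elevated PowerShell 2.0 or later session on the terminal server; `Get-NlaValue` is a hypothetical helper name.

```powershell
# Added example, not from the thread. Run elevated on each terminal server,
# once before and once after a reboot, and compare the output.
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Hypothetical helper: read the UserAuthentication DWORD (1 = NLA required).
function Get-NlaValue {
    param([string]$Key, [string]$Source)
    $state = 'NotConfigured'
    $raw   = $null
    $item  = Get-ItemProperty -Path $Key -Name UserAuthentication -ErrorAction SilentlyContinue
    if ($item) {
        $raw = $item.UserAuthentication
        if ($raw -eq 1) { $state = 'NlaRequired' } else { $state = 'NlaNotRequired' }
    }
    New-Object PSObject -Property @{ Source = $Source; Raw = $raw; State = $state }
}

$policy   = Get-NlaValue $policyKey   'Group Policy'
$listener = Get-NlaValue $listenerKey 'RDP-Tcp listener'
$policy, $listener | Format-Table Source, Raw, State -AutoSize

# A value under the Policies key takes precedence over the listener's own setting.
if ($policy.State -eq 'NotConfigured') { $effective = $listener } else { $effective = $policy }
"{0}  Effective: {1} (from {2})" -f (Get-Date -Format s), $effective.State, $effective.Source

# Resultant Set of Policy for the computer: the lines around the match name
# the GPO (local or domain) that set the value, if any policy did.
gpresult /scope computer /v | Select-String -Pattern 'UserAuthentication' -Context 3,3
```

If the Group Policy row shows `NlaRequired` after a reboot, the `gpresult` match identifies the policy object responsible; if only the listener row changes, the value is being rewritten outside Group Policy.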