Microsoft Windows XP and Network Level Authentication not supported – Real Solution [Not a way around]

Thursday, April 23, 2009

Continuing the series on my experiences with the new Windows 7, I’d like to share a solution for one more annoyance artificially created by our dear beloved Microsoft.

What is Network Level Authentication?

It’s a newer and more secure way to establish an RDP connection to a remote host: the host commits fewer resources before the authentication process completes, which makes it more resilient to denial-of-service (DoS) attacks. Additional layers of encryption [TLS 1.0/FIPS 140-1&2] plus single sign-on are also a nice add-on.

Rumors had it that Windows XP Service Pack 3 would add the ability to use NLA to connect to Vista/Windows 7/Windows 2008 Server hosts, but alas, the miracle didn’t happen (almost).

Why almost? Because Microsoft did include the files required to support NLA, or more precisely its core component, the new Credential Security Support Provider (CredSSP) protocol, but “forgot” to enable it by default.

Luckily they left a back door open to enable CredSSP on XP SP3, but it’s a bit tricky as it involves tweaking the Windows Registry.

To enable NLA on XP machines, first install Windows XP SP3, then edit the registry on the XP client machine to allow NLA.

Steps to Configure Network Level Authentication:

1. Click Start, click Run, type regedit, and then press ENTER.
2. In the navigation pane, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. In the details pane, right-click Security Packages, and then click Modify.
4. In the Value data box, type tspkg on a new line. Leave any data that is specific to other SSPs, and then click OK.
5. In the navigation pane, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
6. In the details pane, right-click SecurityProviders, and then click Modify.
7. In the Value data box, type credssp.dll, separated from the last existing entry by a comma. Leave any data that is specific to other SSPs, and then click OK.
8. Exit Registry Editor.
9. Restart the computer.

Now when you run Remote Desktop you will notice that Network Level Authentication is supported. To check this, right-click the top left-hand corner of a Remote Desktop session and choose Help > About.
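The same nine steps as a script, added here as an example rather than anything from the original post: it reads both values, appends tspkg and credssp.dll only if they are missing (so it is safe to re-run), and keeps a backup of both keys. It assumes an elevated PowerShell session on the XP SP3 client; the function and file names are my own.

```powershell
# Added example: apply the two registry edits for CredSSP idempotently.
# Assumes an elevated PowerShell prompt on the XP SP3 client; reboot afterwards.
$LsaKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ProviderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'

function Get-CredSspState {
    # 'Security Packages' is REG_MULTI_SZ (one entry per line in regedit);
    # 'SecurityProviders' is a single comma-separated REG_SZ string.
    $packages  = @((Get-ItemProperty -Path $LsaKey -Name 'Security Packages').'Security Packages')
    $providers = (Get-ItemProperty -Path $ProviderKey -Name 'SecurityProviders').SecurityProviders
    $providerList = @($providers -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    return @{
        Packages   = $packages
        Providers  = $providerList
        HasTspkg   = ($packages -contains 'tspkg')
        HasCredSsp = ($providerList -contains 'credssp.dll')
    }
}

function Enable-CredSsp {
    $state = Get-CredSspState
    if ($state.HasTspkg -and $state.HasCredSsp) {
        Write-Host 'CredSSP is already registered; nothing to change.'
        return
    }
    # Back up both keys first so the change can be reverted with "reg import".
    foreach ($k in 'Lsa', 'SecurityProviders') {
        $backup = Join-Path $env:TEMP "$k-backup.reg"
        & reg.exe export "HKLM\SYSTEM\CurrentControlSet\Control\$k" $backup /y | Out-Null
    }
    if (-not $state.HasTspkg) {
        # Step 4: add tspkg as a new line, keeping the existing SSP entries.
        Set-ItemProperty -Path $LsaKey -Name 'Security Packages' -Type MultiString `
            -Value ($state.Packages + 'tspkg')
    }
    if (-not $state.HasCredSsp) {
        # Step 7: append credssp.dll after a comma, keeping the existing providers.
        Set-ItemProperty -Path $ProviderKey -Name 'SecurityProviders' -Type String `
            -Value (($state.Providers + 'credssp.dll') -join ', ')
    }
    Write-Host 'CredSSP registered. Restart the computer to load it (step 9).'
}

Enable-CredSsp
```

Run Get-CredSspState on its own after the reboot to confirm both flags read True before checking Help > About in the Remote Desktop client.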

More info here and here