Posted on October 23, 2014 · Posted in Windows Server 2012

Windows XP RDP Clients Can’t Connect to RDS on Server 2012

Although support for Windows XP ended more than 6 months ago, many external and internal customers continue to use this OS, and it seems that nothing will change drastically in the near future :(. We recently found a problem: Windows XP RDP clients cannot connect to a newly deployed Remote Desktop Services terminal farm on Windows Server 2012.

XP users have complained about RDP client errors such as:

Because of a security error, the client could not connect to the remote computer.  Verify that you are logged on to the network, and then try reconnecting again

The remote session was disconnected because the remote computer received an invalid licensing message from this computer

The remote computer requires Network Level Authentication, which your computer does not support. For assistance, contact your system administrator or technical support.

Having searched the Microsoft documentation, we first decided to update the RDP client on the Windows XP machines. After installing RDP client 7.0 (RDP 8.0 cannot be installed on XP), the problem was solved for half of the clients. The other half still had the problem.

After studying how the RDS server works on Windows 2012, we found that by default a 2012 server requires NLA (Network Level Authentication) support; if a client doesn't support NLA, it won't be able to connect to the RDS server.

Two options follow from the above. To allow the remaining XP clients to connect to Windows Server 2012 via RDP, you have to:

  • Disable the NLA check on the servers of the Remote Desktop Services 2012 farm
  • Or enable NLA support on the XP clients

How to Disable NLA on the RDS 2012 Server

To disable mandatory use of NLA by clients, in the Server Manager console go to Remote Desktop Services -> Collections -> QuickSessionCollection, then Tasks -> Edit Properties, click Security and uncheck Allow connections only from computers running Remote Desktop with Network Level Authentication.

Of course, you need to understand that disabling NLA at the server level reduces system security and is generally not recommended. It is preferable to use the second method.

How to Enable NLA at the Level of Windows XP Client

NLA support appeared in Windows XP starting from SP3, but it is disabled by default. It is possible to enable NLA support only from the registry. To do it:

  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders, edit the SecurityProviders value by adding credssp.dll at the end (separated from the current value by a comma)
  • Then in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa add the line tspkg to the value of the Security Packages setting
  • After making these changes, restart your computer

After these actions are performed, a computer with Windows XP SP3 should easily connect to the terminal farm on Windows 2012 via rdp.
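
The two registry edits above can be scripted so that they are applied identically on every XP SP3 client and never duplicated on a second run. This is an added example, not part of the original post; it assumes PowerShell 2.0 is installed on the XP machine and that the script runs under a local administrator account.

```powershell
# Added example: enable CredSSP (NLA) support on a Windows XP SP3 client.
# Assumptions: PowerShell 2.0 is installed; the session has local admin rights.
$ErrorActionPreference = 'Stop'

$spKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$changed = $false

# SecurityProviders is a REG_SZ that holds a comma-separated list of DLLs.
$current = (Get-ItemProperty -Path $spKey -Name SecurityProviders).SecurityProviders
$dlls = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($dlls -notcontains 'credssp.dll') {
    # Append only; the existing providers keep their order.
    $dlls += 'credssp.dll'
    Set-ItemProperty -Path $spKey -Name SecurityProviders -Value ($dlls -join ', ')
    $changed = $true
}

# "Security Packages" is a REG_MULTI_SZ; PowerShell returns it as a string array.
$raw = (Get-ItemProperty -Path $lsaKey -Name 'Security Packages').'Security Packages'
$packages = @($raw | Where-Object { $_ })
if ($packages -notcontains 'tspkg') {
    $packages += 'tspkg'
    # Passing string[] keeps the value a multi-string (one package per line).
    Set-ItemProperty -Path $lsaKey -Name 'Security Packages' -Value ([string[]]$packages)
    $changed = $true
}

# Show the resulting values so they can be checked before rebooting.
'SecurityProviders : ' + (Get-ItemProperty -Path $spKey).SecurityProviders
'Security Packages : ' + ((Get-ItemProperty -Path $lsaKey).'Security Packages' -join ' | ')

if ($changed) {
    'Registry updated. Restart the computer for the change to take effect.'
} else {
    'credssp.dll and tspkg were already present. Nothing changed.'
}
```

The -notcontains comparison is case-insensitive, so an existing entry written as CredSSP.dll is also recognized and left alone.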

Tip. Along with that, another problem appeared, with printing via Easy Print. To let Windows XP computers on RDS 2012 print using Easy Print, the clients should meet the following requirements:

  • OS – Windows XP SP3 or later,
  • RDP client version – 6.1 or later
  • .NET Framework 3.5.
