Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu

 Windows OS Hub / Windows XP / Windows XP Can’t RDP to Windows 10 / Server 2012R2/2016 RDS

August 7, 2018 Windows 10Windows Server 2012 R2Windows Server 2016Windows XP

Windows XP Can’t RDP to Windows 10 / Server 2012R2/2016 RDS

Despite the fact that the Windows XP OS support is over 4 years ago, many customers continue to use this OS, and it seems that nothing will drastically change in the nearest future :(. Recently I found a problem: Windows XP RDP clients cannot connect through the remote desktop to the newly deployed Remote Desktop Services farm on Windows Server 2012 R2. A similar problem occurs when connecting over RDP from Windows XP to Windows 10 1803.

Contents:
  • Unable To Connect Remote Desktop from Windows XP to Windows Server 2016/2012R2 and Windows 10
  • Disabling RDP Network Level Authentication (NLA) on RDS Windows Server 2016/2012 R2
  • Enabling NLA on Windows XP SP3 Clients

Unable To Connect Remote Desktop from Windows XP to Windows Server 2016/2012R2 and Windows 10

Windows XP users have complained about such RDP client errors as:

Because of a security error, the client could not connect to the remote computer.  Verify that you are logged on to the network, and then try reconnecting again
The remote session was disconnected because the remote computer received an invalid licensing message from this computer
The remote computer requires Network Level Authentication, which your computer does not support. For assistance, contact your system administrator or technical support.

The remote computer requires Network Level Authentication, which your computer does not support.

To resolve this issue, verify if the latest version of the RDP client is installed on computers running Windows XP. Currently, the maximum version of RDP client that can be installed on Windows XP is RDP 7.0  (KB969084 – https://blogs.msdn.microsoft.com/scstr/2012/03/16/download-remote-desktop-client-rdc-7-0-or-7-1-download-remote-desktop-protocol-rdp-7-0-or-7-1/). You can install this update only on Windows XP SP3. Installing RDP client version 8.0 or later is not supported on Windows XP. The problem was solved after installing this update for a half of the XP clients. The second half of the clients were still facing the issue….

Disabling RDP Network Level Authentication (NLA) on RDS Windows Server 2016/2012 R2

After studying the issues of RDS server based on Windows 2012 R2, we have found that Windows Server 2012 (and higher) requires mandatory support of NLA (Network Level Authentication). If the client doesn’t support NLA, it won’t be able to connect to the RDS server. Similarly, NLA is enabled by default when you turn on the Remote Desktop in Windows 10.

There are two conclusions from the above – to allow the rest WinXP clients to connect to the RDS farm on Windows Server 2016/2012 R2 or Windows 10 via RDP, you have to:

  • Disable the NLA check on the servers of the Remote Desktop Services 2012 R2/2016 farm or in Windows 10 workstation;
  • Or enable NLA support on the Windows XP clients.

To disable mandatory use of NLA by clients on Windows Server 2012 R2 RDS, open the Server Manager console and go to Remote Desktop Services -> Collections -> QuickSessionCollection, then select Tasks -> Edit Properties, click Security and uncheck Allow connections only from computers running Remote Desktop with Network Level Authentication.

disable nla on windows server 2012 r2 RDS

On Windows 10 you can disable Network Level Authentication in the system properties (System -> Remote Settings). Uncheck “Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)”.

windows 10 disable nla

Of course, you need to understand that disabling NLA at the server level reduces the system security and generally is not recommended. It is preferable to use the second method.

Enabling NLA on Windows XP SP3 Clients

You need to install Service Pack 3 on Windows XP to work correctly as an RDP client. If not, you must download and install this update. Service Pack 3 is a mandatory requirement for upgrading the RDP client from version 6.1 to 7.0 and supporting all the necessary components, including the Credential Security Service Provider (CredSS), which is described below.

Without CredSSP and NLA support for RDP connection from Windows XP to new versions of Windows, there will be an error:

An authentication error has occurred, 0x80090327

win xp An authentication error has occurred, Code: 0x80090327

NLA support appeared in Windows XP starting from SP3, but it is disabled by default. You can enable NLA and CredSSP authentication support only through the registry. To do it:

  • In the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders edit the value of SecurityProviders attribute by adding credssp.dll at the end (separated from its current value by comma); windows xp NLA Support SecurityProviders key
  • Then in key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa add the line tspkg to the value of Security Packages attribute;tspkg on windows xp
  • After making these changes, restart your computer.

After these actions are performed, a computer with Windows XP SP3 should easily connect to the terminal farm on Windows Server 2016 / 2012 or to the Windows via the Remote Desktop. However, you can’t save the password for RDP connection on the Windows XP client (you must enter the password every time you connect).

Tip. Alongside with that, there appeared another problem with printing via Easy Print. To let Windows XP computers on RDS 2012 print using Easy Print, the clients should meet the following requirements:

  • OS – Windows XP SP3 or later;
  • RDP client version – 6.1 or later;
  • .NET Framework 3.5 (How to check which version of .Net Framework is installed).

Error: CredSSP Encryption Oracle Remediation

In 2018, a serious vulnerability was found in the CredSSP protocol (CVE-2018-0886 bulletin), which was fixed in Microsoft security updates. In May 2018, Microsoft released an additional update that forbids clients to connect to RDP computers and servers with a vulnerable version of CredSSP (see the article: https://woshub.com/unable-connect-rdp-credssp-encryption-oracle-remediation/). After installing this update when you connect to RDP to remote computers without this update, you receive an error: An authentication error has occurred. The function requested is not supported.

Due to the fact that Microsoft doesn’t release security updates for Windows XP and Windows Server 2003, you won’t be able to connect to supported Windows versions from these outdated operating systems.

To enable RDP connections from Windows XP to the updated Windows 10/8.1/7 and Windows Server 2012/2012 R2/2012/2008 R2, you must enable the Encryption Oracle Remediation policy on the side of the RDP server (Computer Configuration -> Administrative Templates -> System -> Credentials Delegation). Change the policy value to Mitigated, which is not safe as you understand.

Tip. For Windows XP (the supported version called Windows Embedded POSReady 2009) there is a separate update for the CredSSP remote code execution vulnerability – https://support.microsoft.com/en-us/help/4056564/security-update-for-vulnerabilities-in-windows-server-2008 (WindowsXP-KB4056564-x86-Embedded-ENU.exe) and in theory it is possible to install updates for Embedded POSReady on the regular version of Windows XP x86 and on Windows Server 2003.

 

 

6 comments
1
Facebook Twitter Google + Pinterest
previous post
Replacing a Failed Physical Disk in Storage Spaces Direct on Windows Server 2016
next post
How to Install Hyper-V Role in Windows 10 VM under VMWare ESXi

Related Reading

Configure User’s Folder Redirection with Group Policy

February 3, 2023

Disable Built-in PDF Viewer in Microsoft Edge

February 3, 2023

Join a Windows Computer to an Active Directory...

February 2, 2023

Using Previous Command History in PowerShell Console

January 31, 2023

How to Install the PowerShell Active Directory Module...

January 31, 2023

6 comments

ali August 10, 2016 - 3:14 pm

i didnt find SecurityProviders  in the registry directory

Reply
admin August 11, 2016 - 8:32 am

Check registry path again or try create it manually

Reply
_ January 7, 2017 - 10:29 am

Thanks.

Reply
Marco January 16, 2017 - 6:45 pm

Great! TNX a lot!!!!

Reply
May August 12, 2017 - 7:54 am

Brilliant! Worked for me, so thanks a million !

Reply
Pierre October 19, 2019 - 4:42 pm

Thak you so much for sharing – it works !

Reply

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • PowerShell
  • VMWare
  • Hyper-V
  • Linux
  • MS Office

Recent Posts

  • Configure User’s Folder Redirection with Group Policy

    February 3, 2023
  • Using Previous Command History in PowerShell Console

    January 31, 2023
  • How to Install the PowerShell Active Directory Module and Manage AD?

    January 31, 2023
  • Finding Duplicate E-mail (SMTP) Addresses in Exchange

    January 27, 2023
  • How to Delete Old User Profiles in Windows?

    January 25, 2023
  • How to Install Free VMware Hypervisor (ESXi)?

    January 24, 2023
  • How to Enable TLS 1.2 on Windows?

    January 18, 2023
  • Allow or Prevent Non-Admin Users from Reboot/Shutdown Windows

    January 17, 2023
  • Fix: Can’t Extend Volume in Windows

    January 12, 2023
  • Wi-Fi (Internet) Disconnects After Sleep or Hibernation on Windows 10/11

    January 11, 2023

Follow us

woshub.com
  • Facebook
  • Twitter
  • RSS
Popular Posts
  • Booting Windows 7 / 10 from GPT Disk on BIOS (non-UEFI) systems
  • Error Code: 0x80070035 “The Network Path was not found” after Windows 10 Update
  • Removable USB Flash Drive as Local HDD in Windows 10 / 7
  • How to Disable UAC Prompt for Specific Applications in Windows 10?
  • How to increase KMS current count (count is insufficient)
  • Managing Printers and Drivers with PowerShell in Windows 10 / Server 2016
  • Managing Printers from the Command Prompt in Windows 10 / 8.1
Footer Logo

@2014 - 2023 - Windows OS Hub. All about operating systems for sysadmins


Back To Top