Guest Doug Murphy
Posted October 17, 2008

Ok, I have read all the threads about CredSSP and XP clients, and have even tested the change successfully. My issue is a little broader, however:

I have 4,000+ users, with a mix of XP and Vista (probably) that need to access, consistently, a 4 server farm that consists of 2 physical servers and 2 VMs under Hyper-V (these are on another server). All 4 are Windows Server 2008. This is working just fine using a CoyotePoint Equalizer as a hardware load balancer. However, these servers are in a Windows 2003 domain, and we have no plans to change that in the near future. I have no control over the bulk of the remote users, as they are home systems or belong to another, allied organization in which I have minimal influence. In essence, there is no way that I'm going to be able to dictate that CredSSP and RDP v6.0 be installed on all these remote systems.

My problem is this: I want to TURN OFF Network Level Authentication for all 4 of these Terminal Servers. Simple, right? Agreed, but the setting in the GPO:

Computer Configuration
- Administrative Templates
- Windows Components
- Terminal Services
- Terminal Server
- Security

"Require user authentication for remote connections by using Network Level Authentication"

will not remain persistently Disabled or Not Configured. After every re-boot, the setting reverts to Enabled. This is extraordinarily frustrating as users who could connect yesterday, cannot connect today due to a Critical Updates session re-boot, unless we manually go in and reset the GPO to Disabled.

Is there something else I can do to get this setting to remain persistently OFF??

Thx,
Doug Murphy

Guest Ramasamy Pullappan [MSFT]
Posted October 22, 2008

Re: Windows 2008 Network Level Authentication

Is it possible that there is a DC level policy setting that is causing this behavior?
This seems to be more of DC/GP behavior than TS.

-ram.

--
This posting is provided "AS IS" with no warranties, and confers no rights.

Guest Doug Murphy
Posted October 22, 2008

Re: Windows 2008 Network Level Authentication

Agreed, it does seem that way, but the DC-level policies are all Windows 2003. I don't know of one that would affect Network Level Authentication, which, I believe, is new with Vista and Windows 2008. In addition, these 4 servers are in test mode, now, and have no domain-level GPOs linked to them, except for the default domain policy. I've hunted through that looking for something that would trigger the re-enabling, with no success.

Unless you, or someone, knows of a particular GPO that could keep re-enabling it??
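
One way to check the policy-versus-local question raised in this thread on each terminal server, added here as an example and not part of any post above: the script reads the `UserAuthentication` value from the policy registry key and from the RDP-Tcp listener key, reports which one decides the NLA requirement, appends a timestamped line for comparison across reboots, and writes a computer-scope RSoP report. The log and report file names are assumptions made for this example.

```powershell
# Added diagnostic example, not from the thread. Run elevated on each terminal server.
# Policy-managed copy of the setting (written when a local or domain GPO configures it):
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
# The listener's own copy (used when no policy configures the setting):
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
# Assumption: output locations chosen for this example.
$logFile   = Join-Path $env:TEMP 'nla-state.log'
$rsopFile  = Join-Path $env:TEMP "rsop-$env:COMPUTERNAME.html"

function Get-NlaValue([string]$Path) {
    # Returns the UserAuthentication DWORD (1 = NLA required, 0 = not required),
    # or $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name UserAuthentication -ErrorAction SilentlyContinue
    if ($item) { $item.UserAuthentication } else { $null }
}

function Get-NlaState {
    $policy = Get-NlaValue $policyKey
    $local  = Get-NlaValue $localKey
    # A value under the Policies key takes precedence over the listener value.
    if ($null -ne $policy)    { $effective = $policy; $source = 'policy key' }
    elseif ($null -ne $local) { $effective = $local;  $source = 'listener key' }
    else                      { $effective = $null;   $source = 'neither value present' }
    $os = Get-WmiObject Win32_OperatingSystem
    New-Object PSObject -Property @{
        Time          = Get-Date
        LastBoot      = $os.ConvertToDateTime($os.LastBootUpTime)
        PolicyValue   = $policy
        ListenerValue = $local
        NlaRequired   = if ($null -ne $effective) { [bool]$effective } else { $null }
        DecidedBy     = $source
    }
}

$state = Get-NlaState
$state | Format-List Time, LastBoot, PolicyValue, ListenerValue, NlaRequired, DecidedBy

# One line per run, so the value before and after a reboot can be compared.
$line = '{0:s} boot={1:s} policy={2} listener={3} required={4} by={5}' -f `
    $state.Time, $state.LastBoot, $state.PolicyValue, $state.ListenerValue,
    $state.NlaRequired, $state.DecidedBy
Add-Content -Path $logFile -Value $line

# Computer-scope Resultant Set of Policy report; it lists the GPO that supplied each setting.
gpresult /scope computer /f /h $rsopFile
```

Run it before a reboot, again after the reboot, and once more after `gpupdate /force`. If `PolicyValue` is 1 after the reboot, the RSoP report names the GPO that set it; if it is absent and `ListenerValue` changed, the change did not come through Group Policy.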