Windows 2008 Network Level Authentication

[Guest Doug Murphy]

Ok, I have read all the threads about CredSSP and XP clients, and have even

tested the change sucessfully. My issue is a little broader, however:

 

I have 4,000+ users, with a mix of XP and Vista (probably) that need to

access , consistently, a 4 server farm that consists of 2 physical servers

and 2 VMs under Hyper-V (these are on another server). All 4 are Windows

Server 2008. This is working just fine using a CoyotePoint Equalizer as a

hardware load balancer. However, these servers are in a Windows 2003 domain,

and we have no plans to change that in the near future. I have no control

over the bulk of the remote users, as they are home systems or belong to

another, allied organization in which I have minimal influence. In esssence,

there is no way that I'm going to be able to dictate that CredSSP and RDP

v6.0 be installed on all these remote systems.

 

My problem is this: I want to TURN OFF Network Level Authentication for

all 4 of these Terminal Servers. Simple, right? Agreed, but the setting in

the GPO:

Computer Configuration

- Administrative Templates

- Windows Components

- Terminal Services

- Terminal Server

- Security

 

"Require user authentication for remote connections by using Network Level

Authentication"

 

will not remain persisitently Disabled or Not Configured. After every

re-boot, the setting reverts to Enabled. This is extraorinarily frustrating

as users who could connect yesterday, cannot connect today due to a Critical

Updates session re-boot, unless we manually go in and reset the GPO to

Disabled.

 

Is there something else I can do to get this setting to remain persistently

OFF??

 

Thx,

Doug Murphy

[Guest Ramasamy Pullappan [MSFT]]

Re: Windows 2008 Network Level Authentication

 

Is it possible that there is a DC level policy setting that is causing this

behavior?

This seems to be more of DC/GP behavior than TS.

-ram.

 

--

This posting is provided "AS IS" with no warranties, and confers no rights.

 

"Doug Murphy" <DougMurphy@discussions.microsoft.com> wrote in message

news:40769291-D73A-4727-B652-184E4D2DDD61@microsoft.com...

> Ok, I have read all the threads about CredSSP and XP clients, and have

> even

> tested the change sucessfully. My issue is a little broader, however:

>

> I have 4,000+ users, with a mix of XP and Vista (probably) that need to

> access , consistently, a 4 server farm that consists of 2 physical servers

> and 2 VMs under Hyper-V (these are on another server). All 4 are Windows

> Server 2008. This is working just fine using a CoyotePoint Equalizer as a

> hardware load balancer. However, these servers are in a Windows 2003

> domain,

> and we have no plans to change that in the near future. I have no control

> over the bulk of the remote users, as they are home systems or belong to

> another, allied organization in which I have minimal influence. In

> esssence,

> there is no way that I'm going to be able to dictate that CredSSP and RDP

> v6.0 be installed on all these remote systems.

>

> My problem is this: I want to TURN OFF Network Level Authentication for

> all 4 of these Terminal Servers. Simple, right? Agreed, but the setting

> in

> the GPO:

> Computer Configuration

> - Administrative Templates

> - Windows Components

> - Terminal Services

> - Terminal Server

> - Security

>

> "Require user authentication for remote connections by using Network Level

> Authentication"

>

> will not remain persisitently Disabled or Not Configured. After every

> re-boot, the setting reverts to Enabled. This is extraorinarily

> frustrating

> as users who could connect yesterday, cannot connect today due to a

> Critical

> Updates session re-boot, unless we manually go in and reset the GPO to

> Disabled.

>

> Is there something else I can do to get this setting to remain

> persistently

> OFF??

>

> Thx,

> Doug Murphy

[Guest Doug Murphy]

Re: Windows 2008 Network Level Authentication

 

Agreed, it does seem that way, but the DC-level policies are all Windows

2003. I don't know of one that would affect Network level Authentication,

which, I believe, is new with Vista and Windows 2008.

 

In addition, these 4 servers are in test mode, now, and have no domain-level

GPOs linked to them, except for the default domain policy. I've hunted

through that looking for something that would trigger the re-enabling, with

no success.

 

Unless you, or someone, knows of a particular GPO that could keep

re-enabling it??

 

"Ramasamy Pullappan [MSFT]" wrote:

> Is it possible that there is a DC level policy setting that is causing this

> behavior?

> This seems to be more of DC/GP behavior than TS.

> -ram.

>

> --

> This posting is provided "AS IS" with no warranties, and confers no rights.

>

> "Doug Murphy" <DougMurphy@discussions.microsoft.com> wrote in message

> news:40769291-D73A-4727-B652-184E4D2DDD61@microsoft.com...

> > Ok, I have read all the threads about CredSSP and XP clients, and have

> > even

> > tested the change sucessfully. My issue is a little broader, however:

> >

> > I have 4,000+ users, with a mix of XP and Vista (probably) that need to

> > access , consistently, a 4 server farm that consists of 2 physical servers

> > and 2 VMs under Hyper-V (these are on another server). All 4 are Windows

> > Server 2008. This is working just fine using a CoyotePoint Equalizer as a

> > hardware load balancer. However, these servers are in a Windows 2003

> > domain,

> > and we have no plans to change that in the near future. I have no control

> > over the bulk of the remote users, as they are home systems or belong to

> > another, allied organization in which I have minimal influence. In

> > esssence,

> > there is no way that I'm going to be able to dictate that CredSSP and RDP

> > v6.0 be installed on all these remote systems.

> >

> > My problem is this: I want to TURN OFF Network Level Authentication for

> > all 4 of these Terminal Servers. Simple, right? Agreed, but the setting

> > in

> > the GPO:

> > Computer Configuration

> > - Administrative Templates

> > - Windows Components

> > - Terminal Services

> > - Terminal Server

> > - Security

> >

> > "Require user authentication for remote connections by using Network Level

> > Authentication"

> >

> > will not remain persisitently Disabled or Not Configured. After every

> > re-boot, the setting reverts to Enabled. This is extraorinarily

> > frustrating

> > as users who could connect yesterday, cannot connect today due to a

> > Critical

> > Updates session re-boot, unless we manually go in and reset the GPO to

> > Disabled.

> >

> > Is there something else I can do to get this setting to remain

> > persistently

> > OFF??

> >

> > Thx,

> > Doug Murphy

>

>