Kaseya Community

LiveConnect - Remote Desktop Protocol using Network Level Authentication

  • Greetings and Salutations!

    I am hoping that someone can shed some light on this subject as I was unable to find an answer after searching the forums and the knowledge base. Our company is PCI Compliant and part of the compliance requirements is to use Remote Desktop with Network Level Authentication (RDP w/ NLA). When attempting to connect to any Windows 7 workstation through RDP w/NLA we receive the following error in LiveConnect:

    This error occurs whether I try to utilize the RDP Connection in LiveConnect inside or outside our network. If I disable the NLA requirement from RDP then the issue ceases.

    RDP w/ NLA works outside of LiveConnect, so the issue resides in the LiveConnect program.

    Thoughts?

    Environment: Kaseya Server Version: 6.2.0.0, Level 2237
    Kaseya Host Server OS: Windows Server 2008 R2, Service Pack 1

  • I apologize that the image of the error didn't post.  Here is the message received within the LiveConnect program:

    An internal error has occurred.

  • Kaseya, any ideas on when this is resolved? It's been quite a while now, and working around manually is a pain. This is a pretty basic request.

    This also occurs when using remote control in the normal way.

  • I could be wrong but there is really nothing that Kaseya can do other than to check if NLA is enabled and to disable it and re-enable it once the remote session is complete.

    If I'm wrong and you have a better understanding of NLA and how you could make it work, feel free to share.


    So the simple solution is to publish an enable and disable NLA agent procedure under KLC that you can run when you notice that NLA is blocking your RDP session. (I do the same thing for enabling RDP connectivity)

    Below is a sample script I wrote a while back that can deal with this issue; just duplicate the script below, rename it, and change the #UserAuth# variable value to 1.


    <?xml version="1.0" encoding="utf-8"?>
    <ScriptExport xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://www.kaseya.com/vsa/2008/12/Scripting">
      <Procedure name="RDP Network Level Authentication (Disable)" treePres="3" id="551899311" folderId="79212332565323711844324329">
        <Body description="Description: Disables RDP Network Level Authentication on the target machine. Will only execute on Windows 2008 Servers.&#xA;Type: Configuration&#xA;Created by: HardKnoX (19/03/2012)&#xA;Updated by:">
          <Statement description="Create a named procedure variable and assign a value retrieved from the managed machine by the agent." name="GetVariable" continueOnFail="false">
            <Parameter xsi:type="EnumParameter" name="VariableType" value="ConstantValue" />
            <Parameter xsi:type="StringParameter" name="SourceContent" value="0" />
            <Parameter xsi:type="StringParameter" name="VariableName" value="UserAuth" />
          </Statement>
          <Statement description="Create a named procedure variable and assign a value retrieved from the managed machine by the agent." name="GetVariable" continueOnFail="false">
            <Parameter xsi:type="EnumParameter" name="VariableType" value="ConstantValue" />
            <Parameter xsi:type="StringParameter" name="SourceContent" value="FALSE" />
            <Parameter xsi:type="StringParameter" name="VariableName" value="OSCheck" />
          </Statement>
          <Statement description="Create a named procedure variable and assign a value retrieved from the managed machine by the agent." name="GetVariable" continueOnFail="false" osType="2008">
            <Parameter xsi:type="EnumParameter" name="VariableType" value="ConstantValue" />
            <Parameter xsi:type="StringParameter" name="SourceContent" value="TRUE" />
            <Parameter xsi:type="StringParameter" name="VariableName" value="OSCheck" />
          </Statement>
          <If description="">
            <Condition name="CheckVariable">
              <Parameter xsi:type="StringParameter" name="VariableName" value="#OSCheck#" />
              <Parameter xsi:type="EnumParameter" name="Condition" value="Contains" />
              <Parameter xsi:type="StringParameter" name="Value" value="TRUE" />
            </Condition>
            <Then>
              <If description="">
                <Condition name="Windows 32 or 64 Bit Check">
                  <Parameter xsi:type="EnumParameter" name="Condition" value="NotExists" />
                  <Parameter xsi:type="StringParameter" name="Value" value="" />
                </Condition>
                <Then>
                  <Statement description="Set the specified registry value - Regedit displays keys as folders and values as documents." name="SetRegistryValue" continueOnFail="false" osType="NT4|2000|XP|2003|Vista|2008">
                    <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication" />
                    <Parameter xsi:type="StringParameter" name="Value" value="#UserAuth#" />
                    <Parameter xsi:type="EnumParameter" name="DataType" value="Integer" />
                  </Statement>
                  <If description="">
                    <Condition name="CheckRegistryValue">
                      <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication" />
                      <Parameter xsi:type="EnumParameter" name="Condition" value="Equals" />
                      <Parameter xsi:type="StringParameter" name="Value" value="#UserAuth#" />
                    </Condition>
                    <Then>
                      <Statement description="Write an Entry into the Procedure Log" name="WriteScriptLogEntry" continueOnFail="false">
                        <Parameter xsi:type="StringParameter" name="Comment" value="LOG: NLA UserAuthentication to #UserAuth#, Agent Procedure Successful!" />
                      </Statement>
                    </Then>
                    <Else>
                      <Statement description="Write an Entry into the Procedure Log" name="WriteScriptLogEntry" continueOnFail="false">
                        <Parameter xsi:type="StringParameter" name="Comment" value="ERROR LOG: Failed to set NLA UserAuthentication to #UserAuth#, Agent Procedure Failed!" />
                      </Statement>
                      <Statement description="Create a named procedure variable and assign a value retrieved from the managed machine by the agent." name="GetVariable" continueOnFail="false">
                        <Parameter xsi:type="EnumParameter" name="VariableType" value="FileContent" />
                        <Parameter xsi:type="StringParameter" name="SourceContent" value="ERROR" />
                        <Parameter xsi:type="StringParameter" name="VariableName" value="ERROR" />
                      </Statement>
                    </Else>
                  </If>
                </Then>
              </If>
              <If description="">
                <Condition name="Windows 32 or 64 Bit Check">
                  <Parameter xsi:type="EnumParameter" name="Condition" value="Exists" />
                  <Parameter xsi:type="StringParameter" name="Value" value="" />
                </Condition>
                <Then>
                  <Statement description="Set the specified registry value on 64 bit systems." name="SetRegistryValue64" continueOnFail="false">
                    <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication" />
                    <Parameter xsi:type="StringParameter" name="Value" value="#UserAuth#" />
                    <Parameter xsi:type="EnumParameter" name="DataType" value="Integer" />
                  </Statement>
                  <If description="">
                    <Condition name="CheckRegistryValue64">
                      <Parameter xsi:type="StringParameter" name="RegistryPath" value="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication" />
                      <Parameter xsi:type="EnumParameter" name="Condition" value="Equals" />
                      <Parameter xsi:type="StringParameter" name="Value" value="#UserAuth#" />
                    </Condition>
                    <Then>
                      <Statement description="Write an Entry into the Procedure Log" name="WriteScriptLogEntry" continueOnFail="false">
                        <Parameter xsi:type="StringParameter" name="Comment" value="LOG: NLA UserAuthentication to #UserAuth#, Agent Procedure Successful!" />
                      </Statement>
                    </Then>
                    <Else>
                      <Statement description="Write an Entry into the Procedure Log" name="WriteScriptLogEntry" continueOnFail="false">
                        <Parameter xsi:type="StringParameter" name="Comment" value="ERROR LOG: Failed to set NLA UserAuthentication to #UserAuth#, Agent Procedure Failed!" />
                      </Statement>
                      <Statement description="Create a named procedure variable and assign a value retrieved from the managed machine by the agent." name="GetVariable" continueOnFail="false">
                        <Parameter xsi:type="EnumParameter" name="VariableType" value="FileContent" />
                        <Parameter xsi:type="StringParameter" name="SourceContent" value="ERROR" />
                        <Parameter xsi:type="StringParameter" name="VariableName" value="ERROR" />
                      </Statement>
                    </Else>
                  </If>
                </Then>
              </If>
            </Then>
            <Else>
              <Statement description="Write an Entry into the Procedure Log" name="WriteScriptLogEntry" continueOnFail="false">
                <Parameter xsi:type="StringParameter" name="Comment" value="LOG: Incompatible OS detected, skipping procedure task.... " />
              </Statement>
            </Else>
          </If>
        </Body>
      </Procedure>
    </ScriptExport>



    [edited by: HardKnoX at 11:16 AM (GMT -8) on Jan 9, 2013] bad information
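    As an added example (not part of HardKnoX's procedure and not anything Kaseya ships), the following PowerShell script audits the same UserAuthentication registry value the procedure above writes, cross-checks it against the Terminal Services WMI view, and re-enables NLA when a disable-for-RDP procedure was never reversed. It assumes Windows PowerShell run as an administrator on the managed host; the function names Get-NlaState and Restore-Nla are my own.

```powershell
# Added example, not HardKnoX's agent procedure: audit the RDP NLA setting and
# restore it to the PCI baseline (NLA required) if a disable was left in place.
# Assumes Windows PowerShell run as Administrator on the managed Windows host.
$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$Expected = 1   # 1 = NLA (CredSSP) required, 0 = NLA disabled

function Get-TsGeneralSetting {
    # Live Terminal Services view of the RDP-Tcp listener.
    Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                  -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
}

function Get-NlaState {
    # Read the value the agent procedure sets and compare it with what TS reports.
    $reg = [int](Get-ItemProperty -Path $RegPath -Name UserAuthentication).UserAuthentication
    $wmi = [int](Get-TsGeneralSetting).UserAuthenticationRequired
    [pscustomobject]@{
        Registry  = $reg
        Wmi       = $wmi
        Compliant = ($reg -eq $Expected -and $wmi -eq $Expected)
    }
}

function Restore-Nla {
    # Re-enable NLA through the supported WMI method, then re-audit so the
    # registry and the live setting are verified to agree.
    $rc = (Get-TsGeneralSetting).SetUserAuthenticationRequired($Expected).ReturnValue
    if ($rc -ne 0) { throw "SetUserAuthenticationRequired failed with code $rc" }
    Get-NlaState
}

$state = Get-NlaState
Write-Output ('NLA audit: registry={0} wmi={1} compliant={2}' -f $state.Registry, $state.Wmi, $state.Compliant)
if (-not $state.Compliant) {
    Write-Warning 'NLA is disabled or inconsistent on RDP-Tcp; re-enabling to stay within the PCI baseline.'
    $state = Restore-Nla
    Write-Output ('NLA restored: registry={0} wmi={1} compliant={2}' -f $state.Registry, $state.Wmi, $state.Compliant)
}
```

    Scheduling this as a periodic agent procedure catches hosts where the disable step ran but the matching re-enable never did.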
  • Short answer: Kaseya doesn't support NLA based RDP sessions.

    Long answer: It has nothing whatsoever to do with trust relationships between the client and the server (NLA is *not* about trusts). It has to do with the fact that the whole KLC process doesn't support the authentication phase that NLA requires (CredSSP). This is doubly true if the connection happens to be relayed via your KServer, rather than p2p.

    This requires in-depth knowledge of how KLC works internally to really understand - community.kaseya.com/.../76579.aspx for some clues.

    Short answer: only Kaseya can fix this -- but I doubt that is actually possible at the technical level, since it would require intercepting and relaying the CredSSP authentication process, which would in fact be a man-in-the-middle attack, something you definitely don't want and which would probably be rejected as a hack by CredSSP.

    Instead, use the VNC option in KLC - which works fine.



    [edited by: Craig Hart at 7:29 PM (GMT -8) on Jan 8, 2013] typos fixed
  • @Craig Thanks for the explanation.

    Just an idea maybe Kaseya could improve KLC by adding the ability to detect if NLA is enabled and then give you the option to disable it if you use RDP, until such time that their RDP remote control can handle NLA.

    Personally I prefer RDP over VNC as it appears to be faster and it is less likely that somebody else is watching your remote session.