Tuesday, March 17, 2009

How to Enable Network Level Authentication (NLA) in XP SP3

Network Level Authentication (NLA), as you may or may not know, is a new feature of Windows Server 2008 and Vista workstations that adds some extra security and improves login performance by deferring the creation of the remote session's resources until the user has authenticated.

In 2003 and earlier versions of Terminal Services, authentication did not occur until the full desktop connection (including all the related processes) was started. With NLA enabled, the user is "pre-authenticated" before any desktop and its related process hogs are even created. This helps with server resources, as only valid users are allowed through, meaning only valid users' processes are created on the server.

While XP Service Pack 3 and Remote Desktop 6.0 support NLA, it is not turned on by default. Let's get it turned on, shall we?



The process for turning it on involves some registry work, as sadly none of the GPOs for this feature work with XP (they are Vista only).

Important Note: As usual, I assume you are reading this because you are a technical person, but you can never be too sure, so I add this note... Altering your computer's registry can result in a massive explosion from the flux capacitor that is hidden in your computer. I take no responsibility for any damage that may or may not be caused by following this article's instructions. You do so at your own risk and have been warned; mucking with the timeline, and any resulting paradoxes that occur, is now your fault, not mine.

OK with that out of the way, let us get down to it.

NLA requires the new Credential Security Service Provider (CredSSP) to be enabled on your system. This provider supplies the underlying framework for the NLA process. As a reminder, Vista and Windows 2008 already come with this by default; this procedure is for Windows XP Service Pack 3 ONLY. Though it may apply to future SPs of Windows XP, I have only confirmed it on an XP SP3 system.

  1. Click Start, click Run, type regedit, and then press ENTER.
  2. In the navigation pane, locate and then click the following registry subkey:
    HKLM\SYSTEM\CurrentControlSet\Control\Lsa
  3. In the details pane, right-click Security Packages, and then click Modify.
  4. In the Value data box, add tspkg on its own line. Leave any existing entries for other SSPs in place, and then click OK.
  5. In the navigation pane, locate and then click the following registry subkey:
    HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders
  6. In the details pane, right-click SecurityProviders, and then click Modify.
  7. In the Value data box, add credssp.dll to the existing list. Leave any existing entries for other SSPs in place, and then click OK.
  8. Exit Registry Editor.
  9. Restart the computer.
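The same registry changes as a script, added here as an example that is not part of the original post or KB951608. It assumes PowerShell has been installed on the XP SP3 machine (it is not there by default), that it runs as Administrator, and it uses a helper of my own, Add-ProviderEntry, that appends to whatever providers are already listed instead of overwriting them, which is the "leave any data that is specific to other SSPs" caveat from steps 4 and 7.

```powershell
# Added example (not from the post or KB951608): apply steps 2-7 from a PowerShell
# prompt running as Administrator, appending to the existing provider lists rather
# than overwriting them. Assumes PowerShell has been installed on the XP SP3 box.
$LsaKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ProvidersKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'

function Add-ProviderEntry {
    param([string]$Key, [string]$Name, [string]$Entry)
    $current = (Get-ItemProperty -Path $Key -Name $Name).$Name
    if ($current -is [array]) {
        # REG_MULTI_SZ: one provider per line (how "Security Packages" is stored).
        if ($current -contains $Entry) { return "$Name already lists $Entry" }
        Set-ItemProperty -Path $Key -Name $Name -Value ([string[]]($current + $Entry))
    }
    else {
        # REG_SZ: a single comma-separated line (how "SecurityProviders" is stored).
        $list = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($list -contains $Entry) { return "$Name already lists $Entry" }
        Set-ItemProperty -Path $Key -Name $Name -Value (($list + $Entry) -join ', ')
    }
    return "$Name now includes $Entry (reboot required)"
}

# Record the current values first so the change can be reversed by hand if needed.
"Before:"
(Get-ItemProperty -Path $LsaKey       -Name 'Security Packages').'Security Packages'
(Get-ItemProperty -Path $ProvidersKey -Name 'SecurityProviders').SecurityProviders

Add-ProviderEntry -Key $LsaKey       -Name 'Security Packages' -Entry 'tspkg'
Add-ProviderEntry -Key $ProvidersKey -Name 'SecurityProviders' -Entry 'credssp.dll'

# Sanity check: the client must be Remote Desktop 6.0 or later for NLA to be offered.
$mstsc = (Get-Item "$env:windir\system32\mstsc.exe").VersionInfo
"mstsc.exe version: $($mstsc.FileVersion)"
```

Running the script a second time reports that both values already list the entries and changes nothing, so it is safe to re-run after the reboot to confirm the edit stuck.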


After the reboot your XP SP3 workstation will support NLA. The easiest way to confirm this is to launch the Remote Desktop tool (Start -> Run -> mstsc), left-click the icon in the upper left-hand corner of the title bar, then click About. It should show "Network Level Authentication supported" under the copyright information.


Now feel free to turn on NLA on your 2008 or Vista installs and connect away.


Reference Article: KB951608

3 comments:

  1. Great help!!! Working just fine now.

    Regards,

    jracook@gmail.com

  2. This comment has been removed by the author.

  3. Worked great !!! Thanks a lot !!!
