KB_150055: DIGIPASS Authentication for Windows Logon (DAWL) and Terminal Server RDP connection considerations
5/23/2017 4:24:07 PM
An RDP session from a server or workstation that uses DAWL to a Windows 2003 Server works as expected. When you make an RDP connection to a Windows 2008 server, however, the DAWL login screen pops up on the client.
To address some security issues while keeping compatibility, Microsoft introduced Network Level Authentication (NLA) on Windows 2008 servers.
Basically, NLA requires the connecting user to authenticate before a session is established with the server. Without NLA, opening an RDP session to a server loaded the server's logon screen for you; this consumed server resources before any authentication had taken place and was a potential vector for Denial of Service attacks.
NLA delegates the user's credentials through a client-side Security Support Provider (CredSSP) and prompts the user to authenticate before a session is established on the server.
Because this means a Windows logon takes place on the client machine, and DAWL is installed on that client machine, it is the DAWL login screen that pops up.
The users who must authenticate to the remote machine therefore have to be created in IDENTIKEY Authentication Server.
If creating and maintaining these users in IDENTIKEY Authentication Server is not possible, you can disable Network Level Authentication or use another product for remote access.
To disable NLA, add the line “enablecredsspsupport:i:0” to the RDP connection settings (.rdp) file.
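As an added example (not part of the original KB, and not VASCO code), the following Python helper parses the .rdp settings format, reports whether CredSSP/NLA is effectively disabled, and applies the “enablecredsspsupport:i:0” change while leaving every other setting untouched; the hostname and user name in the sample file are constructed.

```python
"""Inspect and edit the CredSSP/NLA setting in .rdp connection files.

.rdp files are plain text, one 'name:type:value' setting per line, where
type is i (integer), s (string) or b (binary).  String values may contain
colons (e.g. 'full address:s:host:3389'), so split at most twice.
"""
from typing import Dict, Tuple

NLA_KEY = "enablecredsspsupport"


def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {name: (type, value)} for every well-formed setting line."""
    settings: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3 or parts[1] not in ("i", "s", "b"):
            continue  # skip blank or malformed lines instead of guessing
        settings[parts[0].strip().lower()] = (parts[1], parts[2])
    return settings


def nla_enabled(text: str) -> bool:
    """True unless the file explicitly sets enablecredsspsupport:i:0.

    The RDP client uses CredSSP (NLA) when the key is absent, so a missing
    key is treated as enabled.
    """
    typ, value = parse_rdp(text).get(NLA_KEY, ("i", "1"))
    return not (typ == "i" and value.strip() == "0")


def set_nla(text: str, enabled: bool) -> str:
    """Return the file text with enablecredsspsupport set as requested,
    keeping all other lines and their order intact (no duplicate keys)."""
    wanted = f"{NLA_KEY}:i:{1 if enabled else 0}"
    out, replaced = [], False
    for line in text.splitlines():
        if line.strip().lower().startswith(NLA_KEY + ":"):
            if not replaced:
                out.append(wanted)
                replaced = True
            continue
        out.append(line)
    if not replaced:
        out.append(wanted)
    return "\n".join(out) + "\n"


# Constructed sample: a typical saved connection (hostname/user are made up).
SAMPLE_RDP = """\
full address:s:rdp-host.example.internal:3389
username:s:CORP\\alice
authentication level:i:2
prompt for credentials:i:0
"""
```

Run nla_enabled() over saved .rdp files to find connections that have been downgraded to pre-NLA behaviour; remember that a Windows 2012 server with default settings will still refuse such a connection.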
Below is a link to an interesting collection of FAQs related to Remote Desktop connection authentication:
Be aware that when you disable NLA, a Windows 2012 server with default settings will not accept the connection:
In Windows 2008, by contrast, the default option allows the connection:
Applies to: IDENTIKEY Authentication Server, DAWL
© 2017 VASCO Data Security. All rights reserved.