Griff

Network Level Authentication

2 posts in this topic

Hi

I am having a problem implementing Network Level Authentication with Windows 2008 R2, for use with RDS load balancing.

I have a simple setup: 2 servers, which I want to load balance in an RDS farm.

I've setup 1 of these servers as the RDS connection broker, joined them both to a farm and then setup DNS round robin for the two servers.

All works fine, connection to the farm points to either of the servers, then the load balancer kicks in and balances to the least loaded of the 2 servers.

The only problem being that Network Level Authentication does not work, so I get prompted for a password when starting the RDP connection, then the connection hits the load balancer and I need to log in to this, then when pushed to the target server I again have to log in. I assume if NLA is working, it takes my first login and uses that through the chain.

I have enabled the option

'Allow connections only from computers running Remote Desktop with Network Level Authentication'

From the RDP-Tcp Listener properties

I'm using the RDP client from a 2008 server (so it's a version with NLA enabled).

I've set the policy options

Prompt for credentials on client computer - enabled

Configure server authentication for client - enabled

The other policy options in the Remote Desktop section are all set to unconfigured.

I do have two issues which may be affecting this:

I have not yet installed the licenses/license server. This is part of a larger environment build, so this will turn up in due course. Would this cause it to fail?

I am having a problem with the cert part of the process. I have a CA and have created the certificate on each server, but the certificate name matches the server, not the farm name, so it gives an error on connection. Again, would this stop the NLA, or is it just a warning?

This is very annoying as the load balancing part works great, but it's not usable, having to do multiple logins to get in. Any suggestions would be greatly appreciated.

Thanks

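One way to check the two things the post is unsure about (is NLA actually required on each farm member, and does the listener certificate name the farm rather than the individual host) from an admin workstation. This is an added example, not code from the thread; the farm name, host names and reachability of WMI/WinRM on the servers are assumptions.

```powershell
# Added example (not from the thread). Audits the RDP-Tcp listener on each farm
# member for NLA and reports whether its TLS certificate covers the farm FQDN.
# Assumes WMI (DCOM) and WinRM are reachable with admin rights on each server.
function Get-RdsFarmNlaReport {
    param(
        [string]$FarmFqdn,    # placeholder, e.g. 'rdsfarm.example.local'
        [string[]]$Servers    # placeholder, e.g. 'rds01.example.local','rds02.example.local'
    )
    foreach ($s in $Servers) {
        # Win32_TSGeneralSetting exposes the listener's NLA flag, security layer
        # and the thumbprint of the certificate the listener presents.
        # PacketPrivacy is required for remote queries of this namespace.
        $ts = Get-WmiObject -ComputerName $s -Namespace 'root\cimv2\TerminalServices' `
              -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" `
              -Authentication PacketPrivacy

        # Resolve the thumbprint to the DNS names the certificate actually carries
        # (subject CN plus Subject Alternative Name entries). Done remotely so the
        # X509 extension object is formatted on the server, not as a proxy.
        $names = Invoke-Command -ComputerName $s -ArgumentList $ts.SSLCertificateSHA1Hash -ScriptBlock {
            param($hash)
            $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $hash }
            $out = @()
            if ($cert) {
                if ($cert.Subject -match 'CN=([^,]+)') { $out += $Matches[1] }
                $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
                if ($san) {
                    # Format() yields e.g. "DNS Name=rds01.example.local, DNS Name=farm..."
                    $out += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=')[-1] })
                }
            }
            $out
        }

        New-Object PSObject -Property @{
            Server           = $s
            NlaRequired      = ($ts.UserAuthenticationRequired -eq 1)
            TlsSecurityLayer = ($ts.SecurityLayer -eq 2)   # 2 = SSL/TLS, what NLA/CredSSP expects
            CertNames        = (@($names) -join ';')
            CertCoversFarm   = (@($names) -contains $FarmFqdn)
        }
    }
}

Get-RdsFarmNlaReport -FarmFqdn 'rdsfarm.example.local' -Servers 'rds01.example.local','rds02.example.local' |
    Format-Table Server, NlaRequired, TlsSecurityLayer, CertCoversFarm, CertNames -AutoSize
```

A server showing NlaRequired false, or CertCoversFarm false while clients connect by the farm name, is the one to fix first; the certificate mismatch produces the warning the post describes and is separate from whether NLA itself is enforced.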

As I understood, you used three load balancing methods:

- the round robin functionality of the DNS.

- the NLB functionality of windows.

- the RDS connection broker.

You should not use all those at the same time. You shouldn't use NLB if you're using the RDS connection broker (which is the right method to allow users to get their session back if they get disconnected).

The Round Robin won't help load balancing that much.

Most likely you'll need a real load balancer replacing the DNS round robin if you want the same number of users on both servers. Forget about a Microsoft load balancer; you'll have to look for either open source (yes, there are some open source load balancers) or a network appliance solution (Cisco content switch, F5...).

The licensing issue shouldn't be a problem if you're within the 120 days.
