Tuesday, May 3, 2011

Delayed RDP connections in Windows 2008 R2 using NLA

I have been troubleshooting an issue with slow RDP connections to Windows 2008 R2 for at least two weeks now.  After much frustration and little headway, I called MS support.  First, some background: this is an isolated Windows 2008 R2 domain sitting in its own network with no access to the internet.  The MSTSC clients are mostly 6.1.7600, which supports Network Level Authentication (NLA) using CredSSP.  This was the first clue, since connections from Windows 2003 clients, which were not using NLA, were always instant.  With NLA, the client authenticates before a session is created: CredSSP first sets up a TLS channel using the server's RDP certificate, and only then sends the user's credentials over that channel.  By default, while validating the chain of that certificate, the client tries to reach Windows Update to refresh its trusted root certificates (the Automatic Root Certificates Update mechanism).  Since nothing on this network has internet access, that attempt had to time out, and the timeout is what delayed the initial screen paint for the RDP connection.
It always failed the same way.  Open MSTSC, enter the box name, click Connect.  NLA prompts for your domain credentials; enter them and click OK.  After clicking OK, the MSTSC client spins at “Establishing secure connection” for 15 to 35 seconds before the remote console opens.
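To pin down which leg of the connection is slow, it helps to time the phases that happen before mstsc ever shows “Establishing secure connection”. The probe below is an added example and is not code from the original post or from Microsoft. It performs the X.224 Connection Request/Confirm exchange with the RDP negotiation extension (MS-RDPBCGR), then, if the server chose TLS or CredSSP, completes a TLS handshake and reports how long the TCP connect, the RDP negotiation and the TLS handshake each took. The CredSSP exchange that follows TLS is not implemented, so the time it reports is exactly the part before NLA proper. The sample server replies embedded in it are constructed, not captured from a real host.

```python
"""Time the phases of an RDP connection up to the end of the TLS handshake.

Added example (not from the original post). Stops after TLS: the CredSSP
exchange that follows is not implemented, so a fast TLS leg here combined
with a long stall in mstsc points at what happens after TLS (CredSSP,
client-side chain validation, or the gateway).
"""
import hashlib
import socket
import ssl
import struct
import sys
import time

PROTOCOL_RDP = 0x00000000     # standard RDP security, no TLS
PROTOCOL_SSL = 0x00000001     # TLS only
PROTOCOL_HYBRID = 0x00000002  # TLS + CredSSP (NLA)

TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}

# Constructed sample replies (not captured from a real server), used when no host is given.
SAMPLE_HYBRID = bytes.fromhex("030000130ed000001234000200080002000000")   # RDP_NEG_RSP, PROTOCOL_HYBRID
SAMPLE_FAILURE = bytes.fromhex("030000130ed000001234000300080005000000")  # RDP_NEG_FAILURE, code 5
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000123400")                   # no negotiation structure


def build_connection_request(requested=PROTOCOL_SSL | PROTOCOL_HYBRID):
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ (no routing cookie)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested)  # type, flags, length, requestedProtocols
    x224 = struct.pack(">BHHB", 0xE0, 0, 0, 0) + neg_req     # CR code, dst-ref, src-ref, class 0
    x224 = bytes([len(x224)]) + x224                         # X.224 length indicator
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224   # TPKT: version 3, reserved, total length


def parse_connection_confirm(data):
    """Decode the server's X.224 Connection Confirm into a dict."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if tpkt_len != len(data):
        raise ValueError("TPKT length %d does not match %d bytes received" % (tpkt_len, len(data)))
    li = data[4]
    if data[5] != 0xD0:
        raise ValueError("expected X.224 Connection Confirm (0xD0), got 0x%02x" % data[5])
    payload = data[11:5 + li]
    if not payload:
        # Pre-6.0 servers answer without an RDP_NEG_RSP: standard RDP security only.
        return {"type": None, "selected_protocol": PROTOCOL_RDP}
    if len(payload) < 8:
        raise ValueError("truncated negotiation structure")
    ptype, flags, length, value = struct.unpack("<BBHI", payload[:8])
    if length != 8:
        raise ValueError("bad negotiation structure length %d" % length)
    if ptype == TYPE_RDP_NEG_RSP:
        return {"type": "RDP_NEG_RSP", "flags": flags, "selected_protocol": value}
    if ptype == TYPE_RDP_NEG_FAILURE:
        return {"type": "RDP_NEG_FAILURE", "flags": flags, "failure_code": value,
                "failure_name": FAILURE_CODES.get(value, "UNKNOWN")}
    raise ValueError("unknown negotiation structure type 0x%02x" % ptype)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def recv_tpkt(sock):
    """Read exactly one TPKT-framed PDU."""
    header = _recv_exact(sock, 4)
    (length,) = struct.unpack(">H", header[2:4])
    return header + _recv_exact(sock, length - 4)


def probe(host, port=3389, timeout=60.0):
    """Return (negotiation result, seconds per phase, server certificate DER or None)."""
    timings = {}
    t = time.monotonic()
    sock = socket.create_connection((host, port), timeout=timeout)
    timings["tcp_connect"] = time.monotonic() - t
    t = time.monotonic()
    sock.sendall(build_connection_request())
    confirm = parse_connection_confirm(recv_tpkt(sock))
    timings["rdp_negotiation"] = time.monotonic() - t
    if confirm.get("selected_protocol") not in (PROTOCOL_SSL, PROTOCOL_HYBRID):
        sock.close()
        return confirm, timings, None
    # Verification is off on purpose: the RDP certificate is normally self-signed and
    # this probe measures and reports the handshake, it does not authenticate the server.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    t = time.monotonic()
    tls = ctx.wrap_socket(sock, server_hostname=host)  # the handshake happens here
    timings["tls_handshake"] = time.monotonic() - t
    der = tls.getpeercert(binary_form=True)
    tls.close()
    return confirm, timings, der


def main(argv):
    if len(argv) < 2:  # no host: show the parser on the constructed samples
        for sample in (SAMPLE_HYBRID, SAMPLE_FAILURE, SAMPLE_LEGACY):
            print(parse_connection_confirm(sample))
        return
    confirm, timings, der = probe(argv[1], int(argv[2]) if len(argv) > 2 else 3389)
    print("negotiation:", confirm)
    for phase, seconds in timings.items():
        print("%-16s %7.3f s" % (phase, seconds))
    if der:
        print("server cert sha256:", hashlib.sha256(der).hexdigest())


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python rdp_probe.py <host>` from the same client that is slow. A `tls_handshake` figure in the tens of seconds means the stall is already in the TLS leg; a fast handshake while mstsc still hangs at “Establishing secure connection” means the time is going into what follows TLS, which is where the root certificate refresh and the CredSSP exchange happen. A 2008 R2 host only offers TLS 1.0, which current Python and OpenSSL builds refuse by default, so against such a host you will need to lower `ctx.minimum_version` (and possibly the OpenSSL security level) before the handshake will complete.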
You can also disable NLA (CredSSP) in the 6.1.x client by creating a .rdp file and adding the following property:
enablecredsspsupport:i:0
This is a workaround, not a fix.  Without CredSSP the client no longer authenticates before the session is created, so the server has to be configured to accept connections without NLA, and you give up the protection NLA provides against unauthenticated clients reaching the logon screen.
Setting the following group policy fixed the issue:
Computer Configuration
Policies
  Administrative Templates
   System
    Internet Communication Management
     Internet Communication Settings

Set the following setting to Enabled: Turn off Automatic Root Certificates Update
(The policy writes the REG_DWORD DisableRootAutoUpdate = 1 under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot, which is how to apply it to a machine that is not in the domain.)  The trade-off is that the machine will no longer pick up new root CAs from Windows Update.  On an isolated network that changes nothing in practice, since it could not reach Windows Update anyway, but any root CA you do need must then be distributed some other way, for example through Group Policy.

This addressed the host-to-host RDP issue within the network, but I am still seeing slower than normal response through the RD Gateway.  MS claims this delay through the gateway is by design.  However, I did not accept this answer and asked for documentation as to why this occurs.  Will update when I hear back.

3/23/2016 - Recently I have been working on yet another domain which does not have internet access and is fronted by an RD Gateway with no trusts.  The same annoying delay persists!  One thing we discovered was that RDP connections from a Mac were instant every time.  On Windows clients, however, there was consistently a 30 second delay.

I opened a case with MS and implemented the following registry fix:

https://support.microsoft.com/en-us/kb/2620264

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Terminal Server Gateway
Name: SkipMachineNameAttribute
Type: REG_DWORD
Value: 1

This prevented the gateway from trying to authenticate against my client domain first and reduced the overall gateway connection time by ~10 seconds.  So, we are making progress, but not there yet.

At this point, we are at a consistent ~10 to 15 second connect time which is not too bad.  I am still working with MS to reduce this further.  Stay tuned...



2 comments:

  1. Hi!
    Thanks a lot for your post!
    I have the same issue and it's pretty difficult to find information on this!
    We tried the SSP setting but I prefer the GPO option that I'll try.
    Do you know what the security impact is?

    Thanks,

    Julien

    www.doiturself.eu

  2. I have been searching for this exact same problem and I followed your post. At first I thought it fixed it for me as it was superfast connecting soon as I made the settings. It then occurred to me that I had 2 settings in place before trying out your method. I had also unticked IPv6 on the network card before reading your post, after reading then completed your suggestion. So going back to square one reapplying both settings as default, the slowness was there as expected. I then un-ticked IPv6 and RDP was instant.
    Like you, my server had no Default Gateway either.
