000016752 - Multiple authentication prompts appear in the RSA Authentication Agent 7.0 for Windows when accessing a remote computer that uses Network Level Authentication

Document created by RSA Customer Support Employee on Sep 7, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000016752
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent
RSA Version/Condition: 7.0.1, 7.0
Issue: Multiple authentication prompts appear when accessing a remote computer that uses Network Level Authentication
Resolution: Microsoft Remote Desktop Connection 6.1 includes Windows Network Level Authentication (NLA), a new feature to enhance security. If this feature is enabled when you attempt to connect to a remote computer, you see a prompt to authenticate before you can establish a remote connection. If you use NLA with an RSA SecurID credential provider configured on the remote computer, you see two prompts to authenticate before you can access the remote desktop. One prompt opens from the local computer and the other opens from the remote computer. This is not caused by the RSA Authentication Agent application. It is a limitation of how Microsoft implements Network Level Authentication when you use a third-party credential provider. This enhanced security is functioning as designed by Microsoft. Once you enter your account information and successfully authenticate through each prompt, you can access the remote computer.
Notes: Network Level Authentication is enabled by default for Windows Vista, Windows 7 and Windows 2008 Server operating systems. You can manually enable it on Windows XP SP3 operating systems. For more information on using Network Level Authentication, see the Microsoft web site.
Microsoft's website shows a few different ways to disable NLA on both the server and client sides, but this is generally discouraged because it reduces the security of the environment. If it is determined that it is more important to reduce the number of steps for the users than it is to keep the enhanced security provided by Network Level Authentication, the Microsoft website shows a few ways to change settings. For the server side, review the following article on how to Configure Network Level Authentication for Remote Desktop Services Connections.
On the client side, review how to alter the values of authentication level:i: and EnableCredSSPSupport:i:n in the default.rdp file. Note that there may be more than one version of this file, especially if the users have network folders.
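Because several copies of the file may exist, it helps to audit every .rdp file for the two settings named above before and after any change. The following is an added example, not code from RSA or Microsoft; the function names and sample file contents are constructed for illustration, and it flags only the value 0 for each setting.

```python
import codecs
from pathlib import Path

def decode_rdp(raw: bytes) -> str:
    """Decode .rdp bytes: UTF-16 when a BOM is present, otherwise ASCII/UTF-8."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")

def parse_rdp(text: str) -> dict:
    """Return {name: value} for 'name:type:value' lines, names lower-cased."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)  # values may contain ':' (host:port)
        if len(parts) == 3 and parts[1] in ("i", "s", "b"):
            settings[parts[0].strip().lower()] = parts[2].strip()
    return settings

def audit_rdp(raw: bytes) -> list:
    """Findings for one file's content; an empty list means nothing flagged."""
    s = parse_rdp(decode_rdp(raw))
    findings = []
    if s.get("enablecredsspsupport") == "0":
        findings.append("enablecredsspsupport:i:0 (CredSSP disabled on the client)")
    if s.get("authentication level") == "0":
        findings.append("authentication level:i:0 (connects without warning "
                        "if server authentication fails)")
    return findings

def audit_tree(root) -> dict:
    """Audit every *.rdp under root, e.g. a profile or redirected network folder."""
    results = {}
    for path in Path(root).rglob("*.rdp"):
        findings = audit_rdp(path.read_bytes())
        if findings:
            results[str(path)] = findings
    return results

# Constructed sample contents (not taken from any real system).
SAMPLE_WEAK = ("full address:s:host.example:3389\r\n"
               "EnableCredSSPSupport:i:0\r\n"
               "authentication level:i:0\r\n").encode("utf-16")
SAMPLE_OK = (b"full address:s:host.example\n"
             b"enablecredsspsupport:i:1\n"
             b"authentication level:i:2\n")

if __name__ == "__main__":
    for name, raw in (("weak", SAMPLE_WEAK), ("ok", SAMPLE_OK)):
        print(name, audit_rdp(raw))
```

Point `audit_tree` at each location where user profiles or redirected Documents folders live so that stale copies with weakened settings are not missed.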

Please note, these are Microsoft pages.  RSA has no responsibility for their content.   Also, as the Microsoft website is dynamic, it is possible the links have been removed or replaced, and you will need to search the Microsoft website for the current information.
Legacy Article ID: a45108