How do I troubleshoot authentication errors when I use RDP to connect to an EC2 Windows instance?

Last updated: 2021-06-29

I can't log in to my Amazon Elastic Compute Cloud (Amazon EC2) Windows instance using Remote Desktop Protocol (RDP). I'm receiving one of the following authentication error messages:

  • "An authentication error has occurred. The Local Security Authority cannot be contacted."
  • "The remote computer that you are trying to connect to requires Network Level Authentication (NLA), but your Windows domain controller cannot be contacted to perform NLA. If you are an administrator on the remote computer, you can disable NLA by using the options on the Remote tab of the System Properties dialog box."

Short description

The preceding errors can occur in the following two scenarios:

  • Network Level Authentication (NLA) is enabled on the server.
  • The trust relationship between your domain and EC2 instance joined to this domain fails during RDP login.

Resolution

NLA is enabled on the server

NLA errors often occur when the instance has lost connectivity to a domain controller, because NLA requires the domain credentials to be authenticated before the RDP session is established. To fix this issue, you can use the AWS Systems Manager AWSSupport-TroubleshootRDP automation document. Or, you can disable NLA on the instance.

AWSSupport-TroubleshootRDP automation document

The AWSSupport-TroubleshootRDP automation document allows you to modify common settings (such as the RDP port, Network Level Authentication (NLA), and Windows Firewall profiles) on an Amazon EC2 Windows instance that can impact RDP connections. For instructions to troubleshoot using the AWSSupport-TroubleshootRDP document, see AWSSupport-TroubleshootRDP.

Disable NLA on the instance

You can disable NLA on the unreachable instance using one of the following methods:

  • Disable NLA using Systems Manager AWS-RunPowerShellScript document.
  • Manually make registry changes offline.

Note: Disabling NLA requires registry changes. Before you start, create an Amazon Machine Image (AMI) from your instance. This creates a backup before you make changes to the registry.

Disable NLA using Systems Manager AWS-RunPowerShellScript document

To use AWS Systems Manager AWS-RunPowerShellScript Run Command to set the registry values, follow these steps:

Important: The instance must have the AWS Systems Manager SSM Agent installed. The instance also must have an AWS Identity and Access Management (IAM) role (AmazonEC2RoleforSSM) with permissions to Systems Manager and must be reporting “Online” on the Systems Manager dashboard. For more information, see Systems Manager prerequisites.

1.    Open the AWS Systems Manager console.

2.    From the Instances & Nodes section of the navigation pane, choose Run Command.

3.    For Command document, select AWS-RunPowerShellScript.

4.    For Command parameters, enter the following commands:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v fAllowSecProtocolNegotiation /t REG_DWORD /d 0 /f

5.    For Targets, select Choose instances manually.

6.    Select your instance.

7.    Choose Run.

8.    Wait until the Overall status changes to Success. Refresh the page after 2 minutes.

9.    Restart the instance.

10.    Log in to the instance using RDP.
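The following PowerShell script is an added example, not part of the AWS article: it records the three RDP-Tcp values the reg add commands above change, saves them to a JSON backup before disabling NLA, and restores them from that backup once the domain trust is repaired, so the instance is not left with NLA disabled. The backup path and function names are assumptions; run it on the instance through AWS-RunPowerShellScript or an elevated local session.

```powershell
# Added example (not from the AWS article): audit, back up, change and restore the
# RDP-Tcp security values. Backup path is an assumption.
$RdpTcpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$ValueNames = 'SecurityLayer', 'UserAuthentication', 'fAllowSecProtocolNegotiation'
$BackupFile = 'C:\ProgramData\rdp-nla-backup.json'

function Get-RdpSecuritySettings {
    $props  = Get-ItemProperty -Path $RdpTcpKey
    $result = [ordered]@{}
    foreach ($name in $ValueNames) {
        # A value that does not exist is reported as $null, not silently treated as 0.
        $result[$name] = $props.$name
    }
    [pscustomobject]$result
}

function Backup-RdpSecuritySettings {
    Get-RdpSecuritySettings | ConvertTo-Json | Set-Content -Path $BackupFile -Encoding UTF8
    Write-Host "Saved current RDP-Tcp security values to $BackupFile"
}

function Disable-RdpNla {
    # Same effect as the three reg add commands in the article.
    foreach ($name in $ValueNames) {
        Set-ItemProperty -Path $RdpTcpKey -Name $name -Value 0 -Type DWord
    }
}

function Restore-RdpSecuritySettings {
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    $saved = Get-Content -Path $BackupFile -Raw | ConvertFrom-Json
    foreach ($name in $ValueNames) {
        # Only write back values that existed before; leave absent ones absent.
        if ($null -ne $saved.$name) {
            Set-ItemProperty -Path $RdpTcpKey -Name $name -Value ([int]$saved.$name) -Type DWord
        }
    }
    Write-Host 'Restored RDP-Tcp security values; restart the instance to apply them.'
}

# Typical sequence: record the current state, show it, then make the change.
Backup-RdpSecuritySettings
Get-RdpSecuritySettings | Format-List
Disable-RdpNla
# After the domain trust is repaired, run: Restore-RdpSecuritySettings
```

Like the reg add commands, the change takes effect after the instance restarts.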

Manually make registry changes offline

  1. Stop the unreachable instance and detach the root volume.
  2. Launch a new instance in the same Availability Zone as the original instance you just stopped. This becomes your rescue instance. It's a best practice to launch a Windows version that is different from the unreachable instance. This avoids disk signature issues.
  3. Attach the detached volume to the rescue instance as /dev/xvdf.
  4. Connect to the rescue instance using RDP, and then bring the volume you just attached online in Disk Manager.
  5. Run regedit.exe to open the Registry editor.
  6. Select HKEY_LOCAL_MACHINE and then select File, Load Hive.
  7. Navigate to the Windows folder on the attached volume, and then select the SYSTEM file. The default path is D:\Windows\System32\config.
  8. Enter a key name for the loaded hive, for example, badsys.
  9. badsys now appears under HKEY_LOCAL_MACHINE. Under badsys, navigate to ControlSet001, Control, Terminal Server, WinStations, RDP-Tcp.
  10. Double-click SecurityLayer and set its value data to 0. Then select UserAuthentication and set its value data to 0.
  11. Scroll up and select badsys, File, Unload Hive.
  12. After the hive unloads, open Disk Manager and take the disk offline.
  13. Detach the volume from the rescue instance and attach it to the unreachable instance as the root volume (/dev/sda1).
  14. Start the instance and test RDP.
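The following PowerShell script is an added example, not part of the AWS article: it performs steps 5 through 11 above on the rescue instance with reg.exe instead of the regedit GUI, reads the hive's Select\Current value so the edit lands in the control set the instance actually boots from rather than a hard-coded ControlSet001, and exports the key before changing it. It assumes the attached volume is online as D:, the hive is mounted under the name badsys, and the export path shown.

```powershell
# Added example (not from the AWS article): offline edit of the RDP-Tcp key with reg.exe.
# Assumptions: volume online as D:, hive mounted as HKLM\badsys, export path on C:.
$HiveFile  = 'D:\Windows\System32\config\SYSTEM'
$MountName = 'badsys'
$Backup    = 'C:\rdp-tcp-before.reg'

function Edit-OfflineRdpTcp {
    reg.exe load "HKLM\$MountName" $HiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Could not load $HiveFile; check that the volume is online and the session is elevated."
    }
    try {
        # Select\Current holds the number of the control set used at boot (1 = ControlSet001).
        $current = (Get-ItemProperty -Path "HKLM:\$MountName\Select" -Name Current).Current
        $setName = 'ControlSet{0:D3}' -f $current
        $rdpTcp  = "HKLM\$MountName\$setName\Control\Terminal Server\WinStations\RDP-Tcp"
        Write-Host "Active control set in the offline hive is $setName"

        # Keep a copy of the key as it was, so NLA can be re-enabled after the domain is fixed.
        reg.exe export $rdpTcp $Backup /y | Out-Null

        # Steps 10 of the article: SecurityLayer and UserAuthentication to 0.
        reg.exe add $rdpTcp /v SecurityLayer /t REG_DWORD /d 0 /f | Out-Null
        reg.exe add $rdpTcp /v UserAuthentication /t REG_DWORD /d 0 /f | Out-Null

        # Read the values back from the offline hive to confirm the change took.
        reg.exe query $rdpTcp /v SecurityLayer
        reg.exe query $rdpTcp /v UserAuthentication
    }
    finally {
        # Unload even if something failed; a hive left loaded stops the disk from going offline
        # in step 12. Collect first so the PowerShell registry provider releases its handles.
        [GC]::Collect()
        reg.exe unload "HKLM\$MountName" | Out-Null
    }
}

Edit-OfflineRdpTcp
```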

The trust relationship between your domain and EC2 instance joined to this domain fails during RDP login

You can try to log in to the unreachable instance using cached user credentials.

Prerequisites

  • A local account that can successfully authenticate to the EC2 instance.
  • (Optional) At least one domain account should have logged in while the instance could still communicate with the domain controller. For a domain account to work, its credentials must be cached on the server. Therefore, using a local account is always recommended.
  • To use interactive logon, make sure that the policy setting Interactive logon: Number of previous logons to cache (in case domain controller is not available) is set to at least 1. Or, the policy can be left at its default value of 10. By default, this policy isn't defined in a GPO, and the server's local policy is used.

To log in using cached user credentials, use the following steps:

  1. Open the Amazon EC2 console and select Security groups.
  2. Select Create Security Group and then add a name and description.
  3. Under Security group rules, select Inbound – Add Rule.
  4. Enter RDP.
  5. In the Source field, enter the IP address where you want to RDP from.
  6. For Outbound rule, remove all outbound access and then select Create.
  7. Choose the unreachable instance, and then select Actions, Networking, Change Security Groups. Remove all existing security groups and assign only the security group that you just created.
  8. RDP to the EC2 instance using the regular domain account. Because all outbound access is removed from the instance, RDP uses the cached credentials stored on the server.

Note: Initially, authentication is attempted against the domain controller. But, because there is no outbound access from the instance, authentication eventually falls back to the cached credentials on the server. Using the cached credentials, authentication is reattempted and login succeeds. After you're logged in, you can revert the security group settings to their original state and continue to fix any issues with your domain.
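The following PowerShell script is an added example, not part of the AWS article: run through AWS-RunPowerShellScript before locking the security group down, it checks the prerequisites listed above on the instance, namely whether it is domain joined, whether the cached-logon count permits cached authentication, whether the domain controller is currently reachable, and which enabled local accounts exist as a fallback. CachedLogonsCount is the registry value behind the "Number of previous logons to cache" policy; the function name is an assumption, and Get-LocalUser requires Windows Server 2016 or later.

```powershell
# Added example (not from the AWS article): check cached-credential logon prerequisites.
# Function name is an assumption; run via AWS-RunPowerShellScript or an elevated session.
function Test-CachedLogonPrerequisites {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    # CachedLogonsCount is stored as REG_SZ; when undefined, Windows uses its default of 10.
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
               -ErrorAction SilentlyContinue).CachedLogonsCount
    if ([string]::IsNullOrEmpty($cached)) { $cached = '10' }

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Enabled local accounts are the recommended fallback when domain logon fails.
    $localUsers = Get-LocalUser | Where-Object { $_.Enabled } |
                  Select-Object -ExpandProperty Name

    # Test-ComputerSecureChannel fails when no DC is reachable, which is the case this
    # section covers; it throws on a workgroup machine, so treat both as "not reachable".
    $dcReachable = $false
    try { $dcReachable = Test-ComputerSecureChannel -ErrorAction Stop } catch { }

    [pscustomobject]@{
        DomainJoined        = $cs.PartOfDomain
        Domain              = $cs.Domain
        CachedLogonsCount   = [int]$cached
        CachedLogonsAllowed = ([int]$cached -ge 1)
        DomainControllerOk  = $dcReachable
        EnabledLocalUsers   = ($localUsers -join ', ')
    }
}

Test-CachedLogonPrerequisites | Format-List
```

If CachedLogonsAllowed is False, no domain account can authenticate while the security group blocks outbound access, so use a local account instead.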
