How do I troubleshoot authentication errors when I use RDP to connect to an EC2 Windows instance?
Last updated: 2020-05-29
I am unable to log in to my Amazon Elastic Compute Cloud (Amazon EC2) Windows instance using Remote Desktop Protocol (RDP). I am receiving one of the following authentication error messages:
- "An authentication error has occurred. The Local Security Authority cannot be contacted."
- "The remote computer that you are trying to connect to requires Network Level Authentication (NLA), but your Windows domain controller cannot be contacted to perform NLA. If you are an administrator on the remote computer, you can disable NLA by using the options on the Remote tab of the System Properties dialog box."
- "This computer can't connect to the remote computer. Try connecting again, if the problem continues, contact the owner of the remote computer or your network administrator."
How do I troubleshoot these errors?
NLA errors often occur when the instance has lost connectivity to a domain controller because domain credentials aren't authenticated. To fix this issue, you can use the AWS Systems Manager AWSSupport-TroubleshootRDP automation document, or you can disable NLA on the instance.
AWSSupport-TroubleshootRDP automation document
The AWSSupport-TroubleshootRDP automation document allows you to modify common settings on an Amazon EC2 Windows instance that can impact RDP connections. For instructions to troubleshoot using the AWSSupport-TroubleshootRDP document, see AWSSupport-TroubleshootRDP.
Disable NLA on the instance
Note: Disabling NLA requires registry changes. Before you start, create an Amazon Machine Image (AMI) from your instance. This creates a backup before you make changes to the registry.
To use AWS Systems Manager AWS-RunPowerShellScript Run Command to add registry keys, follow these steps:
Important: The instance must have the AWS Systems Manager SSM Agent installed. The instance also must have an AWS Identity and Access Management (IAM) role (AmazonEC2RoleforSSM) with permissions to Systems Manager. For more information, see Systems Manager prerequisites.
1. Open the AWS Systems Manager console.
2. From the Instances & Nodes section of the navigation pane, choose Run Command.
3. Choose Run command.
4. For Command document, select AWS-RunPowerShellScript.
5. For Command parameters, enter the following commands:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v fAllowSecProtocolNegotiation /t REG_DWORD /d 0 /f
6. For Targets, select Choose instances manually.
7. Select your instance.
8. Choose Run.
9. Wait until the Overall status changes to Success. Refresh the page after 2 minutes.
10. Restart the instance.
11. Log in to the instance using RDP.
If you still can't connect, see How do I troubleshoot Remote Desktop connection issues to my Amazon EC2 Windows instance?