I have written my own Credential Provider and Credential Provider Filter to be used on a Windows Server 2008 R2 server. My Credential Provider firstly authenticate the user against an AAA directory server, and if authorised creates or updates the user’s account on the Windows server for new and existing users respectively.
A problem occurs when using Remote Desktop for new users. In version 6.1 of RDP, Windows uses by default Network Level Authentication (NLA) to firstly authenticate the user, however because for new users the user doesn’t exist on the Windows server (until my CP creates it) it fails before establishing a remote desktop connection.
I am working in a relatively secure environment so I don’t foresee any heighten security risks in disabling NLA. Alternatively, if I leave NLA enabled, is there any support by Windows to wrap, customise, or replace the Windows CredSSP assuming it is this DLL which provided the NLA support on the server side? Also, on the client side is there any way to off load the NLA authentication to another server – example to my AAA directory server? I assume the latter option would mean installing software on each client that needs to connect to the Windows server which I would like to avoid if at all possible.
Ross
Ross Clemens