I'm configuring smartcard logon via RDP on domain controllers and have everything working from inside the network, but as soon as I try from a VPN connection it fails with the NLA error:
“The remote computer that you are trying to connect to requires Network Level Authentication (NLA), but your Windows domain controller cannot be contacted to perform NLA. If you are an administrator on the remote computer, you can disable NLA by using the options on the Remote tab of the System Properties dialog box.”
From the VPN connection:
- If I authenticate with username/password, I can connect.
- If I authenticate with smart card, I get NLA error.
This is a test domain so it’s not resolvable by our normal DNS servers (the ones that are assigned to my VPN adapter). However, if I change my VPN adapter’s DNS to those of the test domain then smart card authentication works.
It’s weird because NLA should be enabled for both username/password and smartcard but when I’m using a foreign DNS server only username/password authenticates.
I’m pretty sure I have the certificates and smartcard configured correctly, but a second set of eyes is welcome.
- The domain’s root certificate is loaded in the NTAUTH store on the client.
- The domain’s root certificate is loaded on the smartcard.
- The DC has a valid Kerberos certificate.
- The root cert is published to the enterprise store in the domain.
- All certificates pass a validation check (certutil verify).
- The DC’s certificates pass validation from certutil -dcinfo.
- The UPN of the smartcard user cert is user@fqdn
Any ideas?
Thanks!!
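The symptom in this post (password works, smart card fails until the VPN adapter points at the test domain's DNS) is what you see when the Kerberos KDC cannot be located: smart card logon is Kerberos/PKINIT only and has no NTLM fallback, while password logon does. The PowerShell below is an added diagnostic, not part of the original post; it checks whether the domain's DC-locator SRV records resolve through the DNS servers the VPN adapter is using. `$Domain` and `$DnsServers` are constructed placeholders.

```powershell
# Added diagnostic (not from the original post): does the test domain's KDC
# resolve through the DNS servers the VPN adapter hands out? Smart card logon
# over RDP/NLA needs Kerberos (PKINIT) and cannot fall back to NTLM, so an
# unresolvable KDC produces exactly the NLA error quoted above.
param(
    [string]$Domain = 'testdomain.example',            # placeholder: test-domain FQDN
    [string[]]$DnsServers = @('10.0.0.53', '10.0.0.54') # placeholder: VPN-adapter DNS servers
)

function Test-KdcResolution {
    param([string]$Domain, [string[]]$DnsServers)
    # Records the Windows DC locator queries before Kerberos can even start
    $records = @(
        "_kerberos._tcp.dc._msdcs.$Domain",   # KDCs
        "_ldap._tcp.dc._msdcs.$Domain"        # DCs for LDAP
    )
    foreach ($server in $DnsServers) {
        foreach ($rec in $records) {
            try {
                # -DnsOnly skips the local cache/hosts file so the answer reflects this server
                $srv = Resolve-DnsName -Name $rec -Type SRV -Server $server -DnsOnly -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'SRV' }
                if (-not $srv) {
                    [pscustomobject]@{ DnsServer = $server; Record = $rec; Resolved = $false; Target = $null }
                    continue
                }
                foreach ($s in $srv) {
                    [pscustomobject]@{ DnsServer = $server; Record = $rec; Resolved = $true
                                       Target = "$($s.NameTarget):$($s.Port)" }
                }
            } catch {
                # NXDOMAIN / timeout: this DNS server cannot lead a client to a KDC
                [pscustomobject]@{ DnsServer = $server; Record = $rec; Resolved = $false
                                   Target = $_.Exception.Message }
            }
        }
    }
}

# 1. Confirm which DNS servers each adapter (including the VPN adapter) is really using
Get-DnsClientServerAddress -AddressFamily IPv4 | Select-Object InterfaceAlias, ServerAddresses

# 2. Resolve the DC-locator SRV records through those servers
Test-KdcResolution -Domain $Domain -DnsServers $DnsServers | Format-Table -AutoSize

# 3. Cross-check with the DC locator itself; a failure here matches the NLA error
nltest /dsgetdc:$Domain /kdc
```

If every row shows `Resolved = False` for the VPN adapter's servers while the test domain's own DNS answers, the fix is on the DNS side (for example a conditional forwarder for the test domain on the corporate resolvers, or pushing the test domain's DNS servers through the VPN profile), not on the certificates or the smart card.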