Why does RDP NLA allow servername\username but not ip\username?

the site yes 20 Reputation points
2024-08-15T11:26:48.28+00:00

I face a problem when connecting via Remote Desktop (RDP) with these 2 different users.
E.g. the server name is (server1) with IP (IP1), and it has a local user (user1).

When I RDP to ip1 or server1 with IP1\USER1, it fails with an NLA error. With SERVER1\USER, it passes.

RDP with just user1 to server1/ip1 also gives an NLA error.

  • This is a domain-joined server; we are just using a local user for RDP.

May I know what's the difference between "ip1\user1" and "server1\user1"?
Why does NLA allow "server1\user1" but not "ip1\user1"?
Thanks


Accepted answer
  1. Wesley Li 8,775 Reputation points
    2024-08-16T08:46:57.6533333+00:00

    Hello

    About the difference between "IP1\USER1" and "SERVER1\USER1" :

    In Remote Desktop Protocol (RDP) connections, the main difference between using "IP1\USER1" and "SERVER1\USER1" is the method and path of authentication. When using an IP address and a user name (such as "IP1\USER1"), the system may not be able to authenticate directly through the domain environment because the IP address itself does not contain domain information. With the server name and user name (such as "SERVER1\USER1"), the system can find the corresponding server through DNS or NetBIOS name resolution, and then authenticate through the domain environment, because the server name is usually associated with the domain.

    Why does NLA allow "SERVER1\USER1" but not "IP1\USER1" :

    NLA (Network Layer Authentication) is a mechanism for authenticating a user's identity before an RDP connection is established. It requires the user to provide credentials and authenticate before the connection is actually established. In a domain environment, the NLA may be configured to require authentication through the domain environment. Because "SERVER1\USER1" contains the server name, which is associated with the domain, NLA is able to identify and verify the user's identity. "IP1\USER1", on the other hand, contains only the IP address and user name, without explicit domain information, which may cause the NLA to fail to verify the user's identity properly and thus deny the connection.

    In summary, when using "SERVER1\USER1" for RDP connections, it is easier to meet the authentication requirements of the NLA because it contains the server name and domain information. When "IP1\USER1" is used, the authentication requirements of NLA may not be met due to the lack of clear domain information, resulting in a connection failure. When making RDP connections in a domain environment, it is recommended to use the "server name \ user name" format to ensure that the correct authentication path is used.

    1 person found this answer helpful.

2 additional answers

  1. Marcin Policht 23,545 Reputation points MVP
    2024-08-15T11:49:34.4766667+00:00

    AFAIK, NLA will attempt to map the server name to an SPN, which, in the case of an IP address, is bound to fail. Details at https://syfuhs.net/how-authentication-works-when-you-use-remote-desktop


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    1 person found this answer helpful.
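
To check the SPN mapping mentioned in the answer above on a real host, this added example (not part of the original thread, and not Microsoft's code) tests whether a `TERMSRV` SPN is registered for each form of the target and lists how recent logon attempts on the server authenticated. `server1` is the thread's placeholder, `10.0.0.10` is a constructed stand-in for IP1, and both function names are hypothetical.

```powershell
# Added example (not from the thread). 'server1' and '10.0.0.10' are constructed
# stand-ins for the question's server1 / IP1; both function names are hypothetical.
# Both parts can be run on the domain-joined RDP server from an elevated prompt.

# Part 1: is a TERMSRV SPN registered in AD for the name typed into the RDP client?
function Test-RdpTargetSpn {
    param([Parameter(Mandatory)][string]$Target)
    $ip  = $null
    $spn = "TERMSRV/$Target"   # service class used by Remote Desktop
    [pscustomobject]@{
        Target        = $Target
        IsIpLiteral   = [System.Net.IPAddress]::TryParse($Target, [ref]$ip)
        Spn           = $spn
        SpnRegistered = $null -ne ([adsisearcher]"(servicePrincipalName=$spn)").FindOne()
    }
}

# Part 2: how did recent logon attempts on this server authenticate?
function Get-RdpLogonAttempt {
    param([int]$Hours = 1)
    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the event's named EventData fields into a hashtable.
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # NLA authenticates as a network logon (3) before the interactive session (10).
        if ($d.LogonType -in '3', '10') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Result      = if ($_.Id -eq 4624) { 'Success' } else { 'Failure' }
                LogonType   = $d.LogonType
                Account     = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
                AuthPackage = $d.AuthenticationPackageName
                SourceIp    = $d.IpAddress
                SubStatus   = $d.SubStatus   # populated on 4625 (failure) only
            }
        }
    }
}

'server1', '10.0.0.10' | ForEach-Object { Test-RdpTargetSpn -Target $_ } | Format-Table -AutoSize
Get-RdpLogonAttempt -Hours 1 | Sort-Object Time | Format-Table -AutoSize
```

Comparing the `Account` and `AuthPackage` columns for attempts made as IP1\USER1 and as SERVER1\USER1 shows the domain part and the authentication package as the server recorded them for each attempt.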

  2. Wesley Li 8,775 Reputation points
    2024-09-02T16:43:19.4166667+00:00

    Hello

    Do you have any other questions?

    What is the current progress of the issue?

    Thanks

