When using Remote Desktop Protocol (RDP) through an Advanced Server Access (ASA) Gateway with the AD-joined feature, the RDP connection fails. Client symptoms vary, but typically the RDP client briefly opens to a black screen and then closes.
The signature for this issue is the following sequence in the ASA Gateway (sft-gatewayd) logs; the #011 sequences are tab characters escaped by syslog. Verbose RDP logging may need to be enabled on the Gateway per the following documentation:
Sep 19 10:38:06 asagw sft-gatewayd[254598]: 2023-09-19T10:38:06.821-0500#011INFO#011[SessionID=3494B42A999289AB31D5A34D0C8E2AFA]: connecting using client info: Username: test@domain.com, Domain: (null)#011{"peerchild": "gatewayd-agent", "T": "2023-09-19T10:38:06.821-0500", "source": "rdp_internal"}
Sep 19 10:38:11 asagw sft-gatewayd[254598]: 2023-09-19T10:38:11.829-0500#011ERROR#011[SessionID=3494B42A999289AB31D5A34D0C8E2AFA]: failed to connect with NLA. retrying to connect without NLA#011{"peerchild": "gatewayd-agent", "T": "2023-09-19T10:38:11.828-0500", "source": "rdp_internal"}
Sep 19 10:38:11 asagw sft-gatewayd[254598]: 2023-09-19T10:38:11.841-0500#011WARN#011Error: HYBRID_REQUIRED_BY_SERVER#011{"peerchild": "gatewayd-agent", "source": "rdp_internal", "T": "2023-09-19T10:38:11.840-0500"}
- Advanced Server Access (ASA)
- AD-Joined
This sequence indicates that the target server is configured to require Network Level Authentication (NLA), which is not compatible with ASA's AD-joined feature. The Gateway first attempts to connect with NLA and fails, then retries without NLA, and the server rejects that attempt (HYBRID_REQUIRED_BY_SERVER: the server only accepts connections that negotiate CredSSP/NLA), so no session is ever established.
Disable NLA on the target server via GPO (the policy "Require user authentication for remote connections by using Network Level Authentication", under Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security) as per step #2 in the following documentation:
Consult the Windows administrators before making this change. Disabling NLA removes pre-session authentication on the RDP listener, so confirm there are no further environmental or security implications before rolling it out.
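The following is an added example (it is not part of the original article and not Okta's code) for confirming on the target Windows server that NLA is actually what is blocking the Gateway, and for seeing whether the requirement comes from Group Policy or a local setting. It assumes an elevated PowerShell session on the target server and the default listener name RDP-Tcp; the function names are illustrative.

```powershell
# Added example (not from the original KB article): inspect, and optionally clear,
# the NLA requirement on an RDP Session Host. Run in an elevated PowerShell on the
# target Windows server. Assumes the default RDP listener name 'RDP-Tcp'.

function Get-RdpNlaState {
    # Effective setting as seen by the RDP listener (CIM/WMI).
    $ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
                          -ClassName 'Win32_TSGeneralSetting' `
                          -Filter "TerminalName='RDP-Tcp'"

    # Local (non-policy) registry value behind the listener.
    $localKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $local    = (Get-ItemProperty -Path $localKey -Name UserAuthentication `
                    -ErrorAction SilentlyContinue).UserAuthentication

    # Policy registry value written by the GPO "Require user authentication for remote
    # connections by using Network Level Authentication"; when present it overrides $local.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $policy    = (Get-ItemProperty -Path $policyKey -Name UserAuthentication `
                    -ErrorAction SilentlyContinue).UserAuthentication

    [pscustomobject]@{
        EffectiveNlaRequired = [bool]$ts.UserAuthenticationRequired
        SecurityLayer        = $ts.SecurityLayer   # 0 = RDP, 1 = Negotiate, 2 = TLS
        LocalRegistryValue   = $local
        PolicyRegistryValue  = $policy             # $null means no GPO is setting it
    }
}

function Disable-RdpNla {
    # Clears the NLA requirement on the listener. If a GPO is enforcing NLA, a local
    # change would be reverted at the next policy refresh, so refuse and point at the GPO.
    $state = Get-RdpNlaState
    if ($state.PolicyRegistryValue -eq 1) {
        throw 'NLA is enforced by Group Policy on this host; disable it in the GPO rather than locally.'
    }

    $ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
                          -ClassName 'Win32_TSGeneralSetting' `
                          -Filter "TerminalName='RDP-Tcp'"
    $result = Invoke-CimMethod -InputObject $ts -MethodName 'SetUserAuthenticationRequired' `
                               -Arguments @{ UserAuthenticationRequired = [uint32]0 }
    if ($result.ReturnValue -ne 0) {
        throw "SetUserAuthenticationRequired failed with return value $($result.ReturnValue)"
    }

    # Re-read so the caller sees the new effective state.
    Get-RdpNlaState
}

# Usage:
#   Get-RdpNlaState   # EffectiveNlaRequired = True matches the HYBRID_REQUIRED_BY_SERVER signature
#   Disable-RdpNla    # only when no GPO enforces NLA; otherwise edit the GPO and run gpupdate /force
```

Run Get-RdpNlaState before and after the GPO change (and after gpupdate /force on the target) to confirm EffectiveNlaRequired has become False; if PolicyRegistryValue is still 1, the GPO is still applying and the Gateway will keep logging the same error. Disable-RdpNla is only for hosts that are not covered by the policy; for domain-managed servers the GPO path in the resolution above remains the authoritative fix.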
