How to Establish RDP from Linux to Windows with Network Level Authentication (NLA) Using xfreerdp and Remmina


1 views

Network Level Authentication (NLA) adds an extra security layer by authenticating users before establishing a full remote desktop session. While Windows clients handle this seamlessly, Linux RDP clients require specific configuration to support this security feature.

The older rdesktop utility doesn't support NLA, but these modern alternatives do:


# Install FreeRDP (xfreerdp) on Debian/Ubuntu
sudo apt-get install freerdp2-x11

# Install Remmina with RDP plugin
sudo apt-get install remmina remmina-plugin-rdp

The most reliable method is using FreeRDP's xfreerdp implementation:


xfreerdp /v:windows-server.domain.com /u:username /p:password /cert-ignore \
/d:domain /size:1920x1080 +compression /clipboard /sound:sys:pulse \
/microphone:sys:pulse /network:auto /gfx +glyph-cache /sec:nla

Key parameters:

  • /sec:nla - Enables Network Level Authentication
  • /cert-ignore - Bypasses certificate validation (use carefully)

For those preferring a graphical interface:

  1. Open Remmina and create a new connection
  2. Set protocol to "RDP - Remote Desktop Protocol"
  3. Under Security settings, choose "NLA - Network Level Authentication"
  4. Enable "Quality settings" for performance tuning

If you encounter errors, try these diagnostic steps:


# Verbose output for debugging
xfreerdp /v:target.server /u:user /p:pass /sec:nla /log-level:DEBUG

# Check supported protocols
xfreerdp /buildconfig | grep "Supported protocols"

Common fixes:

  • Ensure Windows firewall allows RDP connections
  • Verify the remote computer has NLA enabled in System Properties
  • Update FreeRDP to latest version (v2.0+ recommended)

For enterprise environments requiring certificate validation:


xfreerdp /v:server /u:user /p:pass /sec:tls \
/cert-name:corp-certificate /d:corpdomain /load-balance-info:tsv://MS Terminal Services Plugin.1.RDP-Over-TCP

Network Level Authentication (NLA) is a security feature introduced in Windows Server 2008 R2 that requires authentication before establishing a full Remote Desktop session. While Windows clients support this by default, Linux users often face challenges when trying to connect to NLA-enabled Windows machines.

Here are the most reliable options for Linux:

  • FreeRDP (xfreerdp): The modern successor to rdesktop with full NLA support
  • Remmina: A popular GUI client with NLA capabilities
  • Vinagre: GNOME's remote desktop client

Install FreeRDP on Debian/Ubuntu:

sudo apt-get install freerdp2-x11

Basic connection command:

xfreerdp /v:windows-server-ip /u:username /p:password /cert:ignore +fonts /dynamic-resolution

For better performance and security:

xfreerdp /v:192.168.1.100 /u:admin /p:mypassword /cert:ignore \
/size:1920x1080 /bpp:32 /network:auto /compression /audio-mode:1 \
/microphone /multimon +clipboard +fonts +aero +window-drag

If you encounter connection problems:

  1. Verify the Windows machine has NLA enabled in System Properties
  2. Check firewall settings on both ends
  3. Try different security protocols with /sec:tls, /sec:rdp, or /sec:nla
  4. Use /log-level:debug for detailed error information

For those preferring a graphical interface:

sudo apt-get install remmina remmina-plugin-rdp

Configure a new connection with:

  • Protocol: RDP
  • Server: [Windows server IP]
  • Username: [your username]
  • Security: Negotiate
  • Enable NLA checkbox

For slower networks, consider these parameters:

+compression /gfx:rfx /gfx-h264:avc444 /rfx-mode:video