diff --git a/docs/pages/enroll-resources/desktop-access/troubleshooting.mdx b/docs/pages/enroll-resources/desktop-access/troubleshooting.mdx index 1914aa2b0dd4c..35e163c2d7a6f 100644 --- a/docs/pages/enroll-resources/desktop-access/troubleshooting.mdx +++ b/docs/pages/enroll-resources/desktop-access/troubleshooting.mdx 
@@ -393,3 +393,54 @@ to force the policy update: ```code $ gpupdate.exe /force ``` + +To enable NLA with Teleport 16.2.0 and later, set the `TELEPORT_ENABLE_RDP_NLA` +environment variable to `yes` on hosts running Teleport's `windows_desktop_service`. +More information on Teleport's NLA support is available in the [Active Directory guide](./active-directory.mdx#network-level-authentication-nla). + +### CredSSP: server not found in Kerberos database + +Attempts to connect to a desktop fail, and the UI shows an error similar to: + +``` +CredSSP UnknownCredentials: server not found in Kerberos database +``` + +This is an error with NLA. To connect to a Windows host using NLA, Teleport +must specify the computer name as it exists in Active Directory. You will see +this error if you have not specified the correct computer name, or if you are +connecting by IP address instead of hostname. + +**Solution:** correct the server's computer name + +To fix this error, ensure that either: + +- the server's computer name is specified in the `teleport.dev/computer_name` label +- the server's `addr` field specifies the correct computer name + +See [Computer Name](./active-directory.mdx#computer-name) for more information. + +## Directory Sharing + +### Failed to share directory + +Attempts to share a directory fail and a warning is presented that says: + +``` +Failed to share directory, drive redirection may be disabled on the RDP server. +``` + +**Solution:** Ensure that device redirection is enabled. + +Teleport's directory sharing feature leverages RDP device redirection. +If device redirection is not enabled or allowed by the RDP server then the operation +will fail. + +Device redirection is typically enabled by default, but may be disabled in group policy. 
+The relevant settings are located under: + +```text +Computer configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection +``` + +Make sure that the option for *Do not allow drive redirection* is unset or disabled.
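Review bot: In the new "CredSSP: server not found in Kerberos database" section, the fix list does not clearly cover the second cause named just above it (connecting by IP address instead of hostname). The `addr` bullet only says "the correct computer name". Suggest stating whether setting the `teleport.dev/computer_name` label is sufficient when `addr` holds an IP address, and which of the two takes precedence when both are present. In "Failed to share directory", the text ends at unsetting *Do not allow drive redirection* without telling the reader to apply the policy change; a pointer back to the `gpupdate.exe /force` step shown just above this hunk would close the loop. Style: the two new **Solution:** lines differ in capitalization ("correct the server's computer name" vs. "Ensure that device redirection is enabled.") and in whether the explanation comes before or after them, and the two error-message fences are untagged while the policy path uses `text`.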