Add an RDP Server
Last modified on September 7, 2023
An Remote Desktop Protocol (RDP) Server in StrongDM is the combination of an IP/DNS address and authentication information used to control a Microsoft Windows resource, such as a server running Windows Server 2019 or Windows 10 Professional. This guide will show you how to add an RDP Server as a resource in the Admin UI.
- StrongDM supports the Microsoft Remote Desktop client on Windows and macOS. StrongDM does not support the Remote Desktop app.
- StrongDM only supports NTLM authentication for RDP. If the user account used to set up the RDP resource in StrongDM is added to the “Protected Users” group in Windows, the user will be prevented from authenticating using NTLM, and connections through StrongDM will no longer work.
Add an RDP Server
To add your RDP server as a StrongDM resource, use the following steps.
- Log in to the Admin UI and go to Infrastructure > Servers.
- Click Add server.
- Select RDP as the Server Type and set other resource properties to configure how the StrongDM relay connects to the server.
- Click create to save the resource.
- Click the resource name to view status, diagnostic information, and setting details. After the server is created, the Admin UI displays that resource as unhealthy until the health checks run successfully. When the resource is ready, the Health icon indicates a positive, green status.
Configuration properties are visible when you add a Server Type or when you click to view the server’s settings.
The following table describes the settings available for your RDP server.
|Display Name||Required||Meaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >)|
|Server Type||Required||Select RDP|
|Hostname||Required||IP/DNS address used to connect to the resource from your gateway or relay (for example, |
|Port||Required||Port on the target server that is listening for RDP connections; default port value 3389|
|Bind Interface||Read-only||Automatically generated IP address value in the |
|Port Override||Optional||Automatically generated with a value between 1024-59999 as long as that port is not used by another resource; preferred port can be modified later under Settings > Port Overrides|
|Secret Store||Optional||Credential store location; defaults to Strong Vault; to learn more, see Secret Store options|
|Key Type||Required||Signing algorithm with default value set to RSA-2048; other options include RSA-4096, ECDSA-256, ECDSA-384, ECDSA-521, and ED25519; to learn more, see Key Type options|
|Authentication||Required||Select Leased Credentials (default) or Remote Identities|
|Username||Required||Username to authenticate with (for example, |
|Password||Required||Password for the provided username|
|Resource Tags||Optional||Resource tags consisting of key-value pairs |
After the RDP Server is created, the Admin UI updates and shows your new server in a green or yellow state. Green indicates a successful connection. If it is yellow, click the pencil icon to the right of the server to re-open the Connection Details screen. Then click Diagnostics to determine where the connection is failing.
If any errors occur, please copy them into an email and send them to firstname.lastname@example.org.
Windows 11 Support
Adding a Windows 11 RDP resource requires two minor configuration changes to the resource and to your StrongDM organization.
- On the Windows 11 resource the setting Require devices to use NLA to connect needs to be disabled.
- The StrongDM Support team must then enable a setting for your organization manually. Please contact StrongDM Support for further assistance.
Windows Network Level Authentication (NLA)
Windows NLA is a security protocol used by the Remote Desktop Service. When enabled, it completes additional client-side verifications. Moreover, StrongDM will automatically detect and use Windows NLA if it is enabled. However, some variations of NLA are not supported. For example, you may encounter error messages such as the following in your
cannot extract server's sent public key: failed to handshake tls conn: read tcp4 172.22.64.180:35118->172.22.20.44:3389: read: connection reset by peer" cannot complete server NLA authentication: cannot parse ntlm echo packet: cannot read class byte: remote error: tls: internal error
Users may also see similar errors when trying to connect to RDP Servers. If you do encounter problems like this, please contact our Support team, who may be able to perform additional configuration on the backend to address this.