Over the past couple of years, I’ve noticed that establishing an RDP session from my primary desktop to other PCs sometimes fails under specific circumstances. I’m researching a story about this for Mayank Pamar at WindowsLatest, so keep an eye out for that opus. It’ll probably hit next week. When I attempt to get into some of my Windows 11 PCs (the only kind of physical PC I have any more), my login will occasionally be refused if I use a Microsoft Account (MSA). Indeed I’ll see a Remote Desktop Connection LSA error that reads “The Local Security Authority cannot be contacted.”

What Causes Remote Desktop Connection LSA Error?

Interestingly, there are a number of possible causes. Some are easy to fix, others fall on third parties. Here’s a partial list:

• OS can’t validate credentials, particularly MSA logins (the most common and obvious reason, but one users cannot easily fix themselves)
• Secure channel negotiation (to exchange credentials) fails
• Time sync or DNS resolution fails
• Credential policies are somehow misconfigured

Time sync and DNS stuff is probably the most approachable, so they’re worth trying. For the former that means Settings > Time & Language > Date & time > Sync now (under Additional Settings). For the latter, it’s only meaningful if using manual DHCP assignment, in which case Setting > Network & Internet > Ethernet or Wi-Fi > Edit DNS Settings > define preferred and backup DNS server addresses. Most users will get their DNS server assignments via DHCP.

The other items are a bit more convoluted. I’ll get to them in my upcoming story. Here in this brief blog, I’ll “leave them as an exercise for the reader” in the classic ploy used to avoid heavy lifting in so many, many textbooks I’ve read over the years…

A Typical (and Useful) Workaround

If I can’t get into a PC using my MSA, I’ll set up a local account on the affected machine with admin privileges and use that to RDP into the machine instead. This might cause issues on machines where you want or need access to account-speicific files or data (e.g. the associated C:\users\<name> folder hierarchy). But otherwise it works OK. In a small and unscientific survey of my local fleet, I’ve had to do this on just under half the machines (4 out of 9), most of which are running Insider Preview releases (and thus, have their foibles).

Here in Windows-World, if you can’t do things the way you want to, you must sometimes do them some other way. Obtaining RDP access to some of my test and experimental PCs puts me in those shoes from time to time. So it goes!