docs: add troubleshooting step for directory sharing failures

Closes #45461
gravitational · Sep 3, 2024 · 91b8c9b · 91b8c9b
1 parent 6e5b33e
commit 91b8c9b
Showing 1 changed file with 51 additions and 0 deletions.
diff --git a/docs/pages/enroll-resources/desktop-access/troubleshooting.mdx b/docs/pages/enroll-resources/desktop-access/troubleshooting.mdx
@@ -393,3 +393,54 @@ to force the policy update:
 ```code
 $ gpupdate.exe /force
 ```
+
+To enable NLA with Teleport 16.2.0 and later, set the `TELEPORT_ENABLE_RDP_NLA`
+environment variable to `yes` on hosts running Teleport's `windows_desktop_service`.
+More information on Teleport's NLA support is available in the [Active Directory guide](./active-directory.mdx#network-level-authentication-nla).
+
+### CredSSP: server not found in Kerberos database
+
+Attempts to connect to a desktop fail, and the UI shows an error similar to:
+
+```
+CredSSP UnknownCredentials: server not found in Kerberos database
+```
+
+This is an error with NLA. To connect to a Windows host using NLA, Teleport
+must specify the computer name as it exists in Active Directory. You will see
+this error if you have not specified the correct computer name, or if you are
+connecting by IP address instead of hostname.
+
+**Solution:** correct the server's computer name
+
+To fix this error, ensure that either:
+
+- the server's computer name is specified in the `teleport.dev/computer_name` label
+- the server's `addr` field specifies the correct computer name
+
+See [Computer Name](./active-directory.mdx#computer-name) for more information.
+
+## Directory Sharing
+
+### Failed to share directory
+
+Attempts to share a directory fail and a warning is presented that says:
+
+```
+Failed to share directory, drive redirection may be disabled on the RDP server.
+```
+
+**Solution:** Ensure that device redirection is enabled.
+
+Teleport's directory sharing feature leverages RDP device redirection.
+If device redirection is not enabled or allowed by the RDP server then the operation
+will fail.
+
+Device redirection is typically enabled by default, but may be disabled in group policy.
+The relevant settings are located under:
+
+```text
+Computer configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection
+```
+
+Make sure that the option for *Do not allow drive redirection* is unset or disabled.