When using Citrix Secure Access (SPA) with CEP and the Citrix Secure Access browser extension (Chrome-based) to access an RDP TCP application, the RDP connection fails with a black screen and the following error message:

In the SPA console, the application log shows that the TCP connection is established successfully.
Other TCP applications (for example, SSH) connect normally through the browser extension.
RDP connections using the Secure Access Agent installed on the endpoint also succeed.

This issue occurs due to a compatibility mismatch between browser-based RDP clients and the RDP security configuration on the target Windows system.

Specifically, browser-based RDP connections via SPA CEP may fail when:

• Network Level Authentication (NLA) is required

• The RDP server is configured to force a specific RDP security layer (RDP)

The Secure Access Agent uses the native OS RDP client, which supports these security mechanisms, while the browser-based RDP client has more limited support.

Update the RDP security settings on the target Windows VM as follows:

1. Disable Network Level Authentication (NLA)

On the target VM:

1. Open System Properties

2. Go to Remote tab

3. Disable:

   • “Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)”

2. Update RDP Security Layer Policy

1. Open Local Group Policy Editor (gpedit.msc)

2. Navigate to:

    

   Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security

3. Set:

   • Require use of specific security layer for remote (RDP) connections

     • Status: Enabled

     • Security Layer: Negotiate

Note: Setting the value explicitly to RDP may still result in connection failure when using the browser extension.

3. Reboot the Target VM

After applying the above changes, reboot the Windows VM to ensure the settings take effect.

SPA CEP Browser Extension: RDP Connection Fails with “Error: Connection failed: 0”