KB40848 - Window Terminal Service failed to connect when "Connect smart cards" option is enabled in the bookmark settings and backend is configured with NLA

This article describes an issue where Window Terminal Service (WTS) bookmarks fail to connect when "Connect smart cards" option is enabled in the bookmark settings and TS server requires Network Level Authentication (NLA).

When users launch Window Terminal Services bookmarks via the PCS gateway, the connection fails with the following error message:

The remote computer that you are trying to connection to requires Network Level Authentication (NLA), 
but your window domain controller cannot be contacted to perform NLA. For assistance, contact technical 
support or your network administrator.

Disabling NLA makes your connection less secure. However, if you are an administrator on the remote 
computer, you can disable the NLA.  On the Remote tab in System Properties, select "Allow connections 
from computers running any version of Remote Desktop.

As per the information in the MS blog, a limitation with the MS RDP client and smart card authentication is that the MS RDP client does not support Network Level Authentication (NLA) with smart card authentication in a cross-domain environment. 

This issue impacts the following versions

• 8.2R7.1 and above
• 8.3R2 and above

To resolve this problem, please upgrade to Pulse Connect Secure 9.0R3.

https://blogs.technet.microsoft.com/the_9z_by_chris_davis/2016/05/02/why-doesnt-nla-work-with-cross-domain-smart-card-authentication/