Channel: Remote Desktop Services (Terminal Services) forum

2008 R2 RDP SSL NLA problem "Local Security Authority cannot be contacted"


Hi!

I have run into an issue with RDP settings for 2008 R2 servers (all of them) whenever I enable NLA. That happens on user accounts that do NOT enforce password expiration (and so passwords are not expired) and MSTSC supporting NLA (client computers are win7 or win8).

In fact those same clients can use NLA just fine for connections to other win7/win8 workstations (domain members) using NLA, no probs!

SSL certificates are automatically issued by enterprise CA. All computers/servers have current and valid Computer certificates.

For some strange reason, I cannot enable NLA in the RDP settings for any of the 2008 R2 servers (various roles, ranging from a physical DC running multiple roles, through a dedicated virtual DC or dedicated virtual Print Servers, up to a dedicated Remote Desktop Services host), because all of them at once stop accepting RDP connections, always with the same error message:

An authentication error has occurred.
The Local Security Authority cannot be contacted

Remote computer: server.domain.local
This could be due to an expired password.
Please update your password if it has expired.
For assistance, contact your administrator or technical support.

That same message also appears on the DC (2008 R2) running the enterprise CA role ... irony ...

Please keep in mind that domain member computers running Windows 7 x64 or Windows 8.1 x64 can accept NLA-enabled and SSL-encrypted RDP traffic at the same time without issues while using the same user accounts to connect.

To make it even funnier, I can set RDP on a 2008 R2 acting as Remote Desktop Services server to accept only SSL RDP traffic and keep NLA disabled, and all works just fine. So, it is strictly the NLA causing trouble here, but why? WS 2008 R2 unable to use Kerberos authentication for RDP?

WS 2012 R2 can accept NLA/SSL RDP connections without trouble, just as win7/win8 workstations can, so the issue is narrowed down to only 2008 R2 servers (physical or virtual).

Is there a hotfix for this problem on 2008 R2? Sounds to me like it is a bug in 2008 R2 regarding Kerberos authentication for RDP... Is MS ever planning to fix it, or do we have to upgrade all servers to 2012 R2 to "fix it" ...






