Thursday, March 4, 2010

Logon problems

For a user to log on to a Terminal Server, the following permissions and rights must be granted:
  • 2003 only: Allow log on through Terminal Services
    This user right is by default granted to Administrators and members of the local Remote Desktop Users group on the server.
  • W2K only: Log On Locally
    This user right can be granted in the security policy for the server, in Security Settings\Local Policies\User Rights Assignment\Log On Locally.
  • Permission to use the rdp-tcp connection
    2003: The local Remote Desktop Users group has by default "User access" permission on the rdp-tcp connection.
    W2K: The local Users group has by default "User access" permission on the rdp-tcp connection.
  • Allow logon to Terminal Server checkbox, in the properties of the user account in AD.
    By default, this checkbox is checked for all users.

So on a standard installation of a 2003 Terminal Server, you only have to add your users or user groups to the local Remote Desktop Users group on the Terminal Server.

If your TS is also a Domain Controller (not recommended!), then you must do the following:

  1. add the users to the built-in domain local Remote Desktop Users group in AD
  2. enable the following setting in the Default Domain Controller Policy:
    Computer Configuration - Windows Settings - Security Settings - Local Policies - User Rights Assignment
    "Allow log on through Terminal Services"
    and add the Remote Desktop Users group to the list of allowed users
  3. add the Remote Desktop Users group to the permission list of the rdp-tcp connection

Modifying the permissions on the rdp-tcp connection can be done in Terminal Services Configuration, or programmatically:

  • 290720 - How to Add a User to Terminal Services RDP Permissions by Using WMI (2003)
  • 259129 - How to modify or query the RDP connection permissions for Terminal Services (W2K)
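The checklist above has four independent parts, and a user who is missing any one of them gets one of the error messages listed further down. The PowerShell script below is an added example, not something from the original post or from the Microsoft KB articles it cites: it checks, for one account on a Windows Server 2003 terminal server, the local Remote Desktop Users membership, the SeRemoteInteractiveLogonRight user right (the policy name behind "Allow log on through Terminal Services"), and the permission bits on the RDP-Tcp listener through the Win32_TSAccount WMI class, and it can grant the "User Access" preset the way KB 290720 does through Win32_TSPermissionsSetting.AddAccount. The account name CONTOSO\jdoe, the -UserDN value and the output labels are placeholders and assumptions of this example; the optional AD checkbox test relies on the IADsTSUserEx extension being registered on the machine running the script.

```powershell
# Added example (not from the original post): check the four logon
# prerequisites for one account on a 2003 terminal server, optionally grant
# "User Access" on the listener as KB 290720 does.
# Assumptions: run locally on the terminal server as an administrator;
# $Account is DOMAIN\user (CONTOSO\jdoe is a placeholder); -UserDN is a
# hypothetical distinguished name used only for the optional AD checkbox test.
param(
    [Parameter(Mandatory = $true)][string]$Account,   # e.g. CONTOSO\jdoe
    [string]$UserDN,                                   # e.g. CN=jdoe,CN=Users,DC=contoso,DC=com
    [string]$Listener = 'RDP-Tcp',
    [switch]$GrantUserAccess                           # apply the KB 290720 AddAccount fix
)

# Permission bits from winsta.h, as exposed in Win32_TSAccount.PermissionsAllowed.
$WINSTATION_QUERY   = 0x001
$WINSTATION_LOGON   = 0x020
$WINSTATION_CONNECT = 0x100
$RDU_NAME = 'BUILTIN\Remote Desktop Users'
$RDU_SID  = 'S-1-5-32-555'   # well-known SID of the local Remote Desktop Users group

function Get-AccountSid([string]$Name) {
    $nt = New-Object System.Security.Principal.NTAccount($Name)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# 1. Direct membership of the local Remote Desktop Users group.
#    Nested domain groups are not expanded here; check those in AD.
function Test-RdpGroupMember([string]$Name) {
    $grp = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
    $members = @($grp.psbase.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'   # WinNT://CONTOSO/jdoe -> CONTOSO\jdoe
    })
    return ($members -contains $Name)
}

# 2. "Allow log on through Terminal Services" = SeRemoteInteractiveLogonRight.
#    secedit writes the right under [Privilege Rights] as a comma-separated list of *SID entries.
function Get-RemoteLogonRightSids {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $cfg | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' } | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    return @(($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
}

# 3. Access control entries on the listener, read from the Terminal Services WMI provider.
function Get-RdpTcpAllowedMask([string]$Name, [string]$ListenerName) {
    $ace = Get-WmiObject -Namespace root\cimv2 -Class Win32_TSAccount |
        Where-Object { $_.TerminalName -eq $ListenerName -and $_.AccountName -eq $Name }
    if ($ace) { return [int]$ace.PermissionsAllowed } else { return 0 }
}

# KB 290720: PermissionPreSet 1 = "User Access" (0 = Guest Access, 2 = Full Control).
function Grant-RdpTcpUserAccess([string]$Name, [string]$ListenerName) {
    $ts = Get-WmiObject -Namespace root\cimv2 -Class Win32_TSPermissionsSetting |
        Where-Object { $_.TerminalName -eq $ListenerName }
    return $ts.AddAccount($Name, 1).ReturnValue    # 0 means success
}

$userSid   = Get-AccountSid $Account
$isMember  = Test-RdpGroupMember $Account
$rightSids = Get-RemoteLogonRightSids
$hasRight  = ($rightSids -contains $userSid) -or ($isMember -and ($rightSids -contains $RDU_SID))

# The listener check only looks at a direct ACE for the user plus the group ACE
# when the user is a direct member; the three bits below are the ones a logon needs.
$needed = $WINSTATION_QUERY -bor $WINSTATION_LOGON -bor $WINSTATION_CONNECT
$mask   = Get-RdpTcpAllowedMask $Account $Listener
if ($isMember) { $mask = $mask -bor (Get-RdpTcpAllowedMask $RDU_NAME $Listener) }
$hasListener = (($mask -band $needed) -eq $needed)

"Member of local Remote Desktop Users : $isMember"
"SeRemoteInteractiveLogonRight        : $hasRight"
"$Listener allows query/logon/connect : $hasListener"

if ($UserDN) {
    # 4. IADsTSUserEx.AllowLogon backs the "Allow logon to Terminal Server" checkbox (1 = checked).
    $u = [ADSI]"LDAP://$UserDN"
    "AD 'Allow logon to Terminal Server'  : $($u.psbase.InvokeGet('AllowLogon') -eq 1)"
}
if ($GrantUserAccess -and -not $hasListener) {
    "AddAccount ReturnValue               : $(Grant-RdpTcpUserAccess $Account $Listener)"
}
```

Run it as `.\Check-TsLogon.ps1 -Account 'CONTOSO\jdoe'` (or with `-UserDN` and `-GrantUserAccess`) and read the three or four True/False lines against the error-message table that follows: a False on the group line matches "You do not have access to logon to this session", a False on the user right matches "The local policy of this system does not permit you to logon interactively", and a False on the AD checkbox matches "Your interactive logon privilege has been disabled". On a domain controller the user right comes from the Default Domain Controller Policy, so a False there means step 2 of the DC procedure above has not been applied yet.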

Error messages - permission problems

Here are some common error messages which users get when they haven't been granted the correct permissions and user rights:
  • "The local policy of this system does not permit you to logon interactively"
    2003: The user account is not a member of the local Remote Desktop Users group. See 289289
    SBS2003: The Remote Desktop Users group does not have the "Allow log on through Terminal Services" right - see 886620
    W2K: The user does not have the "Log On Locally" right in the server's security policy.
  • "You do not have access to logon to this session"
    2003: The user account is not a member of the local Remote Desktop Users group.
    W2K: The user doesn't have the necessary permissions on the rdp-tcp connection. This happens when you remove the Users group from the properties of RDP-tcp.
  • "Your interactive logon privilege has been disabled"
    The user does not have the "Allow logon to Terminal Server" check box selected on the Terminal Services Profile tab of their account.
    2003: The user account is denied Read permissions to the Active Directory directory service. This right is by default denied to the Guest account. See 815266
  • "The desktop you are trying to open is currently available only to administrators", followed by
    "You do not have access to logon to this session"
    2003 + Citrix PS3.0 only: Installing Citrix PS 3.0 on a Windows 2003 server creates a new RDP-TCP listener. The default properties of this listener allow only the launching of published applications. See 931353 and CTX104106
  • "To log on to this remote computer, you must have Terminal Server User Access permissions...."
    2003 + Citrix PS4.0 only: Installing Citrix PS 4.0 on a Windows 2003 server creates a new RDP-TCP listener. The default properties of this listener allow only the launching of published applications. See CTX109925

Error messages - misc. problems

  • "An error occurred in the licensing protocol"
    Vista: not enough permissions on the local registry to store the client license
    See 187614
  • "The remote computer disconnected the session because of an error in licensing protocol"
    XP: Terminal Services service is not started; invalid stored license
    See 921045
  • "Because of a security error, the client could not connect to the remote computer"
    W2K + 2003: corrupted certificate on the Terminal Server
    See 329896
  • "Because of a security error, the client could not connect to the terminal server"
    W2K: invalid certificate on the Terminal Server
    XP: invalid stored license
    See 323597
  • "The terminal server has ended the connection"
    W2K with SRP1: invalid certificate on the Terminal Server
    See 323497
  • "The remote computer has ended the connection"
    XP with SP2: DFS client is disabled
    See 898713
  • "No authority could be contacted for authentication"
    Vista client to Vista host in 2003 domain: Kerberos service account problem
    See 939820
  • "The system could not log you on"
    RDP 6.0 client to XP SP2 host: smart card login problem
    See 939682
  • "The remote session was disconnected because another user has connected to the session"
    2008: autologon enabled
    See 947714
  • "Your system administrator does not allow the use of default credentials..."
    Vista RDP client with Single Sign-On enabled
    See Problems using default credentials with Vista RDP clients with Single Sign-on Enabled
  • "Winlogon has encountered a problem and needs to close"
    2003: when many users connect at the same time
    See 953675

Misc. logon problems

  • 922044 - A Windows Server 2003 Service Pack 1-based terminal server cannot accept new incoming Terminal Service connections
  • 828664 - An access violation error occurs if your Terminal Services information is corrupted (W2K preSP5, XP preSP2, 2003 postSP1 hotfix)
  • 258021 - Event ID 52 When You Start Terminal Services
  • 328002 - You Cannot Connect to Terminal Services from a Web Page
  • 270588 - Remote Desktop Protocol Clients Cannot Connect to Terminal Services Server
  • 312030 - Cannot Connect to a Windows 2000-Based Computer with Terminal Services Installed and RDP Listener Is "Down"
  • 290706 - Cannot Automatically Log on Remotely to Terminal Server with Long User Name or Password
  • 329155 - "The Server May Be Too Busy" Error Message If Terminal Services Installed in Remote Administration Mode (SBS2000)
  • 914048 - Event IDs 1000 and 1004 may be logged in the Application event log, and Windows Server 2003 Terminal Server client connections and logon tries may sometimes fail, when you try to connect to a remote computer
  • 931353 - Error message when you use RDP to connect to a Windows Server 2003-based computer that is running Terminal Server and Citrix MetaFrame Presentation Server 3.0: "The desktop you are trying to open is currently available only to administrators"
  • 939820 - Error message when you try to use Remote Desktop Connection to connect to another Windows Vista-based computer in Windows Vista: "No authority could be contacted for authentication"
  • 939682 - Error message when you try to log on to a computer that is running Windows XP SP2 by using a Remote Desktop Protocol connection: "The system could not log you on"
  • 947714 - You cannot create a remote desktop session as an administrator when Autologon is enabled in Windows Server 2008
  • 951028 - You are prompted two times for credentials when you use the Remote Desktop Client to connect to a Windows 2000 Terminal Server from Windows Vista or from Windows Server 2008

Citrix specific issues

  • CTX109925 - Error: To log on to this remote computer, you must have Terminal Server User Access permissions on this computer. By default, members of the Remote Desktop Users group have these permissions..... (2003 + PS4)
  • CTX104106 - Connection Error : The desktop you are trying to open is currently available only to administrators (2003 + PS3)
  • CTX159159 - Troubleshooting and Explaining Session Sharing
  • 894457 - You cannot connect to your previously disconnected session when you try to use a Citrix ICA client to connect to Citrix MetaFrame for Windows Server 2003 (postSP1 hotfix)
  • CTX112347 - Users Cannot Connect to ICA Sessions after Installing Version 6.0 of the RDP Client
  • CTX107051 - Unable to Connect with ICA After Installing Microsoft Rollup 1 for Windows 2000
  • CTX543560 - Connecting to a MetaFrame XP Server Shows a Popup Window Indicating initializing. The Window Then Disappears. (Citrix MF XP + PS3)
  • CTX108638 - Configuring Smart Access for Published Applications

Misc. issues

  • 555061 - Unable To Reconnect To Terminal Server In Application Mode (Windows Mobile 2003 for Pocket PC)
  • 242051 - RDP client can lose connection to Terminal Server if Terminal Server initiates a RAS session to a remote server
  • 886212 - You are unexpectedly logged off when you try to connect to a computer that is running Windows Server 2003 or Windows XP
  • 888820 - "The system cannot find the file specified" error message when you try to connect to a Terminal Server that is located on a Small Business Server 2000 domain
  • 294761 - Logon Timer Error Is Received upon Connection to Terminal Server
  • 830581 - How to limit the number of connections on a terminal server that runs Windows Server 2003
  • 237282 - Limiting a User's Concurrent Connections in Windows 2000 and Windows NT 4.0
