Remote Desktop Services troubleshooting

Remote Desktop Services FAQ - Connectivity

How can I allow rdp connections from specific clients only?
RDP connections from a Vista client freeze or disconnect after some minutes
When I try to connect to a 2003 TS from my XP SP3 / Vista / Windows 7 client wit the latest RDP client, I get an error: "... Remote Desktop cannot verify the identity of the computer..."
When I try to connect to a 2008 TS from my XP SP3 client, I get an error: "The remote computer requires network level authentication..."
When I try to connect to a 2008 TS from my XP SP3 client via TS Web Access, I get an error: "ActiveX control not installed or not enabled."
Is it possible to connect to a 2008 TS from my XP SP3 client without having to enter my domain username and passsword for the second time?
My Terminal Server does not respond after a reboot. How do I solve this?

Q: How can I allow rdp connections from specific clients only?
Last modified: October 28, 2007

A: You can limit the IP addresses from which rdp connections to your server are allowed in a couple of ways:

your firewall device
Most firewalls devices have the ability to only allow incoming traffic on port 3389 from specific IP addresses
the Windows Firewall on your Terminal Server
Modify the Remote Desktop Exception scope, to only include specific IP addresses
IPSec
You can use IPSec to limit which IP addresses can connect to your Terminal Server

Top of page | FAQ | Home

Q: RDP connections from a Vista client freeze or disconnect after some minutes
Last modified: October 6, 2007

A: The Next Generation TCP/IP stack in Windows Vista supports "Receive Window Auto-Tuning", which increases network throughput.
Some firewall devices don't handle this feature correctly. Check this article for a list of devices which are known to cause a problem and for methods to identify and solve the issue:

934430 - Network connectivity may fail when you try to use Windows Vista behind a firewall device

Top of page | FAQ | Home

Q: When I try to connect to a 2003 TS from my Vista or Windows 7 client, I get an error: "... Remote Desktop cannot verify the identity of the computer..."
Last modified: December 6, 2009

A: The complete error message that you get is:

The connection cannot proceed because Remote Desktop cannot verify the identity of the computer you want to connect to. This problem can occur if:

1) The remote computer is running a version of Windows that is earlier than Windows Vista. 
2) The remote computer is configured to support only the RDP security layer. 

Contact your network administrator or the owner of the remote computer for assistance.

The reason for the error is that remote computers that are running Windows XP or Windows Server 2003 or earlier operating systems cannot provide their identity for verification.

You can get rid of the error message by configuring your rdp 7 client to ignore the problem :
Remote Desktop Client - Options - Advanced tab - Server authentication - If the actual verification does not meet the minimum policy requirements - choose "Connect and don't warn me".

Top of page | FAQ | Home

Q: When I try to connect to a 2008 TS from my XP SP3 client, I get an error: "The remote computer requires network level authentication..."
Last modified: November 15, 2008

A: To connect to Windows Server 2008 or Windows Vista which enforces Network Level Authentication (NLA), you must turn on CredSSP. CredSSP is a new Security Service Provider that is available in Windows XP SP3. By default, CredSSP is turned off in Windows XP SP3. Here's how to enable it in XP SP3:

951608 - Description of the Credential Security Service Provider (CredSSP) in Windows XP Service Pack 3

Top of page | FAQ | Home

Q: When I try to connect to a 2008 TS from my XP SP3 client via TS Web Access, I get an error: "ActiveX control not installed or not enabled."
Last modified: August 10, 2008

A: The rdp 6.1 client includes the ActiveX control which is required to connect through TS Web Access. Make sure that you have installed the rdp 6.1 client (version 60.6001.x).

On Windows Server 2008 and Vista SP1, you don't have to do anything else.
On Windows XP SP3, you have to enable the ActiveX control. Unfortunately, the ActiveX control will not appear in the "Manage Addons" list in IE7. As a workaround, you can enable it in the registry.
Start Regedit and delete the following keys:

   HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7390f3d8-0439-4c05-91e3-cf5cb290c3d0}
   HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{4eb89ff4-7f78-4a0f-8b8d-2bf02e94e4b2}

The TS Web Access page should now load normally.

Top of page | FAQ | Home

Q: Is it possible to connect to a 2008 TS from my XP SP3 client without having to enter my domain username and passsword for the second time?
Last modified: February 4, 2009

A: Absolutely!
This feature is called "Single Sign-On", and it can be enabled for Terminal Server sessions to a 2008 Terminal Server or Vista computer.

The system requirements for Single Sign-On on Windows XP are:

Service Pack 3
rdp client version 6.1 (included in SP3)
NLA (Network Level Authentication

To use NLA, you need CredSSP (Credential Security Service Provider). By default, CredSSP is turned off in Windows XP SP3. Here's how to enable CredSSP in XP SP3:
951608 - Description of the Credential Security Service Provider (CredSSP) in Windows XP Service Pack 3

Next, you need to enable SSO. How to do this through Group Policy is described here: How to enable Single Sign-On for my Terminal Server connections, but since there's no GPO template in XP SP3 for SSO, you'll have to add the following registry keys on the XP client:

   [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation]
   "AllowDefaultCredentials"=dword:00000001
   "ConcatenateDefaults_AllowDefault"=dword:00000001
   "AllowDefCredentialsWhenNTLMOnly"=dword:00000001
   "ConcatenateDefaults_AllowDefNTLMOnly"=dword:00000001

   [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials]
   "1"="TERMSRV/<My Server1>"
   "2"="TERMSRV/<Server2>"

   [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefCredentialsWhenNTLMOnly]
   "1"="TERMSRV/<My Server1>"
   "2"="TERMSRV/<My Server2>"

Note: Replace "<My Server1>", "<My Server2>", etc. with the real server names.

You should not use AllowDefCredentialsWhenNTLMOnly unless it is absolutely necessary. These keys enable SSO when Kerberos or SSL server authentication is not possible, and it is not very secure (you may end up sending your password to a wrong server).

Then, install hotfix 953760 on the Windows XP client.

Top of page | FAQ | Home

Q: My Terminal Server does not respond after a reboot. How do I solve this?
Last modified: August 10, 2008

A: First of all, make sure that the server really performed a reboot (you can check this in the EventLog). If it didn't, and you tried to perform the reboot through a remote session, you are probably suffering one of the issues described here:

930045 - A Windows Server 2003-based computer stops responding when you shut down the computer in a remote console session
971310 - A terminal server that is running Windows Server 2003 stops responding during the shutdown process if a remote console session is established on the server

But if the server did reboot, it could be that there is a race condition between the TermService service and TermDD. This happens sometimes when servers are patched or new software is installed and the startup sequence changes. When the TermService service starts up before TermDD, the listener seems to be working but it doesn't. The workaround for this is to add TermDD to the list of dependencies in

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\DependOnService

so the list becomes RPCSS followed by TermDD.

You can remotely reboot the server from the command line with:

   shutdown.exe /m \\RemoteServer /r /t 00 /f

Top of page | FAQ | Home