
Technical Blog of Tux&Cía., Santa Cruz de la Sierra, BO

Friday, April 1, 2011

TS error - winlogon failed

Troubleshooting
Logon problems
For a user to log on to a Terminal Server, the following permissions and rights must be granted:
  • Allow log on through Terminal Services
    This user right is by default granted to Administrators and members of the local Remote Desktop Users group on the server.
  • Permission to use the rdp-tcp connection
    The local Remote Desktop Users group has by default "User access" permission on the rdp-tcp connection.
  • Allow logon to Terminal Server checkbox, in the properties of the user account in AD.
    By default, this checkbox is checked for all users.
So on a standard installation of a Terminal Server, you only have to add your users or user groups to the local Remote Desktop Users group on the Terminal Server.
If your TS is also a Domain Controller (not recommended!), then you must do the following:
  1. add the users to the built-in domain local Remote Desktop Users group in AD
  2. enable the following setting in the Default Domain Controller Policy:
    Computer Configuration - Windows Settings - Security Settings - Local Policies - User Rights Assignment
    "Allow log on through Terminal Services"
    and add the Remote Desktop Users group to the list of allowed users
  3. add the Remote Desktop Users group to the permission list of the rdp-tcp connection
Modifying the permissions on the rdp-tcp connection can be done in Terminal Services Configuration, or programmatically:
  • 290720 - How to Add a User to Terminal Services RDP Permissions by Using WMI (2003)
  • 259129 - How to modify or query the RDP connection permissions for Terminal Services (W2K)
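As an added example (not code from the original post or from the KB articles it cites), the following PowerShell script audits the prerequisites listed above for one account on the Terminal Server it runs on, for both the plain TS case and the TS-on-a-DC case, by comparing SIDs rather than names. It assumes Windows Server 2003 or later (the Win32_TSAccount WMI class and secedit.exe), a domain-joined server, and parameter names of my own choosing.

```powershell
# Added example, not code from the original post: audit the Terminal Server
# logon prerequisites for one account on the server this runs on.
# Assumes Windows Server 2003+ (Win32_TSAccount WMI class, secedit.exe) and a
# domain-joined server; parameter names are my own. Run as an administrator:
#   .\Test-TSLogon.ps1 -SamAccount jdoe
param(
    [Parameter(Mandatory = $true)][string]$SamAccount,
    [string]$Domain = $env:USERDOMAIN      # assumed: the user's NetBIOS domain
)
$account = "$Domain\$SamAccount"
$userSid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
$rduSid = 'S-1-5-32-555'                   # well-known SID of Remote Desktop Users
$problems = @()
# 1. Direct membership in the local Remote Desktop Users group (WinNT provider).
$group = [ADSI]"WinNT://./Remote Desktop Users,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
if ($members -notcontains $SamAccount) {
    $problems += "is not a direct member of local 'Remote Desktop Users' (nested groups not resolved here)"
}

# 2. The 'Allow log on through Terminal Services' right (SeRemoteInteractiveLogonRight).
#    secedit exports it as '*SID' entries, so compare SIDs, not names.
$inf = Join-Path $env:TEMP 'user-rights.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight' }
$holders = @()
if ($line) { $holders = (($line -split '=', 2)[1] -replace '\*', '') -split ',' | ForEach-Object { $_.Trim() } }
Remove-Item $inf -ErrorAction SilentlyContinue
if ($holders -notcontains $rduSid -and $holders -notcontains $userSid) {
    $problems += "holds no SeRemoteInteractiveLogonRight, neither directly nor via Remote Desktop Users"
}

# 3. An entry on the RDP-Tcp listener's permission list (same WMI class KB 290720 uses).
$entries = @(Get-WmiObject -Namespace root\cimv2 -Class Win32_TSAccount -Filter "TerminalName='RDP-Tcp'")
$sids = $entries | ForEach-Object { $_.SID }
if ($sids -notcontains $rduSid -and $sids -notcontains $userSid) {
    $problems += "appears in the RDP-Tcp permissions neither directly nor via Remote Desktop Users"
}

# 4. The 'Allow logon to terminal server' checkbox on the AD account (IADsTSUserEx).
$searcher = New-Object System.DirectoryServices.DirectorySearcher("(sAMAccountName=$SamAccount)")
$result = $searcher.FindOne()
if ($result -and $result.GetDirectoryEntry().psbase.InvokeGet('AllowLogon') -eq 0) {
    $problems += "has 'Allow logon to terminal server' unchecked on the AD account"
}
if ($problems.Count -eq 0) { "OK: $account meets all Terminal Server logon prerequisites" }
else { $problems | ForEach-Object { "PROBLEM: $account $_" } }
```

Each reported problem maps to one of the error messages in the next section, so the script gives you the cause before the user sees the symptom.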

Error messages - permission problems

Here are some common error messages which users get when they haven't been granted the correct permissions and user rights:
  • "The local policy of this system does not permit you to logon interactively"
    2003: The user account is not a member of the local Remote Desktop Users group. See 289289
    SBS2003: The Remote Desktop Users group does not have the "Allow log on through Terminal Services" right - see 886620
    W2K: The user does not have the "Log On Locally" right in the server's security policy.
  • "You do not have access to logon to this session"
    2003: The user account is not a member of the local Remote Desktop Users group.
    W2K: The user doesn't have the necessary permissions on the rdp-tcp connection. This happens when you remove the User group from the properties of RDP-tcp.
  • "The requested session access is denied."
    Vista: The user account is not a member of the local Remote Desktop Users group
    See 954369
  • "Your interactive logon privilege has been disabled"
    The user does not have the "Allow Logon to terminal server" check box selected on the Terminal Services Profile tab of their account.
    2003: The user account is denied Read permissions to the Active Directory directory service. This right is by default denied to the Guest account. See 815266
  • "The desktop you are trying to open is currently available only to administrators", followed by
    "You do not have access to logon to this session"
    2003 + Citrix PS3.0 only: Installing Citrix PS 3.0 on a Windows 2003 creates a new RDP-TCP listener. The default properties of this listener allow only the launching of published applications. See 931353 and CTX104106
  • "To log on to this remote computer, you must have Terminal Server User Access permissions...."
    2003 + Citrix PS4.0 only: Installing Citrix PS 4.0 on a Windows 2003 creates a new RDP-TCP listener. The default properties of this listener allow only the launching of published applications. See CTX109925

Error messages - misc. problems

  • "An error occurred in the licensing protocol"
    Vista: not enough permissions on the local registry to store the client license
    See 187614
  • "The remote computer disconnected the session because of an error in licensing protocol"
    XP: Terminal Services service is not started; invalid stored license
    See 921045
  • "Because of a security error, the client could not connect to the remote computer"
    W2K + 2003: corrupted certificate on the Terminal Server
    See 329896
  • "Because of a security error, the client could not connect to the terminal server"
    W2K: invalid certificate on the Terminal Server
    XP: invalid stored license
    See 323597
  • "The terminal server has ended the connection"
    W2K with SRP1: invalid certificate on the Terminal Server
    See 323497
  • "The remote computer has ended the connection"
    XP with SP2: DFS client is disabled
    See 898713
  • "No authority could be contacted for authentication"
    Vista client to Vista host in 2003 domain: Kerberos service account problem
    See 939820
  • "The system could not log you on"
    RDP 6.0 client to XP SP2 host: smart card login problem
    See 939682
  • "The remote session was disconnected because another user has connected to the session"
    2008: autologon enabled
    See 947714
  • "Your system administrator does not allow the use of default credentials..."
    Vista RDP client with Single Sign-On enabled
    See Problems using default credentials with Vista RDP clients with Single Sign-on Enabled
  • "The logon attempt failed"
    Vista RDP client with saved credentials
    See 954397 and Problems using saved credentials with Vista RDP clients and above
  • "Winlogon has encountered a problem and needs to close"
    2003: when many users connect at the same time
    See 953675
  • "Server is not found in the network"
    2008: when many users connect at the same time
    See 954398
  • "Autoreconnect failed to reconnect user to session because authentication failed. (0x0)"
    All OS: autoreconnect enabled and a time-out limit on disconnected sessions can cause this error message.
    A temporary network interruption can cause the remote session on the server to be put into the "disconnected" state, and the time-out limit causes it to end after the limit is exceeded.
    When the user tries to start working again in the session, the RDP client tries to reconnect and fails, producing the above error message as well as Event ID 1042 in the event log.
  • "... Remote Desktop cannot verify the identity of the computer..."
    Vista and Windows 7 client to 2003 / 2000 TS: downlevel RD Session Hosts cannot provide their identity
    See RDP7_to_RDP6

Misc. logon problems

  • 2258492 - You notice that the check box "Deny this user permissions to logon to a Remote Desktop Session Host Server" behaves differently in Windows 2003 and Windows 2008
  • 982010 - You may be unable to log on a terminal server that has the DisableWindowsUpdateAccess user policy set
  • 922044 - A Windows Server 2003 Service Pack 1-based terminal server cannot accept new incoming Terminal Service connections
  • 828664 - An access violation error occurs if your Terminal Services information is corrupted
  • 914048 - Event IDs 1000 and 1004 may be logged in the Application event log, and Windows Server 2003 Terminal Server client connections and logon tries may sometimes fail, when you try to connect to a remote computer
  • 931353 - Error message when you use RDP to connect to a Windows Server 2003-based computer that is running Terminal Server and Citrix MetaFrame Presentation Server 3.0: "The desktop you are trying to open is currently available only to administrators"
  • 939820 - Error message when you try to use Remote Desktop Connection to connect to another Windows Vista-based computer in Windows Vista: "No authority could be contacted for authentication"
  • 947714 - You cannot create a remote desktop session as an administrator when Autologon is enabled in Windows Server 2008
  • 951028 - You are prompted two times for credentials when you use the Remote Desktop Client to connect to a Windows 2000 Terminal Server from Windows Vista or from Windows Server 2008
  • 954393 - Local credentials are used to log on to a Windows Server 2008-based computer instead of credentials that you entered on a Terminal Services client
  • 938449 - Event ID 5719 is logged when you start a computer on a domain, and the computer is running Windows Server 2003, Windows XP, or Windows 2000
=====================
During a migration process I came across this odd problem.
I could not change a Terminal Server Profile Path for a couple of hundred users.
I searched the Microsoft site but I could not find anything that would help me quickly.
Yes, I did find this link http://technet.microsoft.com/en-us/library/cc783578.aspx
But my client did not have group policies in place and I did not want to use the "Terminal Services Extension".
I found several partly useful scripts; I combined the best of them in the script below. I really hope you will find this useful.
Read More at link
=========================

  1. Start Registry Editor (Regedt32.exe).
  2. Locate the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
  3. Locate the following entry:
    Value name: RestrictAnonymous
    Data type: REG_DWORD
    Value: 1
  4. Change the value to 0.
