Error connecting to computers other than RD Gateway
- I have RD Gateway on R2 setup. When trying to connect from an external XP Machine using RDC 7.0, I get errors when trying to connect to machines other than the RD Gateway (which is also a session host).
When I look at the logs, it appears that I'm able to get past the gateway -- indeed, in the gateway logs, it says that my user has passed NAP/CAP and is allowed to connect to the target computer. Then there's another log that says my user has disconnected after exactly 60 seconds transfering a few bytes.
Looking at the security logs on the target computer, I see a logon attempt but it was by the machine account of the RD Gateway (and using kerberos), not my user. Further, even when I logon to the Gateway machine, I get to the "Switch User" screen instead of directly logged on as me.
Something appears to be prevening RD Gateway from connecting/impersonating the specified user (I think).
How can I fix this?
Thanks!
Answers
- Please check this KB article: http://support.microsoft.com/kb/969084. The shared creds between TS Gateway and TS does not work with RDC 7.0 on XP SP3.
Thanks, Vikash- Proposed As Answer byVikash BuchaMSFT, ModeratorTuesday, November 17, 2009 4:48 AM
- Marked As Answer byVikash BuchaMSFT, ModeratorWednesday, November 18, 2009 4:58 AM
All Replies
- What error do you get when you aren't able to connect? Is it repeated credential prompt? If yes, did you try passing your credentials again on the re-prompt?
If the symptoms are exactly what I am asking about, please turn on cred SSP on your XP SP3 machine. Here is the link on how to do this: http://support.microsoft.com/default.aspx/kb/951608
Thanks, Vikash- Unproposed As Answer byOren Novotny Sunday, November 08, 2009 7:38 AM
- Proposed As Answer byVikash BuchaMSFT, ModeratorSunday, November 08, 2009 6:07 AM
- No, it doesn't reprompt. In fact, it does authenticate correctly to the RD Gateway. I can see a successful logon on the RD Gateway security log and the RD Gateway operational log shows that I've passed NAP/CAP and am connected to the target machine.
When I look at the security log on the target machine though, the only logon that corresponds to the same time as the RD Gateway logon is by the RD Gateway machine account, not the user account. - Can you please provide the exact error message that you get on the client side? Also as I suggested earlier, can you try enabling cred ssp on the XP SP3 machine and let me know if it works.
Thanks, Vikash Hello Oren,
Thanks for your post in our forum.
Generally, we don’t recommend you to install other Remote Desktop Services roles on the RD Gateway server. That will possibly impact the roles or the RD Gateway from functioning correctly. If possible, please consider to install other roles on separate servers.
To narrow down the problem’s scope, please let us know the following information:
· Is the issue occurring with only specific computers / users? Have you tried to use other client machine to start the RDC from the Internet? What’s the result?
· Please include the exact error message to us when the RDC fails.
· Please start a Remote Desktop Connection to the target server from the RD Gateway server. What is the result?
· Please double-check the CAP and RAP on the Gateway server, correct them if there is anything wrong. There are similar issues that installing other roles on the RD Gateway server may affect the CAP/RAP from running.
We’d like to provide further assistance as soon as getting the information above. Thanks for your cooperation.
· Lionel Chen
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfd@microsoft.com
Hello Oren,
As the thread has been quiet for a while, I wonder if the issue has been resolved or you need any further assistance from us?
Please let us know it.
Thanks and have a nice day.
Lionel Chen
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfd@microsoft.comI'm unable to use the computer with the issue until the end of the month. The strange thing is that from a different XP computer that only has RDC 6 on it, everything seems to work. I can connect to both the gateway compter RD and other RD's normally.
- Did you try enabling cred SSP on the XP machine which is not able to connect? I think that can be an issue.
Thanks, Vikash - I didn't get a chance yet; did that behavior change between RDC 7 and 6? I can also try uninstalling RDC 7. I seem to recall that there weren't any issues before which is why I was surprised by the error. In any event, I'll have to wait until the end of the month when that machine is available again.
- Yes, there is an issue when using RDC 7.0 on XP SP3 client (without cred ssp enabled) through a TS Gateway server. Please check that out and let me know whether it resolves your issue or not.
Thanks, Vikash - Please use this script to enable credSSP on XP SP3.
http://gallery.technet.microsoft.com/ScriptCenter/en-us/41a472e1-9660-4813-be4f-4b81a5345d75
Regards, Rajesh. - Okay, I gained access to the machine for a few hours and tested -- Enabling Cred SSP partially worked. Now, I get prompted twice, once for the gateway and again for thee target. When I enter my creds the second time, it does work. I do have the option checked though in the Advanced tab that it should use the same credentials for both the gateway and target -- it shouldn't be prompting me twice.
Is there something else I need to enable/change for RDC 7?
Thanks! Hello Oren,
Thanks for your feedback.
Firstly, please make sure that Remote Desktop Connection 6.1 (RDP 7.0 supported) is used for the client machine.
Secondly, use the steps described in the following blog to set up the configurations:
Single credential prompt for TS Gateway Server and Terminal Server
If the issue still persists, please refer to the “What are the various scenarios this setting is not applicable?” section of the article above. I highly suspect there is a saved credential for the TS Gateway server in your case. If so, please delete the credential as the image shows and let us know the result.
Thanks again for your cooperation.
· Lionel Chen
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfd@microsoft.com
- Hi Lionel,
Yes, I already have the client setup that way. When I use RDC 6 and TS Gateway from a different XPSP3 machine, it does work fine using a single login.
The problem is with the other machine with RDC7. - Please check this KB article: http://support.microsoft.com/kb/969084. The shared creds between TS Gateway and TS does not work with RDC 7.0 on XP SP3.
Thanks, Vikash- Proposed As Answer byVikash BuchaMSFT, ModeratorTuesday, November 17, 2009 4:48 AM
- Marked As Answer byVikash BuchaMSFT, ModeratorWednesday, November 18, 2009 4:58 AM
- Hello Oren,
I agree with Vikash's suggestion and the KB article is very possibly helpful for your scenarios.
Please give it a try and let us know the result.
Thanks.
Lionel ChenTechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfd@microsoft.com
