Remote Desktop causes a licensing protocol error for user-initiated connections to RDS servers, but not to non-RDS servers

    Question

  • Situation:

    A Citrix farm with a number of servers that are all started from the same basic image through provisioning. This image contains Windows Server 2008 R2, fully patched, with XenApp 6.5 installed. Next to this is a separate Citrix farm that contains a test-environment for applications.

    Issue:

    User starts MSTSC (Remote Desktop) as an application on Citrix, and tries to connect to various other servers.

    - RDP shows a licensing protocol error on connecting to a Citrix server
    - RDP connects without any problems to a non-Citrix server

    Details:

    The remote user logs in through the internet and starts the remote desktop application which has been published for him. Upon starting the application however, and filling in the name of the server you want to connect to, the application pops up a second 'logon screen' to provide apparently some passthrough credentials to the Remote Desktop application. When re-entering the data for the user, the connection seems to be made but ends in an error: 'The remote computer disconnected the session because of an error in the licensing protocol.' This happens, regardless of the credentials I use here, even if I use Admin equivalent credentials.

    This error seems to point at problems with the registry, specifically the HKLM\Software\Microsoft\MSLicensing and HKLM\SOFTWARE\Wow6432Node\Microsoft\MSLicensing keys. Since we're using an image, these keys are inherently empty, and should be filled with the appropriate license as logons occur. They have been provided with the correct set of permissions that are applicable to this key (i.e. the Users-group is also allowed 'full control' here).

    I've looked at the permissions on these keys, and while the Users group (which contains all domain users, including the user I'm testing with) has full access to the 2nd entry, the first one shows the Users only to have 'read only' rights to the key. This is strange, because verification in the base-image shows this to be 'full control' as well. Even worse, also checking the GPOs that are unleashed on these machines again show specifically that the Users should have 'full control'.

    After altering this back manually, and then going back to the remote user, logging in and again failing this login, I found that the 'full control' option I granted has been removed from the MSLicensing key. I have since found this only happens if a user tries to start a remote desktop session. So if the user does not try to run a remote desktop session the permissions remain as-is. This explains why the users only have 'read only' rights, but doesn't explain why this occurs.

    After browsing around trying to find any hint of this problem and coming up empty, I was still expecting that there might be something with the client and alterations it makes to the local registry. So just to test that scenario, I've tried just connecting it to one of our domain controllers... which went through without a hitch (after just popping a screen up asking me if I wanted to allow access to this computer). Also a mailserver would just allow me to gain access to the login screen through Remote Desktop. Same with an application and a database server. What's weird though, is that a connection was made, but nothing was placed under the MSLicensing keys, and no permission alterations were made.

    So I then tried connecting as the user to one of the other Citrix servers in the same farm as the Citrix server that has the application started. Which failed in exactly the same way as the connect to a server in a different farm. Even more strange is that there was no alteration in the permissions on the registry keys after trying this connect.

    Even though the user has indirect membership (through a group) of the 'Remote Desktop Users' group of a server I try to remotely control, even adding the user directly to make sure he has access to gain access to the server does not yield a difference in behavior.

    In short:

    As a user:

    * Connecting to a Citrix server in the same farm with Remote Desktop requests some extra Windows credentials, and doesn't connect.
    * Connecting to a Citrix server in a different farm with Remote Desktop requests some extra Windows credentials, and doesn't connect, and seems to change the registry permissions on HKLM\Software\Microsoft\MSLicensing to read-only for Users.
    * Connecting to a non-Citrix server works without problems, and without asking for extra Windows credentials.

    As a locally logged on Admin on the desktop of the same Citrix server the user is using:

    * Connecting to a Citrix server in the same farm with Remote Desktop connects.
    * Connecting to a Citrix server in a different farm with Remote Desktop connects.
    * Connecting to a non-Citrix server works without problems.

    I've been looking around for anything else to try here, but I'm running low on options. It sounds like something related to permissions for the user, but I'm not sure what. Anyone here have any possible insight in what might be causing this problem?

    Thursday, October 25, 2012 12:04 PM
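
One way to capture the permission change described in the question, as an added example that is not part of the original thread: the script snapshots the ACLs on the two MSLicensing keys named above and diffs them against a saved baseline. The baseline file path and the script's parameter names are assumptions; it avoids cmdlets newer than PowerShell 2.0, which ships with Windows Server 2008 R2.

```powershell
# Added example (not from the thread): snapshot and diff the ACLs on the two
# MSLicensing keys from the question. Run elevated on the Citrix/RDS host.
# $BaselinePath is a hypothetical location; pick any path the admin can write to.
param(
    [string]$BaselinePath = "$env:TEMP\mslicensing-acl-baseline.xml",
    [switch]$SaveBaseline
)

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\MSLicensing',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSLicensing'
)

function Get-KeyAclSnapshot {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -Path $p)) {
            # On a freshly provisioned image the key may not exist yet
            New-Object PSObject -Property @{
                Key = $p; Identity = '(key missing)'; Rights = ''; Type = ''; Inherited = '' }
            continue
        }
        # One flat record per access control entry, so records compare cleanly
        foreach ($ace in (Get-Acl -Path $p).Access) {
            New-Object PSObject -Property @{
                Key       = $p
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights.ToString()
                Type      = $ace.AccessControlType.ToString()
                Inherited = $ace.IsInherited.ToString()
            }
        }
    }
}

$current = @(Get-KeyAclSnapshot -Path $keys)

if ($SaveBaseline) {
    $current | Export-Clixml -Path $BaselinePath
    "Baseline saved to $BaselinePath"
    return
}

# '<=' rows exist only in the baseline, '=>' rows only in the current ACL
$baseline = @(Import-Clixml -Path $BaselinePath)
$props = 'Key', 'Identity', 'Rights', 'Type', 'Inherited'
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property $props
if ($diff) { $diff | Sort-Object Key, Identity | Format-Table -AutoSize }
else { 'No ACL change on the MSLicensing keys since the baseline.' }
```

Run it with `-SaveBaseline` right after restoring 'full control' for Users, reproduce the failing connection as the remote user, then run it again without the switch to see which entries were altered.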

All replies

  • Hi,

    We are only supporting the MS product which is not involved with 3rd party product like Citrix. Pls try to ask the issue in Citrix forum to see whether there are any clues. Thanks for understanding.
    In addition, only one level of nested Remote Desktop connection is supported. Establishing a Remote Desktop connection from inside a nested Remote Desktop connection is not supported on server 08r2. http://support.microsoft.com/kb/2754550

    regards,

    Clarence


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, October 30, 2012 6:40 AM
    Moderator
  • Thank you for your reply in this matter.

    As I see it at this point we are able to remotely start Remote Desktop, and can connect to a myriad of computers through nested Remote Desktop. However, if we want to gain access to a Windows 2008 R2 machine which has Citrix installed on it, this fails.

    In basics, it means that the Microsoft Remote Desktop client can't connect to a Windows 2008 R2 server for reasons unknown, which _might_ be attributed to Citrix. The assumption that it normally works, and due to an installation of Citrix it doesn't work seems a rather quick grab. While I do agree we can't exclude Citrix as a cause, at this point I'm trying to get a grasp of what exactly happens on starting a remote desktop session, and when the MSTSC program would do what.

    As stated it connects without extra questions to another Windows 2008 machine. Connecting to a Citrix machine pops up an extra question for credentials. Now why it pops up this question is the unknown. This question comes up from the client, and thus a Microsoft product, hence my asking here.

    The provided Microsoft document refers to Windows 8 and Windows 2012, but does not pertain to Windows 2008.

    Tuesday, October 30, 2012 8:10 AM
  • Hi,

    I am really glad to help you if I can. But as you know, the issue only occurs when it has Citrix installed. I don't have any expertise in Citrix product. So, as you mentioned in the O.P., I guess it could be caused by nested Remote Desktop. So I brought you the MS document. Inside the document, it does show that Windows 7 and Windows Server 2008 R2 do not support running a Remote Desktop Connection session within another Remote Desktop Connection session.

    regards,

    Clarence



    Wednesday, October 31, 2012 8:05 AM
    Moderator
  • Nobody else having any ideas?

    In response to your last statement of running a Remote Desktop session within a Remote Desktop session, that is not the case.

    The Remote Desktop client is started on the Citrix/Terminal Server environment, and then used to connect to other machines. This works, as is shown with it connecting to all servers, EXCEPT the Citrix installed machines.

    I know the Citrix machines are able to work with remote desktop, since when starting it directly on the desktop of the servers, the connection is made without incident. It almost sounds like a rights problem somewhere, but I'm drawing a blank as to where this might come from :(

    Tuesday, November 06, 2012 8:22 AM