Can't make RDP to Windows 7 device from Windows 10

  • Question

  • Hi Guys

    We cannot connect to 172.xx.xx.xx:3390 (Windows 7 machine) using the Win10 remote desktop client; however, we can connect using a Linux offline RDP client and Windows Server 2012,
    and we can connect to 172.xx.xx.xx:3390 (Windows 7 machine); however, with Windows Server 2016 we can't connect either.
    There is nothing in the firewall/virus installation that is blocking a connection from a Win10 client.

    We've checked the network and there is nothing blocking the traffic.

    We have been connecting to this machine via RDP without any issue; now suddenly we are unable to.

    Perhaps the difference between the two workstations is this certificate set-up, and nowadays Windows 10 does not want to set up RDP connections anymore if no certificate is offered?

    Regards

    Savas Keser


    • Edited by Savas K Friday, January 24, 2020 2:02 PM
    Friday, January 24, 2020 2:01 PM

All replies

  • What's the error message? Something with CredSSP?
    Friday, January 24, 2020 2:16 PM
  • We cannot connect to 172.xx.xx.xx:3390 (windows 7 machine) 

    RDP is port 3389.

    In a Powershell prompt, test it like this. 

    PS C:\Users\Dave> test-netconnection -ComputerName test10b -CommonTCPPort rdp
    ComputerName     : test10b
    RemoteAddress    : 192.168.1.5
    RemotePort       : 3389
    InterfaceAlias   : Wi-Fi
    SourceAddress    : 192.168.1.2
    TcpTestSucceeded : True


    Friday, January 24, 2020 2:24 PM
  • On the Win 10 machine, open Regedit and navigate to here:

    Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

    Change the Value for the Reg_DWORD "SecurityLayer" from 2 to 0. In Win 10, the default value is 2. The RDP settings GUI does not change this value, so it must be modified via Regedit.

    For more information about different security layer values: https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-rdp-winstationextensions-securitylayer

    • Proposed as answer by Robotitude Monday, January 27, 2020 2:56 AM
    Friday, January 24, 2020 4:27 PM
  • Hi,

    1. Can you enter winver in a command prompt on both the Win10 computer and the Win7 computer, then look at the OS version and OS build number? [For example, Windows 10 Enterprise 1809 (OS build 17763.316)]

    2. Do you set the policy below on all your servers and clients?
    We can enter gpresult /h c:\rpd.html on Win7, Win2012, Win10
    Computer Configuration -> Administrative Templates -> System -> Credentials Delegation

    3. Did you install all updates on all your servers and clients?
    CredSSP updates for CVE-2018-0886
    https://support.microsoft.com/en-us/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018
    How to verify that the CredSSP update is installed
    https://support.microsoft.com/en-sg/help/4295591/credssp-encryption-oracle-remediation-error-when-to-rdp-to-azure-vm

    4. If you disable NLA on Win7, will the same problem happen when we remote from Win10 to Win7?


    5. "Perhaps the difference between the two workstations is this certificate set-up,"
    Could you give the error information?

    6. We can use the method in the link below to verify your TechNet forum account so that you can post pictures and website links. https://social.technet.microsoft.com/Forums/en-US/5c00b9a9-3afe-4ee9-bbf0-34157716b92a/verify-my-account?forum=reportabug

    7. If you use the affected Win10 to remote access another affected Win10, will the same problem happen?

    8. Are all the affected Win10, Win2012, Win7, W2016 machines in the same AD environment?

    9. Since Win7 is end of life, did you consider upgrading Win7 to Win10 so that we can solve this issue?
    https://support.microsoft.com/en-us/help/4057281/windows-7-support-ended-on-january-14-2020


    Best Regards
    Andy YOU
    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.





    Monday, January 27, 2020 2:01 AM
  • Hi,
    Is there any progress on your question?

    Best Regards
    Andy YOU

    Friday, January 31, 2020 4:55 AM
  • 

    Hello,

    I got this error msg. However, I am able to RDP from my Windows 2012.

    By the way, I already changed the regedit setting for the security layer.

    But it is still not working.

    Thanks a lot guys

    Monday, February 3, 2020 12:41 PM
  • Hello Andy,

    Windows 10 version is: Windows 10 Pro 1809 OS build 17763.973

    Windows 7 is: Windows 7 Service Pack 1

    3)- All is updated.

    4)- Correct, I did it.

    5)- I guess this is the problem. I didn't get any error msg from certification.

    7) We tried a different Windows 10 and the result is the same.

    8)- Correct. All are using AD, but the Windows 7 is a standalone computer (workgroup).

    I can remote from Windows 2012 but can't via Windows 10.

    Monday, February 3, 2020 12:54 PM

  • I can remote from Windows 2012 but can't via Windows 10.

    Why do you continue to use ":3390"? I have already told you that that is the wrong port number. Have you modified the port that terminal services listens on? Or doing some redirect with a network device?

    If not, the obvious answer is that one client ignores the port number and uses the standard port number 3389, and the other client actually tries to connect to 3390. 

    Run these 2 commands from a Powershell prompt and see if you can connect.

    test-netconnection -ComputerName 172.16.130.232 -CommonTCPPort RDP

    test-netconnection -ComputerName 172.16.130.232 -Port 3390 

    If "-CommonTCPPort RDP" works, then the simple answer is to remove ":3390" from the computer name field.  
    • Edited by MotoX80 Monday, February 3, 2020 2:08 PM
    Monday, February 3, 2020 2:05 PM
  • There is a NAT in the network device.

    test-netconnection -ComputerName 172.16.130.232 -CommonTCPPort RDP

    ComputerName     : 172.16.130.232
    RemoteAddress    : 172.16.130.232
    RemotePort       : 3389
    InterfaceAlias   : Ethernet
    SourceAddress    : 10.xxx
    TcpTestSucceeded : True

    ComputerName     : 172.16.130.232
    RemoteAddress    : 172.16.130.232
    RemotePort       : 3390
    InterfaceAlias   : Ethernet
    SourceAddress    : 10.xx
    TcpTestSucceeded : True

    Monday, February 3, 2020 2:50 PM
  • Hi,
    9. We can run Network Monitor on both Win10 and Win7 first, then remote access from Win10 to Win7. After RDP fails, we save the Network Monitor log. We can analyze it and check where it stops.

    10. When you disable NLA on Win7 and then remote access Win7 from Win10, at which step did it fail?
    Initiate connection: in the initiate connection step we can enter local user credentials, like picture 1
    Secure connection: after the initiate connection step succeeds, we can see the RDP warning, like picture 2
    Configure connection: after the secure connection step, we can see the Windows logon, and after configure connection succeeds, we can see the desktop.

    We can run Network Monitor on both Win10 and W2012 respectively, then try to remote access Win7 to capture network packets, then check what differs between them.
    https://www.microsoft.com/en-sg/download/details.aspx?id=4865


    10.1 Can you check that the Win7 RDP self certificate (customized RDS certificate) is not expired? Like picture 2


    12. When remote access to Win7 fails from Win10, is there any log on both Win10 and Win7?
    event viewer\windows logs\
    application
    security
    system
    Event Viewer – Applications and Services Logs -Microsoft-Windows-TerminalServices-clientactivexcore
    Event Viewer – Applications and Services Logs -Microsoft-Windows-TerminalServices-remoteconnectionmanagement
    Event Viewer – Applications and Services Logs -Microsoft-Windows-TerminalServices-local sessionmanager

    13. What's the policy setting below on Win7?
    Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security: Require use of specific security layer for remote (RDP) connections


    Best Regards
    Andy YOU



    Monday, February 3, 2020 2:53 PM
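
The listener settings raised in this thread (the SecurityLayer registry value from the earlier reply, and the certificate expiry and security-layer policy from items 10.1 and 13 of the reply above) can be read without changing anything. The script below is an added example, not code from any poster; it assumes an elevated PowerShell prompt on the machine that accepts the RDP connection, and the function names are illustrative.

```powershell
# Added example: read-only audit of the RDP listener on the machine that
# ACCEPTS the connection. Run from an elevated PowerShell prompt.
# New-Object is used instead of [pscustomobject] so it also runs on the
# PowerShell 2.0 that ships with Windows 7 SP1.
$listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

$layerNames = @{
    0 = 'RDP Security Layer (native RDP encryption, server not authenticated)'
    1 = 'Negotiate (most secure layer the client supports)'
    2 = 'SSL (TLS; server presents a certificate)'
}

function Get-RegValue($Path, $Name) {
    # Returns $null instead of throwing when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

function Get-Effective($Name) {
    # A value written by Group Policy overrides the listener's local value.
    $forced = Get-RegValue $policy $Name
    if ($null -ne $forced) { $forced } else { Get-RegValue $listener $Name }
}

$layer = Get-Effective 'SecurityLayer'
$layerText = 'not set'
if ($null -ne $layer) { $layerText = "$layer = $($layerNames[[int]$layer])" }

New-Object PSObject -Property @{
    ListenPort       = (Get-RegValue $listener 'PortNumber')
    SecurityLayer    = $layerText
    LayerSetByPolicy = ($null -ne (Get-RegValue $policy 'SecurityLayer'))
    NlaRequired      = ((Get-Effective 'UserAuthentication') -eq 1)
} | Select-Object ListenPort, SecurityLayer, LayerSetByPolicy, NlaRequired | Format-List

# Certificates in the store RDP uses for its self-signed certificate.
# An expired certificate here is what item 10.1 asks to rule out.
Get-ChildItem 'Cert:\LocalMachine\Remote Desktop' -ErrorAction SilentlyContinue |
    Select-Object Subject, Thumbprint, NotAfter,
        @{ Name = 'Expired'; Expression = { $_.NotAfter -lt (Get-Date) } }
```

Running it on both the Windows 7 target and a working target gives a side-by-side view of security layer, NLA and certificate state before any registry value is lowered.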
  • There is a NAT in the network device.

     

    Without knowing what your network configuration is and why you set it up that way, then Andy's recommendation to run Network Monitor on both machines is your best bet. 
    Monday, February 3, 2020 3:07 PM
  • Hi,
    Is there any progress on your question?
    If the problem persists, we can try to post a new case and link this old case so that we can follow up again.

    Best Regards
    Andy YOU

    Sunday, February 9, 2020 3:08 PM
  • Dear Andy,

    Thank you very much for your help. Currently I can't log in to the prod client. When I have permission to connect, I will try to solve it. I guess it is kind of a certification issue.

    Regards

    Monday, February 10, 2020 12:06 PM
  • I guess it is kind of a certification issue


    I would expect that you would get an error message about a certificate error then. It could be a cert error, but for a basic "can't connect" message, that sounds more like a port getting blocked. Is the Win10 machine on the same subnet as the 2012 server? 



    Monday, February 10, 2020 2:19 PM
  • On the Win 10 machine, open Regedit and navigate to here:

    Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

    Change the Value for the Reg_DWORD "SecurityLayer" from 2 to 0. In Win 10, the default value is 2. The RDP settings GUI does not change this value, so it must be modified via Regedit.

    For more information about different security layer values: https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-rdp-winstationextensions-securitylayer

    Did modifying the rdp-tcp security layer settings resolve this issue?
    Saturday, July 18, 2020 9:33 PM