Long delay to log in, "Please wait for the Local Session Manager"

    Question

  • System is a virtual server running Windows Server 2016 Standard on Hyper-V and about 1000 local Windows users are defined. Active Directory is NOT being used.

    Viewing the virtual server directly on Hyper-V host server, there's a long delay after I press Ctrl+Alt+Del before I can log in. (Swirling dots are displayed.)

    Using remote desktop, there's a long delay "Please wait for the Local Session Manager" and it usually times out.

    Clue #1: I observed that lsass.exe is using high CPU while the delay occurs.

    Clue #2: For each user on the system (in alphabetical order until it times out), the Security Event Log shows Event ID 4798 for C:\Windows\System32\LogonUI.exe, "A user's local group membership was enumerated."

    Any suggestions? Thanks.

    Thursday, November 24, 2016 2:39 AM

All replies

  • Hi

    Did you ever get an answer to this?

    I have the exact same issue.

    Monday, May 15, 2017 8:05 PM
  • I did not find any solution, but it was just a test server so I didn't follow up.

    I ended up using Windows Server 2012 R2 for my servers with a large number of users.

    Tuesday, May 16, 2017 4:52 PM
  • We have this issue on some 2012 R2 servers too, but it's not as bad as 2016, as now we can't get in at all :(

    I've opened a case with MS Paid support and am waiting for someone to reply to me.

    Tuesday, May 16, 2017 4:54 PM
  • I can replicate this bug

    1) RDP to a newly created Windows Server

    2) create a batch file with the following content:

    :start
    net user /add user%random%_%random% /random
    timeout 1
    goto start

    open command prompt and execute the batch file.

    Wait 20 minutes

    try to RDP or connect via console.  It won't work.

    This is a windows bug!!

    Issue is on Windows 2016 Std with ALL windows updates up to today's date 16th May 2017.



    Tuesday, May 16, 2017 5:07 PM
  • The same on my end. Probably Chris has the same issue as on my end, with shared hosting Windows servers handling customers. Each client's website has its own user in the system. Having many websites = many local users. I've observed issues with logging in to my production Windows 2012 R2 servers lately, but when I cloned one of them and, in a separate VM, updated it to Windows Server 2016, I could not log on using RDP at all. The only solution for logging in, which worked 50/50, is to use the hypervisor console. I've checked here and there and it looks like during logging in local users are being iterated, which takes too long for the logon process to complete, and the logon connection is disconnected.

    Any suggestions?

    Monday, May 29, 2017 11:16 AM
  • Chris, have you maybe got a response from MS about it using the mentioned paid channel?
    Monday, May 29, 2017 11:17 AM
  • IMHO this is for sure related to the large number of user accounts being iterated during the logon process. I've used:

    wmic useraccount get name

    command to list user accounts and it returned 1817 entries. During the RDP logon session I was observing the Windows Event Log and I noticed that iteration starts from accounts with the letter A at the beginning and goes to Z. On my end the RDP logon session ended when iteration was on accounts starting with the letter M.

    Does anyone have any idea how RDP logon session timeout could be extended?

    Monday, May 29, 2017 10:00 PM
  • I was hoping that this is related to adding so many Event Log errors, but after disabling one entry in local group security policy (https://docs.microsoft.com/en-us/windows/device-security/auditing/event-4798) audit log entries stopped being written to the event log, but I still was not able to log in. So now I started checking lsass.exe using process manager.

    Take a look at this screenshot:

    and take a look at the summary. These are only entries from lsass.exe recorded during the incoming RDP session connection. There ARE 482730 registry checks by this process alone. This explains why it is using so much CPU.

    Anyway, disabling adding new entries to the Event Log Security section didn't help and I still can't connect to the upgraded test version of Windows Server 2016.

    Tuesday, May 30, 2017 9:36 AM
  • So.... can someone from MS at least reply in this thread? I'm not sure if you are aware, but this issue is easy to replicate and it affects a large number of Windows shared hosting companies. This problem occurs on Windows Server 2012, but after a few tries it allows you to log in; after updating to Windows Server 2016 there is literally no way to log in using RDP, which makes the whole system not manageable remotely.

    This problem is the only issue which now holds me back from upgrading my environment from 2012 R2 to 2016, and users have started asking more and more about HTTP/2.

    So ... anyone from MS?

    Saturday, June 03, 2017 5:25 AM
  • Hi, I opened a paid case with MS. I've not heard from them in over a week, but they have replicated the issue on both Windows 2012 R2 and 2016, and this was the last I heard. My assumption is this case has been escalated to developers.
    Saturday, June 03, 2017 1:20 PM
  • If anyone is experiencing this issue on your end then please just vote up this one as well:

    https://windowsserver.uservoice.com/forums/295047-general-feedback/suggestions/19532398-unable-to-log-in-using-rdp-on-windows-server-2012

    Thursday, June 08, 2017 7:59 AM
  • Hi

    I have been working with MS Support for 3-4 weeks on this issue and I now have a Fix.

    From MS:

    We found that each iteration (happening in LogonUI) makes a call out to LSASS.exe which performs the UserLookup and returns the SID information. This is what is taking time.

    This kind of extensive lookup happens because of new functions introduced from Win2012 onwards.

    To turn this lookup off, please add the following registry key (both the locations), reboot the machine and then test and let me know the results.

    Location 1: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System

    Location 2: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    Key: DontDisplayLastUserName

    Type: DWORD

    Value: 1

    I can confirm this works

    Tuesday, June 13, 2017 4:04 PM
  • OMG it worked. Thanks

    P.S. IMHO this should be disabled by default.

    Tuesday, June 13, 2017 6:29 PM
  • .reg file for fast reg change:

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "DontDisplayLastUserName"=dword:00000001

    Friday, June 16, 2017 10:59 AM
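
Added example (not posted by anyone in this thread, and not Microsoft's code): a PowerShell check that ties together the symptom and the fix discussed above. It counts local accounts, counts recent Event ID 4798 entries raised by LogonUI.exe, and reports whether DontDisplayLastUserName is set in both locations. The `-Apply` and `-Minutes` parameters are names made up for this example.

```powershell
# Added example. Run from an elevated session on the server
# (console or PowerShell remoting); the Security log needs admin rights.
param(
    [switch]$Apply,        # hypothetical switch: write the value instead of only reporting
    [int]$Minutes = 60     # hypothetical look-back window for the event count
)

$name  = 'DontDisplayLastUserName'
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

# 1. Number of local accounts the logon screen would iterate over.
$userCount = @(Get-LocalUser).Count

# 2. Event ID 4798 entries whose caller is LogonUI.exe.
#    Zero does not prove anything if auditing of 4798 has been switched off.
$filter = @{ LogName = 'Security'; Id = 4798; StartTime = (Get-Date).AddMinutes(-$Minutes) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
$fromLogonUI = @($events | Where-Object {
    $data   = ([xml]$_.ToXml()).Event.EventData.Data
    $caller = $data | Where-Object Name -eq 'CallerProcessName'
    $caller.InnerText -like '*\LogonUI.exe'
})

# 3. Current state of the value in both registry locations.
$state = foreach ($p in $paths) {
    $v = (Get-ItemProperty -Path $p -Name $name -ErrorAction SilentlyContinue).$name
    [pscustomobject]@{ Path = $p; Value = $v; Mitigated = ($v -eq 1) }
}

[pscustomobject]@{
    LocalUsers         = $userCount
    LogonUI4798Events  = $fromLogonUI.Count
    WindowMinutes      = $Minutes
    MitigatedEverywhere = -not ($state.Mitigated -contains $false)
}
$state | Format-Table -AutoSize

# 4. Optionally write the DWORD in both locations, as the thread describes.
if ($Apply) {
    foreach ($p in $paths) {
        New-ItemProperty -Path $p -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }
    'Value written in both locations; reboot the machine, then test logon again.'
}
```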