none
XP SP3->Server 2k8 Authentication error code: 0x507

    Question

  • Hi everyone,

    I had a lab setup of 3 Server 2k8 RC0 Terminal servers. They functioned as my thinclient RemoteApp servers, and they did a fantastic job! So fantastic that I went ahead and purchased Server 2008 Enterprise Edition licenses. I setup my environment the same exact way I had set up my RC0 environment, but I have ran into unexpected errors. Long story short:

    My XP SP3 computers (which have the 'latest' RDP client) cannot connect to my 2k8 servers. They simply throw back an "Authentication code error: 0x507." I did find the MS Knowledgebase page where it said to edit a couple registry keys which appended the data "tspkg" and "credssp.dll" to three different locations, then rebooted and has made no difference.

    With the latest RDP Client, I can still connect to my 2003 servers without a problem. The one difference I've noticed is that when the RDP client connects to a Server 2008 TS, it asks for a username & password before going any further, unlike connecting to a 2003 server where it'll connect you to the server first then ask for the login credentials.

    I'm stuck, and cannot get past this. School starts in a couple weeks and I need to find a workable solution to these issues. I've tried to go through as many RDP settings as possible on my Server 2008 TS and that has made no difference (accept all connections even from insecure clients, added my user group to the Remote Desktop system group...stuff like that)

    I would love to hear what some people have to say, and would appreciate any feedback or ideas about this situation. Thank you!

    -Mike Tucker 
    • Edited by Mike Tucker Wednesday, July 09, 2008 10:29 PM subject clarificatio n
    Wednesday, July 09, 2008 10:25 PM

Answers

All replies

  • Hi Mike,

    Are your 2008 Terminal Servers configured to "allow connections only with Network Level Authentication"?  If so, XP SP3 may not have CredSSP enabled (which provides Network Level Authentication) - please see this KB article for how to enable CredSSP on XP SP3: http://support.microsoft.com/kb/951608/  - that's the article with details on adding the registry keys you mentioned.  This should work, but to isolate the problem, you can try temporarily setting your WS08 TS to allow connections from non-NLA clients as well just to see if that's indeed the issue.

    Please see the following TS blog post (feedback #5) on more info for why you are seeing the prompt to enter creds before you connect to the server (that is actually a new security feature in WS08): http://blogs.msdn.com/ts/archive/2007/03/28/ts-connection-experience-improvements-based-on-rdp-6-0-client-customer-feedback.aspx 

    Thanks,

    ~Olga
    Thursday, July 10, 2008 7:06 PM
    Moderator
  • Hi Olga, thanks for your reply.

    My TS server are not configured to allow only NLA-aware connections. Just for safety reasons, I did throw in the credssp reg fixes for my XP machines.

    I did find a "weird" work around for the problem. When I first launch an .rdp RemoteApp session, it always asks for the username/password Before dropping me to a Windows Server 2k8 App. If I type in both the username AND password for a user, the box immediately disappears with no warning, exception or error. If I simply hit the "space" button and hit enter, it'll drop me to the Server 2k8 login screen. When I enter my credentials there, it'll open the RemoteApp program.

    With that said, is there a way that I can disable the first authentication box and have it drop the user directly to the Server 2k8 login? or Even better, have the first authentication box actually work without pulling a mysterious disappearing act?

    I'm a little confused by it all. When I had the 2k8 RC installs with the same exact configuration, the first authentication box was enough and it went right in to the RemoteApp program. (I have verified the configuration is the same as my RC boxes as I kept my RC boxes up and cross-checked all the settings.)

    Thanks again for any information,

    -Mike Tucker
    Friday, July 11, 2008 7:02 PM
  • Hi Mike!

    Glad you found the workaround - just to clarify, the workaroud for you is to hit space on the first credential prompt on the client and then enter creds on the server?

    To learn more about avoiding double prompts, you can read blog post here: http://blogs.msdn.com/ts/archive/2007/01/22/vista-remote-desktop-connection-authentication-faq.aspx

    -it discusses avoiding double prompts by turning off the "always prompt for credentials" setting on the server.

    With the new client and NLA you should always get prompted for credentials on the client side, which is actually more secure and better (as per KB here http://support.microsoft.com/kb/951616, it requires fewer resources on your target server before you connect and can potentially prevent malicious attacks like DOS).

    Thanks,

    ~Olga
    Monday, July 14, 2008 6:25 PM
    Moderator
  • Hi All,

    I got the same problem "an authentication error occurred (Code:0x507):, by doing lot  of R&D i find its solution. You can find its solution in under given link.

     

    http://rajugunnal.blogspot.com/2010/12/authentication-error-has-occurred-code.html

     

    Regards

    Raju Gunnal

    Friday, December 03, 2010 9:09 AM
  • This can also be a probalem in the ssl change to NLA disable ssl & see what happens.
    • Proposed as answer by ThE tErMiNaL Thursday, March 15, 2012 10:44 PM
    Thursday, March 15, 2012 10:43 PM
  • Problem is with security layer which is set up to "negotiate" by default. This option is in RDP TCP properties General Tab. Security layer need to be chancged to "RDP security Layer" Encryption Type: "Client Compatible" .
    Thursday, January 10, 2013 12:15 AM