Remote Desktop Services – Connection Errors

KB ID 0001132

 

Below is not an exhaustive list of connection errors, it’s just some things that have tripped me up. If you have a nasty error that you have fixed, feel free to drop me a line, send me some screenshots and the fix, and I’ll add them as well.

General Errors

Remote Desktop can’t connect to the remote computer for one of the following reasons;

1) Remote access to the server is not enabled
2) The remote computer is turned off
3) The remote computer is not available on the network

Make sure the remote computer is turned on and connected to the network, and that remote access is enabled.

Probably the most common (and easiest to troubleshoot) of RDP errors. Firstly, ensure that the server is actually ‘listening’ for RDP connections. On the SERVER issue the following command;

[box]

netstat -an | find /i ":3389"

[/box]

You should see it LISTENING (Note: Below it’s listed twice because it’s listening on IPv4 and IPv6)

If it’s not, then the service might not even be running. Look in Services, and ensure the following services are running;

  • Remote Desktop Services
  • Remote Desktop Services UserMode Port Redirector

Make sure that RDP has been allowed on the local firewall of the RDP server. In the past I’ve seen a bug on some versions of Windows where, even with the firewall disabled, things didn’t work unless RDP was allowed in the firewall settings. (I know that makes no sense, but I’ve seen it, particularly for remote VPN traffic).

Test RDP Connectivity

From a machine ON THE SAME NETWORK as the target RDP Server, first see if you can ping the server by both IP address and hostname. (This is more for peace of mind; remember the server might not respond to pings but might be responding to RDP traffic.)

Then test that the machine you are on can get to the RDP server on the correct port, (TCP 3389*)

[box]

Test-NetConnection {IP-Address-or-Hostname} -Port 3389
OR
Test-NetConnection {IP-Address-or-Hostname} RDP

[/box]

Providing this works, now try the SAME tests from outside your network, i.e. outside the firewall, or on a remote VPN connection etc.

*RDP Port Note: Normally RDP is on TCP 3389. Check on the server just in case someone has changed the RDP listening port number, or the firewall is expecting you to connect on another RDP port.
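The server-side checks above (remote access enabled, configured port, services, listener, firewall rules) collected into one script. This is an added example, not from the original article. It assumes an elevated PowerShell session on the RDP server, Windows 8/Server 2012 or newer, and the English ‘Remote Desktop’ firewall group name.

```powershell
# Added example: run in an elevated PowerShell session ON the RDP server.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# Is remote access enabled? fDenyTSConnections = 0 means connections are allowed.
$deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections

# Which port is RDP configured to listen on? (3389 unless someone changed it.)
$port = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name PortNumber).PortNumber

# The two services listed above, by their service names.
$services = Get-Service -Name TermService, UmRdpService

# Anything LISTENING on that port? Expect one row each for IPv4 and IPv6.
$listeners = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue

# Inbound rules in the built-in firewall group (English display name assumed).
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Direction -eq 'Inbound' }

# Detail first, then a one-object summary of what passed and what did not.
$services  | Format-Table Name, DisplayName, Status -AutoSize | Out-Host
$listeners | Format-Table LocalAddress, LocalPort, State -AutoSize | Out-Host
$rules     | Format-Table DisplayName, Enabled, Profile, Action -AutoSize | Out-Host

[pscustomobject]@{
    RemoteAccessEnabled = ($deny -eq 0)
    ConfiguredPort      = $port
    ServicesRunning     = -not ($services | Where-Object { $_.Status -ne 'Running' })
    Listening           = [bool]$listeners
    FirewallRuleEnabled = [bool]($rules | Where-Object { $_.Enabled -eq 'True' })
}
```

If ConfiguredPort is not 3389, use that value in the Test-NetConnection command above.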

Your computer can’t connect to the remote computer because an error occurred on the remote computer that you want to connect to. Contact your network administrator for assistance.

Solution for Windows 10: I struggled with this for a while, all forum posts refer to Windows 7/8 and the problem was caused by a Windows update (KB2592687), that needed to be removed. But I was connecting with Windows 10? This was the resolution;

Create/Edit a 32 bit DWORD value called RDGClientTransport in your registry at;

[box]

HKCU > SOFTWARE > Microsoft > Terminal Services Client

[/box]

Set its value to ‘1’ (one).

Also See Remote Desktop Web Access – Connection Error


Your computer can’t connect to the remote computer because your computer or device did not pass the Network Access Protection requirements set by your network administrator. Contact your network administrator for assistance.

You normally see this error if one (or more), of your Remote Desktop Role servers does not have the correct certificate installed on it, (or the certificate it does have has expired).

Server Manager > Remote Desktop Services > Collection > Task > Select your collection > Task > Edit Deployment Settings > Certificates > Check and reinstall each one as required.

Remote Desktop Gateway Errors

Your computer can’t connect to the remote computer because the Remote Desktop Gateway server address is unreachable or incorrect. Type a valid Remote Desktop Gateway server address.

Your computer can’t connect to the remote computer because the Remote Desktop Gateway server is temporarily unavailable. Try reconnecting later or contact your network administrator for assistance.

The machine trying to connect needs to be able to resolve the ‘public name’ of the Remote Desktop Gateway server. And this may not be the hostname of the server! As you can see in the image above the Gateway server name is set to rdg.smoggyninja.com. The important thing is when I ping this name, it resolves to the correct IP address, (mine responds to pings, yours probably won’t if you’re connecting through a firewall.)

In some cases you need to set the public name of the Remote Desktop Gateway server, in the server’s IIS Settings. On the Gateway server > Start > Administrative Tools > Internet Information Services (IIS) Manager > {Server-name} > Sites > Default Website > RDWeb > Pages > Application Settings > Set ‘DefaultTSGateway’ to the public name of the gateway server. Then from command line run ‘iisreset’ to restart the web services.

Your computer can’t connect to the remote computer because the Remote Desktop Gateway server’s certificate has expired or has been revoked. Contact your network administrator for assistance.

In most cases this should be easy to fix. If you use self signed certificates, make sure your CRL settings and/or OCSP settings are correct. If you use a publicly signed cert, make sure your client can contact the publisher’s CRL (look on the properties of the certificate).

Check the Obvious: It’s saying the RDG cert has expired, so make sure it’s in date! On the Gateway Server, launch Server Manager > Remote Desktop Services > Collections > {Collection-name} > Tasks > Edit Deployment Properties.

Certificates > RD Gateway > View Details > Is it in date?

Everything is OK? But I’m Still Getting This Error? Are you publishing the Gateway with something else like Web Application Gateway? Threat Management Gateway? Load Balancer? Look in that direction.
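To see the certificate a client is actually handed (which may come from a device published in front of the gateway), the following added example connects to the gateway's public name and reports the validity dates and chain status, including revocation. It is not from the original article; the function name is hypothetical, ‘rdg.example.com’ is a placeholder, and TCP 443 is assumed.

```powershell
# Added example. Run from the affected CLIENT, not the gateway itself.
function Test-RdGatewayCertificate {
    param(
        [Parameter(Mandatory)][string]$GatewayName,
        [int]$Port = 443   # assumption: gateway published on HTTPS 443
    )

    # What does the public name resolve to from this client?
    $addresses = [System.Net.Dns]::GetHostAddresses($GatewayName)

    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        $tcp.Connect($GatewayName, $Port)
        # Accept whatever is presented: the aim is to inspect it, not to trust it.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($GatewayName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }

    # Build the chain with online revocation checking, using this client's
    # trust store and its ability to reach the CRL/OCSP locations.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk = $chain.Build($cert)

    $now = Get-Date
    [pscustomobject]@{
        ResolvedTo  = ($addresses | ForEach-Object { $_.ToString() }) -join ', '
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        Thumbprint  = $cert.Thumbprint
        NotBefore   = $cert.NotBefore
        NotAfter    = $cert.NotAfter
        InDate      = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
        ChainValid  = $chainOk
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Placeholder name: substitute the public name of your own gateway.
Test-RdGatewayCertificate -GatewayName 'rdg.example.com'
```

Compare the Thumbprint with the certificate shown in Edit Deployment Properties. If they differ, the certificate is being presented by something in front of the gateway.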

Also See Remote Desktop Web Access – Connection Error

Related Articles, References, Credits, or External Links

NA

FreeRDP Error: 0x2000D

KB ID 0001416

Problem

The day after I had deployed some RDP Web access servers, I got the call that all the Linux (Intel NUC Thin clients), could not connect to the RDP farm, all the Windows machines were fine?

Error

[08:19:16:178] [21254:21255] [ERROR][com.freerdp.core.transport] – BIO_read returned a system error 14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
[08:19:16:178] [21254:21255] [ERROR][com.freerdp.core] – freerdp_set_last_error ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x2000D]
[08:19:16:178] [21254:21255] [ERROR][com.freerdp.client.x11] – Freerdp connect error exit status 1

Solution

I was confused, because I’d not done any work on the Connection Broker? (All the thin clients are ‘in-house’). While support started building a new broker, I researched the error online.

The reason this had started, was because of a Windows update KB4088776. After removing this update from the ‘Session Hosts’ and the ‘Connection Broker’, the Linux (FreeRDP) client could then reconnect.


AnyConnect Error – ‘Failed To Get Configuration From Secure Gateway’

KB ID 0001354

Problem

Saw this while attempting to connect to my ASA this week.

AnyConnect Secure Mobility Downloader
Failed to get configuration from secure gateway. Contact your system administrator

Solution

Well luckily I’d just made a change so I could focus on the right area straight away. I’d been messing around with the profile xml file associated with my AnyConnect GroupPolicy. If you take a look at my profile below you will see it’s not associated.

Note: If you select change group policy mine wouldn’t apply, it failed with an error trying to delete a profile I’d used in the past.

So to fix the problem I’m going to need to log on at command line, let’s make sure my new profile is listed;

[box]

Petes-ASA# show run webvpn
webvpn
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-macos-4.4.03034-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-4.4.03034-webdeploy-k9.pkg 2
 anyconnect profiles AnyConnect-VPN-Profile disk0:/anyconnect-vpn-profile.xml
 anyconnect enable
 tunnel-group-list enable

[/box]

Note: You can ‘show flash‘ and make sure the file is in flash memory as well.

I will list all my group-policies, and you can see the last one has a profile that’s associated with it that no longer exists (it’s not in flash memory either).

[box]

Petes-ASA# show run group-policy
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0
group-policy IPSEC-VPN internal
group-policy IPSEC-VPN attributes
 dns-server value 192.168.100.10
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ikev1
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value petenetlive.com
 nem enable
group-policy PNL-GP-ANYCONNECT-ACCESS internal
group-policy PNL-GP-ANYCONNECT-ACCESS attributes
 wins-server none
 dns-server value 8.8.8.8 8.8.4.4
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value petenetlive.com
 split-tunnel-all-dns enable
 webvpn
 anyconnect mtu 1398
 anyconnect profiles value PNL-Profile type user
 anyconnect ssl df-bit-ignore enable

[/box]

It’s easy to remove it.

[box]

Petes-ASA(config)# group-policy PNL-GP-ANYCONNECT-ACCESS attributes
Petes-ASA(config-group-policy)# webvpn
Petes-ASA(config-group-webvpn)# no anyconnect profiles

[/box]

Then simply add the correct one back in, and save the changes.

[box]

Petes-ASA(config-group-webvpn)# anyconnect profiles value AnyConnect-VPN-Profile type user
Petes-ASA(config-group-webvpn)# write mem
Building configuration...
Cryptochecksum: 67c49642 778e75bd df747b94 7d4c8787

23272 bytes copied in 3.260 secs (7757 bytes/sec)
[OK]

[/box]

Now if you ‘refresh’ your ASDM, you will see it displays correctly again;

 

Problem Solved.
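The same mismatch can be found by cross-checking the two outputs: every profile a group-policy references should also be defined under webvpn. This is an added example, not from the original article. The function name is hypothetical, both inputs are trimmed copies of the outputs shown above, and names are compared exactly as written.

```powershell
# Added example. Paste your own 'show run webvpn' and 'show run group-policy'
# output into the two here-strings; these are trimmed copies from this page.
$webvpn = @'
webvpn
 enable outside
 anyconnect profiles AnyConnect-VPN-Profile disk0:/anyconnect-vpn-profile.xml
 anyconnect enable
'@

$groupPolicy = @'
group-policy IPSEC-VPN internal
group-policy IPSEC-VPN attributes
 vpn-tunnel-protocol ikev1
group-policy PNL-GP-ANYCONNECT-ACCESS internal
group-policy PNL-GP-ANYCONNECT-ACCESS attributes
 vpn-tunnel-protocol ssl-client
 webvpn
 anyconnect mtu 1398
 anyconnect profiles value PNL-Profile type user
'@

function Find-OrphanedAnyConnectProfile {
    param([string]$WebvpnConfig, [string]$GroupPolicyConfig)

    # Profiles defined on the ASA: "anyconnect profiles <name> <file>"
    $defined = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($line in $WebvpnConfig -split '\r?\n') {
        if ($line -cmatch '^\s*anyconnect profiles (?!value\s)(\S+)\s+\S+') {
            [void]$defined.Add($Matches[1])
        }
    }

    # Walk each group-policy block and flag references to undefined profiles.
    $current = $null
    foreach ($line in $GroupPolicyConfig -split '\r?\n') {
        if ($line -cmatch '^group-policy (\S+) attributes') {
            $current = $Matches[1]
        }
        elseif ($line -cmatch '^\s+anyconnect profiles value (\S+)') {
            if (-not $defined.Contains($Matches[1])) {
                [pscustomobject]@{ GroupPolicy = $current; MissingProfile = $Matches[1] }
            }
        }
    }
}

Find-OrphanedAnyConnectProfile -WebvpnConfig $webvpn -GroupPolicyConfig $groupPolicy
```

No output means every referenced profile is defined. It is still worth confirming with ‘show flash’ that the file itself exists.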

Related Articles, References, Credits, or External Links

AnyConnect Error: ‘The AnyConnect package on the secure gateway could not be located’

Cisco AnyConnect Error: ‘The VPN client driver has encountered an error’

Cisco AnyConnect Error: ‘The client could not connect because of a secure gateway address failure. Please verify Internet connectivity and server address’

AnyConnect Error:  ‘The secure gateway has rejected the connection attempt, No assigned address’

Cisco AnyConnect Error: (Mobile Devices)

AnyConnect – The VPN Connection Failed (Domain Name Resolution)

KB ID 0001236 

Problem

This is a pretty generic error to be honest.

AnyConnect Secure Mobility Client

VPN

The VPN connection failed due to unsuccessful domain name resolution.

Solution

Firstly, (and obviously) the name you are typing in the AnyConnect window can be resolved can’t it? If not then you might want to consider some employment that does not involve computers.

Secondly (this is what usually trips me up) did you copy and paste the name? If so is there a space on the end?

This name may also be incorrect in the profile.xml that’s associated with this VPN, to check, the location of that file is covered in this article.

Also check that the VPN device, does not need to be connected to on a different port, as per this article.


AnyConnect – ‘Your environment does not meet the criteria’

KB ID 0001232 

Problem

For an existing client, I was setting up a new user. I connected their laptop through my mobile phone and attempted to connect. This is the error I got.

Cisco AnyConnect
Logon denied: Your environment does not meet the access criteria defined by your administrator.

Solution

A cursory glance over the firewall config didn’t yield anything in their AAA settings that was odd, they were simply using LDAP for authentication.

I probably should have guessed the answer earlier than I did, (because I’ve written an article on it). But the reason this was failing was, the firewall had a Dynamic Access Policy (DAP) attached to the remote VPN, that only permitted access to users that were in a particular Active Directory group. This user was not a member of that group.

To check your Dynamic Access Policies and understand how to find them, (you need to be in the ASDM!) See the following article;

Cisco ASA – AnyConnect Authentication via LDAP and Domain User Groups


vSphere 5 – Install and Configure the Web Client

KB ID 0000551 

Problem

The ability to administer vCenter via a web browser is nothing new, vCenter has had a web console in previous versions.

vCenter vSphere 4 Web Client (Web Access)

The version with vSphere 5 is much more feature rich. Like the VMware vSphere client it talks directly to the vCenter vSphere API, but unlike previous web access, the component needs to be installed and configured before you can use it.

What the Web Client Can Do

1. Connect to a vSphere vCenter server.

2. Can be used on non Windows machines (VI Client is Windows only).

3. Deploy Virtual Machines (Including deployment from Templates).

4. Configure Virtual Machines.

5. Provide basic monitoring.

What the Web Client Can’t Do

1. Manage Hosts

2. Manage Clusters

3. Manage Networks.

4. Manage Datastores or Datastore Clusters.

5. Connect to ESX or ESXi hosts.

Solution

Step 1 Install and Configure Web Access

Prerequisite: The vCenter server needs to have Adobe Flash installed on it to access the management console.

1. From the vCenter Installer media select “VMware vSphere Web Client (Server)” > Install > Follow the on screen prompts.

2. Accept all the defaults, and note the secure port number, as we will be using it later (TCP Port 9443).

3. Once installed > On the vCenter server itself open a browser window > navigate to > https://{servername}:9443/admin-app > Select “Register vCenter Server”.

vSphere Web Client Supported Browsers: Internet Explorer (7 or newer) and Firefox (3.5 or newer), I’ve tried Chrome, it works, but some functionality is lost. (anything that requires the plug in i.e. console connections).

4. Enter the details for the vCenter server > Take note of the URL for your client to access (https://{servername}:9443/vsphere-client) > Register.

5. You will probably be using self signed certificates, so tick the box and select “Ignore”.

6. That’s the server configured and ready to go.

Step 2 – Access the vCenter from web client

1. Open a browser window and navigate to https://{servername}:9443/vsphere-client > You may receive a warning about the certificate (because it’s self signed) click to continue > Enter your credentials > Login.

2. The first time you connect it launches the welcome splash screen > tick “Do not show..” and close the window. (Note you can launch it again from the help menu).

Note: If you see this error:

Connection Error
Unable to connect to vCenter Inventory Service –
https://{servername}:10443

Check on the vCenter server to make sure this service is running.

3. You should then be connected, and be able to browse your virtual infrastructure.

4. You can “console” onto your VMs (Note: this needs a plug-in installing; your browser will prompt you to accept/install).

 


VMware VI Client Error ‘Call “ServiceInstance.RetrieveContent” for object “ServiceInstance” on Server “IP-Address” failed’

KB ID 0000870 

Problem

This is a pretty generic error. It basically means “I can’t connect to what you are asking me to connect to, on TCP Port 443 (https)”.

Solution

Internet searching for this error is very frustrating. Everyone who was posting this error was seeing it because, instead of putting the IP address or name in the box (that actually tells you to put in the IP address or name, see image above), they had put in https://{Name or IP Address}. If you do that, you will see this error. However this was NOT MY PROBLEM.

This is happening because there is no communication between you and the ESX/vCenter you are trying to connect to. The first thing you need to do is see if HTTPS is open. On the affected machine open a web browser and point it to the same target and make sure you see the web console of the ESX/vCenter server. If you can’t see this, check firewalls (and proxies) and make sure HTTPS is not getting blocked.

In my case I could see this but it still did not work! Then I was reminded we have had strange comms problems on this site before, which I have documented here. Sure enough, when I dropped the MTU on the server I was trying to connect from (which was over a site to site VPN tunnel), it started to work fine.


Cisco AnyConnect Error – ‘The client could not connect because of a secure gateway address failure. Please verify Internet connectivity and server address’

KB ID 0000558

Problem

Seen when trying to use the AnyConnect client to connect to your Cisco Device.

Error:
Cisco AnyConnect
The client could not connect because of a secure gateway address failure. Please verify Internet connectivity and server address.

Solution

Note: Common sense dictates, make sure you actually have internet connectivity first!

Essentially this is caused because the AnyConnect client wants to connect to the “Name” of your gateway not its IP address, often this can be an “Odd” name allocated by your ISP, if you do not have a registered DNS name that you use.

That works OK if you can resolve that name in DNS, but if you can’t you see this error. The simplest fix is to put the “Name” you are trying to connect to in the problem client’s “hosts” file. This gets checked before DNS is consulted.

1. Run the following command;

[box]%SystemRoot%\system32\drivers\etc\hosts[/box]

2. Choose “Notepad” to open the file.

3. Enter the public IP and the name the AnyConnect software is connecting to, save the file and exit.

Note: Windows Vista/Server 2008 and newer operating systems DO NOT require a reboot. (XP/Server 2003 and older will).

Related Articles, References, Credits, or External Links

Thanks to Roger Bingham for his patience while I worked out what was wrong 🙂