Remote Desktop Services – Connection Errors

KB ID 0001132

 

Below is not an exhaustive list of connection errors, it’s just a some things that have tripped me up. If you have a nasty error that you have fixed, feel free to drop me a line, send me some screenshots and the fix, and I’ll add them as well.

General Errors

Remote Desktop can’t connect to the remote computer for one of the following reasons;

1) Remote access to the server is not enabled
2)The remote computer is turned off
3)The remote computer is not available on the network

Make sure the remote computer is turned on and connected to the network, and that remote access sis enabled.

Probably the most common (and easiest to troubleshoot) of RDP errors, firstly ensure that the server is actually ‘listening’ for RDP connections, on the SERVER issue the following command;

[box]

netstat -an | find /i ":3389"

[/box]

You should see it LISTENING (Note: Below its listed twice because its listening on IPv4 and IPv6)

If its not, the the service might not even be running, Look in Services, and ensure the following services are running;

  • Remote Desktop Services
  • Remote Desktop Services UserMode Port Redirector

Make sure that RDP has been allowed on the local firewall of the RDP server, In the past I’ve seen a bug on some versions of Windows when even with the firewall disabled, things didn’t work unless RDP was allowed on the firewall settings. (I know that makes no sense, but I’ve seen it, particularly for remote VPN traffic).

Test RDP Connectivity

From a machine ON THE SAME NETWORK as the target RDP Server, firs see if you can ping the server by both IP address and hostname. (This is more for peace of mind remember the server might ot respond to pings but might be responding to RDP Traffic.

Then test that the machine you are on can get to the the RDP server on the correct port, (TCP 3389*)

[box]

Test-NetConnection {IP-Address-or-Hostname} -Port 3389
OR
Test-NetConnection {IP-Address-or-Hostname} RDP

[/box]

Providing this works, now try the SAME tests form outside you network, i.e. outside the firewall, or on a remote VPN  connection etc.

*RDP Port Note: Normally RDP is on TCP 3389, check on the server just in case someones changed the RDP listening port number. Or the firewall is expecting you to connect on another RDP Port.

Your computer can’t connect to the remote computer because an error occurred on the remote computer that you want to connect to. Contact your network administrator for assistance.

Solution for Windows 10: I struggled with this for a while, all forum posts refer to windows 7/8 and the problem was caused by a windows update (KB2592687), that needed to be removed. But I was connecting with Windows 10? This  was the resolution;

Create/Edit a 32 bit DWORD value called RDGClientTransport in your registry at;

[box]

HKCU > SOFTWARE  >Microsoft > Terminal Services Client

[/box]

Set its value to ‘1’ (one).

Also See Remote Desktop Web Access – Connection Error


Your computer can’t connect to the remote computer because your computer or device did not pass the Network Access Protection requirements set by your network administrator.Contact your network administrator for assistance.

You normally see this error if one (or more), of your Remote Desktop Role servers does not have the correct certificate installed on it, (or the certificate it does has has expired).

Server Manager > Remote Desktop Services > Collection > Task > Select your collection > Task > Edit Deployment Settings > Certificates > Check and reinstall each one as required.

Remote Desktop Gateway Errors

Your computer can’t connect to the remote computer because the Remote Desktop Gateway server address is unreachable or incorrect. Type a valid Remote Desktop Gateway server address.

Your computer can’t connect to the remote computer because the Remote Desktop Gateway server is temporarily unavailable. Try reconnecting later or contact your network administrator for assistance.

The machine trying to connect needs to be able to resolve the ‘public name’ of the Remote Desktop Gateway server. And this may not be the hostname of the server! As you can see in the image above the Gateway server name is set to rdg.smoggyninja.com. The important thing is when I ping this name, it resolves to the correct IP address, (mine responds to pings, yours probably wont if you’re connecting though a firewall.)

In some cases you need to set the public name of the the Remote Desktop Gateway server, in the servers IIS Settings. On the Gateway server > Start > Administrative Tools > Internet Information Services (IIS) Manager > {Server-name} > Sites > Default Website > RDWeb > Pages  > Application Settings > Set ‘DefaultTSGateway’ to the public name of the gateway server. Then from command line run ‘iisreset‘ to restart the web services.

Your computer can’t connect to the remote computer because the Remote Desktop Gateway server’s certificate has expired or has been revoked. Contact your network administrator for assistance.

In most cases this should be easy to fix, if you use self signed certificates make sure your CRL settings and/or OCSP settings are correct. If you use a publicly signed cert make sure your client can contact the publishers CRL (look on the properties of the certificate).

Check the Obvious: It saying the RDG cert has expired, make sure it’s in date! In the Gateway Server Launch Server Manager > Remote Desktop Services > Collections > {Collection-name} > Tasks > Edit Deployment Properties.

Certificates > RD Gateway > View Details > Is it in date?

Everything is OK? But I’m Still Getting This Error? Are you publishing the Gateway with something else like Web Application Gateway? Threat Management Gateway? Load Balancer? Look in that direction.

Also See Remote Desktop Web Access – Connection Error

Related Articles, References, Credits, or External Links

NA

SBS Exchange Certificate Expired

KB ID 0000535

Problem

When you setup SBS2008 (and Exchange 2007) it creates and uses a self signed certificate, which is fine. But by default it only lasts two years. The best option is to buy a proper certificate, but if you simply want to generate a new one here’s how to do it.

Solution

1. Here you can see your certificate has expired.

2. Normally you need to access your certificate services web enrolment console to carry this procedure out. But when you navigate to https://localhost/certsrv you will probably see this:

Server Error in Application “SBS WEB APPLICATIONS”

Note: If web enrolment is installed, and you still cant access certificate services (CertSrv) then click here

3. You are seeing this error because certificate services might be installed, but the “Certificate Authority Web Enrolment” role service is not, you can add it from server manager.

4. Select it and follow the on screen prompts > Go and have a coffee.

5. Now you should be able to access the web front end.

6. To get a certificate we need a certificate request, you can write the powershell yourself like so:

[box] New-ExchangeCertificate -GenerateRequest -Path c:mail_yourpublicdomianname_co.csr -KeySize 2048 -SubjectName “c=gb, s=Your State COunty, l=Your City, o=Your Org, ou=Your Department, cn=mail.yourpublicdomianname.com” -PrivateKeyExportable $True [/box]

OR simply go here and let the good folk at Digicert do the heavy lifting for you.

7. Now you have the code, generate the request, on the Exchange server >  Start > All Programs > Microsoft Exchange Server 2007 > Exchange Management Shell > Execute the command you copied above.

8. This will dump the request on the C: drive (because in your command above you set the path to C:mail_yourpublicdomianname_co.csr) Locate it and open it with Notepad. Then select and copy ALL the text (copy as shown no extra spaces etc.)

9. If you have closed it down log into certificate services web access. Select “Request Certificate” > We will be submitting an advanced certificate request.

10. “Submit a certificate request by using………..”.

11. Paste in the text you copied at step 8, change the certificate template to “Web Server” > Submit.

12. Download the certificate.

13. Save it somewhere you can find it (the root of the C: drive is easiest, as you are going to be referencing it in a command shortly).

14. Job done, close the browser window.

15. Back at the Exchange Management Shell issue the following command:

[box] Import-ExchangeCertificate -Path c:the-name-of-your-cert.cer [/box]

As it imports it shows you the thumbprint of the certificate, mark this and copy it to the clipboard.

16. Now you have the certificate imported you can enable it, issue the following command:

[box] Enable-ExchangeCertificate -Services “SMTP,POP,IMAP,IIS” [/box]

It will ask you for the thumbprint > paste it in > when prompted enter “A” to confirm all.

17. That’s the job finished.

SBS2008 Unable to access Certificate Services

I’ve seen this on a few SBS2008 Servers, when you install the web enrolment service it installs into the servers “Default Web Site”, For any other Windows/Exchange combo that’s fine but SBS likes to do things its own way. It creates another web site called “SBS Web Applications” and uses that. That’s fine, but only one can be up and running at a time.

CertSrv The Webpage cannot be found

1. Warning: You are about to stop things like OWA briefly. From Administrative tools launch the Internet Information Services (IIS) Manager > Locate the SBS Web Applications site and click stop (right hand column) > then select the Default Web site and start it.

2. Select the CertSrv virtual directory.

3. You can now browse via http/https and this will open the site in your default browser. Don’t forget to stop the Default website, and restart the SBS Web Applications site when you are finished.

 

Related Articles, References, Credits, or External Links

NA

Cisco PRSM – Replace the Certificate Using Microsoft Certificate Services

KB ID 0001023 

Problem

Cisco PRSM gives you the ability to import certificates into it, but like other Linux distros does not give you the tools to generate the actual certificate request. The documentation tells you to use OpenSSL to this. I was just about to fire up a CentOS box when I remembered I did something similar for VMware 5.5 not so long ago, would the same procedure work here? Yes it did, and it’s a lot easier than growing a ginger ponytail, donning sandals and firing up Linux.

Solution

The following procedure was carried out on Windows Server 2012 R2. I want my certificate to have a common name of prsm.petenetlive.com (change your configs and commands accordingly).

1. Download and install the following.

Microsoft Visual C++ 2008 Redistributable Package (x86) and Shining Light Productions installer for OpenSSL x86 version 0.98r (or later)

2. Accept all the defaults and it should install to C:OpenSSL-Win32 go there, and in the bin directory make a backup of the openssl.cfg file.

2. Open the original openssl.cfg file and delete everything out of it, then paste in the following text, replace the values in red with your own, and save the file.

[box]

[ req ]
default_bits = 2048
default_keyfile = prsm.petenetlive.com.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:PRSM, IP:123.123.123.110, DNS:prsm.petenetlive.com

[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = Teesside
localityName = Middlesbrough
0.organizationName = PeteNetLive
organizationalUnitName = Technical Services
commonName = prsm.petenetlive.com

[/box]

3. Open an administrative command window, issue the following three commands;

[box]

cd C:OpenSSL-Win32Bin

openssl req -new -nodes -out prsm.petenetlive.com.csr -keyout prsm.petenetlive.com-orig.key -config openssl.cfg

openssl rsa -in prsm.petenetlive.com-orig.key -out prsm.petenetlive.com.key

[/box]

Don’t worry if it says it cant read the openssl.cnf file

4. If you look in C:OpenSSL-Win32bin directory you will see the CSR (certificate request) has been generated.

5. Open the .csr file with notepad and copy all the text, (this is a request in PEM format). This is what you will give to your CA to request the certificate, copy that to the clipboard.

6. Connect to your Certificate Authority web enrollment portal > Request a certificate.

7. Advanced certificate request.

8. Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

9. Paste in the PEM text you copied to the clipboard > Set the certificate template to ‘Web Server’ > Submit.

Note: Your CA may have a different template for web server certificates, if so use that one. If you don’t see web server either it’s not been published, or your user does not have rights to the certificate template.

10. Choose ‘Base 64 encoded’ > Download > Save the cert in the directory you were using earlier (you will see why in a minute) > I give it the same name as the common name on the certificate so I saved it as prsm.petenetlive.com.cer

11. Here it is, but there is still a problem with it, PRSM needs the certificate in x509 format, (it isn’t). But OpenSSL-Win32 can convert it for us.

How to Convert a Windows .cer file to an x509 .crt file

12. Open and administrative command window and issue the following two commands;

[box]

cd C:OpenSSL-Win32bin
openssl x509 -in prsm.petenetlive.com.cer -out prsm.petenetlive.com.crt

[/box]

13. Now it looks better, for PRSM we need this file AND we need the .key file, (not the one that ends in xxx-orig.key!) In the example below I’ve kept everything neat so the other file i need is prsm.petenetlive.com.key, (third one down).

14. Connect to PRSM > Administration > Server Certificates > Browse and select both files.

15. Install and Restart Server.

16. Restart.

17. Refresh your web session and you should now be using the correct certificate.

Related Articles, References, Credits, or External Links

NA