Access Denied on Remote Desktop Web Connection

ajaytemp (Member, joined Mar 17, 2009, 1 message)

Server: Windows Server 2008 Enterprise
Client: the server and a Vista computer.

I set up a user account on the Windows server with a password.
I added the user account to the Remote Desktop Users. I added it to TS Web Access Computers Properties.

Remote Desktop icon shows in RemoteApp tab along with a Calc icon. Calculator loads fine after logging on. However, Remote Desktop does not. It gives an "Access Denied." error!
However, Administrator account loads Remote Desktop perfectly.

What is the problem and solution?

Thanks,
Ajay
 
Hi,

you have to allow log on with terminal services.

policies of the local computer -> computerconfig -> windows-settings -> safety settings -> local policies -> log on with terminal services.
(the names can be different because I use a german server ;) )
Add the group 'users' there and maybe restart the server. Then it should run.


pYro.O
 
Did this get resolved? I have the same issue. I keep getting the screen shown below. I have spent weeks searching forums and no one seems to have the answer. I have all the permissions, user groups, and services set up per the recommendations of everyone and I still get the same error.

Thanks for your help!
Jordan
[screenshot]
 
Is your server a domain controller? On domain controllers, the Remote Desktop Users group has been removed from the logon via terminal services right, but it can be added back in.
 
The server is indeed a domain controller. I went to the Remote Desktop configuration (Terminal Services) and added in the Remote Desktop Users group and still the same error.
 
You need to do this in group policy; the default domain controller policy >> Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. Be careful not to delete what is already there or you can remove the ability of administrators to remote to the machine.
 
Thanks for your help. I really appreciate it.

here is a listing of my group policies:

Policy | Setting
Access this computer from the network | Everyone, BUILTIN\Administrators, NT AUTHORITY\Authenticated Users, NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS, BUILTIN\Pre-Windows 2000 Compatible Access
Add workstations to domain | NT AUTHORITY\Authenticated Users
Adjust memory quotas for a process | NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE, BUILTIN\Administrators, Classic .NET AppPool, DefaultAppPool, S-1-5-82-604604840-3341247844-1790606609-4006251754-2470522317
Allow log on locally | BUILTIN\Server Operators, BUILTIN\Remote Desktop Users, BUILTIN\Print Operators, BUILTIN\Backup Operators, BUILTIN\Administrators, BUILTIN\Account Operators
Allow log on through Terminal Services | BUILTIN\Remote Desktop Users
Back up files and directories | BUILTIN\Administrators, BUILTIN\Backup Operators, BUILTIN\Server Operators

Here is the error I get from the event log:
Description:
The Remote Desktop license server cannot update the license attributes for user "XXXX" in the Active Directory Domain "corp.XXX.com". Ensure that the computer account for the license server is a member of Terminal Server License Servers group in Active Directory domain "corp.XXXX.com".
If the license server is installed on a domain controller, the Network Service account also needs to be a member of the Terminal Server License Servers group.
If the license server is installed on a domain controller, after you have added the appropriate accounts to the Terminal Server License Servers group, you must restart the Remote Desktop Licensing service to track or report the usage of RDS Per User CALs.
Win32 error code: 0x80070005
 
Check this link for that error.
 
By the way, I am no longer getting the previous error in the event log but instead am flat out getting denied.

jrw
 
Hmm, odd. In the group policy, in the same area as the "allow log on through terminal services" there is also a "Deny log on through terminal services." That isn't set to deny anything is it? Also, is there an error message being logged now when a user is denied access?
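
One way to check the allow and deny rights discussed above is to read them from a `secedit /export` file. This is an added example, not code from any poster in the thread; the function name `Get-RdpLogonRights` is hypothetical and the sample input is constructed.

```powershell
# Added example (not from the thread): list who holds the allow/deny RDP logon
# rights in a `secedit /export` file. The sample input below is constructed.
function Get-RdpLogonRights {
    param([Parameter(Mandatory = $true)] [string[]] $InfLines)

    $rights = @{
        SeRemoteInteractiveLogonRight     = 'Allow log on through Terminal Services'
        SeDenyRemoteInteractiveLogonRight = 'Deny log on through Terminal Services'
    }
    foreach ($line in $InfLines) {
        if ($line -match '^\s*(\w+)\s*=\s*(.*)$') {
            $name  = $Matches[1]
            $value = $Matches[2]
            if (-not $rights.ContainsKey($name)) { continue }
            foreach ($entry in ($value -split ',')) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                $account = $entry
                if ($entry.StartsWith('*')) {
                    # secedit writes SIDs as *S-1-...; show the name when the SID resolves
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                    try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $account = $sid.Value }
                }
                New-Object psobject -Property @{ Policy = $rights[$name]; Account = $account }
            }
        }
    }
}

# Constructed [Privilege Rights] sample (S-1-5-32-544 = Administrators,
# S-1-5-32-555 = Remote Desktop Users). No Deny line means nothing is listed for it.
$sampleInf = @(
    '[Privilege Rights]'
    'SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544'
    'SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555'
)
Get-RdpLogonRights -InfLines $sampleInf

# On the server itself, from an elevated prompt, export the user rights and parse them:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   Get-RdpLogonRights -InfLines (Get-Content "$env:TEMP\rights.inf")
```

An account that appears under the Deny right is refused even if it also appears under the Allow right, so both lists need to be read together.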
 
The "Deny" policy is empty by default and has nothing in it.

There are no error messages being generated when a remote user attempts to connect.

I tried connecting today and then ran a report of the domain RDS CAL usage and this was the result:

RDS CAL Usage Report
RD License Server: xxx
Report Date: Tuesday, January 05, 2010 12:27:14 PM
Report Scope: Domain

Issued to User | RDS CAL Version | Expires On
CORP\Administrator | Windows Server 2008 or Windows Server 2008 R2 | Saturday March 06 2010 12:12:57 AM
CORP\xxx | Windows Server 2008 or Windows Server 2008 R2 | Friday March 05 2010 11:50:49 PM

RDS CAL Version | RDS CAL Type | Installed RDS CALs | RDS CALs in Use | RDS CAL Availability
Windows Server 2008 or Windows Server 2008 R2 | Per User | 1 | 2 | None


So you can see that the OS is assigning RDS CALs to the user attempting to login, but then giving an "Access is Denied" screen.

Thanks again
 
Here is a registry hack to try. I don't know if it will help in your situation or not, but it has been known to fix some terminal services logon issues in both 2008 and 2003 server. As always with registry stuff, back up your registry first.

1. Click Start, click Run, type regedit in the Open box, and then click OK.
2. Locate the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server

3. Click Edit, point to New, and then click DWORD Value.
4. In the New Value #1 box, type IgnoreRegUserConfigErrors, and then press ENTER.
5. Right-click IgnoreRegUserConfigErrors, and then click Modify.
6. In the Value data box, type 1, click Decimal, and then click OK.
7. Exit Registry Editor.
 
Tried the hack ...... "Access is denied"

You are probably starting to get as frustrated as I am. What drives me nuts is that I have successfully deployed Remote Desktop on other servers and computers with no issue and this one is such a hassle.
 
Yes, I think setting up remote desktop and terminal services is easier in 2008 than previously, and it makes most of the necessary changes for you, so I am running out of ideas, but I'll keep trying.
 
I can only surmise that the issue is somewhere in the "Log on Access Rights" settings. The issue is not that the Remote Desktop services don't work because the server gives the user a RD CAL when they login, but for some reason it doesn't let them past the blue screen.

I think I will file a report with MSFT and pay the money to have one of their guys help me out.
 
This is the note I got from Microsoft. After implementing their recommendations I still get the error. I will post their response.



From MSFT:
According to Problem Description and the specified forum, I understand that the issue you are experiencing is:
The TS users cannot RDP to the Windows 2008 Remote Desktop (RD) Session Host Server which is a domain controller by using MSTSC.EXE and received the following error message.
“Access is denied.” (Please refer to the following screenshot.)

[screenshot]


Note: In Windows Server 2008 R2, Terminal Service has been renamed as Remote Desktop Service and the Terminal Server has been renamed as Remote Desktop (RD) Session Host Server.

If I have misunderstood your concern, please don’t hesitate to let me know.

Based on my experience, could you please check the policy “Allow users to connect remotely using Remote Desktop Services” on the affected RD Session Host Server?
======================================================================================================
1. On the affected RD Session Host server, please open local policy. If the affected server is a domain controller, please open Default Domain Controllers policy. Please refer to the following screenshot.

[screenshot]


2. Please navigate to the following path and enable “Allow users to connect remotely using Remote Desktop Services” policy.
Computer configuration/Policy/Administrator Templates/Windows Components/ Remote Desktop Services/ Remote Desktop Session Hosts/Connections

If this issue still persists, could you help take time to collect the following information to clarify the situation?
==================================================================
1. Could you please let me know if the RD Session Host Server has been installed on a domain controller?

2. Since you mentioned “Modified all group policies to allow the RD to function” in Problem Description, could you please collect the gpresult log and upload to me? To do this,
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
On the affected RD Session Host Server, please use the command "gpresult /v > c:\gpresult.txt" (without quotation marks) in the command shell. After that, please upload the gpresult.txt file to me. Please refer to the following screenshot.

[screenshot]



Note: Please run this command under administrator privilege

3. Since you mentioned “Added the Remote Desktop Users group to the domain controller Remote Desktop users group” in Problem Description, could you please check the TS Users account has been added in the Remote desktop users group on the affected RD Session Host Server? Please refer to the following screenshot.

[screenshot]


4. Could you please let me know if the RD Licensing Server has been installed on the same server as the RD Session Host Server? And please capture some screenshots of the TS Licensing Manager?
-----------------
a. On the RD Licensing Server, click Start > Run, type licmgr.exe
b. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
c. Maximize the Terminal Service Licensing window, click + before the server entity to expand it, adjust the split bar so that the string names of installed CALs are completely shown in the Terminal Server Licensing window.
d. Capture a screenshot of the Terminal Service Licensing window and upload it to me.

Note: Please refer to the below screenshot, we can check the specific licenses information on the TS License Server from the screenshot.

[screenshot]


5. On the affected server, please help collect the Microsoft Platform Support (MPS) Report.
---------------------------------------------------------------------------------------------------------
To allow us to better support you please run the Microsoft Platform Support(MPS) Report for Windows 2008 Server R2 using the steps below. The tool gathers diagnostic information useful in resolving your issue. From a computer that is connected to the internet:

a. Please download and run the MPS report tool, http://www.microsoft.com/downloads/...FamilyID=cebf3c7c-7ca5-408f-88b7-f9c79b7306c0
b. Please click This Computer, then, please select General, Internet and Networking, Server Components, click Next. Please refer to the following screenshot.

[screenshot]


c. After the process completes, please save the result in the specified path and upload the CAB file to me.
 
I don't know if you have found a resolution for this yet, but I thought I would let you know that we had the same type of problem, but it was related to specific accounts that were getting access denied. What we found was that the issue is related to the MaxTokenSize and the specific accounts that were getting the access denied. The accounts with the access denied issue belonged to a large number of domain groups and their Kerberos token was larger than the default of 12000 bytes, which then produced the access denied issue when trying to log onto a W2K8 R2 RDS server. The problem was resolved by changing the MaxTokenSize value in the registry to 65535 (on the W2K8 R2 RDS server) as detailed in the MS KB article 327825 "New resolution for problems with Kerberos authentication when users belong to many groups"
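
To tell whether an account is near the limit described in the post above, KB 327825 gives an estimate formula, TokenSize = 1200 + 40d + 8s. The sketch below applies it to a group list and compares the result with the configured MaxTokenSize. It is an added example, not code from the thread; the function names, the CORP and PARTNER domains and the group list are constructed.

```powershell
# Added example, not from the thread. KB 327825 estimate:
#   TokenSize = 1200 + 40*d + 8*s
#   d = domain local groups + universal groups outside the account domain + SID history entries
#   s = global groups + universal groups inside the account domain
function Get-EstimatedTokenSize {
    param(
        [Parameter(Mandatory = $true)] [AllowEmptyCollection()] [object[]] $Groups,
        [Parameter(Mandatory = $true)] [string] $AccountDomain,
        [int] $SidHistoryCount = 0
    )
    $d = $SidHistoryCount
    $s = 0
    foreach ($g in $Groups) {
        switch ($g.Scope) {
            'DomainLocal' { $d++ }
            'Global'      { $s++ }
            'Universal'   { if ($g.Domain -eq $AccountDomain) { $s++ } else { $d++ } }
            default       { throw "Unknown scope '$($g.Scope)' on group $($g.Name)" }
        }
    }
    1200 + (40 * $d) + (8 * $s)
}

function Get-MaxTokenSize {
    # The value is absent unless someone set it; 12000 is the default the post cites.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $p = Get-ItemProperty -Path $key -Name MaxTokenSize -ErrorAction SilentlyContinue
    if ($p) { [int]$p.MaxTokenSize } else { 12000 }
}

# Constructed membership for one account in a domain called CORP (all names invented).
# With the ActiveDirectory module, Get-ADGroup's GroupScope property supplies Scope.
function New-SampleGroup($Name, $Scope, $Domain) {
    New-Object psobject -Property @{ Name = $Name; Scope = $Scope; Domain = $Domain }
}
$groups  = @()
$groups += 1..180 | ForEach-Object { New-SampleGroup "DL-$_" 'DomainLocal' 'CORP' }
$groups += 1..450 | ForEach-Object { New-SampleGroup "GG-$_" 'Global' 'CORP' }
$groups += 1..15  | ForEach-Object { New-SampleGroup "UG-$_" 'Universal' 'CORP' }
$groups += 1..10  | ForEach-Object { New-SampleGroup "XUG-$_" 'Universal' 'PARTNER' }

$estimate = Get-EstimatedTokenSize -Groups $groups -AccountDomain 'CORP'
$limit    = Get-MaxTokenSize
New-Object psobject -Property @{
    EstimatedBytes = $estimate; MaxTokenSize = $limit; OverLimit = ($estimate -gt $limit)
}
```

The formula is an estimate, so treat accounts close to the limit as suspect too. Microsoft's later guidance for this setting recommends 48000 as the upper value rather than 65535.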
 