Solved

Cannot RDP into a citrix server

Posted on 2006-05-22
Last Modified: 2013-11-21
I have a Windows 2000 Terminal Server running Citrix MetaFrame XPe.  The previous admin locked down the RDP service on this server so it cannot be used.  Citrix and ICA work fine.  But I want to use RDP for admin purposes (i.e. if Citrix is down and I cannot use the published desktop).  
At first RDP was not even installed, just ICA, so I set that up, then I had to press ctrl+alt+del from an RDP session to log in; I fixed that with a group policy.  

The error I am getting now is "the system cannot log you on" "access is denied".  I know he did not use group policy for this, since there were not any group policies set up when I arrived.  He used registry hacks and local policies.  I am trying to undo what he did.  I cannot call him since he did not leave under the best of terms.  I am using the administrator account, which has no issue logging in locally, and Citrix and ICA are working fine.  

Reinstalling Terminal Services is not a solution.  I have a production Citrix server.  Anything that might cause it any issue is not a solution.  Keeping that running is much more important than me being able to RDP into the server.  
Question by:lrpage
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16733916
Are you able to log on locally, i.e. from the same network, using a Domain Admin account?

Some things to check:
1-"allow users to connect remotely to this computer" must be enabled (right click on My computer, under remote tab)
2-you must be a member of the remote desktop users group (administrators are by default)
3-if the workstation is a member of a server 2000/2003 domain you will have one of the 2 following check boxes, depending on the version, on the "Terminal Services Profile" tab of the user's profile in Active Directory. Make sure it is checked appropriately. "Deny the user permission to log on to any terminal server", or "Allow Logon to Terminal Server"
4-if XP SP2 or Server 2003 SP1 the firewall needs to be configured to allow remote connections ( I would disable for now for troubleshooting purposes)
5-make sure any other software firewalls are disabled as well (for test purposes), including Internet security suites. Symantec's sometimes needs to be uninstalled or if using Symantec Antivirus some versions have "Internet Worm Protection" which can block Remote Desktop. Try disabling that as well.
6-Verify the Remote Desktop User group has the rights to log on using Terminal Services.  Go to Control Panel | Administrative tools | Local Security Policy | Local Policies | User Rights Assignments ...make sure Remote Desktop Users is included in "allow logon through Terminal Services"  
7-The terminal Services service must be running
If you have access to the remote machine make sure it is "listening" for your connection. To do so at a command line enter (substitute port # if not using default 3389):
  netstat  -an  |find  "3389"
You should get the following result:
TCP   0.0.0.0:3389    0.0.0.0:0    listening
If not go to Start  | Run | services.msc and see if Terminal Services is started and set to automatic
0
 
LVL 3

Author Comment

by:lrpage
ID: 16734250
1.  Not an option on Windows 2000 Server, only 2003 and XP
2.  Once again, this is not an option in 2000. I do not see it, nor do I see this group on any of my other 6 servers, except my 2003 server
3.  This is fine, and I can RDP into my other 6 servers and 300 workstations, just not this one that has been tweaked
4.  Firewall is disabled
5.  No other firewall is allowed on my domain (save my PIX box)
6.  Once again only a 2003 feature, but I did make the change in AD for this machine's GPO to allow admins to log on to TS. Then I ran secedit /refreshpolicy machine_policy
7.  tested fine
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16734334
Sorry I missed the "2000".  However option 6 still applies, just you will be choosing a different user or group name. If this is a DC and the user is not a Domain admin the same GPO has to be edited on the Default Domain Controller policy (not recommended). Where it is 2000 I think you have to be an admin regardless as by default it is designed for admin purposes only.

Still you are quite right it could be a registry change.
0

 
LVL 3

Author Comment

by:lrpage
ID: 16734466
Yes I am using the admin account and this is not a domain controller.  
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16734502
Sorry I have no further suggestions other than searching the registry, which wouldn't be easy to find, or figure out the default settings. If you want to have a look, many of the entries are located in:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer
the larger number of related ones should be specifically in:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp

Cheers.
0
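
Added example (not part of the original thread and not code from any poster): one way to search the keys listed in the comment above is to diff a regedit export of the RDP-Tcp key from the problem server against an export from a known-good Windows 2000 terminal server. The two sample exports and their byte values are constructed, and the key is spelled "Terminal Server" with a space, as regedit writes it.

```python
import re

# Constructed sample exports in regedit text format; not taken from any real server.
KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
BASELINE = f"""REGEDIT4
[{KEY}]
"PortNumber"=dword:00000d3d
"fEnableWinStation"=dword:00000001
"Security"=hex:01,00,14,80,\\
  a0,00,00,00
"""
SUSPECT = f"""REGEDIT4
[{KEY}]
"PortNumber"=dword:00000D3D
"fEnableWinStation"=dword:00000000
"Security"=hex:01,00,14,80,\\
  b4,00,00,00
"""

def load_reg(path):  # regedit 5.00 exports are UTF-16 with a BOM, REGEDIT4 is ANSI
    raw = open(path, "rb").read()
    return raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode("cp1252")

def parse_reg(text):
    """Map (key, value name), both lower-cased, to (display path, data)."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join hex continuation lines
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and m:
            name, data = m.group(1).strip('"'), m.group(2).strip()
            if data.startswith(("dword:", "hex")):
                data = data.lower()  # hex digits are case-insensitive
            values[(key.lower(), name.lower())] = (f"{key}\\{name}", data)
    return values

def diff_reg(baseline, suspect):
    """Return (status, path, baseline data, suspect data) for every difference."""
    b, s = parse_reg(baseline), parse_reg(suspect)
    out = []
    for k in sorted(set(b) | set(s)):
        old, new = b.get(k), s.get(k)
        if old is None or new is None:
            out.append(("extra" if old is None else "missing", (new or old)[0], old and old[1], new and new[1]))
        elif old[1] != new[1]:
            out.append(("changed", new[0], old[1], new[1]))
    return out
if __name__ == "__main__": print(*diff_reg(BASELINE, SUSPECT), sep="\n")
```

For real use, export the key on each machine with regedit and pass each file through `load_reg` before calling `diff_reg`.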
 
LVL 19

Expert Comment

by:BLipman
ID: 16737376
If you check the Event Viewer can you narrow down the specific error such as "cannot log in locally", "cannot log in interactively", etc?  Can you open the Local Security Policy on the trouble server and do a side by side comparison with a working server to make sure that you are configured properly?  
0
 
LVL 3

Author Comment

by:lrpage
ID: 16745101
blipman
I checked the event log, there are no errors there.  And I do not have another TS server to compare to.  Thanks.
0
 
LVL 19

Expert Comment

by:BLipman
ID: 16747343
Here is a screen shot of a Windows 2000 + Citrix machine's Local Security Policy, you can use this as a baseline.  

http://i33.photobucket.com/albums/d95/benlipman/LocalSecPol.jpg

Does this help?
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16747553
Might be just me, but I can't read it. It is too small and when I enlarge, it is too blurry.
0
 
LVL 3

Author Comment

by:lrpage
ID: 16752015
Rob Will, you are correct, I cannot read that picture either.  Blipman, thanks for trying.  I believe it is a registry hack I need to undo.  The previous person used a lot of registry hacks and did not document any of it.  I am hoping someone might be familiar with what registry hacks he might have done.  
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16752106
Here is one:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\
Key = fDenyTSConnection
Enable  remote desktop value = 0
Disable remote desktop value = 1
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16980592
lrpage, did you ever find the registry changes?
--Rob
0
 
LVL 3

Author Comment

by:lrpage
ID: 16996821
I went there but the key fdenytsconnection was not there.  Are you looking at a 2003 server or 2000?  I have a 2000.  I think I will be upgrading that server from 2000 with MetaFrame XP to 2003 with Presentation Server 4.0 soon, just waiting to see if I can get the funding for it.  
0
 
LVL 78

Accepted Solution

by:
Rob Williams earned 1000 total points
ID: 16997116
I just looked on a 2000 of mine and it is not there either.
I was just curious as to whether you were able to resolve.
0
 
LVL 3

Author Comment

by:lrpage
ID: 17001349
My final fix is going to be to do the upgrade and reinstall Citrix
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 17001402
Thank you lrpage. Sorry I wasn't much help.
--Rob
0
