Must Have Terminal Server User Access Permissions--Error

Presentation Server 4.0 running on Server 2003 SP1 also is our Terminal Server License Server.  We have 3 remote locations connected via site-to-site VPNs.  DC is 2000 SBS.  One clarification I need to make is, I installed Citrix on the remote client before the site-to-site VPN was working.

The Citrix icon on the task bar shows “Citrix Program Neighborhood – Not Connected”

I used the “Custom ICA Connection” in Program Neighborhood and created a Connect By Published Application session.  When I tried the connection, it errored out (see error below); didn’t matter if I logged on as admin or user.  I have made sure that the users belong to Remote Desktop Users group AND Allow log on Through Terminal Services rights are assigned.  I have also made sure permissions are set through Connections in Terminal Services Configuration (both Microsoft RDP and Citrix ICA 3.0), also Citrix Connection Configuration (which looks like the same thing to me).  From the Citrix Management Console, I have set the farm “Connection Access Control” property to “any connection”, the published application “Access Control” property to “Allow connection through Metaframe…”, “Any connection”, and “Allow all other connections”.

ERROR DIALOG
“To log on to this remote computer, you must have Terminal Server User Access permissions on this computer. By default members of the Remote Desktop Users group have these permissions. If you are not a member of the Remote Desktop Users group or another group that has these permissions, you must be granted these permissions manually.”

Folks, this is beating the snot out of me!


I used the “Custom ICA Connection” in Program Neighborhood and created a Connect By Server session.  When I connect with admin rights it brings up an RDP session just fine, but if I try to log in to the domain as a domain user I get two error dialogs.
ERROR DIALOGS
1. The desktop you are trying to open is currently available only to administrators. Contact your administrator to confirm that the settings are in place for your client connection.
2. To log on to this remote computer, you must have Terminal Server User Access permissions on this computer. By default members of the Remote Desktop Users group have these permissions. If you are not a member of the Remote Desktop Users group or another group that has these permissions, you must be granted these permissions manually.

Help me…Please
bit_ter Asked:
 
bjlillo Commented:
1) Publish the application to a specific AD group (I assume that's done.)
2) When logged in as a user in the group specified in #1, open Program Neighborhood and go to the Application Set Manager, Find New Application Set, and run through the wizard to connect to your particular farm.
3) Run the application from the icon that is found in the newly created Application set.

This worked for me. The procedure I was doing prior to that was creating a custom ICA connection and attempting to connect to the application that way.
 
krais99 Commented:
Log onto the Citrix server as an administrator.  Go into Computer Management, Local Users and Groups, Groups and go into the Remote Desktop Users group.  Add the Domain Users group and close out.  If you wish to restrict who in the domain can log on, create a domain group called Citrix Users or something to that effect and add the personnel you wish to have access to Citrix to that group and add that group into Remote Desktop users.

Hope this helps,

Todd
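
The two conditions this thread keeps checking (the "Allow log on through Terminal Services" right and who sits in Remote Desktop Users) can be audited from exported text. This is an added example, not part of the post above or of any Citrix or Microsoft tooling; the sample `secedit` and `net localgroup` output is constructed, and `CORP` is a placeholder domain.

```python
import re

RDU_SID = "S-1-5-32-555"  # well-known SID of BUILTIN\Remote Desktop Users
BROAD = {"domain users", "everyone", "authenticated users"}

# Constructed sample of: secedit /export /cfg rights.inf /areas USER_RIGHTS
# (the real file is UTF-16; read it with encoding="utf-16")
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
"""

# Constructed sample of: net localgroup "Remote Desktop Users"
SAMPLE_NET = """Alias name     Remote Desktop Users
Comment        Members in this group are granted the right to logon remotely

Members

-------------------------------------------------------------------------------
CORP\\Domain Users
The command completed successfully.
"""

def privilege(inf_text, right):
    """Return the set of principals assigned `right` in the exported INF."""
    m = re.search(r"^%s[ \t]*=[ \t]*(.*)$" % re.escape(right), inf_text, re.M)
    return {p.strip().lstrip("*") for p in m.group(1).split(",") if p.strip()} if m else set()

def group_members(net_output):
    """Return member names listed between the dashed rule and the status line."""
    lines = net_output.splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("-----")) + 1
    return [l.strip() for l in lines[start:]
            if l.strip() and not l.startswith("The command completed")]

def audit(inf_text, net_output):
    """List findings: missing allow right, explicit deny, over-broad members."""
    findings = []
    if RDU_SID not in privilege(inf_text, "SeRemoteInteractiveLogonRight"):
        findings.append("Remote Desktop Users lacks 'Allow log on through Terminal Services'")
    if RDU_SID in privilege(inf_text, "SeDenyRemoteInteractiveLogonRight"):
        findings.append("Remote Desktop Users is denied logon through Terminal Services")
    for member in group_members(net_output):
        if member.split("\\")[-1].lower() in BROAD:
            findings.append("broad group in Remote Desktop Users: " + member)
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_INF, SAMPLE_NET)))
```

With the constructed input, the only finding is the Domain Users membership; swapping in a dedicated group such as the "Citrix Users" group suggested above clears it.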
 
bit_ter (Author) Commented:
Sorry, I forgot to mention that I already did that, still doesn't work, thanks for your comment though.
 
mgcIT Commented:
When you installed Terminal Services (through Add/Remove Programs > Add Windows Components) did you choose Remote Administration Mode, or Application Server Mode?

Should be Application Server Mode
 
bit_ter (Author) Commented:
Installed as App Server Mode with per device licenses
 
bit_ter (Author) Commented:
I had looked at these articles before,
Link 1. There is no "Citrix Settings" tab in the dialog, the article refers to Win 2003 x64, we run 32 bit 2003. Therefore I thought it was only for 64 bit ver, should that tab be on ver we run?
Link 2. I have verified these settings too, I made reference to this in my original post.  However I had "access control" selected as "any connection" instead of "any connection that meets any of the following filters" because I don't know how to make a filter and I thought any connection would be less restrictive.
Link 3. We are not getting that event ID num in the events viewer, the only events are "can't create printer for session (not exact)", but I have started going through the troubleshooting procedures listed in the article just to see what we have (don't have high hopes it will help).

Thanks for your help, I always appreciate anything anyone wants to suggest!!
 
gsgi Commented:
Here are a couple of guesses:

To let non-admins Citrix or TS into a DC, you have to set the log on locally group policy.
Make users at least power users on their own box (even as a test if it's against your better judgement, then we'll deal with that if it works later).

http://www.experts-exchange.com/Operating_Systems/Win2000/Q_20256896.html?query=logon+locally&clearTAFilter=true
http://www.experts-exchange.com/Operating_Systems/Win2000/Q_20971422.html?query=logon+locally+ts&clearTAFilter=true


-gsgi
 
bit_ter (Author) Commented:
I appreciate your help; the box is not a DC, just a member server.  I tried the suggestions in the links, but it didn’t help.  I can TS in with admin privileges, I can also launch a “server” session as admin (TS?), from Citrix Program Neighborhood, but if I try to launch a “published application”, even as admin; it gives the old “allow log on through TS” error.  

Could someone tell me why the “Citrix Program Neighborhood Agent” shows “not connected” on the task bar?  Do you think I need to uninstall reinstall Citrix client?  As I mentioned earlier, I loaded it on client box before the site-to-site VPN was working properly.  If I do, can you recommend a “best practice” install method for my situation?
 
bjlillo Commented:
Does it make a difference if you connect to the application through a Custom ICA Connection vs. finding the application set and running it from there? I had the exact same behavior you described this morning and can connect through the Application Set, but not through a Custom ICA Connection.
 
bit_ter (Author) Commented:
I don't know, how do I connect using the "finding application set and running it from there"?  I'm lost could you give me a procedure to follow?


Thanks!