Cannot Access Windows Server 2008 Terminal Server Using Vista Client

Posted on 2008-11-06
Last Modified: 2013-11-21
Cannot Access windows 2008 terminal server using a vista client.  Note that this vista client computer can connect to terminal services on a Windows Server 2003.  Note also that XP clients have no problems accessing the Windows 2008 Terminal well as accessiing terminal services on a windows server 2003.

Note also that under Terminal Services configuration, Negotioate using network layer security only is off.  All configuration options under rdp-tcp have been set to allow "lowest common denominator".  Also, all configurations in active directory are correct because access can be made by all xp clients to the windows server 2008 terminal services.  

The only problem is that vista clients cannot access Server 2008 terminal services via their RDP.
Question by:cruisepak
    LVL 15

    Expert Comment

    On the Vista machine, Go Start -> Run -> type "MSTSC" and hit enter. Then go to "Options" and then the "Advanced" tab. What option is selected under "Server Authentication"?

    Author Comment

    Authentication Options on vista client are "Always Connect, even if authentication fails".  i've tried all those options. It's funny as well that all vista clients are having this issue so it does point me to the Windows Server 2008 side of the issue.    

    Accepted Solution

    More Research......(on my own issue mind you).

    It looks like credssp looks to be the issue.  XP clients do not utilize CredSSP (disabled in SP3).  thus, when XP clients connect to Windows Terminal Server, Kerbos is the common authentication protocol.  Conversely, when vista clients connect to a Windows 2003 Terminal Server, CredSSP is not present in Server 2003...and thus Kerbos is the lowest common denominator.  XP to a Server 2003 session is governed by Kerbos.

    The problem lies therefore in CredSSP being the default protocol between vista clients and windows Server 2008 terminal server sessions.  The trick now is to either a) disable CredSSP on the windows 2008 server so that kerbos is used...or to disable CredSSP in Vista clients (all flavors).

    I can't find any group policies in Server 2008 to allow this and Vista Home Premium and Basic have no group policy editor (gpedit.msc) so there is no way to disable it in vista.

    Does Anyone have any suggestions....preferably for a windows 2008 server side modification?
    LVL 3

    Expert Comment


    I've had problems with using older clients (RDP 5) with Terminal Server 2008 and what I found is that the Remote Desktop settings on the server seem to be over riding the terminal services settings.

    To get it to work I had to un-install the terminal services role and get remote desktop working (dropping security/encryption) and once that worked, re-installed the terminal services role.

    Hope that helps.

    Featured Post

    Want to promote your upcoming event?

    Are you going to an event? Are you going to be exhibiting at a tradeshow? Talking at a conference? Using a promotional banner in your email signature ensures that your organization’s most important contacts stay in the know and can potentially spread the word about the event.

    Join & Write a Comment

    Suggested Solutions

    Welcome to my series of short tips on migrations. Whilst based on Microsoft migrations the same principles can be applied to any type of migration. My first tip Migration Tip #1 – Source Server Health can be found listed in my profile here: http:…
    If you migrate a Terminal Server licenses server inside the 2008 server family, you can takte advantage of the build-in migration tool. If you like to migrate an older 2003 Server (and the installed client CALs) to a 2008 R2 server for example, you …
    This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
    This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

    746 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    15 Experts available now in Live!

    Get 1:1 Help Now