• Status: Solved
  • Priority: Medium
  • Security: Public

Terminal Server 2008 login problem when connected with Windows PPTP

Hi,

I have a Server 2008 Standard as DC and a second Server 2008 as Terminal Server.
I have set up the user with permission to log in to the terminal server and it works fine within the LAN. If I connect to the network with PPTP VPN configured on the DC I cannot log in to the terminal server (I can log in with the administrator account). When I log in as a user I get a message (translated from Swedish): "the connection was not allowed as the user account does not have permission for remote login". Please note again that it works when I'm within the network.
In AD under Remote Access the users have "Allow access".

Thanks in advance!
henriklundin
1 Solution
 
vincebryan Commented:
Is the user who is attempting to log on a member of the terminal server's local "Remote Desktop Users" group?
 
henriklundin (Author) Commented:
Yes, they are members of that group. And it's working within the LAN... it must be something with the PPTP Windows VPN...
 
vincebryan Commented:
Couple of things to check:

1) Can you ping the terminal server (IP and NetBIOS name)?
2) Is the IP range of your client location different to that of your server location? (I've had a problem before whereby the default gateway of the local machine's location was the same as that of the server's location and this caused no end of problems with connectivity.)
 
henriklundin (Author) Commented:
Sorry, but I wrote that I can log in to the server, but only as administrator.

I can reach everything on the server, such as shared folders etc., over VPN...
 
henriklundin (Author) Commented:
I just noticed that I can only log in via the LAN to the terminal server if I'm using the computer name, not the IP address! Isn't that strange? How can I configure it so users can log in via the IP 192.168.255.4?

Thanks in advance!
 
vincebryan Commented:
Your problems may stem from the fact that you are using 255 as a subnet. IPv4 specifies that no network or subnet can have a value of 255.

Examples of invalid addresses:
10.1.0.0 - Host IP can't be 0.
10.1.0.255 - Host IP can't be 255.
10.123.255.4 - No network or subnet can have a value of 255.
0.12.16.89 - No Class A network can have an address of 0.
255.9.56.45 - No network address can be 255.
10.34.255.1 - No network address can be 255.
 
henriklundin (Author) Commented:
I also noticed that in secpol.msc, under Allow login to terminal server, the group Terminal Server Group that I added gets a strange name. Check the attached file.
Thanks.
screendump.jpg
 
henriklundin (Author) Commented:
Hmm, but I have had the 192.168.255.0 network with mask 255.255.255.0 for many years. Are you sure this can cause a problem like this?
 
vincebryan Commented:
I can't be sure that this would cause the problem, but Server 2008 can be a bit of a stickler for detail.

The strange name you see in Group Policy occurs when a user or group is listed that isn't in the AD.
On my TS I only have Administrator and the local group 'Remote Desktop User' in that Policy.
Any user or group I wish to give TS access to is then added to the local group Remote Desktop User.
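The check suggested in the comment above, as an added example that is not part of the original thread: it lists the holders of the remote logon right and the members of the local Remote Desktop Users group on the terminal server, and flags entries whose SID no longer resolves to an account. It assumes an elevated session and PowerShell 2.0 or later; `Resolve-Sid` and the scratch file name are illustrative, and `SeRemoteInteractiveLogonRight` is the internal name of the "Allow log on through Terminal Services" user right.

```powershell
# Added example. Run elevated on the terminal server (PowerShell 2.0 or later assumed).

function Resolve-Sid([string]$Sid) {
    # Return DOMAIN\name, or $null when the SID does not map to an account.
    try {
        $obj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $obj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $null
    }
}

# 1) Who holds SeRemoteInteractiveLogonRight in the local security policy?
$cfg = Join-Path $env:TEMP 'user_rights.inf'      # scratch file, name is arbitrary
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
$hit = Select-String -Path $cfg -Pattern '^SeRemoteInteractiveLogonRight\s*=\s*(.*)$' |
    Select-Object -First 1
$entries = @()
if ($hit) {
    $entries = @($hit.Matches[0].Groups[1].Value -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })
}
foreach ($entry in $entries) {
    if ($entry.StartsWith('*S-')) {
        # secedit writes SIDs with a leading asterisk
        $sid  = $entry.Substring(1)
        $name = Resolve-Sid $sid
        if ($name) { "RIGHT  $name ($sid)" } else { "RIGHT  UNRESOLVED SID $sid" }
    } else {
        "RIGHT  $entry"
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# 2) Who is in the local Remote Desktop Users group (well-known SID S-1-5-32-555)?
#    Resolving the SID first keeps this working on localized Windows installs.
$groupName = (Resolve-Sid 'S-1-5-32-555') -replace '^.*\\', ''
$group = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
foreach ($member in @($group.psbase.Invoke('Members'))) {
    $name = $member.GetType().InvokeMember('Name', 'GetProperty', $null, $member, $null)
    if ($name -match '^S-1-\d') { "GROUP  UNRESOLVED SID $name" } else { "GROUP  $name" }
}
```

An `UNRESOLVED SID` line corresponds to the "strange name" seen in secpol.msc: the entry points at an account that the server cannot look up in the directory.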
 
henriklundin (Author) Commented:
Thanks, I will check that later today.

Maybe there is something with the security settings on the terminal server that doesn't allow me to log in via IP address, only via host name?
 
vincebryan Commented:
I tried on my TS and I can connect using IP or name, and I didn't change any settings to allow this, which brings me back to thinking there's an issue with that IP.

Might I suggest as a test that you add a 2nd IP address to your Terminal Server on a different subnet. Put a PC on that same subnet and see if you can connect from that PC using the new IP address (not the name)?
 
henriklundin (Author) Commented:
Hmmm...
I have changed the subnet for the whole network to 192.168.199.0, but I still have the same problem...
I can log in when using host name sc-ts (all users), but not via IP other than as administrator (now 192.168.199.4)! It's so strange!
 
henriklundin (Author) Commented:
After this night it was not possible to log in as a user anymore...

I noticed that when I add a group to the local "remote desktop group" of the terminal server I get strange numbers after it... see attached image.
Also, when I check the members later, my recently added group is not visible any more... If I try to add it again I get a message that it's already added, but it's not visible...
 
henriklundin (Author) Commented:
Here is the attached image...
screen2.jpg
 
henriklundin (Author) Commented:
I have solved everything now by reinstalling Active Directory! Everything works perfectly now!!
Thank you anyway for your help!