LondonTown123
asked on
Terminal Services Credentials Problem
Hi,
I have a 30 computer network (mix of Windows XP and Vista machines) running on a Windows Server 2008-based single-server domain The server is used as a file server and also hosts our intranet (using Sharepoint 3).
I am now trying to deploy terminal services on the network. The terminal services role is installed and I have also installed 30 per-device CALs. I have set up terminal services to be accessed by client machines through the local URL http://mydomain/ts. Client machines can succssfully access the terminal services page.
When you attempt to run a terminal services application (in this case, the bog standard windows Calculator found under Programs/Accessories/Calcu
Why won't the credentials work?
I have a 30 computer network (mix of Windows XP and Vista machines) running on a Windows Server 2008-based single-server domain The server is used as a file server and also hosts our intranet (using Sharepoint 3).
I am now trying to deploy terminal services on the network. The terminal services role is installed and I have also installed 30 per-device CALs. I have set up terminal services to be accessed by client machines through the local URL http://mydomain/ts. Client machines can succssfully access the terminal services page.
When you attempt to run a terminal services application (in this case, the bog standard windows Calculator found under Programs/Accessories/Calcu
Why won't the credentials work?
did you ad realm to the login? like DOMAIN\username? Are you in active directory enviroment? Do you have AD configured for kerberos only auth?
ASKER
Hi, thanks for the response.
the realm is included in the login. I am using active directory. How do I check how AD is configured for authorisation?
Thanks
the realm is included in the login. I am using active directory. How do I check how AD is configured for authorisation?
Thanks
1) firt of all check firewall - maybe try to turn it off for a while - I saw cases where it caused auth issues
2) check if the usergroup of domain users who should access the RDP is added into Remote Desktop Users local group (Local group on Terminal Server) in user management. This is a must.
3) enforced kerberos auth can be found at domain GPO object
2) check if the usergroup of domain users who should access the RDP is added into Remote Desktop Users local group (Local group on Terminal Server) in user management. This is a must.
3) enforced kerberos auth can be found at domain GPO object
ASKER
Hi, thanks again.
I've turned the firewalls off on both client and server side. All the domain users and computers are added to the Remote Desktop Users group. I think Kerberos authentication is enforced (I have attached a screenshot from the domain GPO). The problem is still occuring.
I don't think it is a general authentication problem, as client computers can authenticate for Sharepoint services on the server, and for Remote Desktop sessions on the server (*- see note below), but just not for Terminal Services applications runnning on the server.
*I've found that authentication for Remote Desktop sessions only succeeds when you connect to the server via it's IP address, but not when you connect via the server name. If you connect via the server name it gives the same problem of 'credentials not working'. Why would authentication work with the IP address but not the computer name?
Whatever is causing this is probably related to the Terminal Services problem that I am trying to solve.
Domain-GPO---Kerberos.jpg
I've turned the firewalls off on both client and server side. All the domain users and computers are added to the Remote Desktop Users group. I think Kerberos authentication is enforced (I have attached a screenshot from the domain GPO). The problem is still occuring.
I don't think it is a general authentication problem, as client computers can authenticate for Sharepoint services on the server, and for Remote Desktop sessions on the server (*- see note below), but just not for Terminal Services applications runnning on the server.
*I've found that authentication for Remote Desktop sessions only succeeds when you connect to the server via it's IP address, but not when you connect via the server name. If you connect via the server name it gives the same problem of 'credentials not working'. Why would authentication work with the IP address but not the computer name?
Whatever is causing this is probably related to the Terminal Services problem that I am trying to solve.
Domain-GPO---Kerberos.jpg
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi, and thanks.
I'm pretty sure that you're right about the certification issue...I know how to get to the server certifcates area in IIS 7.0, everything I've done once I got there has pretty much been guesswork. I've had other certificate problems with the server which I've mentioned to get around but without quite understanding how. How do I go about getting a valid certificate in place?
Just for the record,I have checked the permissions and DNS settings and they are fine.
You've been really helpful so far.
I'm pretty sure that you're right about the certification issue...I know how to get to the server certifcates area in IIS 7.0, everything I've done once I got there has pretty much been guesswork. I've had other certificate problems with the server which I've mentioned to get around but without quite understanding how. How do I go about getting a valid certificate in place?
Just for the record,I have checked the permissions and DNS settings and they are fine.
You've been really helpful so far.
ASKER
Sorry, *managed' not 'mentioned'
ASKER
This was a partial solution.To solve the problem I had to install the Certification Authority role in Windows Server 2008 and issue a domain certificate to the Terminal Server. I also had to troubleshoot a possible conflict issue I was having with Windows Sharepoint 3 using the same ports as the TS Gateway (see http://tinyurl.com/6zc9zu for a walkthrough).