Solved

Cannot log into TS Web Access or TS Gateway from (only) XP computers

Posted on 2010-08-23
19
1,495 Views
Last Modified: 2013-11-21
Hello.

I am running Server 2008 R2 and am hosting terminal services, with RemoteApp web access and TS Gateway access.  

Everything works fine from Vista and Windows 7, but every XP machine is unable to run RemoteApp or RDP.  

The XP machine can get past the login page at RemoteApp, but trying to run any applications results in the server requesting the password over and over.  On the server, the security logs report bad password attempts, but it is absolutely not an issue of the password being mistyped.

I am aware of the CredSSP feature and have made the registry adjustment to turn it on.  http://support.microsoft.com/kb/951608

Can anyone suggest something to try next, please?  I am totally stumped here.  XP clients can connect, but absolutely refuse to authenticate.

Thanks for any advice!
Joe
0
Comment
Question by:JOE-BULLITT
  • 11
  • 7
19 Comments
 
LVL 20

Expert Comment

by:woolnoir
ID: 33504368
what version of mstsc are on the clients... is the server set to require network level authentication, and can the client version support it...6.1 or over i think.
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33504421
RemoteApp (or TS RemoteApp) is a special mode of Remote Desktop Services, available only in Remote Desktop Connection 6.1 and above (with Windows Server 2008 being the RemoteApp server), where a remote session connects to a specific application only, rather than the entire Windows desktop. The RDP 6.1 client ships with Windows XP SP3, KB952155 for Windows XP SP2 users,[11] Windows Vista SP1 and Windows Server 2008

---

I guess im checking what SP the windows XP machines are running ?
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 33504546
also RDP client 7 is already out


http://support.microsoft.com/kb/969084

I hope this helps !
0
 

Author Comment

by:JOE-BULLITT
ID: 33504605
Thanks for all the comments.
I have tried this with XPSP2/RDP 6.1, and also XPSP3/RDP 6.1, and XPSP3/RDP 7.0  And have no success getting an account from XP machine to authenticate.
(It seems like it should work.  I figured it anything it could have been CredSSP, but alas it is not.)
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33504663
What error do you get after repeated password entries, anything on the client or serverside ?
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33504694
Sorry - not sure if you answered my previous query or not, is your server set to allow connections ONLY from NLA clients ? it maybe worth changing the value to the reverse and observe the result.
0
 

Author Comment

by:JOE-BULLITT
ID: 33504841
Hi Woolnoir.

The error message is 4625 unknown username or bad password.  But I am am absolutely entering the correct password with the correct username sysntax (domain\username).  I have even tried it with the local administrator credentials, and it will not accept a password.

When you ask about the server only accepting NLA clients, do you mean in the RDP registry?
HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication

Thanks.
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33504878
0
 

Author Comment

by:JOE-BULLITT
ID: 33504938
Oh, right.  Sorry for my confusion.
Yes, it is set to allow connections from all computers running any version of RDP.
0
Do email signature updates give you a headache?

Do you feel like you are constantly making changes to email signatures? Are the images not formatting how you want them to? Want high-quality HTML signatures on all devices, including on mobiles and Macs? Then, let Exclaimer solve all your email signature problems today.

 
LVL 20

Expert Comment

by:woolnoir
ID: 33504960
then you shouldn't need to configure CREDSSP - im wondering if there is a conflict happening between that and the TS server.

Need to have a think.
0
 

Author Comment

by:JOE-BULLITT
ID: 33505287
Right, which is why I am baffled that only XP cannot authenticate.  (BTW, every XP machine, CREDSSP configured or not, will not pass credentials.)
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33509656
Still thinking about this one - i guess you haven't had any progress or inspiration in the meanwhile.
0
 

Author Comment

by:JOE-BULLITT
ID: 33511648
I am still inspired - but no progress yet.  :-)

I am racking my brain here... when I set this up I did have a challenge with the SSL certificate, but I resolved it and have it working.  Is there anything with SSL certs that are unique to XP as opposed to Win 7 or Vista?
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33511740
I think there are some changes to which Certification people the OS supports, but something like that would show up as a pretty obvious error within the browser or OS... I'll have another think about this tonight - just twisting my brain around a Mac issue currently.
0
 

Author Comment

by:JOE-BULLITT
ID: 33513102
I appreciate your assistance very much!
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33513327
do you have a domain or local group on the TS server called "Windows Authorization Access Group" - a associate has suggested adding the TS server machine account to this group if it isnt already.  Can you have a poke acount and let me know how it is on your domain/server ?
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33515226
I am racking my brain here... when I set this up I did have a challenge with the SSL certificate, but I resolved it and have it working.  Is there anything with SSL certs that are unique to XP as opposed to Win 7 or Vista?

--------------
who was the SSL certificate from, and do your XP machines trust the SSL certificate being used... just having a think around this sorta area atm.
0
 

Accepted Solution

by:
JOE-BULLITT earned 0 total points
ID: 33516545
I figured it out!

In Local Policy on the XP machines, I went to "Network security: LAN Manager authentication level" and changed it to "Send NTLMv2 response only" and am now able to authenticate.

On the server the same policy was set to allow only NTLMv2, and I imagine I could have changed it to accept NTLM, but that would not be what I want.  So I now have a solution for XP users!

Thanks very much for helping!
- Joe
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33518353
V.nice Joe - glad you got there in the end, only hope my random ideas helped in some way :)
0

Featured Post

Do email signature updates give you a headache?

Do you feel like you are constantly making changes to email signatures? Are the images not formatting how you want them to? Want high-quality HTML signatures on all devices, including on mobiles and Macs? Then, let Exclaimer solve all your email signature problems today.

Join & Write a Comment

Scenario:  You do full backups to a internal hard drive in either product (SBS or Server 2008).  All goes well for a very long time.  One day, backups begin to fail with a message that the disk is full.  Your disk contains many, many more backups th…
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now