Solved

Cannot log into TS Web Access or TS Gateway from (only) XP computers

Posted on 2010-08-23
Last Modified: 2013-11-21
Hello.

I am running Server 2008 R2 and am hosting terminal services, with RemoteApp web access and TS Gateway access.  

Everything works fine from Vista and Windows 7, but every XP machine is unable to run RemoteApp or RDP.  

The XP machine can get past the login page at RemoteApp, but trying to run any applications results in the server requesting the password over and over.  On the server, the security logs report bad password attempts, but it is absolutely not an issue of the password being mistyped.

I am aware of the CredSSP feature and have made the registry adjustment to turn it on.  http://support.microsoft.com/kb/951608

Can anyone suggest something to try next, please?  I am totally stumped here.  XP clients can connect, but absolutely refuse to authenticate.

Thanks for any advice!
Joe
0
Question by:JOE-BULLITT
 
LVL 20

Expert Comment

by:woolnoir
ID: 33504368
What version of mstsc is on the clients... Is the server set to require Network Level Authentication, and can the client version support it... 6.1 or over, I think.
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33504421
RemoteApp (or TS RemoteApp) is a special mode of Remote Desktop Services, available only in Remote Desktop Connection 6.1 and above (with Windows Server 2008 being the RemoteApp server), where a remote session connects to a specific application only, rather than the entire Windows desktop. The RDP 6.1 client ships with Windows XP SP3, KB952155 for Windows XP SP2 users, Windows Vista SP1 and Windows Server 2008.

---

I guess I'm checking what SP the Windows XP machines are running?
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 33504546
Also, RDP client 7 is already out.


http://support.microsoft.com/kb/969084

I hope this helps !
0
 

Author Comment

by:JOE-BULLITT
ID: 33504605
Thanks for all the comments.
I have tried this with XPSP2/RDP 6.1, and also XPSP3/RDP 6.1, and XPSP3/RDP 7.0, and have had no success getting an account from an XP machine to authenticate.
(It seems like it should work.  I figured if anything it could have been CredSSP, but alas it is not.)
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33504663
What error do you get after repeated password entries, anything on the client or server side?
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33504694
Sorry - not sure if you answered my previous query or not. Is your server set to allow connections ONLY from NLA clients? It may be worth changing the value to the reverse and observing the result.
0
 

Author Comment

by:JOE-BULLITT
ID: 33504841
Hi Woolnoir.

The error message is 4625 unknown username or bad password.  But I am absolutely entering the correct password with the correct username syntax (domain\username).  I have even tried it with the local administrator credentials, and it will not accept a password.

When you ask about the server only accepting NLA clients, do you mean in the RDP registry?
HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication

Thanks.
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33504878
0
 

Author Comment

by:JOE-BULLITT
ID: 33504938
Oh, right.  Sorry for my confusion.
Yes, it is set to allow connections from all computers running any version of RDP.
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33504960
Then you shouldn't need to configure CredSSP - I'm wondering if there is a conflict happening between that and the TS server.

Need to have a think.
0
 

Author Comment

by:JOE-BULLITT
ID: 33505287
Right, which is why I am baffled that only XP cannot authenticate.  (BTW, every XP machine, CREDSSP configured or not, will not pass credentials.)
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33509656
Still thinking about this one - I guess you haven't had any progress or inspiration in the meanwhile.
0
 

Author Comment

by:JOE-BULLITT
ID: 33511648
I am still inspired - but no progress yet.  :-)

I am racking my brain here... when I set this up I did have a challenge with the SSL certificate, but I resolved it and have it working.  Is there anything with SSL certs that are unique to XP as opposed to Win 7 or Vista?
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33511740
I think there are some changes to which Certification people the OS supports, but something like that would show up as a pretty obvious error within the browser or OS... I'll have another think about this tonight - just twisting my brain around a Mac issue currently.
0
 

Author Comment

by:JOE-BULLITT
ID: 33513102
I appreciate your assistance very much!
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33513327
Do you have a domain or local group on the TS server called "Windows Authorization Access Group"? An associate has suggested adding the TS server machine account to this group if it isn't already.  Can you have a poke around and let me know how it is on your domain/server?
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33515226
I am racking my brain here... when I set this up I did have a challenge with the SSL certificate, but I resolved it and have it working.  Is there anything with SSL certs that are unique to XP as opposed to Win 7 or Vista?

--------------
Who was the SSL certificate from, and do your XP machines trust the SSL certificate being used... just having a think around this sorta area atm.
0
 

Accepted Solution

by:
JOE-BULLITT earned 0 total points
ID: 33516545
I figured it out!

In Local Policy on the XP machines, I went to "Network security: LAN Manager authentication level" and changed it to "Send NTLMv2 response only" and am now able to authenticate.

On the server the same policy was set to allow only NTLMv2, and I imagine I could have changed it to accept NTLM, but that would not be what I want.  So I now have a solution for XP users!

Thanks very much for helping!
- Joe
0
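The mismatch behind the accepted solution, modelled as an added example that is not part of the original thread: it reads the `LmCompatibilityLevel` value from captured `reg query` output and checks whether a client at that level can authenticate to a server at a given level. The host names and captures are constructed, the server level 5 is assumed from "allow only NTLMv2", and the set-intersection check is a simplified model of the documented level semantics.

```python
import re

# "Network security: LAN Manager authentication level" is stored in
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa as LmCompatibilityLevel (DWORD 0-5).
# Response types a client at each level sends:
SENDS = {0: {"LM", "NTLM"}, 1: {"LM", "NTLM"}, 2: {"NTLM"},
         3: {"NTLMv2"}, 4: {"NTLMv2"}, 5: {"NTLMv2"}}
# Response types the authenticating server at each level accepts:
ACCEPTS = {lvl: {"LM", "NTLM", "NTLMv2"} for lvl in range(4)}
ACCEPTS[4] = {"NTLM", "NTLMv2"}  # refuse LM
ACCEPTS[5] = {"NTLMv2"}          # refuse LM & NTLM
# Level in effect when the value is absent from the registry.
OS_DEFAULT = {"xp": 0, "vista": 3, "win7": 3}

VALUE_RE = re.compile(r"LmCompatibilityLevel\s+REG_DWORD\s+0x([0-9a-f]+)", re.I)

def effective_level(reg_output, os_name):
    """Level from captured `reg query` text, or the OS default if unset."""
    match = VALUE_RE.search(reg_output)
    level = int(match.group(1), 16) if match else OS_DEFAULT[os_name]
    if level not in SENDS:
        raise ValueError(f"LmCompatibilityLevel out of range: {level}")
    return level

def can_authenticate(client_level, server_level):
    """True if the server accepts at least one response type the client sends."""
    return bool(SENDS[client_level] & ACCEPTS[server_level])

def audit(captures, server_level):
    """Map host -> (effective level, whether logon can succeed)."""
    report = {}
    for host, (os_name, text) in captures.items():
        level = effective_level(text, os_name)
        report[host] = (level, can_authenticate(level, server_level))
    return report

# Constructed sample captures (hypothetical hosts), not taken from the thread.
KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
NOT_SET = "ERROR: The system was unable to find the specified registry key or value."
SAMPLES = {
    "XP-UNSET": ("xp", NOT_SET),
    "XP-FIXED": ("xp", KEY + "\n    LmCompatibilityLevel    REG_DWORD    0x3\n"),
    "WIN7-UNSET": ("win7", NOT_SET),
}

if __name__ == "__main__":
    for host, (level, ok) in audit(SAMPLES, server_level=5).items():
        print(f"{host}: level {level} -> {'OK' if ok else 'rejected (event 4625)'}")
```

Raising the XP clients to level 3 keeps the server at its NTLMv2-only setting, which is the direction the accepted solution takes rather than lowering the server to accept NTLM.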
 
LVL 20

Expert Comment

by:woolnoir
ID: 33518353
V.nice Joe - glad you got there in the end, only hope my random ideas helped in some way :)
0
