  • Status: Solved

Cannot log into TS Web Access or TS Gateway from (only) XP computers

Hello.

I am running Server 2008 R2 and am hosting terminal services, with RemoteApp web access and TS Gateway access.  

Everything works fine from Vista and Windows 7, but every XP machine is unable to run RemoteApp or RDP.  

The XP machine can get past the login page at RemoteApp, but trying to run any applications results in the server requesting the password over and over.  On the server, the security logs report bad password attempts, but it is absolutely not an issue of the password being mistyped.

I am aware of the CredSSP feature and have made the registry adjustment to turn it on.  http://support.microsoft.com/kb/951608

Can anyone suggest something to try next, please?  I am totally stumped here.  XP clients can connect, but absolutely refuse to authenticate.

Thanks for any advice!
Joe
0
Asked by: JOE-BULLITT
 
woolnoirCommented:
What version of mstsc is on the clients... Is the server set to require Network Level Authentication, and can the client version support it... 6.1 or over, I think.
0
 
woolnoirCommented:
RemoteApp (or TS RemoteApp) is a special mode of Remote Desktop Services, available only in Remote Desktop Connection 6.1 and above (with Windows Server 2008 being the RemoteApp server), where a remote session connects to a specific application only, rather than the entire Windows desktop. The RDP 6.1 client ships with Windows XP SP3, KB952155 for Windows XP SP2 users,[11] Windows Vista SP1 and Windows Server 2008

---

I guess I'm checking what SP the Windows XP machines are running?
0
 
SysExpertCommented:
Also, RDP client 7 is already out:


http://support.microsoft.com/kb/969084

I hope this helps !
0
 
JOE-BULLITTAuthor Commented:
Thanks for all the comments.
I have tried this with XPSP2/RDP 6.1, and also XPSP3/RDP 6.1, and XPSP3/RDP 7.0, and have had no success getting an account from an XP machine to authenticate.
(It seems like it should work.  I figured if anything it could have been CredSSP, but alas it is not.)
0
 
woolnoirCommented:
What error do you get after repeated password entries? Anything on the client or server side?
0
 
woolnoirCommented:
Sorry - not sure if you answered my previous query or not. Is your server set to allow connections ONLY from NLA clients? It may be worth changing the value to the reverse and observing the result.
0
 
JOE-BULLITTAuthor Commented:
Hi Woolnoir.

The error message is 4625 unknown username or bad password.  But I am absolutely entering the correct password with the correct username syntax (domain\username).  I have even tried it with the local administrator credentials, and it will not accept a password.

When you ask about the server only accepting NLA clients, do you mean in the RDP registry?
HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication

Thanks.
0
 
woolnoirCommented:
0
 
JOE-BULLITTAuthor Commented:
Oh, right.  Sorry for my confusion.
Yes, it is set to allow connections from all computers running any version of RDP.
0
 
woolnoirCommented:
Then you shouldn't need to configure CREDSSP - I'm wondering if there is a conflict happening between that and the TS server.

Need to have a think.
0
 
JOE-BULLITTAuthor Commented:
Right, which is why I am baffled that only XP cannot authenticate.  (BTW, every XP machine, CREDSSP configured or not, will not pass credentials.)
0
 
woolnoirCommented:
Still thinking about this one - I guess you haven't had any progress or inspiration in the meanwhile.
0
 
JOE-BULLITTAuthor Commented:
I am still inspired - but no progress yet.  :-)

I am racking my brain here... when I set this up I did have a challenge with the SSL certificate, but I resolved it and have it working.  Is there anything with SSL certs that are unique to XP as opposed to Win 7 or Vista?
0
 
woolnoirCommented:
I think there are some changes to which Certification people the OS supports, but something like that would show up as a pretty obvious error within the browser or OS... I'll have another think about this tonight - just twisting my brain around a Mac issue currently.
0
 
JOE-BULLITTAuthor Commented:
I appreciate your assistance very much!
0
 
woolnoirCommented:
Do you have a domain or local group on the TS server called "Windows Authorization Access Group"? An associate has suggested adding the TS server machine account to this group if it isn't already.  Can you have a poke around and let me know how it is on your domain/server?
0
 
woolnoirCommented:
I am racking my brain here... when I set this up I did have a challenge with the SSL certificate, but I resolved it and have it working.  Is there anything with SSL certs that are unique to XP as opposed to Win 7 or Vista?

--------------
Who was the SSL certificate from, and do your XP machines trust the SSL certificate being used... Just having a think around this sorta area atm.
0
 
JOE-BULLITTAuthor Commented:
I figured it out!

In Local Policy on the XP machines, I went to "Network security: LAN Manager authentication level" and changed it to "Send NTLMv2 response only" and am now able to authenticate.

On the server the same policy was set to allow only NTLMv2, and I imagine I could have changed it to accept NTLM, but that would not be what I want.  So I now have a solution for XP users!

Thanks very much for helping!
- Joe
0
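The mismatch behind the accepted fix, as an added example that is not part of the original thread: the policy "Network security: LAN Manager authentication level" is stored as `LmCompatibilityLevel` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, and a server that refuses LM and NTLM (level 5) rejects any client below level 3, which is where XP sits when the value is unset. The host names and `reg query` outputs below are constructed sample data.

```python
import re

# LmCompatibilityLevel values and the policy text shown in Local Security Policy.
POLICY = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only. Refuse LM",
    5: "Send NTLMv2 response only. Refuse LM & NTLM",
}
# Value absent from the registry: XP behaves as level 0, Vista/7 and later as 3.
DEFAULT_LEVEL = {"xp": 0, "vista+": 3}

def parse_level(reg_output, os_family):
    """Extract the level from `reg query <Lsa key> /v LmCompatibilityLevel` output."""
    m = re.search(r"LmCompatibilityLevel\s+REG_DWORD\s+(0x[0-9a-fA-F]+)", reg_output)
    if m is None:                       # value not set: the OS default applies
        return DEFAULT_LEVEL[os_family]
    return int(m.group(1), 16)

def client_sends(level):
    """Response types a client at this level puts on the wire."""
    return {"NTLMv2"} if level >= 3 else {"NTLM"} if level == 2 else {"LM", "NTLM"}

def server_accepts(level):
    """Response types a server at this level will validate."""
    return {5: {"NTLMv2"}, 4: {"NTLM", "NTLMv2"}}.get(level, {"LM", "NTLM", "NTLMv2"})

def audit(server_level, clients):
    """Return {host: (level, policy text, ok)}; ok=False means the logon is rejected."""
    accepted = server_accepts(server_level)
    report = {}
    for host, (os_family, reg_output) in clients.items():
        level = parse_level(reg_output, os_family)
        report[host] = (level, POLICY[level], bool(client_sends(level) & accepted))
    return report

# Constructed sample input: one `reg query` result per client.
NOT_SET = "ERROR: The system was unable to find the specified registry key or value."
CLIENTS = {
    "XP-FRONTDESK": ("xp", NOT_SET),
    "XP-LAB": ("xp", "! REG.EXE VERSION 3.0\n\nHKEY_LOCAL_MACHINE\\SYSTEM\\"
               "CurrentControlSet\\Control\\Lsa\n    LmCompatibilityLevel\tREG_DWORD\t0x3\n"),
    "WIN7-01": ("vista+", NOT_SET),
}
SERVER_LEVEL = 5   # "Send NTLMv2 response only. Refuse LM & NTLM"

if __name__ == "__main__":
    for host, row in audit(SERVER_LEVEL, CLIENTS).items():
        print(host, row)
```

A rejected client shows up on the server as event 4625 with a bad-password reason even though the password is correct, which matches the symptom in the question.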
 
woolnoirCommented:
V.nice Joe - glad you got there in the end, only hope my random ideas helped in some way :)
0
