Solved

Not able to connect to terminal server

Posted on 2014-12-24
Last Modified: 2015-01-15

Not able to connect to the terminal server. All other users are able to access it properly; only the user I am trying to give access to on a new laptop is having the problem.

All settings are proper. Still it doesn't connect.
Attachments: lkxjgldgf.jpg, kjhkjh.jpg

Question by:VINOD MORE

51 Comments
 
Expert Comment by:kola12 (LVL 3)
Try adding the certificate to the main trusted CAs on the new laptop.
 
Author Comment by:VINOD MORE (LVL 1)
Which certificate, and how do I do that??
 
Expert Comment by:kola12 (LVL 3)
In your first screenshot you see the certificate. Click the "Install certificate" button and install it in the Trusted Root Certification Authorities store.
 
Author Comment by:VINOD MORE (LVL 1)
Done that; it didn't work for me.
 
Expert Comment by:McKnife (LVL 53)
It would work if you connected to the fully qualified domain name (FQDN) which is on the certificate.
So connect to https://rdadmin.pdlho.local/RDWeb
not to the IP address, because the certificate is issued for the name, not the IP.
 
Author Comment by:VINOD MORE (LVL 1)
Still doesn't connect.

I have made IP-to-FQDN entries in the hosts file; is this OK??
 
Expert Comment by:McKnife (LVL 53)
The name rdadmin.pdlho.local has to resolve to an IP, yes. So the command
nslookup rdadmin.pdlho.local
has to return an IP address, otherwise it won't work. It does not matter if you use the hosts file or a DNS server.

Please give more details on what you have done. While installing the certificate you will have to manually select the store it is installed into: the Trusted Root Certification Authorities store needs to be selected.

Please provide all you have; it should be no problem at all to solve this.
 
Expert Comment by:kola12 (LVL 3)
Do you have a DNS server in your network?
A DNS server resolves names to IP addresses without use of the hosts file.
Maybe try to add rdadmin.pdlho.local to Trusted Sites in Internet Options -> Security tab.
 
Expert Comment by:Rob Williams (LVL 77)
What happens when it fails?  More details would be helpful.

Can that user log on from another computer?  I.e., is it a user issue or a computer issue?
 
Author Comment by:VINOD MORE (LVL 1)
Users access the terminal server from outside the office. All other users are able to log in to the terminal server and use it; even the user who has the problem is able to log in from other systems, but from this fresh new system he is not able to connect. So I tried on 3 other systems for testing, and I am not able to connect. It seems the terminal server is not allowing access from any new systems.

McKnife
I stored the certificate in the location you said, but it didn't work.
If you see the first pic, which is of the Terminal Server (rdadmin.pdlho.local) certificate, it looks expired in February 2014; would that be causing the problem??

kola12
Yes, DNS is there on the local network.
OK, I will try adding rdadmin.pdlho.local to Trusted Sites in Internet Options -> Security tab.

Rob Williams
The error message is in the second pic, which is "This computer can't verify the identity......................"
 
Author Comment by:VINOD MORE (LVL 1)
For troubleshooting purposes, can I access the terminal server through the inside network? Is it possible, or do I have to access it from the outside network itself??
 
Assisted Solution by:McKnife (LVL 53, earned 250 total points)
If the certificate is expired, then it won't be trusted, and that's an explanation. Generate a new one and distribute it.

A TS is accessible from anywhere as long as name resolution is working; the certificate should not matter (remember, it is just a warning, not an error). The cert is used to authenticate the server and to TLS-encrypt the data stream, but it should do without.
 
Author Comment by:VINOD MORE (LVL 1)
So the certificate is not mandatory; even if it's expired, it should connect. Right?? So I won't bother about it much.

So you mean it's a DNS name resolution issue?
I am using Google DNS 8.8.8.8 & 8.8.4.4.

Also, I have made entries in hosts mapping the public IP to the FQDN of the server; is this OK?
 
Author Comment by:VINOD MORE (LVL 1)
Just to update: this morning I tried to connect from my home PC to the TS. I was able to connect.

I just got the message in the attached screenshot, but I was able to log in when I clicked Yes.

But I am still not able to access it on other laptops and elsewhere. What would be the issue?
Attachment: uiiuyi.jpg
 
Expert Comment by:Rob Williams (LVL 77)
>>"For troubleshooting purposes, can I access the terminal server through the inside network?"
Yes, but are you testing from the LAN or externally?  It sounds like you are external, but your first screen capture shows "do you want to save the password for 192.168.x.x", which would be a LAN connection.  Is your FQDN resolving correctly to the public IP rather than the private/LAN IP?
 
Author Comment by:VINOD MORE (LVL 1)
After some research I think it could be a DNS resolving issue, but I don't know how to fix it.
I am trying to use OpenDNS addresses to resolve; will it help?
 
Expert Comment by:Rob Williams (LVL 77)
If you were on the local network you would need a DNS entry on your local DNS server that points rdadmin.pdlho.local to the LAN IP of the RD server or Gateway.  Based on your screenshots I assume this would be 192.168.100.222.

However, when accessing remotely from off-site you need to have a public DNS entry for the public domain.  This would probably be the same domain name except the domain suffix would be something like .com, .net, .uk, etc., instead of .local, and resolve/point to the public IP of your site, not the LAN IP.  This DNS entry is usually managed by your domain registrar.  Since you say this works on other machines, it is probably in place.

If the public DNS record is in place, then it sounds like there is a problem with the problematic machines' DNS configuration.  You mention you have made entries in the Hosts file.  If these are incorrect and pointing to the LAN IP, it is likely the cause of the problem.   If there are no static entries, try changing the DNS server used, when off-site, to something like Google's 8.8.8.8.

On another note, are these machines domain-joined?  If so, the .local certificate should have been automatically added, but appears to be out of date.
 
Author Comment by:VINOD MORE (LVL 1)
No, the machines are not on the domain, as they are at a remote location and have direct connectivity.
I have used both Google and OpenDNS as DNS; still the same issue.
 
Expert Comment by:Rob Williams (LVL 77)
But do you still have Hosts or LMHOSTS file entries?  They take priority over DNS lookups.  If present, you need to delete them and run  ipconfig /flushdns
 
Assisted Solution by:McKnife (LVL 53, earned 250 total points)
Vinod, it should be easy to answer:
1. Does nslookup targetservername provide an IP? ("does name resolution work by now")
2. Did you install the certificate manually to the certificate store "Trusted Root Certification Authorities"?

Without being perfectly sure about that, it's hard to continue.
 
Author Comment by:VINOD MORE (LVL 1)
@Rob Williams
But the entries in the hosts file have always been there on the other (remote) systems, and with them it is also working fine on the other systems at the remote site.
The entries are the following (the public IP is the same for both):
61.16.181.**         rdadmin.pdlho.local
61.16.181.**         rdadmin.pdlho

@McKnife
Remote-site users use data cards to access the Internet, so DNS will be ISP-provided.
From where can I download a valid certificate to install on the client machine?
 
Expert Comment by:Steve (LVL 27)
As it works fine for other people, it's down to working out what's different for the one that isn't working.....

Is the new laptop on the domain or standalone? (Non-domain PCs don't like you using internal addresses for RD Gateway stuff.)

Can another user connect from the new laptop?
Can the new user connect from a laptop that already works?
 
Author Comment by:VINOD MORE (LVL 1)
The new laptops are not on the domain, as these users don't need to log in to the domain, since they are at a remote site.

Another user is also not able to log in on the new laptop.
Yes, the user is able to connect on his existing laptop.
 
Expert Comment by:Steve (LVL 27)
Do you have any non-domain laptops that can connect OK?

Non-domain laptops don't have any info or trusts set up for your internal network. As your RDP system is using internal FQDNs, it struggles on any non-domain machine.

The proper way to fix it is to amend your RDP config to use external FQDNs & proper SSL certificates.
If you can't/don't want to do that, you can try to add the appropriate certs & CAs to the laptops, or just put them on the domain.
 
Author Comment by:VINOD MORE (LVL 1)
Yes, all laptops at remote sites are not on the domain, and they have no issues connecting to the TS.
It's just that this new laptop was assigned to the user, and then this problem was discovered.

*appropriate certs & CAs to the laptops
Where can I find the valid certificate file on the TS? Where can I physically get the certificate from the TS and send it to the user so he can install it?
 
Expert Comment by:Rob Williams (LVL 77)
61.16.181.**         rdadmin.pdlho.local
61.16.181.**         rdadmin.pdlho

These are incorrect entries.
.local is not a public domain suffix, and the latter does not have a suffix.

Everything must be in agreement: the certificate name, the site to which you are connecting, and the appropriate IP.
61.16.181.**         rdadmin.pdlho.xyz
would be a correct entry, and the certificate would also need to be issued for rdadmin.pdlho.xyz.
 
Expert Comment by:Steve (LVL 27)
It looks like @McKnife has already looked at installing the cert with you, so you should already have that in there.
 
Expert Comment by:Rob Williams (LVL 77)
Have you tried copying a connection client (.rdp file) from a working machine to a non-working machine?
 
Expert Comment by:McKnife (LVL 53)
You said "Remote-site users use data cards to access the Internet, so DNS will be ISP-provided" - this does not answer whether name resolution works. Is it possible for you to use nslookup?
"From where can I download a valid certificate" - from where? The server offers one. If it's too old, renew it at the server. If a client connects, he can install that renewed certificate by clicking on "Install certificate" on your own screenshot: http://filedb.experts-exchange.com/incoming/2014/12_w52/889535/lkxjgldgf.jpg

Again: I provided 2 points; clear those and we can advance. I don't understand what is keeping you.
 
Expert Comment by:McKnife (LVL 53)
Please tell me what keeps you from carrying out the instructions you already have.
 
Expert Comment by:Rob Williams (LVL 77)
I agree with McKnife, but could you also advise if this is SBS (Small Business Server)?  Your link refers to SBS.   SBS, unless modified, requires a public certificate to connect.  With 2003 you could ignore the certificate, but you cannot with 2008; but we do not yet have your responses to even isolate if that is the problem.
 
Author Comment by:VINOD MORE (LVL 1)
The TS is a Win 2012 server.
AD is a Win 2k8 server.

As I said, I am able to connect from my home PC to the TS, so it should be able to connect from anywhere, which I tried after this issue came up.
My home PC is Win 7 Prof; it's not on any domain; I am using Google DNS; the host entries in the hosts file are the same as mentioned earlier; and the certificate file of rdadmin.pdlho.local is installed in the Intermediate Certification Authorities group.
Please analyze this and let me know what's going wrong on the other systems and why I am not able to connect from them.
 
Expert Comment by:Rob Williams (LVL 77)
VINOD MORE, as McKnife stated, we cannot really help further until you answer all of our questions; you seem to keep restating the same information.
 
Expert Comment by:McKnife (LVL 53)
Open a command shell and then enter what I suggested earlier, and again earlier:
nslookup targetservername
-> Does it return the IP of the target server? It should; otherwise name resolution is not working.
The cert is in the Intermediate Certification Authorities group? Why not in Trusted Root Certification Authorities? I don't know why you don't follow the suggestions, and I am losing hope that you ever will ;-)
Did you renew the certificate by now? No feedback on that...
 
Author Comment by:VINOD MORE (LVL 1)
McKnife,
On the working system at my home, where I am able to connect to the TS:
Check the nslookup queries in the attached file. It does not resolve the nslookup queries, but it is able to connect. Host entries are there in these systems as mentioned earlier. I did this on my home laptop too, and I am able to connect.
I have added the certificate to Intermediate Trust Root*** because it works when I put it there; it doesn't work when I put it only in the Trusted Root**** category. I don't know why.
I have not renewed the certificate yet, because the certificate looks valid till May 2015.

This all worked on my home PCs. I will try this on the remote sites' systems where it actually needs to be working.
I will do the same settings as on my home PCs on the remote site PCs; let's see what the outcome is. If it works, then the issue is resolved.
Attachment: nslookup.jpg
 
Expert Comment by:McKnife (LVL 53)
nslookup does not use the hosts file (while ping does), so the hosts file is enough. If the cert is valid until May 2015, that is no problem, too. If your **** were Trusted Root Certification Authorities, it would work. What do the **** stand for? Good luck with it, and happy new year!
 
Author Comment by:VINOD MORE (LVL 1)
I mean when I installed the certificate in Intermediate Certification Authorities it worked, and in Trusted Root Certification Authorities it didn't work.
I will try today, on the remote site systems, the same working settings which I did on my home PC and laptop, and will check if it works. It should work ideally... I shall let you know soon.
 
Author Comment by:VINOD MORE (LVL 1)
Today's update:
Still doesn't connect on this specific laptop (although it has been formatted and re-installed).
The laptop is using a data card to access the Internet; the Internet is working fine.
Please find pics for more info.
Attachments: DFSDF4.jpg, sdfdsf.jpg, sdsds.jpg
 
Expert Comment by:McKnife (LVL 53)
Vinod, the hosts file shows a blank before .local. Fix that and retry.
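Added example (PowerShell, written for this edit; it is not code from the thread or from any of its participants). It shows the two points the experts kept returning to: nslookup queries DNS only, while the connection itself goes through the Windows resolver, which reads the hosts file first; and a hosts entry with a stray blank, as McKnife spotted, defines names that never match the FQDN typed into mstsc. The server name, the default hosts file path and the RDP port 3389 are assumptions taken from the thread; run it on the failing laptop.

```powershell
# Added example, not code from the thread. Assumed values: the server name from
# the thread, the default Windows hosts file path, and the RDP port 3389.
param(
    [string]$Name      = 'rdadmin.pdlho.local',
    [string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
)

# 1. Parse the hosts file the way the resolver does: drop comments, split on
#    whitespace. "61.16.181.**  rdadmin.pdlho .local" (stray blank) therefore
#    defines the names "rdadmin.pdlho" and ".local", neither of which is the
#    FQDN typed into mstsc, so the entry silently never matches.
$entries = foreach ($line in Get-Content -Path $HostsPath -ErrorAction Stop) {
    $text = ($line -split '#', 2)[0].Trim()
    if (-not $text) { continue }
    $fields = $text -split '\s+'
    if ($fields.Count -lt 2) { continue }   # address with no name: Windows ignores it too
    [pscustomobject]@{ IP = $fields[0]; Names = $fields[1..($fields.Count - 1)] }
}

$exact = @($entries | Where-Object { $_.Names -contains $Name })
if ($exact.Count -gt 0) {
    "hosts file maps $Name -> $(($exact | ForEach-Object IP) -join ', ')"
} else {
    "hosts file has NO entry for $Name"
    # Near misses: a token that is only a fragment of the wanted name usually
    # means a typo or a stray space in the entry.
    foreach ($e in $entries) {
        $frag = $e.Names | Where-Object { $_ -ne $Name -and $Name -like "*$_*" }
        if ($frag) { "  suspicious entry: $($e.IP)  $($e.Names -join ' ')" }
    }
}

# 2. What the Windows resolver returns (hosts file first, then DNS). This is
#    the address mstsc will actually connect to.
$sys = @()
try {
    $sys = @([System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object IPAddressToString)
    "system resolver: $($sys -join ', ')"
} catch { "system resolver: FAILED ($($_.Exception.Message))" }

# 3. What DNS alone returns. -DnsOnly bypasses the hosts file and the cache,
#    which is why nslookup can fail on a machine that still connects fine.
try {
    $dns = @(Resolve-DnsName -Name $Name -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -in 'A', 'AAAA' } | ForEach-Object IPAddress)
    "DNS only:        $($dns -join ', ')"
} catch { "DNS only:        no record ($($_.Exception.Message))" }

# 4. Is the address the client will use reachable on the RDP port?
if ($sys.Count -gt 0) {
    $open = Test-NetConnection -ComputerName $sys[0] -Port 3389 -InformationLevel Quiet
    "TCP 3389 to $($sys[0]): " + $(if ($open) { 'open' } else { 'closed or filtered' })
}
```

A laptop that prints "hosts file has NO entry" plus a "suspicious entry" line has exactly the malformed entry discussed above; a laptop where the system resolver returns the public IP but "DNS only" reports no record is the normal state for a .local name carried in the hosts file, and nslookup failing there is not the problem.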
 
Author Comment by:VINOD MORE (LVL 1)
OK, I will fix that and re-check.
 
Assisted Solution by:Rob Williams (LVL 77, earned 250 total points)
Neither of those hosts file entries is correct from off-site.

Assuming this is Server 2008 or newer, you need to have a public SSL certificate.  You cannot use .local for a public certificate, and the second host entry is not an FQDN.

The public DNS record (in your case the hosts file), the certificate name, and the site to which you connect using RDP must all be the same and in the format  rdadmin.pdlho.abc  where abc is an accepted top-level domain suffix.

You have not yet confirmed which server version and whether SBS or not.
As suggested earlier, have you tried copying the rdp connection from a working system?  It may have TS Gateway settings you are not using in your new connections.
 
Author Comment by:VINOD MORE (LVL 1)
If the same host entries are working on other systems, then it should be fine.
The terminal server is Windows Server 2012.
Somehow I am not able to open the RDWeb web page on any system from outside. Why is that?
How can I download a working certificate??
 
Expert Comment by:Rob Williams (LVL 77)
>>"Somehow I am not able to open the RDWeb web page on any system from outside"

Assuming it is configured with standard options, accessing an RD server requires a certificate to be installed.  Internally one is generated automatically, probably in the name rdadmin.pdlho.local.

Externally you need to have a registered domain name, such as  rdadmin.pdlho.abc, and then purchase a certificate for that FQDN from a provider such as GoDaddy.com and install it on the server.  The clients will automatically accept the certificate because it is from a recognized source, and allow a connection.

With Server 2000/2003, when you got the certificate warning you could just click ignore and it would bypass, but not so with 2008 and newer.

However, I thought you said some systems could connect from off-site?  If so, that would make me question if that is the problem.
 
Author Comment by:VINOD MORE (LVL 1)
@Rob
I am not able to connect to the RD Web page, which is https://61.16.181.67/rdweb, from anywhere. It shows a warning that it's not safe to connect; when I click agree and continue, it shows "page cannot be displayed"... even on working systems, where the TS is working properly, this page doesn't open at all.

I have no idea what to do with the certificate stuff, because I am the support guy here; I may not be allowed to do this.

It's Windows Server 2012 version, confirmed.
 
Expert Comment by:Rob Williams (LVL 77)
>>"I am not able to connect to the RD Web page, which is https://61.16.181.67/rdweb"
You cannot connect using an IP address, as it will not match any certificate.  Again, you could with Server 2000/2003.

The following outlines creating, obtaining, and installing a certificate for the RD Gateway.
http://technet.microsoft.com/en-us/library/dd320345(v=ws.10).aspx
 
Author Comment by:VINOD MORE (LVL 1)
The certificate looks expired on the server; what shall I do next??
Attachment: cert-rd.jpg
 
Expert Comment by:Steve (LVL 27)
Yeah, it's expired, and it's a self-signed cert too. As noted above, non-domain machines tend to be hard to please when using self-signed SSL certificates.

You'd be best to buy a proper SSL certificate, as it's much simpler when accessing externally & using non-domain PCs, but you can self-sign a new SSL certificate internally for free if you'd prefer. You'd probably need to install the cert onto non-domain PCs manually.
 
Author Comment by:VINOD MORE (LVL 1)
Looks like the big mystery is about to end. A self-signed certificate was created yesterday on the TS.
I will check on the remote systems and shall update soon.

Do I have to manually install the certificate on any new systems? If yes, where do I need to install it? I mean Trusted Root** or Intermediate, etc.?
 
Accepted Solution by:Rob Williams (LVL 77, earned 250 total points)
You have to manually install it on each connecting PC in the Trusted Root certificate store.  Domain-joined machines, if connected to the domain, should update automatically.

The advantage of a 3rd-party purchased certificate is that it is automatically accepted, and you don't have to manually add it to each machine or device.  They only cost about $70/year.  If also connecting with devices like iPads and tablets, installing self-signed certificates can be very problematic.
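Added example (PowerShell, written for this edit; not code from the thread or from Microsoft). On a non-domain client it fetches the certificate the server presents on port 443 (RDWeb / RD Gateway), checks the three separate failures this thread ran into (certificate expired, the name typed in not being a name on the certificate, no trusted chain on this machine), and with -Import places the certificate in Trusted Root Certification Authorities as the accepted answer says. The server name and port 443 are assumptions; the RDP session on 3389 negotiates TLS only after an X.224 exchange, so the script deliberately looks at 443, where a plain TLS handshake works.

```powershell
# Added example, not code from the thread. Run on the non-domain client, using
# the same name the user types into mstsc or the browser. Assumed: port 443.
param(
    [Parameter(Mandatory = $true)][string]$ServerName,   # e.g. rdadmin.pdlho.local
    [int]$Port = 443,
    [switch]$Import
)

function Get-RemoteCertificate {
    param([string]$Name, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($Name, $Port)
    try {
        # Accept anything in the callback: we want to inspect the certificate
        # even when this machine does not trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Name)        # $Name is also sent as SNI
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
        return $cert
    } finally { $client.Dispose() }
}

$cert  = Get-RemoteCertificate -Name $ServerName -Port $Port
$names = @($cert.DnsNameList | ForEach-Object Unicode)   # SAN DNS names, or the subject CN
"Subject    : $($cert.Subject)"
"Issuer     : $($cert.Issuer)"
"Valid      : $($cert.NotBefore.ToString('yyyy-MM-dd')) to $($cert.NotAfter.ToString('yyyy-MM-dd'))"
"DNS names  : $($names -join ', ')"
"Thumbprint : $($cert.Thumbprint)"

# The three independent failures seen in this thread. Any one of them makes the
# RDP client show "This computer can't verify the identity ..." or the browser
# refuse the page.
$problems = @()
if ($cert.NotAfter -lt (Get-Date)) {
    $problems += "expired on $($cert.NotAfter.ToString('yyyy-MM-dd'))"
}
if ($names -notcontains $ServerName) {
    $problems += "'$ServerName' is not a name on the certificate; connect with one of: $($names -join ', ') (an IP address never matches)"
}
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object Status) -join ', '
    $problems += "chain does not end in a trusted root on this machine ($status)"
}
if ($problems.Count -eq 0) { 'OK: this client would accept the certificate' }
else { $problems | ForEach-Object { "PROBLEM: $_" } }

# A self-signed certificate is its own root, so it is only trusted when the
# certificate itself sits in Trusted Root Certification Authorities; putting it
# in Intermediate leaves the chain without a trusted anchor. Importing a leaf
# into Root also makes this machine trust that key as a CA, so compare the
# thumbprint printed above with the one on the server before doing it.
if ($Import) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Add($cert)
    $store.Close()
    "imported into Cert:\LocalMachine\Root (needs an elevated prompt)"
}
```

Run it once without -Import to see which of the three checks fails; on the machines in this thread the expected output before the certificate was renewed is an "expired" line, and on any machine where the user connects by IP a "not a name on the certificate" line, which no amount of importing fixes. The chain check is the one that distinguishes the Intermediate store from the Root store. Importing into LocalMachine\Root needs an elevated PowerShell prompt; it is the same operation as the "Install certificate" button from the screenshots, just with the store chosen explicitly.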
