Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
If you upgraded a Windows NT domain to Windows 2000 or Windows Server 2003, then the certificate on the terminal server might be corrupted. As a result, Windows 2000 Terminal Services clients might be repeatedly denied access to the terminal server.
On each terminal server, back up and then delete the Certificate, X509 Certificate, and X509 Certificate ID registry subkeys. Then, on each client, back up and then delete the MSLicensing registry key.
Warning
Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
To back up and then delete the Certificate, X509 Certificate, and X509 Certificate ID registry subkeys
On each terminal server, create a backup of the registry.
Navigate to the following registry subkey: HKLM\SYSTEM\CurrentControlSet\Services\TermServices\Parameters.
On the Registry menu, click Export Registry File.
In the File name box, type exported-parameters, and then click Save.
If you need to restore this registry subkey in the future, double-click exported-parameters.reg.
Under the Parameters registry subkey, right-click each of the following values:
Certificate
X509 Certificate
X509 Certificate ID
Click Delete, and then click Yes to confirm the deletion.
Close Registry Editor, and then restart each terminal server.
Warning
Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
To back up and then delete the MSLicensing registry key
On the client, navigate to the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing.
Click MSLicensing.
On the Registry menu, click Export Registry File.
In the File name box, type mslicensingbackup, and then click Save.
If you need to restore this registry key in the future, double-click mslicensingbackup.reg.
On the Edit menu, click Delete, and then click Yes to confirm the deletion of the MSLicensing registry subkey.
Close Registry Editor, and then restart the client.
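The client-side procedure above can also be scripted. The following is an added example, not part of the original page or Microsoft's tooling: it exports the MSLicensing key with reg.exe, confirms the backup names the key, and only then deletes it. The backup folder and the function name are assumptions.

```powershell
# Added example: scripted form of the client-side MSLicensing procedure.
# Run from an elevated prompt on the client. reg.exe is used so the backup is
# a .reg file that can be restored by double-clicking it.

$Key        = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing'  # path from the page
$BackupFile = Join-Path $env:USERPROFILE 'mslicensingbackup.reg'   # folder is an assumption

# Hypothetical helper name; returns $true only if the key was backed up and deleted.
function Backup-AndRemoveRegistryKey {
    param([string]$KeyPath, [string]$OutFile)

    # Nothing to do if the key is already absent.
    if (-not (Test-Path "Registry::$KeyPath")) {
        Write-Host "Key not present, nothing to delete: $KeyPath"
        return $false
    }

    # Never overwrite an earlier backup: it may be the only good copy.
    if (Test-Path $OutFile) {
        throw "Backup file already exists: $OutFile"
    }

    & reg.exe export $KeyPath $OutFile > $null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed for $KeyPath" }

    # Confirm the export is on disk and contains the key header before deleting.
    if (-not ((Get-Content $OutFile) -contains "[$KeyPath]")) {
        throw "Backup does not contain [$KeyPath]; key left in place"
    }

    & reg.exe delete $KeyPath /f > $null
    if ($LASTEXITCODE -ne 0) { throw "reg delete failed for $KeyPath" }

    Write-Host "Deleted $KeyPath; backup saved to $OutFile"
    return $true
}

Backup-AndRemoveRegistryKey -KeyPath $Key -OutFile $BackupFile
# Restart the client afterwards, as in the last step of the procedure.
```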
If the client still cannot connect to the terminal server, then perform the following procedures.
On the client, back up and then delete the MSLicensing registry key and its subkeys.
On each terminal server, back up and then delete the Certificate, X509 Certificate, and X509 Certificate ID registry subkeys.
Deactivate the license server.
Reactivate the license server by using the Telephone connection method in the Terminal Server License Server Wizard.
You might need to deactivate a Terminal Server license server when the certificate of the server has expired or becomes corrupted, or when the server is being redeployed. You will be prompted to reactivate the Terminal Server license server when its registration has expired. When you deactivate a Terminal Server license server, you will not be able to license additional clients from this server until it is reactivated.
You can deactivate a server by doing one of the following:
Using the Automatic method
Using the Telephone method
- You cannot deactivate a Terminal Server license server by using the Web browser connection method.
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider Using Run as (https://go.microsoft.com/fwlink/?LinkID=48886).
To deactivate a license server using the Automatic method
Open Terminal Server Licensing. To open Terminal Server Licensing, click Start, click Control Panel, double-click Administrative Tools, and then double-click Terminal Server Licensing.
In the console tree, right-click the Terminal Server license server you want to deactivate, point to Advanced, and then click Deactivate Server. The Terminal Server License Server Wizard starts.
In Required Information, confirm that your name, phone number, company, and country or region are correct, and then click Next.
Your request to deactivate the Terminal Server license server is sent to the Microsoft Clearinghouse for processing.
Click Finish.
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider Using Run as (https://go.microsoft.com/fwlink/?LinkID=48886).
To deactivate a license server using the Telephone method
Open Terminal Server Licensing. To open Terminal Server Licensing, click Start, click Control Panel, double-click Administrative Tools, and then double-click Terminal Server Licensing.
In the console tree, right-click the Terminal Server license server you want to deactivate, point to Advanced, and then click Deactivate Server. The Terminal Server License Server Wizard starts.
Select Telephone, and then click Next.
Specify your location, and then click Next.
Call the telephone number displayed in the wizard, and give the Customer Support representative the Product ID that is displayed below the telephone number.
In the boxes in the wizard, type the 35-digit confirmation code provided by the Customer Support representative, then click Next.
Click Finish.
When you activate Terminal Server Licensing by using the Telephone option, Terminal Server Licensing uses a different certificate. You will receive a telephone call from the Microsoft Clearinghouse confirming that the license server has been reactivated. When a license server is reactivated, a record of your licenses is retained. Licenses that were already issued remain valid, and any un-issued licenses are also valid, but must be reissued through the Microsoft Clearinghouse.
You must reactivate a license server when its registration has expired.
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider Using Run as (https://go.microsoft.com/fwlink/?LinkID=48886).
To reactivate a license server
Open Terminal Server Licensing. To open Terminal Server Licensing, click Start, click Control Panel, double-click Administrative Tools, and then double-click Terminal Server Licensing.
In the console tree, right-click the Terminal Server license server you want to reactivate, point to Advanced, and then click Reactivate Server. The Terminal Server License Server Wizard starts.
In Information Needed, confirm that your name, phone number, and e-mail address are correct.
In Reason, select the appropriate reason for reactivating the license server, and click Finish.
Your request to reactivate the license server is sent to the Microsoft Clearinghouse for processing.
Windows XP-based clients might be attempting to connect to a Windows 2000 terminal server in a low-bandwidth network environment, in which client sessions are encrypted. In this case, IP packet fragmentation can cause encrypted frames that are sent by a client to be decrypted incorrectly.
- On the terminal server, install Windows 2000 Service Pack 4 (SP4). To download SP4, see Windows 2000 Service Packs (https://go.microsoft.com/fwlink/?LinkID=28213) on the Microsoft Web site.
The Remote Desktop Protocol (RDP) encryption settings on the terminal server and the client might not be compatible. For example, the terminal server might be running 128-bit encryption with an encryption level set to High. When this occurs, "Event ID 50, Source: TermDD" appears in the system event log on the terminal server.
Change the RDP encryption level on the terminal server to Medium or Low (if the terminal server is running Windows 2000) or to Client Compatible or Low (if the terminal server is running Windows Server 2003).
You can change the RDP encryption level on the terminal server by doing one of the following:
Using Terminal Services Configuration (Windows 2000)
Using Group Policy (Windows Server 2003)
Using Terminal Services Configuration (Windows Server 2003)
When you change the encryption level, the new encryption level takes effect the next time a user logs on. If you require multiple levels of encryption on one server, install multiple network adapters and configure each adapter separately.
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider Using Run as (https://go.microsoft.com/fwlink/?LinkID=48886).
To change the RDP encryption level using Terminal Services Configuration (Windows 2000)
Open Terminal Services Configuration. To open Terminal Services Configuration, click Start, point to Programs, point to Administrative Tools, and then click Terminal Services Configuration.
In the console tree, click Connections.
In the details pane, right-click the connection that you want to modify, and then click Properties.
On the General tab, in Encryption level, click Low or Medium:
The Low setting encrypts data sent from the client to the server by using either 40-bit or 56-bit encryption. A Windows 2000 terminal server uses 56-bit encryption when Windows 2000 clients connect to it and 40-bit encryption when earlier versions of the client connect to it.
The Medium level encrypts data sent from client to server and from server to client by using either 40-bit encryption or 56-bit encryption. A Windows 2000 terminal server uses 56-bit encryption when Windows 2000 clients connect to it and 40-bit encryption when earlier versions of the client connect.
Any encryption level settings that you configure in Group Policy override the configuration that you set by using the Terminal Services Configuration tool. Use this procedure to configure the local Group Policy object. To change a policy for a domain or an organizational unit, you must log on as an administrator. Then, you must open Group Policy by using the Active Directory Users and Computers snap-in.
Important
You should thoroughly test any changes you make to Group Policy settings before applying them to users or computers.
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider Using Run as (https://go.microsoft.com/fwlink/?LinkID=48886).
To change the RDP encryption level using Group Policy (Windows Server 2003)
Open Group Policy.
In Computer Configuration, Administrative Templates, Windows Components, Terminal Services, Encryption and Security, double-click the Set client connection encryption level setting, and verify that the setting is set to Enabled.
In the Encryption Level list, click Client Compatible or Low Level, and then click OK.
The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client.
The Low setting encrypts data sent from the client to the server using 56-bit encryption.
Any encryption level settings that you configure in Group Policy override the configuration that you set by using the Terminal Services Configuration tool.
To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider Using Run as (https://go.microsoft.com/fwlink/?LinkID=48886).
To change the RDP encryption level using Terminal Services Configuration (Windows Server 2003)
Open Terminal Services Configuration. To open Terminal Services Configuration, click Start, click Control Panel, double-click Administrative Tools, and then double-click Terminal Services Configuration.
In the console tree, click Connections.
In the details pane, right-click the connection you want to modify, and then click Properties.
On the General tab, in Encryption level, click Low or Client Compatible.
The Low setting encrypts data sent from the client to the server using 56-bit encryption.
The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client.
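To see which encryption level is actually in force after these changes, the following added example (not part of the original page) reports the level per connection on a Windows Server 2003 terminal server, applies the Group Policy override described above, and lists any TermDD Event ID 50 entries. The MinEncryptionLevel value name, the registry paths, and the level numbering are not given on this page and are assumptions about a standard Windows Server 2003 installation.

```powershell
# Added example: audit the effective RDP encryption level and TermDD event 50.
# Assumed locations (not stated on the page): MinEncryptionLevel under the policy
# key and under each connection key in WinStations.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$WinStations = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
$LevelName   = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

function Get-MinEncryptionLevel([string]$Path) {
    $p = Get-ItemProperty -Path $Path -Name MinEncryptionLevel -ErrorAction SilentlyContinue
    if ($p) { return [int]$p.MinEncryptionLevel }
    return $null
}

function Get-RdpEncryptionReport {
    $policy = Get-MinEncryptionLevel $PolicyKey
    # One subkey per connection; a server with several adapters can have several.
    foreach ($ws in Get-ChildItem $WinStations) {
        $conn = Get-MinEncryptionLevel $ws.PSPath
        if ($conn -eq $null) { continue }   # subkey without an encryption setting

        # A level set in Group Policy overrides Terminal Services Configuration.
        if ($policy -ne $null) { $level = $policy; $source = 'Group Policy' }
        else                   { $level = $conn;   $source = 'Terminal Services Configuration' }

        New-Object PSObject -Property @{
            Connection = $ws.PSChildName
            Configured = $conn
            Policy     = $policy
            Effective  = $LevelName[$level]
            Source     = $source
        }
    }
}

function Get-TermDDEvent50 {
    # Event ID 50 from source TermDD in the system log, as described on the page.
    @(Get-EventLog -LogName System -Source TermDD -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 50 })
}

Get-RdpEncryptionReport | Format-Table Connection, Effective, Source, Configured, Policy -AutoSize
$hits = Get-TermDDEvent50
Write-Host ("TermDD Event ID 50 entries in System log: {0}" -f $hits.Count)
$hits | Select-Object -First 5 TimeGenerated, Message | Format-List
```

Running it before and after lowering the level shows whether the Event ID 50 entries stop and records which connections now accept Low or Client Compatible encryption.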
Windows XP Clients Cannot Connect to a Windows 2000 Terminal Services Server