Because of a security error, the client could not connect to the terminal server

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Cause

If you upgraded a Windows NT domain to Windows 2000 or Windows Server 2003, then the certificate on the terminal server might be corrupted. As a result, Windows 2000 Terminal Services clients might be repeatedly denied access to the terminal server.

Solution

On each terminal server, back up and then delete the Certificate, X509 Certificate, and X509 Certificate ID registry values. Then, on each client, back up and then delete the MSLicensing registry key.

Back Up and Then Delete the Certificate, X509 Certificate, and X509 Certificate ID Registry Subkeys

Warning

Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

To back up and then delete the Certificate, X509 Certificate, and X509 Certificate ID registry subkeys

  1. On each terminal server, create a backup of the registry.

  2. Navigate to the following registry subkey: HKLM\SYSTEM\CurrentControlSet\Services\TermServices\Parameters.

  3. On the Registry menu, click Export Registry File.

  4. In the File name box, type exported-parameters, and then click Save.

  5. If you need to restore this registry subkey in the future, double-click exported-parameters.reg.

  6. Under the Parameters registry subkey, right-click each of the following values:

    • Certificate

    • X509 Certificate

    • X509 Certificate ID

  7. Click Delete, and then click Yes to confirm the deletion.

  8. Close Registry Editor, and then restart each terminal server. The terminal server generates a new certificate when it restarts.

Back Up and Then Delete the MSLicensing Registry Key

Warning

Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

To back up and then delete the MSLicensing registry key

  1. On the client, navigate to the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSLicensing.

  2. Click MSLicensing.

  3. On the Registry menu, click Export Registry File.

  4. In the File name box, type mslicensingbackup, and then click Save.

  5. If you need to restore this registry key in the future, double-click mslicensingbackup.reg.

  6. On the Edit menu, click Delete, and then click Yes to confirm the deletion of the MSLicensing registry subkey.

  7. Close Registry Editor, and then restart the client.
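The two procedures above, as an added PowerShell example that is not part of the original article. It wraps the same steps: export the key with reg.exe so it can be restored later, then delete the three certificate values on the terminal server or the whole MSLicensing key on the client. The function names, the timestamped backup file names and the use of -WhatIf for a dry run are this example's own choices; the registry paths and value names are the ones the procedures name. It assumes Windows PowerShell and reg.exe are available and that the shell runs as a local Administrator. Restarts are left to the operator.

```powershell
# Added example (not from the original article): back up and then delete the
# Terminal Services certificate values on a terminal server, or the MSLicensing
# key on a client, as described in the procedures above.
# Assumes Windows PowerShell, reg.exe, and an elevated (Administrator) shell.

$ErrorActionPreference = 'Stop'

# Export a registry key to a timestamped .reg file with reg.exe. The file can be
# restored later by double-clicking it or with "reg import". Returns the path.
function Backup-RegistryKey {
    param(
        [Parameter(Mandatory = $true)][string]$KeyPath,    # reg.exe form, e.g. HKLM\SYSTEM\...
        [Parameter(Mandatory = $true)][string]$BackupName  # file name without extension
    )
    $file = Join-Path $env:SystemRoot ("{0}-{1:yyyyMMdd-HHmmss}.reg" -f $BackupName, (Get-Date))
    & reg.exe export $KeyPath $file | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $file)) {
        throw "reg.exe export of $KeyPath failed; nothing was deleted."
    }
    return $file
}

# Terminal server side: back up TermServices\Parameters, then delete the three
# certificate values named in the procedure. Values that are absent are skipped.
function Reset-TerminalServerCertificate {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $keyPath    = 'HKLM\SYSTEM\CurrentControlSet\Services\TermServices\Parameters'
    $psPath     = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermServices\Parameters'
    $valueNames = 'Certificate', 'X509 Certificate', 'X509 Certificate ID'

    $backup = Backup-RegistryKey -KeyPath $keyPath -BackupName 'exported-parameters'
    Write-Host "Backup written to $backup"

    foreach ($name in $valueNames) {
        $item = Get-ItemProperty -Path $psPath -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $item) { Write-Host "  $name not present, skipping"; continue }
        if ($PSCmdlet.ShouldProcess("$keyPath\$name", 'Delete value')) {
            Remove-ItemProperty -Path $psPath -Name $name
            Write-Host "  deleted $name"
        }
    }
    Write-Host 'Restart the terminal server so that it generates a new certificate.'
}

# Client side: back up and then delete HKLM\SOFTWARE\Microsoft\MSLicensing and its subkeys.
function Reset-MSLicensingKey {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $keyPath = 'HKLM\SOFTWARE\Microsoft\MSLicensing'
    $psPath  = 'HKLM:\SOFTWARE\Microsoft\MSLicensing'
    if (-not (Test-Path $psPath)) { Write-Host 'MSLicensing key not present, nothing to do.'; return }

    $backup = Backup-RegistryKey -KeyPath $keyPath -BackupName 'mslicensingbackup'
    Write-Host "Backup written to $backup"
    if ($PSCmdlet.ShouldProcess($keyPath, 'Delete key and subkeys')) {
        Remove-Item -Path $psPath -Recurse
        Write-Host 'Deleted MSLicensing. Restart the client.'
    }
}

# Usage: run the function that matches the machine's role.
# Reset-TerminalServerCertificate -WhatIf   # preview on a terminal server
# Reset-TerminalServerCertificate
# Reset-MSLicensingKey                      # on a client
```

Because the export happens before any deletion and the script stops on the first error, a failed backup leaves the registry untouched. Keep the .reg files off the machine if it is going to be rebuilt, since they are the only record of the old values.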

Solution

If the client still cannot connect to the terminal server, then perform the following procedures.

  1. On the client, back up and then delete the MSLicensing registry key and its subkeys.

  2. On each terminal server, back up and then delete the Certificate, X509 Certificate, and X509 Certificate ID registry subkeys.

  3. Deactivate the license server.

  4. Reactivate the license server by using the Telephone connection method in the Terminal Server License Server Wizard.

Deactivate the License Server

You might need to deactivate a Terminal Server license server when the certificate of the server has expired or becomes corrupted, or when the server is being redeployed. You will be prompted to reactivate the Terminal Server license server when its registration has expired. When you deactivate a Terminal Server license server, you will not be able to license additional clients from this server until it is reactivated.

You can deactivate a server by doing one of the following:

  • Using the Automatic method

  • Using the Telephone method

You cannot deactivate a Terminal Server license server by using the Web browser connection method.

Using the Automatic method

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider Using Run as (https://go.microsoft.com/fwlink/?LinkID=48886).

To deactivate a license server using the Automatic method

  1. Open Terminal Server Licensing. To open Terminal Server Licensing, click Start, click Control Panel, double-click Administrative Tools, and then double-click Terminal Server Licensing.

  2. In the console tree, right-click the Terminal Server license server you want to deactivate, point to Advanced, and then click Deactivate Server. The Terminal Server License Server Wizard starts.

  3. In Required Information, confirm that your name, phone number, company, and country or region are correct, and then click Next.

  4. Your request to deactivate the Terminal Server license server is sent to the Microsoft Clearinghouse for processing.

  5. Click Finish.

Using the telephone method

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider Using Run as (https://go.microsoft.com/fwlink/?LinkID=48886).

To deactivate a license server using the Telephone method

  1. Open Terminal Server Licensing. To open Terminal Server Licensing, click Start, click Control Panel, double-click Administrative Tools, and then double-click Terminal Server Licensing.

  2. In the console tree, right-click the Terminal Server license server you want to deactivate, point to Advanced, and then click Deactivate Server. The Terminal Server License Server Wizard starts.

  3. Select Telephone, and then click Next.

  4. Specify your location, and then click Next.

  5. Call the telephone number displayed in the wizard, and give the Customer Support representative the Product ID that is displayed below the telephone number.

  6. In the boxes in the wizard, type the 35-digit confirmation code provided by the Customer Support representative, then click Next.

  7. Click Finish.

Reactivate the License Server

When you activate Terminal Server Licensing by using the Telephone option, Terminal Server Licensing uses a different certificate. You will receive a telephone call from the Microsoft Clearinghouse confirming that the license server has been reactivated. When a license server is reactivated, a record of your licenses is retained. Licenses that were already issued remain valid, and any un-issued licenses are also valid, but must be reissued through the Microsoft Clearinghouse.

You must reactivate a license server when its registration has expired.

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider Using Run as (https://go.microsoft.com/fwlink/?LinkID=48886).

To reactivate a license server

  1. Open Terminal Server Licensing. To open Terminal Server Licensing, click Start, click Control Panel, double-click Administrative Tools, and then double-click Terminal Server Licensing.

  2. In the console tree, right-click the Terminal Server license server you want to reactivate, point to Advanced, and then click Reactivate Server. The Terminal Server License Server Wizard starts.

  3. In Information Needed, confirm that your name, phone number, and e-mail address are correct.

  4. In Reason, select the appropriate reason for reactivating the license server, and click Finish.

  5. Your request to reactivate the license server is sent to the Microsoft Clearinghouse for processing.

Cause

Windows XP-based clients might be attempting to connect to a Windows 2000 terminal server in a low-bandwidth network environment, in which client sessions are encrypted. In this case, IP packet fragmentation can cause encrypted frames that are sent by a client to be decrypted incorrectly.

Solution

Cause

The Remote Desktop Protocol (RDP) encryption settings on the terminal server and the client might not be compatible. For example, the terminal server might be running 128-bit encryption with an encryption level set to High, so a client that does not support 128-bit keys cannot negotiate a session. When this occurs, "Event ID 50, Source: TermDD" appears in the system event log on the terminal server.

Solution

Change the RDP encryption level on the terminal server to Medium or Low (if the terminal server is running Windows 2000) or to Client Compatible or Low (if the terminal server is running Windows Server 2003). Prefer Client Compatible (or Medium on Windows 2000) over Low where the client supports it: Low encrypts only data sent from the client to the server, so everything the server sends back, including screen output, travels unencrypted.

You can change the RDP encryption level on the terminal server by doing one of the following:

  • Using Terminal Services Configuration (Windows 2000)

  • Using Group Policy (Windows Server 2003)

  • Using Terminal Services Configuration (Windows Server 2003)

When you change the encryption level, the new encryption level takes effect the next time a user logs on. If you require multiple levels of encryption on one server, install multiple network adapters and configure each adapter separately.

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider Using Run as (https://go.microsoft.com/fwlink/?LinkID=48886).

Using Terminal Services Configuration (Windows 2000)

To change the RDP encryption level using Terminal Services Configuration (Windows 2000)

  1. Open Terminal Services Configuration. To open Terminal Services Configuration, click Start, point to Programs, point to Administrative Tools, and then click Terminal Services Configuration.

  2. In the console tree, click Connections.

  3. In the details pane, right-click the connection that you want to modify, and then click Properties.

  4. On the General tab, in Encryption level, click Low or Medium:

    • The Low setting encrypts data sent from the client to the server by using either 40-bit or 56-bit encryption. A Windows 2000 terminal server uses 56-bit encryption when Windows 2000 clients connect to it and 40-bit encryption when earlier versions of the client connect to it.

    • The Medium level encrypts data sent from client to server and from server to client by using either 40-bit encryption or 56-bit encryption. A Windows 2000 terminal server uses 56-bit encryption when Windows 2000 clients connect to it and 40-bit encryption when earlier versions of the client connect.

Using Group Policy (Windows Server 2003)

Any encryption level settings that you configure in Group Policy override the configuration that you set by using the Terminal Services Configuration tool. Use this procedure to configure the local Group Policy object. To change a policy for a domain or an organizational unit, log on as an administrator and open Group Policy from the Active Directory Users and Computers snap-in.

Important

You should thoroughly test any changes you make to Group Policy settings before applying them to users or computers.

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider Using Run as (https://go.microsoft.com/fwlink/?LinkID=48886).

To change the RDP encryption level using Group Policy (Windows Server 2003)

  1. Open Group Policy.

  2. In Computer Configuration, Administrative Templates, Windows Components, Terminal Services, Encryption and Security, double-click the Set client connection encryption level setting, and then click Enabled. The encryption level is applied only while the setting is enabled.

  3. In the Encryption Level list, click Client Compatible or Low Level, and then click OK.

    • The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client.

    • The Low setting encrypts data sent from the client to the server using 56-bit encryption.

Using Terminal Services Configuration (Windows Server 2003)

Any encryption level settings that you configure in Group Policy override the configuration that you set by using the Terminal Services Configuration tool.

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider Using Run as (https://go.microsoft.com/fwlink/?LinkID=48886).

To change the RDP encryption level using Terminal Services Configuration (Windows Server 2003)

  1. Open Terminal Services Configuration. To open Terminal Services Configuration, click Start, click Control Panel, double-click Administrative Tools, and then double-click Terminal Services Configuration.

  2. In the console tree, click Connections.

  3. In the details pane, right-click the connection you want to modify, and then click Properties.

  4. On the General tab, in Encryption level, click Low or Client Compatible.

    • The Low setting encrypts data sent from the client to the server using 56-bit encryption.

    • The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client.
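A check for the encryption-mismatch cause described above (Event ID 50, Source TermDD) and for what the two Windows Server 2003 procedures actually changed, as an added PowerShell example that is not part of the original article. It reads the MinEncryptionLevel value from the location where the Group Policy setting is stored (HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services) and from the location where Terminal Services Configuration stores it for the RDP-Tcp connection (HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp), applies the override rule the article states (Group Policy wins when set), and counts the TermDD Event ID 50 entries in the System log. The registry locations and the level codes (1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS Compliant) come from the editor's knowledge of the product, not from this page; confirm the applied policy with gpresult if the two disagree. It assumes Windows PowerShell 2.0 or later (for Get-EventLog -Source) running as an administrator on the terminal server.

```powershell
# Added example (not from the original article): show the effective RDP
# encryption level on a Windows Server 2003 terminal server and look for the
# TermDD Event ID 50 entries that the article associates with a client/server
# encryption mismatch. Registry locations and level codes are from product
# knowledge, not from the article. Run as an administrator on the terminal server.

$ErrorActionPreference = 'Stop'

# MinEncryptionLevel codes shared by the policy and the Terminal Services
# Configuration locations.
$levelNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

# Read a DWORD value, or $null when the key or value does not exist.
function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# Returns the policy value, the Terminal Services Configuration value, and the
# effective level for one connection (RDP-Tcp by default).
function Get-RdpEncryptionLevel {
    param([string]$Connection = 'RDP-Tcp')
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $tscPath    = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\$Connection"

    $policy = Get-RegistryDword -Path $policyPath -Name 'MinEncryptionLevel'
    $tsc    = Get-RegistryDword -Path $tscPath    -Name 'MinEncryptionLevel'

    # Group Policy overrides Terminal Services Configuration whenever it is set.
    if ($null -ne $policy) { $effective = $policy; $source = 'Group Policy' }
    else                   { $effective = $tsc;    $source = 'Terminal Services Configuration' }

    $name = 'unknown'
    if ($null -ne $effective -and $levelNames.ContainsKey($effective)) { $name = $levelNames[$effective] }

    New-Object PSObject -Property @{
        Connection    = $Connection
        PolicyLevel   = $policy
        TscLevel      = $tsc
        Effective     = $effective
        EffectiveName = $name
        Source        = $source
    }
}

# TermDD Event ID 50 entries in the System log over the last $Days days.
# Get-EventLog raises an error when the source has no entries; that is not a failure here.
function Get-TermDDEvent50 {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    Get-EventLog -LogName System -Source TermDD -After $since -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 50 } |
        Select-Object TimeGenerated, EntryType, Message
}

$level  = Get-RdpEncryptionLevel
$level | Format-List Connection, Source, EffectiveName, PolicyLevel, TscLevel
$events = @(Get-TermDDEvent50)
Write-Host ("TermDD Event ID 50 entries in the last 7 days: {0}" -f $events.Count)
if ($events.Count -gt 0 -and $level.Effective -eq 3) {
    Write-Host 'High is enforced and mismatch events are present.'
    Write-Host 'Prefer Client Compatible (2) over Low (1): Low leaves server-to-client data unencrypted.'
}
```

Run it before and after changing the level: the Source field tells you which of the two tools is actually in control, which matters because a value set in Terminal Services Configuration is silently ignored while the Group Policy setting is enabled.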

See Also

Other Resources

Windows XP Clients Cannot Connect to a Windows 2000 Terminal Services Server