Event ID 1004 — Remote Desktop Services Client Access License (RDS CAL) Availability

  • Article

Applies To: Windows Server 2008 R2

An RD Session Host server must be able to contact a Remote Desktop license server to request Remote Desktop Services client access licenses (RDS CALs) for users or computing devices that are connecting to the RD Session Host server. In addition, the Remote Desktop licensing mode configured on an RD Session Host server must match the type of RDS CALs available on the license server.

Event Details

Product: Windows Operating System
ID: 1004
Source: Microsoft-Windows-TerminalServices-RemoteConnectionManager
Version: 6.1
Symbolic Name: EVENT_CANNOT_ISSUE_LICENSE
Message: The Remote Desktop Session Host server cannot issue a client license. It was unable to issue the license due to a changed (mismatched) client license, insufficient memory, or an internal error. Further details for this problem may have been reported at the client's computer.

Diagnose

This error might be caused by one of the following conditions:

  • The licensing mode for the RD Session Host server does not match the type of RDS CALs installed on the license server.
  • The RDP encryption levels on the RD Session Host server and the client are not compatible.
  • The certificate on the RD Session Host server is corrupted.

The licensing mode for the RD Session Host server does not match the type of RDS CALs installed on the license server

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

To determine the licensing mode for the RD Session Host server:

  1. On the RD Session Host server, open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. In the left pane, click Licensing Diagnosis.
  4. Review the following information in Licensing Diagnosis:
    • Under RD Session Host Server Configuration Details, note the licensing mode for the RD Session Host server.
    • Under Remote Desktop Services License Server Information, note the type of RDS CALs installed on any license server that is listed as discovered. Information about the type of RDS CALs installed on a license server is listed under License Server Configuration Details, which is displayed when you click a license server listed as discovered under Remote Desktop Services License Server Information.
  5. If the licensing mode for the RD Session Host server does not match the type of RDS CALs installed on the license server, see the section titled "Specify the licensing mode for the RD Session Host server."

The RDP encryption levels on the RD Session Host server and the client are not compatible

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

To determine the RDP encryption level compatibility:

  1. On the RD Session Host server, open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. Under Connections, right-click the connection (for example, RDP-Tcp), and then click Properties.
  4. On the General tab, note the value of Encyption level. For more information about encryption levels, see "Configure Server Authentication and Encryption Levels" in the Remote Desktop Session Host Configuration Help in the Windows Server 2008 R2 Technical Library (https://go.microsoft.com/fwlink/?LinkId=177586).
  5. On the client computer, start Remote Desktop Connection. To start Remote Desktop Connection, click Start, click Run, type mstsc.exe, and then press ENTER.
  6. Click the icon in the upper-left corner of the Remote Desktop Connection dialog box, and then click About. Look for the phrase "Maximum encryption strength" in the About Remote Desktop Connection dialog box. This value is the maximum encryption strength supported by the version of Remote Desktop Connection running on the computer.
  7. If the maximum encryption strength supported by the version of Remote Desktop Connection running on the client computer is not supported by the encryption level configured on the RD Session Host server, see the section titled "Change the RDP encryption level on the RD Session Host server."

The certificate on the RD Session Host server is corrupted

If the licensing mode for the RD Session Host server matches the type of RDS CALs installed on the license server, and the RDP settings on the RD Session Host server and the client are compatible, the certificate on the RD Session Host server might be corrupted. To resolve this issue, see the section titled "Delete the appropriate registry subkey."

Resolve

To resolve this issue, use the resolution that corresponds to the cause you identified in the Diagnose section. After performing the resolution, see the Verify section to confirm that the feature is operating properly

Cause

Resolution

The RDP encryption levels on the RD Session Host server and the client are not compatible

Change the RDP encryption level on the RD Session Host server

The certificate on the RD Session Host server is corrupted

Delete the appropriate registry subkey

The licensing mode for the Remote Desktop Session Host server does not match the type of RDS CALs installed on the license server.

Specify the licensing mode for the Remote Desktop Session Host server

Change the RDP encryption level on the RD Session Host server

To resolve this issue, change the RDP encryption level on the RD Session Host server to a level that is supported by the version of Remote Desktop Connection that is running on the client computer.

By default, Remote Desktop Services connections are encrypted at the highest level of security available (128-bit). However, some older versions of Remote Desktop Connection do not support this high level of encryption. If your network contains such legacy clients, you can set the encryption level of the connection to send and receive data at the highest encryption level supported by the client.

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

To change the RDP encryption level:

  1. On the RD Session Host server, open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
  3. Under Connections, right-click the connection (for example, RDP-Tcp), and then click Properties.
  4. On the General tab, change the value of Encyption level to a level that is appropriate for the version of Remote Desktop Connection that is running on the client computer. For more information about encryption levels, see "Configure Server Authentication and Encryption Levels" in the Remote Desktop Session Host Configuration Help in the Windows Server 2008 R2 Technical Library (https://go.microsoft.com/fwlink/?LinkId=177586).

When you change the encryption level, the new encryption level takes effect the next time a user logs on. If you require multiple levels of encryption on one RD Session Host server, install multiple network adapters and configure each adapter separately.

Note:  You can also change the RDP encryption level on the RD Session Host server by using Group Policy.

  • To set the RDP encryption level for the RD Session Host server by using Group Policy, enable the Set client connection encryption level Group Policy setting. This Group Policy setting is located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security. Note that the Group Policy setting will take precedence over the setting configured in Remote Desktop Session Host Configuration.
  • To configure the RD Session Host server to use FIPS as the encryption level by using Group Policy, enable the System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing Group Policy setting. This Group Policy setting is located in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. Note that this Group Policy setting will take precedence over the setting configured in Remote Desktop Session Host Configuration and takes precedence over the Set client connection encryption level policy setting.
  • To configure the Group Policy setting in Active Directory Domain Services (AD DS), use the Group Policy Management Console (GPMC). To configure the Group Policy setting locally on an RD Session Host server, use the Local Group Policy Editor. For more information about configuring Group Policy settings, see either the Local Group Policy Editor Help (https://go.microsoft.com/fwlink/?LinkId=143317) or the GPMC Help (https://go.microsoft.com/fwlink/?LinkId=143867) in the Windows Server 2008 R2 Technical Library.

Delete the appropriate registry subkey

To resolve this issue, delete the MSLicensing registry subkey on the client computer, restart the client computer, and then try again to connect remotely to the RD Session Host server from the client computer. If the issue persists, delete the Certificate, X509 Certificate, X509 Certificate2, and X509 Certificate ID registry entries on the RD Session Host server, restart the RD Session Host server, and then try again to connect to the RD Session Host server from the client computer.

Delete the MSLicensing registry subkey

To perform this procedure on the client computer, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

To delete the MSLicensing registry subkey:

Caution:  Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

  1. On the client computer, open Registry Editor. To open Registry Editor, click Start, click Run, type regedit, and then click OK.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
  3. Locate the HKEY_LOCAL_MACHINE\Software\Microsoft\MSLicensing registry subkey.
  4. Click MSLicensing.
  5. Before deleting the MSLicensing subkey, back up the subkey. To back up the subkey, do the following:
    1. Right-click MSLicensing, and then click Export.
    2. In the File name box, type mslicensingbackup, and then click Save. If you need to restore this registry subkey, double-click mslicensingbackup.reg.
  6. To delete the MSLicensing subkey, on the Edit menu, click Delete, and then click Yes.
  7. Close Registry Editor, and then restart the client.
  8. After the client computer is restarted, try again to connect remotely to the RD Session Host server from the client computer.

Delete the appropriate registry entries on the RD Session Host server

If the issue persists, delete the Certificate, X509 Certificate, X509 Certificate2, and X509 Certificate ID registry entries on the RD Session Host server.

To perform this procedure on the RD Session Host server, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

To delete the appropriate registry entries:

Caution:  Incorrectly editing the registry can severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

  1. On the RD Session Host server, open Registry Editor. To open Registry Editor, click Start, click Run, type regedit, and then click OK.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
  3. Locate the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM registry subkey.
  4. Click RCM.
  5. Before deleting the subkeys, back up the RCM subkey. To back up the subkey, do the following:
    1. Right-click RCM, and then click Export.
    2. In the File name box, type rdsrcm, and then click Save. If you need to restore this registry subkey, double-click rdsrcm.reg.
  6. To delete the Certificate, X509 Certificate, X509 Certificate2, and X509 Certificate ID registry entries, right-click each entry, click Delete, and then click Yes.
  7. Close Registry Editor, and then restart the RD Session Host server.
  8. After the RD Session Host server is restarted, try again to connect remotely to the RD Session Host server from the client computer.

If the issue persists, do the following:

  1. On the client computer, back up and then delete the MSLicensing registry key and its subkeys.
  2. On the RD Session Host server, back up and then delete the Certificate, X509 Certificate, X509 Certificate2, and X509 Certificate ID registry entries.
  3. Deactivate and then reactivate the license server.  For information about deactivating and reactivating a license server, see the topic "Managing Remote Desktop Licensing" in the RD Licensing Manager Help in the Windows Server 2008 R2 Technical Library (https://go.microsoft.com/fwlink/?LinkId=177615).
  4. Restart the RD Session Host server and the client computer and then try again to connect remotely to the RD Session Host server from the client computer.

Specify the licensing mode for the Remote Desktop Session Host server

To resolve this issue, specify the Remote Desktop licensing mode on the RD Session Host server.

The Remote Desktop licensing mode determines the type of Remote Desktop Services client access licenses (RDS CALs) that an RD Session Host server will request from a license server on behalf of a client connecting to the RD Session Host server. Although there is a licensing grace period during which no license server is required, after the grace period ends, clients must receive a valid RDS CAL issued by a license server before they can log on to an RD Session Host server.

Important:  The Remote Desktop licensing mode configured on an RD Session Host server must match the type of RDS CALs available on the license server.

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

To specify the Remote Desktop licensing mode:

  1. On the RD Session Host server, open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Confiiguration, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
  3. Under Licensing, double-click Remote Desktop licensing mode.
  4. Select either Per Device or Per User, depending on your environment.
  5. Click OK.

Note:  You can also specify the Remote Desktop licensing mode for an RD Session Host server by using Group Policy.

  • To specify the Remote Desktop licensing mode for an RD Session Host server by using Group Policy, enable the Set the Remote Desktop licensing mode Group Policy setting. This Group Policy setting is located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing. Note that the Group Policy setting will take precedence over the setting configured in Remote Desktop Session Host Configuration.
  • To configure the Group Policy setting in Active Directory Domain Services (AD DS), use the Group Policy Management Console (GPMC). To configure the Group Policy setting locally on an RD Session Host server, use the Local Group Policy Editor. For more information about configuring Group Policy settings, see either the Local Group Policy Editor Help (https://go.microsoft.com/fwlink/?LinkId=143317) or the GPMC Help (https://go.microsoft.com/fwlink/?LinkId=143867) in the Windows Server 2008 R2 Technical Library.

Verify

To verify that the RD Session Host server can contact a Remote Desktop license server with the appropriate type of Remote Desktop Services client access licenses (RDS CALs), use Licensing Diagnosis in Remote Desktop Session Host Configuration.

To perform this procedure, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority.

To use Licensing Diagnosis in Remote Desktop Session Host Configuration:

  1. On the RD Session Host server, open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
  3. In the left pane, click Licensing Diagnosis.
  4. Under Remote Desktop Session Host Server Configuration Details, the value for Number of RDS CALs available for clients should be greater than 0.

Remote Desktop Services Client Access License (RDS CAL) Availability

Remote Desktop Services