The Windows Terminal Services have been around for many years now, and are reliable and trouble free for the most part. Even so, there are some issues that could cause a Terminal Service client not to be able to connect to the terminal server. The good news however, is that these issues are almost always related to the server’s configuration rather than to an actual bug in the terminal server’s software. In this article, I will discuss some conditions that can lead to a terminal service connection failure, and the solution to those problems.
One of the most common Terminal Service connectivity problems involves clients logging in and then receiving an error message stating that “The Local Policy of this System Does Not Allow You to Log in Interactively”.
This problem is caused because of the fact that Windows Server 2003 is designed so that only administrators are allowed to log directly into the server console by default. When you add the Application Server role to the server (by means of installing the Terminal Services), the server’s permissions are automatically adjusted so that normal users have the right to log on to the server using the RDP protocol. That being the case, you most likely have a registry setting or a group policy setting in place that is denying the users the right to log into the server.
I recommend checking your group policy settings for a policy that prevents users from logging on locally. The offending policy should be located at Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ User Rights Assignment \ Log on Locally. As you search for this setting, keep in mind that group policies are hierarchical in nature and that the offending setting could be located at any level of your group policy hierarchy. If you have trouble locating the offending group policy setting, you can use the Resultant Set of Policy console to help track it down.
No Access to the Session
A Terminal Service connection problem that can be especially puzzling is a simple error message stating that “You do not have access to this session”. The reason why this error message can be so tricky to diagnose is because it doesn’t really give you any information as to the nature of the problem.
It has been my experience that this particular message usually happens when the user who is trying to establish the connection does not have the necessary permissions to establish an RDP-TCP connection.
Typically, the required permissions are established by default when the Terminal Services are initially installed. However, the permissions might have become messed up by an administrator who was trying to tighten security without fully understanding the impact of their actions.
To check the RDP-TCP permissions, open the Terminal Service Configuration console. When the console opens, click on the Connection container. When you do, the details pane should display an RDP-TCP connection. If the connection is missing, then you have another problem altogether, and you need to create a new connection. You can create a new connection by right clicking on the Connections container and selecting the Create New Connection command from the resulting shortcut menu.
Assuming that the RDP-TCP connection does exist, right click on the RDP-TCP connection, and select the Properties command from the resulting shortcut menu. When the RDP-TCP Properties sheet appears, go to the Permissions tab. Verify that the Remote Desktop Users group has been assigned the User Access permission. Depending on how your Terminal Service environment is configured, the Remote Desktop Users group may also need to be assigned the Guest Access permission.
The Server is Too Busy
Another common problem involves users receiving an error message stating that “The client could not connect to the Terminal Server. The Server may be too busy. Please try connecting later”.
I have heard various people in the IT industry refer to this as the world’s most unhelpful error message. The reason is because while the server really might be too busy, this error can be triggered by a number of situations that have nothing to do with how busy the server is.
When troubleshooting this particular error message, you are going to have to use a little bit of common sense to figure out where to begin the troubleshooting process. If you have been setting up a lot of new user accounts lately, then maybe the maximum number of connections to the server has been exceeded, and the server really is too busy to handle the request. Typically though, if the maximum number of connections have been exceeded, then you will see a different message stating that the terminal server has exceeded the maximum number of connections. I will talk more about this error message in a moment.
On the other hand, if you have been restructuring your network lately, then the problem is most likely related to a network glitch. For example, if the client cannot locate the subnet containing the terminal server, then you could end up seeing this error message.
This problem can also occur if an administrator has disabled one or more connections to a terminal server. To see if this is the case, open the Terminal Services Configuration console. When the console opens, select the Connections container, and make sure that none of the connections that are displayed in the Details pane have a red X on their icon. A red X indicates that the connection is disabled. If a connection does end up being disabled, then you can re-enable the connection by right clicking on it and selecting the All Tasks | Enable Connection commands from the resulting shortcut menus.
The Maximum Number of Connections Has Been Exceeded
The last type of connection problem that I want to talk about is what happens when the maximum number of connections to your terminal server have been exceeded. Typically, when this occurs you will see a message stating “The terminal server has exceeded the maximum number of allowed connections. The system cannot log you on. Please try again or consult your system administrator”.
If the terminal server happens to be running in remote administration mode, then Windows limits the terminal server to hosting two concurrent sessions. If the terminal server is acting as a true terminal server (not just as a remote administration server) then more connections are allowed. You can check to see how many connections the server supports (and adjust the maximum number of connections if necessary) by opening the Terminal Services Configuration console and clicking on the Connections container. When you do, the Details pane should display the RDP-TCP connector. Right click on this connector and choose the Properties command from the resulting shortcut menu. When the RDP-TCP Properties sheet appears, select the Network Adapters tab. This tab allows you to adjust the maximum number of connections to the server. Keep in mind that the maximum number of connections is set on a per NIC basis. Therefore, if your terminal server is multihomed, then you will have to set the maximum number of connections for each NIC.
As you can see, there are a number of situations that can cause a terminal server to reject client connections. If you have tried the techniques that I have suggested in this article and are still unable to connect to a terminal server, then you can always try looking up information in the Microsoft Knowledgebase, or comparing the server’s settings against the settings found on a terminal server that is functioning properly.