Troubleshoot Remote desktop disconnected errors

  • Article
  • nineteen minutes to read

This commodity helps you lot understand the virtually common settings that are used to establish a Remote Desktop session in an enterprise environment, and provides troubleshooting information for Remote desktop asunder errors.

Applies to: Windows Server 2012 R2
Original KB number: 2477176

Annotation

This commodity is intended for utilise by support agents and It professionals.

Remote Desktop Server

A Remote Desktop Session Host server is the server that hosts Windows-based programs or the full Windows desktop for Remote Desktop Services clients. Users tin can connect to an RD Session Host server to run programs, to save files, and to use network resources on that server. Users can access an RD Session Host server from within a corporate network or from the Internet.

Remote Desktop Session Host (RD Session Host) was formerly known as the Remote Desktop server role service, and Remote Desktop Session Host (RD Session Host) server was formerly known as Remote Desktop server.

Remote connections for administration

Remote Desktop supports two concurrent remote connections to the reckoner. You do non accept to have Remote Desktop Services client access licenses (RDS CALs) for these connections.

To allow more than than two administrative connections or multiple user connections, y'all must install the RD Session Host Role and have appropriate RDS CALs.

Symptom 1: Express Remote Desktop session or Remote Desktop Services session connections

When you try to make a Remote Desktop Connection (RDC) to a remote reckoner or to a Remote Desktop server (Terminal Server) that is running Windows Server 2008 R2, you receive i of the following error messages:

Remote Desktop Disconnected.
This reckoner can't connect to the remote computer.
Try connecting again. If the trouble continues, contact the owner of the remote calculator or your network administrator.

Also, you are express in the number of users who tin can connect simultaneously to a Remote Desktop session or Remote Desktop Services session. A express number of RDP connections tin can be acquired past misconfigured Group Policy or RDP-TCP properties in Remote Desktop Services Configuration. By default, the connection is configured to allow an unlimited number of sessions to connect to the server.

Symptom 2: Port assignment conflict

You experience a port assignment conflict. This problem might bespeak that another awarding on the Remote Desktop server is using the same TCP port equally the Remote Desktop Protocol (RDP). The default port assigned to RDP is 3389.

Symptom iii: Incorrectly configured authentication and encryption settings

After a Remote Desktop server client loses the connection to a Remote Desktop server, yous experience one of the following symptoms:

  • You cannot make a connection by using RDP.
  • The session on the Remote Desktop server does non transition to a disconnected state. Instead, it remains active even though the customer is physically disconnected from the Remote Desktop server.

If the client logs dorsum in to the aforementioned Remote Desktop server, a new session may be established, and the original session may remain active.

Also, you receive one of the following error messages:

  • Error message ane

    Because of a security error, the client could not connect to the Concluding server. Afterwards making sure that you are logged on to the network, try connecting to the server again.

  • Fault message ii

    Remote desktop disconnected. Because of a security error, the client could not connect to the remote computer. Verify that you are logged onto the network and so try connecting again.

Symptom 4: License document corruption

Remote Desktop Services clients are repeatedly denied access to the Remote Desktop server. If yous are using a Remote Desktop Services client to log on to the Remote Desktop server, you may receive i of the following error letters.

  • Error message 1

    Because of a security error, the client could not connect to the Last server. After making sure that you are logged on to the network, endeavor connecting to the server again.

  • Error bulletin ii

    Remote desktop asunder. Because of a security mistake, the client could not connect to the remote computer. Verify that you are logged onto the network and then try connecting again.

  • Error message 3

    Because of a security error, the client could not connect to the Terminal server. Later making sure that you are logged on to the network, try connecting to the server again.
    Remote desktop disconnected. Because of a security error, the client could not connect to the remote computer. Verify that you are logged onto the network and so try connecting again.

Additionally, the following event ID messages may exist logged in Issue Viewer on the Remote Desktop server.

  • Upshot message one

                      Event ID: fifty   Event Source: TermDD   Outcome Description: The RDP protocol component X.224 detected an error in the protocol stream and has asunder the client.

  • Event bulletin ii

                      Event ID: 1088 Upshot Source: TermService Upshot Description: The terminal services licensing grace flow has expired and the service has non registered with a license server. A concluding services license server is required for continuous performance. A terminal server can operate without a license server for xc days after initial commencement upward.

  • Event message 3

                      Event ID: 1004   Event Source: TermService   Consequence Description: The last server cannot issue a customer license.

  • Event message 4

                      Effect ID: 1010   Event Source: TermService   Upshot Clarification: The final services could not locate a license server. Ostend that all license servers on the network are registered in WINS/DNS, accepting network requests, and the Last Services Licensing Service is running.

  • Effect message 5

                      Consequence ID: 28   Event Source: TermServLicensing   Outcome Description: Terminal Services Licensing can only be run on Domain Controllers or Server in a Workgroup. See Terminal Server Licensing assist topic for more information.

Resolution for Symptom 1

To resolve this problem, use the following methods, every bit appropriate.

Verify Remote Desktop is enabled

  1. Open the System item in Control Panel. To offset the System tool, click Get-go, click Command Console, click Organisation, and then click OK.

  2. Nether Control Panel Home, click Remote settings.

  3. Click the Remote tab.

  4. Nether Remote Desktop, select either of the bachelor options, depending on your security requirements:

    • Allow connections from computers from computers running any version of Remote Desktop (less secure)

    • Permit connections from computers just from computers running Remote Desktop with Network Level Authentication (more secure)

If you select Don't allow connections to this estimator on the Remote tab, no users will be able to connect remotely to this figurer, even if they are members of the Remote Desktop Users grouping.

Verify Remote Desktop Services Limit number of connections policy

  1. Kickoff the Grouping Policy snap-in, and then open the Local Security Policy or the appropriate Group Policy.

  2. Locate the following control:

    Local Computer Policy > Computer Configuration > Authoritative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections Limit number of connections

  3. Click Enabled.

  4. In the RD Maximum Connections immune box, type the maximum number of connections that you want to allow, and and then click OK.

Verify Remote Desktop Services RDP-TCP properties

Follow these steps, depending on your operating system version.

Setting via Remote Desktop Services Configuration

Configure the number of simultaneous remote connections allowed for a connexion:

  1. On the RD Session Host server, open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative Tools, bespeak to Remote Desktop Services.

  2. Under Connections, correct-click the name of the connection, and then click Properties.

  3. On the Network Adapter tab, click Maximum connections, enter the number of simultaneous remote connections that you want to allow for the connection, so click OK.

  4. If the Maximum connections choice is selected and dimmed, the Limit number of connections Group Policy setting has been enabled and has been applied to the RD Session Host server.

Verify Remote Desktop Services Logon rights

Configure the Remote Desktop Users Group.

The Remote Desktop Users group on an RD Session Host server grants users and groups permission to remotely connect to an RD Session Host server. You tin add together users and groups to the Remote Desktop Users group by using the following tools:

  • Local Users and Groups snap-in
  • The Remote tab in the Arrangement Properties dialog box on an RD Session Host server
  • Agile Directory Users and Computers snap-in, if the RD Session Host server is installed on a domain controller

You lot tin utilise the following procedure to add together users and groups to the Remote Desktop Users group by using the Remote tab in the System Properties dialog box on an RD Session Host server.

Membership in the local Administrators grouping, or equivalent, on the RD Session Host server that you program to configure, is the minimum required to complete this procedure.

Add together users and groups to the Remote Desktop Users group by using the Remote tab

  1. Outset the System tool. To do this, click Start, click Control Console, click the Arrangement icon, and then click OK.

  2. Under Control Panel Dwelling house, click Remote settings.

  3. On the Remote tab in the System Properties dialog box, click Select Users. Add the users or groups that accept to connect to the RD Session Host server past using Remote Desktop.

Annotation

If you select the Don't allow connections to this computer option on the Remote tab, no users will be able to connect remotely to this computer, even if they are members of the Remote Desktop Users group.

Add users and groups to the Remote Desktop Users group by using Local Users and Groups snap-in

  1. Click Outset, click Administrative Tools, and then click Estimator Management.
  2. In the console tree, click the Local Users and Groups node.
  3. In the details pane, double-click the Groups folder.
  4. Double-click Remote Desktop Users, and then click Add.
  5. In the Select Users dialog box, click Locations to specify the search location.
  6. Click Object Types to specify the types of objects that yous want to search for.
  7. In the Enter the object names to select (examples) box, type the name you desire to add together.
  8. Click Check Names.
  9. When the name is located, click OK.

Annotation

  • You can't connect to a computer that's asleep or hibernating, so make sure the settings for sleep and hibernation on the remote estimator are ready to Never. (Hibernation isn't available on all computers.) For information near making those changes, see Change, create, or delete a power plan (scheme).
  • You can't employ Remote Desktop Connectedness to connect to a calculator using Windows seven Starter, Windows seven Home Basic, or Windows 7 Home Premium.
  • Members of the local Administrators grouping can connect fifty-fifty if they are non listed.

Resolution for Symptom ii

Important

This section, method, or task contains steps that tell y'all how to modify the registry. Notwithstanding, serious bug might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify information technology. Then, you lot can restore the registry if a problem occurs. For more than information about how to dorsum up and restore the registry, run across How to back up and restore the registry in Windows.

To resolve this problem, determine which application is using the aforementioned port equally RDP. If the port assignment for that application cannot exist changed, change the port assigned to RDP by changing the registry. After you lot alter the registry, you must restart the Remote Desktop Services service. After y'all restart the Remote Desktop Services service, you should verify that the RDP port has been inverse correctly.

Remote Desktop server listener availability

The listener component runs on the Remote Desktop server and is responsible for listening for and accepting new Remote Desktop Protocol (RDP) customer connections, thereby allowing users to establish new remote sessions on the Remote Desktop server. There is a listener for each Remote Desktop Services connection that exists on the Remote Desktop server. Connections can exist created and configured by using the Remote Desktop Services Configuration tool.

To perform these tasks, refer to the post-obit sections.

Determine which application is using the same port as RDP

Yous tin can run the netstat tool to make up one's mind whether port 3389 (or the assigned RDP port) is being used by another awarding on the Remote Desktop server:

  1. On the Remote Desktop server, click Start, click Run, type cmd, and and then click OK.
  2. At the command prompt, type netstat -a -o and and then printing Enter.
  3. Await for an entry for TCP port 3389 (or the assigned RDP port) with a status of Listening. This indicates another awarding is using this port. The PID (Process Identifier) of the process or service using that port appears under the PID cavalcade.

To decide which application is using port 3389 (or the assigned RDP port), use the tasklist command-line tool along with the PID information from the netstat tool:

  1. On the Remote Desktop server, click Get-go, click Run, blazon cmd, and then click OK.
  2. Type tasklist /svc and then press Enter.
  3. Look for an entry for the PID number that is associated with the port (from the netstat output). The services or processes that are associated with that PID appear on the right.

Alter the port assigned to RDP

Y'all should determine whether this application can use a different port. If you cannot change the awarding's port, you must change the port that is assigned to RDP.

Important

Nosotros recommend that y'all do non alter the port that is assigned to RDP.

If yous take to change the port assigned to RDP, you lot must change the registry. To do this, you must be a member of the local Administrators group, or y'all must have been granted the appropriate permissions.

To alter the port that is assigned to RDP, follow these steps:

  1. On the Remote Desktop server, open Registry Editor. To open Registry Editor, click Start, click Run, type regedit, and and so click OK.

  2. If the User Account Control dialog box appears, verify that the action information technology displays is what you want, so click Continue.

  3. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Remote Desktop server\WinStations

RDP-TCP is the default connection name. To change the port for a specific connexion on the Remote Desktop server, select the connexion under the WinStations fundamental:

  1. In the details pane, double-click the PortNumber registry entry.
  2. Blazon the port number that you want to assign to RDP.
  3. Click OK to salve the change, then shut Registry Editor.

Restart the Remote Desktop Services service

For the RDP port assignment change to take effect, stop and start the Remote Desktop Services service. To do this, you lot must exist a member of the local Administrators group, or you must have been granted the appropriate permissions.

To cease and start the Remote Desktop Services service, follow these steps:

  1. On the Remote Desktop server, open up the Services snap-in. To practice this, click Start, point to Administrative Tools, and then click Services.

  2. If the User Business relationship Command dialog box appears, verify that the action it displays is what you desire, and so click Continue.

  3. In the Services pane, right-click Remote Desktop Services, and and then click Restart.

  4. If yous are prompted to restart other services, click Yeah.

  5. Verify that the Status column for the Remote Desktop Services service displays a Started condition.

Verify that the RDP port has changed

To verify that the RDP port assignment has been changed, utilise the netstat tool:

  1. On the Remote Desktop server, click Start, click Run, type cmd, and then click OK.

  2. At the command prompt, type netstat -a and then press Enter.

  3. Look for an entry for the port number that y'all assigned to RDP. The port should announced in the list and have a condition of Listening.

Important

Remote Desktop Connectedness and the Terminal server Web Client utilize port 3389, by default, to connect to a Remote Desktop server. If you change the RDP port on the Remote Desktop server, you will accept to modify the port used past Remote Desktop Connection and the Remote Desktop server Web Client. For more information, see Alter the listening port for Remote Desktop on your computer.

Verify that the listener on the Remote Desktop server is working

To verify that the listener on the Remote Desktop server is working correctly, use any of the following methods.

Note

RDP-TCP is the default connection proper noun and 3389 is the default RDP port. Use the connection name and port number specific to your Remote Desktop server configuration.

  • Method 1

    Use an RDP client, such every bit Remote Desktop Connection, to plant a remote connection to the Remote Desktop server.

  • Method ii

    Use the qwinsta tool to view the listener status on the Remote Desktop server:

    1. On the Remote Desktop server, click Starting time, click Run, blazon cmd, then click OK.
    2. At the command prompt, type qwinsta, and then press Enter.
    3. The RDP-TCP session state should be Listen.

  • Method 3

    Use the netstat tool to view the listener status on the Remote Desktop server:

    1. On the Remote Desktop server, click Showtime, click Run, type cmd, and and then click OK.
    2. At the command prompt, type netstat -a then press Enter.
    3. The entry for TCP port 3389 should exist Listening.

  • Method 4

    Use the telnet tool to connect to the RDP port on the Remote Desktop server:

    1. From another computer, click Start, click Run, type cmd, and and so click OK.
    2. At the command prompt, type telnet <servername> 3389 , where <servername> is the name of the Remote Desktop server, and then press Enter.

    If telnet is successful, yous receive the telnet screen and a cursor.

    If telnet is non successful, you receive the following error message:

    Connecting To servername... Could not open connection to the host, on port 3389: Connect failed

    The qwinsta, netstat, and telnet tools are too included in Windows XP and Windows Server 2003. You lot tin can also download and utilize other troubleshooting tools, such as Portqry.

Resolution for Symptom iii

To resolve the effect, configure hallmark and encryption.

To configure authentication and encryption for a connection, follow these steps:

  1. On the RD Session Host server, open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative Tools, betoken to Remote Desktop Services, and and then click Remote Desktop Session Host Configuration.

  2. Under Connections, right-click the name of the connexion, and so click Properties.

  3. In the Properties dialog box for the connexion, on the Full general tab, in Security layer, select a security method.

  4. In Encryption level, click the level that you want. Yous tin select Low, Client Compatible, Loftier, or FIPS Compliant. See Pace 4 higher up for Windows Server 2003 for Security layer and Encryption level options.

Annotation

  • To perform this procedure, you must be a member of the Administrators group on the local calculator, or you lot must have been delegated the appropriate authority. If the estimator is joined to a domain, members of the Domain Admins group might be able to perform this process. As a security best exercise, consider using Run as to perform this process.
  • To open Remote Desktop Services Configuration, click Start, click Control Console, double-click Administrative Tools, and so double-click Remote Desktop Services Configuration.
  • Any encryption level settings that you configure in Group Policy override the configuration that you set by using the Remote Desktop Services Configuration tool. Too, if yous enable the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Grouping Policy setting, this setting overrides the Set client connectedness encryption level Group Policy setting.
  • When you change the encryption level, the new encryption level takes effect the adjacent fourth dimension a user logs on. If you require multiple levels of encryption on i server, install multiple network adapters and configure each adapter separately.
  • To verify that certificate has a corresponding private central, in Remote Desktop Services Configuration, right-click the connection for which you lot want to view the certificate, click the General tab, click Edit, click the certificate that y'all want to view, and then click View Certificate. At the bottom of the General tab, the statement, You lot have a private key that corresponds to this certificate, should appear. You can also view this data by using the Certificates snap-in.
  • The FIPS compliant setting (the Arrangement cryptography: Utilize FIPS compliant algorithms for encryption, hashing, and signing setting in Group Policy or the FIPS Compliant setting in Remote Desktop server Configuration) encrypts and decrypts data sent from the customer to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140-1 encryption algorithms, using Microsoft cryptographic modules. For more information, run into Concluding Services in Windows Server 2003 Technical Reference.
  • The High setting encrypts data sent from the client to the server and from the server to the client by using potent 128-bit encryption.
  • The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported past the customer.
  • The Low setting encrypts data sent from the customer to the server using 56-flake encryption.

Additional troubleshooting step: Enable CAPI2 outcome logs

To assistance troubleshoot this problem, enable CAPI2 event logs on both the client and server computers. This control is shown in the following screenshot.

Expand CAPI2, right-click Operational, and then select the Enable Log option.

Workaround for the issue (You cannot completely disconnect a Remote Desktop server connection) described in Symptom 3

To work around this problem, follow these steps:

  1. Click Commencement, click Run, type gpedit.msc, and so click OK.
  2. Aggrandize Calculator Configuration, expand Authoritative Templates, aggrandize Windows Components, aggrandize Remote Desktop Services, aggrandize Remote Desktop Session Host, and then click Connections.
  3. In the right pane, double-click Configure keep-alive connection interval.
  4. Click Enabled, and then click OK.
  5. Shut Grouping Policy Object Editor, click OK, so quit Active Directory Users and Computers.

Resolution for Symptom 4

Important

This section, method, or job contains steps that tell y'all how to change the registry. However, serious issues might occur if you change the registry incorrectly. Therefore, make sure that you lot follow these steps carefully. For added protection, back up the registry before you modify information technology. Then, y'all tin can restore the registry if a problem occurs. For more information about how to back upwardly and restore the registry, see 322756 How to back up and restore the registry in Windows.

To resolve this problem, back up so remove the X509 Certificate registry keys, restart the figurer, and then reactivate the Remote Desktop Services Licensing server. To do this, follow these steps.

Note

Perform the post-obit procedure on each of the Remote Desktop servers.

  1. Make sure that the Remote Desktop server registry has been successfully backed upwardly.

  2. Outset Registry Editor.

  3. Locate and and so click the post-obit registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM

  4. On the Registry bill of fare, click Consign Registry File.

  5. Type exported- Certificate in the File name box, and so click *Salvage.

    Note

    If you have to restore this registry subkey in the future, double-click the Exported-parameters.reg file that you lot saved in this step.

  6. Correct-click each of the following values, click Delete, and and so click Yes to verify the deletion:

    • Document
    • X509 Certificate
    • X509 Certificate ID
    • X509 Certificate2

  7. Leave Registry Editor, then restart the server.

References

For more information about Remote Desktop Gateway, meet the post-obit articles:

  • 967933 Fault message when a remote user tries to connect to a resource on a Windows Server 2008-based figurer through TS Gateway by using the FQDN of the resource: "Remote Desktop Asunder"

  • 329896 Considering of a security error, the client could not connect to the Remote Desktop server

  • Group Policy Settings for Remote Desktop Services in Windows Server 2008 R2

  • Troubleshooting General Remote Desktop Error Letters

If this article does not aid yous resolve the problem, or if you experience symptoms that differ from those that are described in this article, visit the Microsoft Support for more than data. To search your consequence, in the Search back up for help box, type the text of the mistake message that you received, or blazon a description of the problem.