Troubleshoot Remote desktop disconnected errors

This article helps you understand the most common settings that are used to establish a Remote Desktop session in an enterprise environment, and provides troubleshooting information for Remote desktop disconnected errors.

Applies to: Windows Server 2012 R2
Original KB number: 2477176

Note

This article is intended for use by support agents and IT professionals.

Remote Desktop Server

A Remote Desktop Session Host server is the server that hosts Windows-based programs or the full Windows desktop for Remote Desktop Services clients. Users can connect to an RD Session Host server to run programs, to save files, and to use network resources on that server. Users can access an RD Session Host server from within a corporate network or from the Internet.

Remote Desktop Session Host (RD Session Host) was formerly known as the Remote Desktop server role service, and Remote Desktop Session Host (RD Session Host) server was formerly known as Remote Desktop server.

Remote connections for administration

Remote Desktop supports two concurrent remote connections to the computer. You do not have to have Remote Desktop Services client access licenses (RDS CALs) for these connections.

To allow more than two administrative connections or multiple user connections, you must install the RD Session Host Role and have appropriate RDS CALs.

Symptom 1: Limited Remote Desktop session or Remote Desktop Services session connections

When you try to make a Remote Desktop Connection (RDC) to a remote computer or to a Remote Desktop server (Terminal Server) that is running Windows Server 2008 R2, you receive one of the following error messages:

Remote Desktop Disconnected.
This computer can't connect to the remote computer.
Try connecting again. If the problem continues, contact the owner of the remote computer or your network administrator.

Also, you are limited in the number of users who can connect simultaneously to a Remote Desktop session or Remote Desktop Services session. A limited number of RDP connections can be caused by misconfigured Group Policy or RDP-TCP properties in Remote Desktop Services Configuration. By default, the connection is configured to allow an unlimited number of sessions to connect to the server.

Symptom 2: Port assignment conflict

You experience a port assignment conflict. This problem might indicate that another application on the Remote Desktop server is using the same TCP port as the Remote Desktop Protocol (RDP). The default port assigned to RDP is 3389.

Symptom 3: Incorrectly configured authentication and encryption settings

After a Remote Desktop server client loses the connection to a Remote Desktop server, you experience one of the following symptoms:

  • You cannot make a connection by using RDP.
  • The session on the Remote Desktop server does not transition to a disconnected state. Instead, it remains active even though the client is physically disconnected from the Remote Desktop server.

If the client logs back in to the same Remote Desktop server, a new session may be established, and the original session may remain active.

Also, you receive one of the following error messages:

  • Error message 1

    Because of a security error, the client could not connect to the Terminal server. After making sure that you are logged on to the network, try connecting to the server again.

  • Error message 2

    Remote desktop disconnected. Because of a security error, the client could not connect to the remote computer. Verify that you are logged onto the network and then try connecting again.

Symptom 4: License certificate corruption

Remote Desktop Services clients are repeatedly denied access to the Remote Desktop server. If you are using a Remote Desktop Services client to log on to the Remote Desktop server, you may receive one of the following error messages.

  • Error message 1

    Because of a security error, the client could not connect to the Terminal server. After making sure that you are logged on to the network, try connecting to the server again.

  • Error message 2

    Remote desktop disconnected. Because of a security error, the client could not connect to the remote computer. Verify that you are logged onto the network and then try connecting again.

  • Error message 3

    Because of a security error, the client could not connect to the Terminal server. After making sure that you are logged on to the network, try connecting to the server again.
    Remote desktop disconnected. Because of a security error, the client could not connect to the remote computer. Verify that you are logged onto the network and then try connecting again.

Additionally, the following event ID messages may be logged in Event Viewer on the Remote Desktop server.

  • Event message 1

    Event ID: 50
    Event Source: TermDD
    Event Description: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

  • Event message 2

    Event ID: 1088
    Event Source: TermService
    Event Description: The terminal services licensing grace period has expired and the service has not registered with a license server. A terminal services license server is required for continuous operation. A terminal server can operate without a license server for 90 days after initial start up.

  • Event message 3

    Event ID: 1004
    Event Source: TermService
    Event Description: The terminal server cannot issue a client license.

  • Event message 4

    Event ID: 1010
    Event Source: TermService
    Event Description: The terminal services could not locate a license server. Confirm that all license servers on the network are registered in WINS/DNS, accepting network requests, and the Terminal Services Licensing Service is running.

  • Event message 5

    Event ID: 28
    Event Source: TermServLicensing
    Event Description: Terminal Services Licensing can only be run on Domain Controllers or Server in a Workgroup. See Terminal Server Licensing help topic for more information.
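
The following PowerShell sketch is an added example, not part of the original article. It searches for the five source and event ID pairs listed above and summarizes how often each occurred. It assumes the events are written to the System log and uses a seven-day window chosen for illustration.

```powershell
# Source/ID pairs taken from the event messages listed in this article.
$signatures = @(
    @{ Source = 'TermDD';            Id = 50;   Meaning = 'X.224 protocol stream error, client disconnected' }
    @{ Source = 'TermService';       Id = 1088; Meaning = 'Licensing grace period expired' }
    @{ Source = 'TermService';       Id = 1004; Meaning = 'Server cannot issue a client license' }
    @{ Source = 'TermService';       Id = 1010; Meaning = 'License server could not be located' }
    @{ Source = 'TermServLicensing'; Id = 28;   Meaning = 'Licensing role installed on an unsupported server type' }
)

# Assumption: a seven-day look-back window; widen it for slow-burning licensing problems.
$since = (Get-Date).AddDays(-7)

$hits = @(foreach ($sig in $signatures) {
    $filter = @{
        LogName      = 'System'      # assumption: these sources log to the System log
        ProviderName = $sig.Source
        Id           = $sig.Id
        StartTime    = $since
    }
    try {
        Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
            Select-Object TimeCreated, ProviderName, Id,
                @{ Name = 'Meaning'; Expression = { $sig.Meaning } }
    } catch {
        # Get-WinEvent raises an error when nothing matches or the source
        # is not registered on this server; both mean "no hits" here.
    }
})

# One summary row per signature that actually fired.
$summary = $hits | Group-Object ProviderName, Id | ForEach-Object {
    $ordered = @($_.Group | Sort-Object TimeCreated)
    [pscustomobject]@{
        Source  = $ordered[0].ProviderName
        EventId = $ordered[0].Id
        Count   = $_.Count
        First   = $ordered[0].TimeCreated
        Last    = $ordered[-1].TimeCreated
        Meaning = $ordered[0].Meaning
    }
}

if ($summary) {
    $summary | Sort-Object Last -Descending | Format-Table -AutoSize
} else {
    Write-Output "None of the listed TermDD/TermService/TermServLicensing events since $since."
}
```

Event 50 pointing at Symptom 3 and events 1004, 1010, 1088, or 28 pointing at the licensing problem in Symptom 4 is a triage shortcut, so run the query on the Remote Desktop server itself before changing any settings.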

Resolution for Symptom 1

To resolve this problem, use the following methods, as appropriate.

Verify Remote Desktop is enabled

  1. Open the System item in Control Panel. To start the System tool, click Start, click Control Panel, click System, and then click OK.

  2. Under Control Panel Home, click Remote settings.

  3. Click the Remote tab.

  4. Under Remote Desktop, select either of the available options, depending on your security requirements:

    • Allow connections from computers running any version of Remote Desktop (less secure)

    • Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)

If you select Don't allow connections to this computer on the Remote tab, no users will be able to connect remotely to this computer, even if they are members of the Remote Desktop Users group.

Verify Remote Desktop Services Limit number of connections policy

  1. Start the Group Policy snap-in, then open the Local Security Policy or the appropriate Group Policy.

  2. Locate the following command:

    Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections > Limit number of connections

  3. Click Enabled.

  4. In the RD Maximum Connections allowed box, type the maximum number of connections that you want to allow, and then click OK.

Verify Remote Desktop Services RDP-TCP properties

Follow these steps, depending on your operating system version.

Setting via Remote Desktop Services Configuration

Configure the number of simultaneous remote connections allowed for a connection:

  1. On the RD Session Host server, open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.

  2. Under Connections, right-click the name of the connection, and then click Properties.

  3. On the Network Adapter tab, click Maximum connections, enter the number of simultaneous remote connections that you want to allow for the connection, and then click OK.

  4. If the Maximum connections option is selected and dimmed, the Limit number of connections Group Policy setting has been enabled and has been applied to the RD Session Host server.

Verify Remote Desktop Services Logon rights

Configure the Remote Desktop Users Group.

The Remote Desktop Users group on an RD Session Host server grants users and groups permission to remotely connect to an RD Session Host server. You can add users and groups to the Remote Desktop Users group by using the following tools:

  • Local Users and Groups snap-in
  • The Remote tab in the System Properties dialog box on an RD Session Host server
  • Active Directory Users and Computers snap-in, if the RD Session Host server is installed on a domain controller

You can use the following procedure to add users and groups to the Remote Desktop Users group by using the Remote tab in the System Properties dialog box on an RD Session Host server.

Membership in the local Administrators group, or equivalent, on the RD Session Host server that you plan to configure, is the minimum required to complete this procedure.

Add users and groups to the Remote Desktop Users group by using the Remote tab

  1. Start the System tool. To do this, click Start, click Control Panel, click the System icon, and then click OK.

  2. Under Control Panel Home, click Remote settings.

  3. On the Remote tab in the System Properties dialog box, click Select Users. Add the users or groups that have to connect to the RD Session Host server by using Remote Desktop.

Note

If you select the Don't allow connections to this computer option on the Remote tab, no users will be able to connect remotely to this computer, even if they are members of the Remote Desktop Users group.

Add users and groups to the Remote Desktop Users group by using Local Users and Groups snap-in

  1. Click Start, click Administrative Tools, and then click Computer Management.
  2. In the console tree, click the Local Users and Groups node.
  3. In the details pane, double-click the Groups folder.
  4. Double-click Remote Desktop Users, and then click Add.
  5. In the Select Users dialog box, click Locations to specify the search location.
  6. Click Object Types to specify the types of objects that you want to search for.
  7. In the Enter the object names to select (examples) box, type the name you want to add.
  8. Click Check Names.
  9. When the name is located, click OK.

Note

  • You can't connect to a computer that's asleep or hibernating, so make sure the settings for sleep and hibernation on the remote computer are set to Never. (Hibernation isn't available on all computers.) For information about making those changes, see Change, create, or delete a power plan (scheme).
  • You can't use Remote Desktop Connection to connect to a computer using Windows 7 Starter, Windows 7 Home Basic, or Windows 7 Home Premium.
  • Members of the local Administrators group can connect even if they are not listed.

Resolution for Symptom 2

Important

This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see How to back up and restore the registry in Windows.

To resolve this problem, determine which application is using the same port as RDP. If the port assignment for that application cannot be changed, change the port assigned to RDP by changing the registry. After you change the registry, you must restart the Remote Desktop Services service. After you restart the Remote Desktop Services service, you should verify that the RDP port has been changed correctly.

Remote Desktop server listener availability

The listener component runs on the Remote Desktop server and is responsible for listening for and accepting new Remote Desktop Protocol (RDP) client connections, thereby allowing users to establish new remote sessions on the Remote Desktop server. There is a listener for each Remote Desktop Services connection that exists on the Remote Desktop server. Connections can be created and configured by using the Remote Desktop Services Configuration tool.

To perform these tasks, refer to the following sections.

Determine which application is using the same port as RDP

You can run the netstat tool to determine whether port 3389 (or the assigned RDP port) is being used by another application on the Remote Desktop server:

  1. On the Remote Desktop server, click Start, click Run, type cmd, and then click OK.
  2. At the command prompt, type netstat -a -o and then press Enter.
  3. Look for an entry for TCP port 3389 (or the assigned RDP port) with a status of Listening. This indicates another application is using this port. The PID (Process Identifier) of the process or service using that port appears under the PID column.

To determine which application is using port 3389 (or the assigned RDP port), use the tasklist command-line tool along with the PID information from the netstat tool:

  1. On the Remote Desktop server, click Start, click Run, type cmd, and then click OK.
  2. Type tasklist /svc and then press Enter.
  3. Look for an entry for the PID number that is associated with the port (from the netstat output). The services or processes that are associated with that PID appear on the right.

Change the port assigned to RDP

You should determine whether this application can use a different port. If you cannot change the application's port, you must change the port that is assigned to RDP.

Important

We recommend that you do not change the port that is assigned to RDP.

If you have to change the port assigned to RDP, you must change the registry. To do this, you must be a member of the local Administrators group, or you must have been granted the appropriate permissions.

To change the port that is assigned to RDP, follow these steps:

  1. On the Remote Desktop server, open Registry Editor. To open Registry Editor, click Start, click Run, type regedit, and then click OK.

  2. If the User Account Control dialog box appears, verify that the action it displays is what you want, and then click Continue.

  3. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations

RDP-TCP is the default connection name. To change the port for a specific connection on the Remote Desktop server, select the connection under the WinStations key:

  1. In the details pane, double-click the PortNumber registry entry.
  2. Type the port number that you want to assign to RDP.
  3. Click OK to save the change, and then close Registry Editor.

Restart the Remote Desktop Services service

For the RDP port assignment change to take effect, stop and start the Remote Desktop Services service. To do this, you must be a member of the local Administrators group, or you must have been granted the appropriate permissions.

To stop and start the Remote Desktop Services service, follow these steps:

  1. On the Remote Desktop server, open the Services snap-in. To do this, click Start, point to Administrative Tools, and then click Services.

  2. If the User Account Control dialog box appears, verify that the action it displays is what you want, and then click Continue.

  3. In the Services pane, right-click Remote Desktop Services, and then click Restart.

  4. If you are prompted to restart other services, click Yes.

  5. Verify that the Status column for the Remote Desktop Services service displays a Started status.

Verify that the RDP port has changed

To verify that the RDP port assignment has been changed, use the netstat tool:

  1. On the Remote Desktop server, click Start, click Run, type cmd, and then click OK.

  2. At the command prompt, type netstat -a and then press Enter.

  3. Look for an entry for the port number that you assigned to RDP. The port should appear in the list and have a status of Listening.

Important

Remote Desktop Connection and the Terminal server Web Client use port 3389, by default, to connect to a Remote Desktop server. If you change the RDP port on the Remote Desktop server, you will have to modify the port used by Remote Desktop Connection and the Remote Desktop server Web Client. For more information, see Change the listening port for Remote Desktop on your computer.
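
The netstat and tasklist steps above can be combined into one check. The following PowerShell is an added example, not part of the original article: it reads PortNumber for the default RDP-Tcp connection under the Terminal Server\WinStations key, lists every listener on that port, and flags any listener whose process does not host Remote Desktop Services. It assumes the NetTCPIP cmdlets (Windows Server 2012 or later) and an elevated prompt.

```powershell
# RDP-Tcp is the default connection name; change it for a custom connection.
$connection = 'RDP-Tcp'
$key = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\$connection"

# Port the listener is configured to use (3389 unless it was changed).
$rdpPort = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber

# Listening sockets on that port with their owning PID (what "netstat -a -o" shows).
$listeners = @(Get-NetTCPConnection -State Listen -LocalPort $rdpPort -ErrorAction SilentlyContinue)

$report = @(foreach ($l in $listeners) {
    $owner = $l.OwningProcess
    $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue

    # Running services hosted in that process (what "tasklist /svc" shows).
    # The State filter excludes stopped services, which report ProcessId 0.
    $services = @(Get-CimInstance -ClassName Win32_Service `
            -Filter "ProcessId = $owner AND State = 'Running'" |
        Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        LocalAddress = $l.LocalAddress
        LocalPort    = $l.LocalPort
        OwningPid    = $owner
        Process      = $proc.ProcessName
        Services     = $services -join ', '
        # TermService is the service name of Remote Desktop Services.
        OwnedByRdp   = $services -contains 'TermService'
    }
})

$report | Format-Table -AutoSize

if ($report.Count -eq 0) {
    Write-Warning "Nothing is listening on TCP $rdpPort. Confirm that Remote Desktop Services is started."
}

# Any listener not backed by TermService is the conflicting application.
foreach ($row in $report | Where-Object { -not $_.OwnedByRdp }) {
    Write-Warning ("TCP {0} on {1} is held by PID {2} ({3}), not by Remote Desktop Services." -f `
        $row.LocalPort, $row.LocalAddress, $row.OwningPid, $row.Process)
}
```

Run it before and after a port change: the configured port should show only rows with OwnedByRdp set to True once the Remote Desktop Services service has been restarted.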

Verify that the listener on the Remote Desktop server is working

To verify that the listener on the Remote Desktop server is working correctly, use any of the following methods.

Note

RDP-TCP is the default connection name and 3389 is the default RDP port. Use the connection name and port number specific to your Remote Desktop server configuration.

  • Method 1

    Use an RDP client, such as Remote Desktop Connection, to establish a remote connection to the Remote Desktop server.

  • Method 2

    Use the qwinsta tool to view the listener status on the Remote Desktop server:

    1. On the Remote Desktop server, click Start, click Run, type cmd, and then click OK.
    2. At the command prompt, type qwinsta, and then press Enter.
    3. The RDP-TCP session state should be Listen.
  • Method 3

    Use the netstat tool to view the listener status on the Remote Desktop server:

    1. On the Remote Desktop server, click Start, click Run, type cmd, and then click OK.
    2. At the command prompt, type netstat -a and then press Enter.
    3. The entry for TCP port 3389 should be Listening.
  • Method 4

    Use the telnet tool to connect to the RDP port on the Remote Desktop server:

    1. From another computer, click Start, click Run, type cmd, and then click OK.
    2. At the command prompt, type telnet <servername> 3389, where <servername> is the name of the Remote Desktop server, and then press Enter.

    If telnet is successful, you receive the telnet screen and a cursor.

    If telnet is not successful, you receive the following error message:

    Connecting To servername... Could not open connection to the host, on port 3389: Connect failed

    The qwinsta, netstat, and telnet tools are also included in Windows XP and Windows Server 2003. You can also download and use other troubleshooting tools, such as Portqry.

Resolution for Symptom 3

To resolve the issue, configure authentication and encryption.

To configure authentication and encryption for a connection, follow these steps:

  1. On the RD Session Host server, open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.

  2. Under Connections, right-click the name of the connection, and then click Properties.

  3. In the Properties dialog box for the connection, on the General tab, in Security layer, select a security method.

  4. In Encryption level, click the level that you want. You can select Low, Client Compatible, High, or FIPS Compliant. See Step 4 above for Windows Server 2003 for Security layer and Encryption level options.

Note

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
  • To open Remote Desktop Services Configuration, click Start, click Control Panel, double-click Administrative Tools, and then double-click Remote Desktop Services Configuration.
  • Any encryption level settings that you configure in Group Policy override the configuration that you set by using the Remote Desktop Services Configuration tool. Also, if you enable the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Group Policy setting, this setting overrides the Set client connection encryption level Group Policy setting.
  • When you change the encryption level, the new encryption level takes effect the next time a user logs on. If you require multiple levels of encryption on one server, install multiple network adapters and configure each adapter separately.
  • To verify that the certificate has a corresponding private key, in Remote Desktop Services Configuration, right-click the connection for which you want to view the certificate, click the General tab, click Edit, click the certificate that you want to view, and then click View Certificate. At the bottom of the General tab, the statement, You have a private key that corresponds to this certificate, should appear. You can also view this information by using the Certificates snap-in.
  • The FIPS compliant setting (the System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing setting in Group Policy or the FIPS Compliant setting in Remote Desktop server Configuration) encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140-1 encryption algorithms, using Microsoft cryptographic modules. For more information, see Terminal Services in Windows Server 2003 Technical Reference.
  • The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption.
  • The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client.
  • The Low setting encrypts data sent from the client to the server using 56-bit encryption.
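
Because Group Policy and the FIPS policy override what the configuration tool shows, it helps to compute the value that actually applies. The following PowerShell is an added example, not part of the original article. The registry locations and value names it reads (MinEncryptionLevel, SecurityLayer, and UserAuthentication under the RDP-Tcp connection and under the Terminal Services policy key, plus the FipsAlgorithmPolicy key) do not appear in this article and are assumptions to confirm on your build.

```powershell
# Assumed registry locations (not from the article).
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$fipsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

# Labels as shown in the configuration tool.
$labels = @{
    MinEncryptionLevel = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
    SecurityLayer      = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
    UserAuthentication = @{ 0 = 'NLA not required'; 1 = 'NLA required' }
}

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Emits nothing (so the caller sees $null) when the key or value is missing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-EffectiveRdpSetting {
    param([string]$Name)

    # Group Policy wins over the per-connection value when it is configured.
    $source = 'Group Policy'
    $value  = Get-RegValue -Path $policyKey -Name $Name
    if ($null -eq $value) {
        $source = 'Connection (RDP-Tcp)'
        $value  = Get-RegValue -Path $listenerKey -Name $Name
    }

    # The system-wide FIPS policy overrides any configured encryption level.
    if ($Name -eq 'MinEncryptionLevel' -and (Get-RegValue -Path $fipsKey -Name Enabled) -eq 1) {
        $source = 'System cryptography FIPS policy'
        $value  = 4
    }

    $meaning = if ($null -ne $value) { $labels[$Name][[int]$value] } else { 'not set' }
    [pscustomobject]@{ Setting = $Name; Value = $value; Meaning = $meaning; Source = $source }
}

$settings = 'MinEncryptionLevel', 'SecurityLayer', 'UserAuthentication' |
    ForEach-Object { Get-EffectiveRdpSetting -Name $_ }
$settings | Format-Table -AutoSize

# Flag the weaker choices described in this article.
switch (($settings | Where-Object Setting -eq 'MinEncryptionLevel').Value) {
    1 { Write-Warning 'Low: only client-to-server data is encrypted, with 56-bit encryption.' }
    2 { Write-Warning 'Client Compatible: key strength falls to whatever the client supports.' }
}
if (($settings | Where-Object Setting -eq 'UserAuthentication').Value -eq 0) {
    Write-Warning 'Network Level Authentication is not required (the "less secure" Remote tab option).'
}
```

The Source column shows where to make a change: a value sourced from Group Policy has to be fixed in the policy, not in the connection properties.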

Additional troubleshooting step: Enable CAPI2 event logs

To help troubleshoot this problem, enable CAPI2 event logs on both the client and server computers. This command is shown in the following screenshot.

Expand CAPI2, right-click Operational, and then select the Enable Log option.

Workaround for the issue (You cannot completely disconnect a Remote Desktop server connection) described in Symptom 3

To work around this problem, follow these steps:

  1. Click Start, click Run, type gpedit.msc, and then click OK.
  2. Expand Computer Configuration, expand Administrative Templates, expand Windows Components, expand Remote Desktop Services, expand Remote Desktop Session Host, and then click Connections.
  3. In the right pane, double-click Configure keep-alive connection interval.
  4. Click Enabled, and then click OK.
  5. Close Group Policy Object Editor, click OK, and then quit Active Directory Users and Computers.

Resolution for Symptom 4

Important

This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see 322756 How to back up and restore the registry in Windows.

To resolve this problem, back up and then remove the X509 Certificate registry keys, restart the computer, and then reactivate the Remote Desktop Services Licensing server. To do this, follow these steps.

Note

Perform the following procedure on each of the Remote Desktop servers.

  1. Make sure that the Remote Desktop server registry has been successfully backed up.

  2. Start Registry Editor.

  3. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\RCM

  4. On the Registry menu, click Export Registry File.

  5. Type exported-Certificate in the File name box, and then click Save.

    Note

    If you have to restore this registry subkey in the future, double-click the Exported-parameters.reg file that you saved in this step.

  6. Right-click each of the following values, click Delete, and then click Yes to verify the deletion:

    • Certificate
    • X509 Certificate
    • X509 Certificate ID
    • X509 Certificate2
  7. Exit Registry Editor, and then restart the server.

References

For more information about Remote Desktop Gateway, see the following articles:

  • 967933 Error message when a remote user tries to connect to a resource on a Windows Server 2008-based computer through TS Gateway by using the FQDN of the resource: "Remote Desktop Disconnected"

  • 329896 Because of a security error, the client could not connect to the Remote Desktop server

  • Group Policy Settings for Remote Desktop Services in Windows Server 2008 R2

  • Troubleshooting General Remote Desktop Error Messages

If this article does not help you resolve the problem, or if you experience symptoms that differ from those that are described in this article, visit the Microsoft Support for more information. To search your issue, in the Search support for help box, type the text of the error message that you received, or type a description of the problem.