General considerations
Use a layer-to-layer troubleshooting when diagnosing any issue. First, make sure the basic connectivity is working, then move to the next level and continue up to the application layer. Apply the appropriate layer-specific troubleshooting methods.
SPS syslog usually guides you to the proper direction by displaying useful information regarding to the issue you are facing with.
-
It is strongly advised to collect SPS syslog at a central location, because it can contain useful information for future troubleshooting purposes.
-
SPS syslog can contain sensitive information, therefore make sure to limit access to SPS syslog to the appropriate operational staff.
To increase the protocol level debug, navigate to RDP Control > Global Options. Debug level 8 is usually more than enough for diagnostic purposes.
“Domain membership” configuration usually fails because of two reasons:
-
Too much time difference between SPS and the Domain Controller (DC). Make sure that the DC and and SPS are synched to a correct NTP source or SPS is synched to DC itself. To do this, navigate to Basic Settings > Timezone > NTP settings.
-
DNS accessibility / misconfiguration. Make sure your Active Directory DNS services are configured correctly and SPS uses this information (for example DC specified as DNS server in Basic Settings > Network).
Consider to limit the allowed channels for specific connection policies. Using some of the RDP channels may lead to security incidents and/or not allowed to be used by some of the security standards. To configure this, navigate to RDP Control > Channel Policies.
Smartcard authentication cannot be used when Enable Network Level Authentication option is enabled.
Kerberos-based authentication for RDP is currently not supported.
Most common errors and solutions
The following examples may help you to identify the root cause behind a not-working RDP connection
Server is not reachable:
Server is not reachable, either because it is down or network configuration prevents SPS to connect to the server.
Figure 17: Troubleshooting 1
Suggested action: if server can be reached by skipping SPS, verify network configuration
The following is in the log:
In case of domainless NLA the checkbox “Allow me to save credential” is not checked, or local security policy is not modified according to the admin guide.
In this case you may see the following in SPS’s RDP log
Figure 18: Troubleshooting 2
Crypt denied:
You may see “Crypt denied” errors in SPS’s RDP log if the server only supports CredSSP (NLA), but the connection policy allows only RDP5
Figure 19: Troubleshooting 3
The following is in the log during autologin:
User failed to enter ‘username’ in ‘password’ field, so auto logon cannot be performed
Figure 20: Troubleshooting 4
User failed to enter correct credentials for RD Gateway (Terminal Services GW)
Figure 21: Troubleshooting 5
User mapping policy problem. The user is not allowed (based on group membership) to map to the specified remote user
Figure 22: Troubleshooting 6
When user failed to enter domain name into RD Gateway login dialogue (e.g. used only the ‘username’ part of the credential, mstsc will not try to connect to RD Gateway, so nothing is seen in SPS’s log
Figure 23: Troubleshooting 7
