Error message when you try to connect to a terminal server using a Windows Server 2008-based computer that has the Single Sign-on functionality enabled: The logon attempt failed


Article ID : 954397
Last Review : July 3, 2008
Revision : 1.0

SYMPTOMS

You are using a Windows Server 2008-based computer that has the Single Sign-on functionality enabled. When you try to connect to a terminal server that has Windows Vista Remote Desktop Protocol (RDP) clients that use the default credentials, you experience one of the following symptoms.

Symptom 1

When you try to connect to a terminal server that is hosted behind a corporate firewall by using a Terminal Services (TS) Gateway server, the terminal server client does not have direct connectivity to the key distribution center that is hosted on a domain controller behind the corporate firewall. Therefore, the server authentication that uses the Kerberos protocol fails. Additionally, you receive the following error message:

The logon attempt failed

Symptom 2

When you try to connect to a stand-alone computer, you receive the following error message:

The logon attempt failed

Symptom 3

When you try to connect to a terminal server farm, you notice that the farm names do not have accounts in Active Directory. Therefore, the Kerberos-based server authentication fails. Additionally, you receive the following error message:

The logon attempt failed

CAUSE

This problem occurs because the Windows Vista Credential Delegation policy does not allow the Windows Vista RDP client to send default credentials to a terminal server when the terminal server is not authenticated. By default, the Windows Vista RDP clients use the Kerberos protocol for server authentication. They do not use SSL server certificates. By default, the default credentials do not work if the SSL server certificates are not deployed.


RESOLUTION

Resolution for Symptom 1 and Symptom 2

To resolve the problems that are explained in Symptom 1 and Symptom 2, follow these steps:

1. Use SSL certificates that are issued by a trusted certification authority, and put the server name in the subject field. This is required to enable server authentication.
2. Install the SSL certificates to all the servers that require server authentication.

Resolution for Symptom 3

To resolve the problem that is explained in Symptom 3, follow these steps:

1. Use SSL certificates that are issued by a trusted certification authority, and put the farm name in the subject field. This is required to enable server authentication in a server farm.
2. Install the SSL certificates on all the servers that are available in the farm.


MORE INFORMATION

To set the SSL certificate for a connection, follow these steps:

1. Click Start, click Run, type tsconfig.msc, and then click OK.
2. Double-click the RDP-Tcp connection object.
3. On the General tab, click Select.
4. Select the certificate that you want to assign to the connection, and then click OK.
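
After the certificate is assigned, the following PowerShell check (an added example, not part of the original article) reads the thumbprint bound to the RDP-Tcp listener from the `Win32_TSGeneralSetting` WMI class and confirms that the certificate's subject matches the server or farm name, has a private key, chains to a trusted root, and permits server authentication. It assumes PowerShell 2.0 or later and an elevated session on the terminal server; the function name and the `ExpectedName` parameter are hypothetical.

```powershell
# Added example, not from the KB article. Run elevated on the terminal server.
param(
    # Assumption: the name clients connect to (server name, or farm name for a farm).
    [Parameter(Mandatory = $true)][string]$ExpectedName
)

function Test-RdpListenerCertificate {
    param([string]$ExpectedName, [string]$Thumbprint)

    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) {
        return "Certificate '$Thumbprint' was not found in LocalMachine\My"
    }
    $findings = @()

    # The subject must carry the server or farm name the client asked for.
    $simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn = $cert.GetNameInfo($simpleName, $false)
    if ($cn -ne $ExpectedName) {
        $findings += "Subject name '$cn' does not match '$ExpectedName'"
    }

    # The server needs the private key to complete the TLS handshake.
    if (-not $cert.HasPrivateKey) {
        $findings += "Certificate has no associated private key"
    }

    # Verify() builds the chain with the default policy on this machine;
    # the connecting client must trust the issuing CA as well.
    if (-not $cert.Verify()) {
        $findings += "Chain does not validate to a trusted root on this server"
    }

    # If an EKU extension is present it must include Server Authentication.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and -not ($eku.EnhancedKeyUsages |
            Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
        $findings += "Enhanced Key Usage lacks Server Authentication"
    }
    return $findings
}

$listener = Get-WmiObject -Namespace root\cimv2\TerminalServices `
    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" `
    -Authentication PacketPrivacy
$problems = Test-RdpListenerCertificate $ExpectedName $listener.SSLCertificateSHA1Hash
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else {
    Write-Output "RDP-Tcp certificate matches '$ExpectedName' and validates" }
```

For a farm, run it on every member with the farm name as `ExpectedName`, since each server must present a certificate for that name.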



APPLIES TO
• Windows Server 2008 Standard
• Windows Server 2008 Enterprise
• Windows Server 2008 Datacenter
• Windows Server 2008 Standard without Hyper-V
• Windows Server 2008 Enterprise without Hyper-V
• Windows Server 2008 Datacenter without Hyper-V
• Windows Server 2008 for Itanium-Based Systems


Keywords: 
kbexpertiseadvanced kbtshoot kberrmsg kbprb KB954397


Microsoft Knowledge Base Article

The contents of this article are Microsoft copyrighted material.
Microsoft Corporation. All rights reserved.

