TERMINAL SERVER: CANNOT CREATE A SESSION / SESSION DISCONNECTS

Description: There are different situations that need to be specifically identified and isolated while troubleshooting problems about connecting to a Terminal Server, creating a session, suddenly disconnected or logged off. Those different behaviors will have different causes and the troubleshooting method might be completely different from each other.

Scoping the Issue:  Let’s isolate the different symptoms first:

1. Do we actually create a session?  If either of the two scenarios below is what you are experiencing, then a session is being created:
• If we see the desktop loaded, but we are suddenly disconnected, or ..
• We stay in the "Applying User Settings" screen after entering credentials but never get access to the session
2. If neither of the above scenarios applies, then we are probably not creating a session at all:
• You open rdp client (mstsc.exe), inform the server you want to connect to and you just receive a message like “the computer can’t connect to the remote computer”
• You open rdp client (mstsc.exe), inform the server you want to connect to and receive a message like this: “Because of a security error, the client could not connect to the terminal server ... "

Data Gathering:  In all instances, collecting either MPS Reports with the General, Internet and Networking, Business Networks and Server Components diagnostics, or a Performance-oriented MSDT manifest must be done.  Additional data required may include the following:

• Details on your Terminal Server Web Access configuration, including the name of the server where a list of RemoteApps will be loaded and if you are trying to load RemoteApps from a Terminal Server Farm.
• If you are having problems installing the Terminal Server Web Access role, ensure that you capture the Server Manager log and the CBS logs

Troubleshooting / Resolution:  Troubleshooting will depend on which problem you are experiencing:

If a Session is being Created:

• Besides the MPS Reports or MSDT described above, a screen shot of any error messages
• If we are able to identify that an actual logoff happens, or we are stuck at the “Applying User Settings” screen, we will probably need to engage Directory Services and capture Userenv logs for analysis
• However, if the session is being disconnected, then we may need to capture a Network Monitor trace at the time of the failure
• Check to see if there are any policies that determine session disconnection (or logoff) after idle time.  Run the command “gpresult –v” from a cmd while logged on as the user with problems and save the output to a text file.  If we are unable to do this because of the disconnects, then capturing the RSOP data from the Terminal Servers OU in Active Directory would be an alternative.  An overview of group policies can be found in our post, The Basics of Group Policies
• If we have the specific message : “Because of a security error, the client could not connect to the terminal server………” we want to follow steps indicated on the doc 329896

If a Session is not being Created:

• Collect an output of the following cmd command from the Terminal server “netstat –an”
• Check to see if the same symptom happens using IP Address of the server instead of Name of TS
• Check to see if the same error is happening while connecting from a different client
• Verify if the same behavior happens while client is on the same subnet of Terminal Server
• Verify if the same behavior happens while connecting from the console of TS itself
• Collect a screen shot of the message you get during the failure
• Collect a network trace using Network Monitor 3
  

Additional Resources:

• Microsoft KB Article 221833: How to enable User environment debug logging in retail builds of Windows
• Microsoft KB Article 933741: Information about Network Monitor 3
• Microsoft KB Article 323276: How to install and use RSoP in Windows Server 2003
• Microsoft KB Article 329896: Because of a security error, the client could not connect to the Terminal Server
• TechNet: All Group Policy Settings for Terminal Services in Windows Server 2008 
• AskPerf Blog: The Basics of Group Policies