Remote Desktop Connection Troubleshooting and Terminal Services Server Common Issues and Fixes

Article ID: 56258898

Issue / Question

The mobile device cannot connect to the remote server. Remote Desktop Terminal Services Server Errors 0xc000018 0x80090304

Applicable To

MC75A, VC6090, VC70N0, WT41N0, VC6096, MC9000 and 9060 CE, MC75, MC70, MC55, MC9200, MC67NA, MC50, MC9190-G, MC55N0, MC65, MC67ND, MC9090 WM, MC9090 CE, MC9000 and 9060 WM, ES400, MC9500-K, MC45, MC55A0, MC55A0-HC, MC67, VC5090, VC6000, VC70, MC2100, MC3000, MC3100, WT4000, MC17

Resolution / Answer

Device Side Issues

Connection Issues

  1. The date and time are set incorrectly on the device
    • Set the date and time on the device
  2. The domain is not specified when connecting (Error 0xc000018b)
    • Try hostname: computername.domain.com
    • Try username: domain\username
  3. If you have a Windows CE device
    • Try: In the “Advanced” settings of the client, change the authentication setting to “Connect, even if authentication fails”
  4. If you have a Windows CE 7 device
    • Error 0x8009304 - see article 8372
  5. If your server uses a SHA2 or 2048-bit certificate:
    • Windows CE 5, Windows Mobile 5, 6 - You will not be able to connect to your server with this device.
    • Windows Mobile 6.1, 6.5, 6.5.3, and Windows Embedded Handheld (WEH) builds lower than 29299 - You must update your OS to WEH build 29299 or higher. These builds are available on the product page for your device.
  6. If you receive the error “Because of a security error, the client could not connect to the remote computer. Verify that you are logged on to the network, and then try connecting again.” See “Server Side Issues” below
  7. If you are having any other connection issue, capturing a network trace of the connection attempt may reveal additional errors within the RD protocol. Provide the trace to support for analysis.
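
To check item 5 from the server side, the following added example (not part of the original article) reads the certificate bound to the RDP listener and reports its signature algorithm and key size. The function name Test-RdpCertLegacyCompat is hypothetical, and treating any RSA key of 2048 bits or more as the article's "2048-bit" case is an assumption.

```powershell
# Added example, run elevated on the RD Session Host. Read-only.
# Test-RdpCertLegacyCompat is a hypothetical name, not a built-in cmdlet.
function Test-RdpCertLegacyCompat {
    # Thumbprint of the certificate currently bound to the RDP-Tcp listener
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
            -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $thumb = $ts.SSLCertificateSHA1Hash

    # The listener certificate normally sits in the "Remote Desktop" or "My" store
    $cert = Get-ChildItem Cert:\LocalMachine -Recurse |
            Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
    if (-not $cert) { throw "Listener certificate $thumb not found in LocalMachine stores" }

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $keyBits = if ($rsa) { $rsa.KeySize } else { $null }   # $null for non-RSA keys
    $sigAlg  = $cert.SignatureAlgorithm.FriendlyName       # e.g. sha1RSA, sha256RSA

    $isSha2 = $sigAlg -match 'sha(256|384|512)'
    # Assumption: 2048 bits or larger is handled like the article's "2048-bit" case
    $is2048 = ($null -ne $keyBits) -and ($keyBits -ge 2048)

    $notes = @()
    if ($isSha2 -or $is2048) {
        $notes += 'Windows CE 5 / Windows Mobile 5, 6: cannot connect'
        $notes += 'Windows Mobile 6.1, 6.5, 6.5.3, WEH: needs WEH build 29299 or higher'
    }

    [pscustomobject]@{
        Thumbprint         = $thumb
        Subject            = $cert.Subject
        NotAfter           = $cert.NotAfter
        SignatureAlgorithm = $sigAlg
        KeyBits            = $keyBits
        AffectsLegacy      = ($isSha2 -or $is2048)
        Notes              = $notes -join '; '
    }
}

Test-RdpCertLegacyCompat | Format-List
```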


 
Client Issues

  1. Windows CE5
    1. Unit does not go to sleep with no activity while RDP client is running - SPR 15909
  2. Windows CE6
    • GUI Errors (SPR 18709)
    • Redraw issue (SPR 23637)
    • 14 Character max in username field (SPR 23637 / SPR 20465 / SPR 23317 / 26247)
    • RDP in CE6 doesn't show the reconnect message immediately after disconnection (SPR 21371)
  3. Windows CE7
    • WT41N0 Client not visible (Update to the latest OS or contact support regarding SPR 18709)
    • MC92N0 Client not visible (Update to the latest OS or contact support regarding SPR 18709)
    • Redraw issue (SPR 24637 / SPR 25142)
  4. Windows Mobile 6.1
    • Client is missing (Update to the latest OS / SPR 16551)
  5. Windows Mobile 6.5
    1. RDP displays grid on remote windows applications (SPR 23112)
    2. White bar left when RDP client screen is opened - SPR 25677
    3. Client does not support TLS
    4. Client does not support CredSSP
    5. Client does not support Early User Authorization Result PDU


Server Side Issues

After each step, check to see if the error has changed or the issue has been resolved.

  1. On Server 2008 or below, the general security settings may be too strict to allow the client on the device to connect. Lower them to allow it:
    • Navigate to Start > Administrative Tools > Remote Desktop Services > Remote Desktop Session Host Configuration.
    • With RD Session Host Configuration selected, look under Connections.
    • Right-click the RDP listener with connection type Microsoft RDP x.y and choose Properties.
    • On the General tab of the Properties dialog box, under Security, select RDP Security Layer as the Security Layer.
    • Click OK
  2. If you recently configured Remote Desktop Licensing or receive the error: “Because of a security error, the client could not connect to the remote computer. Verify that you are logged on to the network, and then try connecting again.”
    1. Go to RD Licensing Manager
    2. Right click on your Licensing Server name and select properties.
    3. Change Connection Method to 'Web Browser'
    4. Go back to the Licensing Server and right click on your server.  Select Advanced -> 'Reactivate Server'
    5. Reactivate the server via the given Wizard + web browser
    6. Delete the following registry keys (they will be reset when you reboot) under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM
      • Certificate
      • X509 Certificate
      • X509 Certificate ID
      • X509 Certificate2
    7. Reboot
    • Or try the additional solutions on this link - Read More>>.
  3. If you receive an “An internal error has occurred” error message from the remote desktop client:
    1. Try disabling Network Level Authentication (NLA) in your remote desktop services role
      1. Windows Vista, 7, Server 2008 and Server 2008R2:
        1. Open the Control Panel. Ensure that the control panel is showing items by Category (i.e. not in Classic View). Click on System and Security and under System click on Allow remote access.
        2. Under the Remote Desktop group choose Allow connections from computers running any version of Remote Desktop (less secure).
      2. Windows 8 and Windows Server 2012 and Server 2012R2
        1. Open the Control Panel. Ensure that the control panel is showing items by Category. Click on System and Security and under System click on Allow remote access.
        2. Under the Remote Desktop group un-tick the checkbox Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)
      3. Windows 10 and Server 2016
        1. Open the Control Panel. Ensure that the control panel is showing items by Category (i.e. not in Classic View). Click on System and Security and under System click on Allow remote access.
        2. Under the Remote group choose Allow remote connections to this computer.
      4. With the RD Session Host Role
        1. On the RD Session Host server, open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.
        2. Under Connections, right-click the name of the connection, and then click Properties.
        3. On the General tab, un-tick the Allow connections only from computers running Remote Desktop with Network Level Authentication check box. (For maximum compatibility ensure that Security Layer is set to Negotiate)
        4. If the Allow connections only from computers running Remote Desktop with Network Level Authentication check box is selected and is not enabled, the Require user authentication for remote connections by using Network Level Authentication Group Policy setting has been enabled and has been applied to the RD Session Host server.
        5. Click OK.
      5. Windows Server 2012, 2012R2, and Server 2016
        1. On the RD Session Host server, open the Server Manager.
        2. Click on Remote Desktop Services, then under Collections click on the name of the session collection name that you want to modify. Click on Tasks and select Edit properties.
        3. Under the Security tab un-tick the option Allow connections only from computers running Remote Desktop with Network Level Authentication. (For maximum compatibility ensure that Security Layer is set to Negotiate)
        4. If the Allow connections only from computers running Remote Desktop with Network Level Authentication check box is selected and is not enabled, the Require user authentication for remote connections by using Network Level Authentication Group Policy setting has been enabled and has been applied to the RD Session Host server.
        5. Click OK.
    2. You may need to set up/enable a domain for the server
    3. You may need to set up/enable licensing servers for the server
    4. Disable CredSSP on the server
      The Disable-WSManCredSSP cmdlet disables Credential Security Support Provider (CredSSP) authentication on a client or on a server computer. When CredSSP authentication is used, the user credentials are passed to a remote computer to be authenticated.

      Use this cmdlet to disable CredSSP on the client by specifying Client in the Role parameter. This cmdlet performs the following actions:

        • Disables CredSSP on the client. This cmdlet sets the WS-Management setting <localhost|computername>\Client\Auth\CredSSP to false.
        • Removes any WSMan/* setting from the Windows CredSSP policy AllowFreshCredentials on the client.

      Use this cmdlet to disable CredSSP on the server by specifying Server in Role. This cmdlet performs the following action:

        • Disables CredSSP on the server. This cmdlet sets the WS-Management setting <localhost|computername>\Service\Auth\CredSSP to false.

      Caution: CredSSP authentication delegates the user credentials from the local computer to a remote computer. This practice increases the security risk of the remote operation. If the remote computer is compromised, when credentials are passed to it, the credentials can be used to control the network session.

      Examples

      Example 1: Disable CredSSP on a client

        PS C:\> Disable-WSManCredSSP -Role Client

      This command disables CredSSP on the client, which prevents delegation to servers.

      Example 2: Disable CredSSP on a server

        PS C:\> Disable-WSManCredSSP -Role Server

      This command disables CredSSP on the server, which prevents delegation from clients.

      Required Parameters

      -Role

      Specifies whether to disable CredSSP as a client or as a server. The acceptable values for this parameter are: Client and Server.

      If you specify Client, this cmdlet performs the following actions:

        • Disables CredSSP on the client. This cmdlet sets WS-Management setting <localhost|computername>\Client\Auth\CredSSP to false.
        • Removes any WSMan/* setting from the Windows CredSSP policy AllowFreshCredentials on the client.

      If you specify Server, this cmdlet performs the following action:

        • Disables CredSSP on the server. This cmdlet sets the WS-Management setting <localhost|computername>\Service\Auth\CredSSP to false.

        Type: String
        Position: 1
        Default value: None
        Accept pipeline input: False
        Accept wildcard characters: False

      Inputs

      None

      This cmdlet does not accept any input.

      Outputs

      None

      This cmdlet does not generate any output.

      Notes

        • To enable CredSSP authentication, use the Enable-WSManCredSSP cmdlet.
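
Because the server-side steps above lower the Security Layer, turn off NLA and change CredSSP, it helps to record the effective state after each change. The following is an added example, not part of the original article: a read-only report of those settings, including the Group Policy override mentioned in the NLA steps. The function name Get-RdpSecurityPosture is hypothetical; the registry value names are the standard RDP-Tcp listener and Terminal Services policy values.

```powershell
# Added example (not vendor code). Read-only; run elevated on the RD Session Host.
# Get-RdpSecurityPosture is a hypothetical name, not a built-in cmdlet.
function Get-RdpSecurityPosture {
    $listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS)' }

    $local = Get-ItemProperty -Path $listener -ErrorAction Stop
    # Group Policy values, when present, take precedence over the listener values
    # (this is why the NLA check box can appear selected but greyed out)
    $gpo = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue

    $layerFromGpo = $null -ne $gpo.SecurityLayer
    $nlaFromGpo   = $null -ne $gpo.UserAuthentication
    $layer = [int]$(if ($layerFromGpo) { $gpo.SecurityLayer } else { $local.SecurityLayer })
    $nla   = [int]$(if ($nlaFromGpo)   { $gpo.UserAuthentication } else { $local.UserAuthentication })

    # Service-side WS-Management CredSSP flag (the one Disable-WSManCredSSP -Role Server clears)
    $credssp = try { (Get-Item WSMan:\localhost\Service\Auth\CredSSP -ErrorAction Stop).Value } catch { 'unknown' }

    $findings = @()
    if ($layer -eq 0) { $findings += 'Security Layer is RDP Security Layer: server is not authenticated with TLS' }
    if ($nla -eq 0)   { $findings += 'NLA is off: users are not authenticated before a session is created' }
    if ($credssp -eq 'true') { $findings += 'WSMan CredSSP enabled on the service: delegated credentials accepted' }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        SecurityLayer       = $layerNames[$layer]
        SecurityLayerSource = $(if ($layerFromGpo) { 'Group Policy' } else { 'Listener' })
        NlaRequired         = ($nla -eq 1)
        NlaSource           = $(if ($nlaFromGpo) { 'Group Policy' } else { 'Listener' })
        WSManCredSSPService = $credssp
        Findings            = $findings
    }
}

Get-RdpSecurityPosture | Format-List
```

Keeping the output from before and after each step gives a record of which hosts were relaxed for legacy clients and which setting to restore once those clients are updated.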
 

Product Codes

  • ES400 Enterprise Smartphone
  • MC17
  • MC2100 Mobile Computer
  • MC3000 Mobile Device
  • MC3100 Mobile Computer
  • MC45 Mobile Computer
  • MC50 Mobile Computer
  • MC55 Mobile Computer Series
  • MC55A0
  • MC55A0-HC
  • MC55N0
  • MC65 Mobile Computer
  • MC67 NA Mobile Computer
  • MC67ND Mobile Computer
  • MC70 Mobile Computer
  • MC75 3.5G Worldwide Enterprise Digital Assistant (EDA)
  • MC75A Mobile Computer
  • MC9090 CE Mobile Computer
  • MC9090 WM Mobile Computer
  • MC9190-G Mobile Computer
  • MC9200 Mobile Computer
  • MC9500-K Mobile Computer
  • VC5090 Vehicle-mounted Computer
  • VC6000 Vehicle Mounted Computer
  • VC6090 Vehicle-mounted Computer
  • VC70N0
  • WT4000 Wearable Mobile Computer
  • WT41N0