since 1-2 months I have problems on some machines in my environment when I try to connect via RDP.
The environment configuration uses a Microsoft PKI (Windows Server Certificate Authority). All computers that are integrated in the domain, request and are given a certificate from:
Computer
RDP (as server)
All machines in the domain have the ROOT CA and SUBCA certificate installed.
The problem is intermittent, on the same machine it does not work, the computer is restarted and for a while it works.
The credentials with which I connect work and the user with which I connect has permissions for RDP (he is a domain administrator).
When I connect using the FQDN (pc1.mydomain.com) the window to enter credentials appears, I enter them correctly and it tells me that the credentials are invalid. I make several tests to verify that I have not made a mistake when entering the credentials. It seems to fail in the connection protection process.
When I connect using IP to the same machine as before, the certificate appears, but if checked, the certificate is valid for the FQDN indicated above, so the certificate is OK (in date, valid and has not been revoked). If I accept the certificate, it starts the connection protection and finally connects.
If I access the same machine physically or through VMWare console, it lets me login correctly.
I have gone to check the Windows event log both in system, as application, as in RDP and I do not see any error, neither in the client from which I connect, nor from the server from which I connect.
If I connect from another machine that is not Windows (Mac) using the Microsoft RDP application, if it lets me connect, even when from Windows it fails.
It happens from several clients and on several machines to which I connect via RDP.
At the Firewall level all the rules are correct, both in the Windows Firewall and in the Network Firewall.
What is the operating system of the pc/server with the issues? I have an issue with an old Windows 2008 r2 server similar to this.
Related
I have a shared folder on a windows 10 host machine. I could access it from a windows 10 client machine, where I had set "remember credentials" when first accessing the share. I changed the password on the host. Now the client cannot access the shared folder. That was expected. But I could not find a way on the client to allow the user to re-establish access to the shared folder.
I expected it would ask for credentials again. However I got a network error saying that windows cannot access the host machine.
Based on a number of entries on various forums, I tried a few things. The credentials manager on the client does not show the host. I stopped and restarted file and printer sharing on the client, without any change in the result. Network diagnosis and the windows troubleshooter gave no help.
The problem was due to some previous connections remaining in the network table, even though disconnected, as presented by the "net use" command from the command prompt.
>net use
Status Local Remote Network
--------------------------------------------------------------------------
Disconnected \\192.168.1.71\IPC$ Microsoft Windows Network
Disconnected \\HOST\IPC$ Microsoft Windows Network
After deleting them (via "net use /delete") the next attempt to access the host asked for credentials. Yay!
I began the path to the solution when I tried
net use z: \\host\shared /user:admin password
which gave system error 1219 stating multiple connections to a server are not allowed. Disconnect all previous connections and try again. Obviously, even though known to be disconnected, the entries prevented reconnection.
I'm using Windows Server 2008 R2 which runs a VB6.0 application that uses a smartcard locally.
I then connect to this machine remotely using Remote Desktop Connection (6.3). However now the application shows the following error (SmartCard):
0x8010001d The Smart card resource manager is not running.
Research so far:
I don't want to use redirection as the card is on the remote machine already.
Using RDP the way I am trying to use it for is wrong and tightVNC is more appropriate (This does fix the issue)
Unsure - SCardEstablishContext API is returning that error because it gets an Access Denied error when trying to open an event called "Global\Microsoft Smart Card Resource Manager Started" with OpenEvent API. The default security for that event on Vista and Windows 7 specifies that only SYSTEM, LOCAL SERVICE and INTERACTIVE users have access to it. NETWORK SERVICE or non-interactive users won’t be able to access the event.
Why is the SmartCard not being recognised?
Any Information would be appreciated.
NOTE: The smartcard works fine when the application is on Windows Server 2008 R2 - however only fails when connecting remotely.
It is not possible, you can't use the locally plugged smartcard of the server you RDP into, as your session is redirected to the client then only the clients smartcard is accessible in the rdp session.
Microsoft made it like this for security reasons.
But there is a turn around, like sharing the device (smartcard reader, Usb token, Usb devices ) using software or hardware :
softawre examples (i only found paid solutions), see link
or hardware using a Device server but it doesn't work through WAN only LAN.
Use VNC instead of RDP
TLDR: Use VNC as a Windows Service
If you insist on using RPD, then you'll have to patch your RDP DLLs. If you don't want to do this, then instead use ANY OTHER PROTOCOL other than RDP. If it's a vmware VM, then just use the vcenter console. If it's an Azure VM where you don't GET a console, then just install VNC-server-softer on the server that has the Smart Cards and then access from somewhere else via VNC-client. "TightVNC" (https://community.chocolatey.org/packages/tightvnc) worked nicely for me.
There are two ways to run TightVNC server:
TightVNC Server (Service Mode) -- Connecting with VNC-client will take you to the Windows logon screen.
TightVNC Server (Application Mode)
You will need to run TightVNC as a Windows Service. Then you will start a NEW session. Otherwise you'll just be on top of the existing RDP session and still not see remote Smart Cards.
Long Version
If you RDP into a remote server, then that remote server's Smart Cards will be hidden. That behavior is baked into RDP and it is BY DESIGN.
You can optionally take your LOCAL Smart Cards along into the RDP session. (Via mstsc.exe's "Local Resources" tab and then checking "Smart cards".) But these are the Smart Cards connected LOCALLY to your laptop. And NOT the Smart Cards connected to the remote server.
So if you use RDP, then you have option to either see no Smart Cards at all (neither local, nor remote) or just see your LOCAL Smart Cards. To see the REMOTE Smart Cards is NOT possible via RDP.
This is by design inside RDP. And if you want to change it, then you have to manually patch some .DLL files. And somebody has actually done this. See this question here:
How to Access Remote USB Smartcard during RDP
Before you create your Remote Desktop session, click on "Show options". Under the "Local Resources" tab there is a "Local devices and resources" panel. Click the "More" button.
Click on "Smart Cards". No complete the remote desktop session.
We use a VisualSVN Server (Windows) server at work. It uses a https:// connection with a SSL certificate. On our Windows (7 and 8) workstation machines we use TortoiseSVN to connect. On Windows I couldn't get a connection to this SVN server (at first) using a regular SVN username and password, got SVN auth error:
Error during context: An error occurred during authentication
On Windows we got it working
So we figured out we need to supply a (Windows) credential to this domain name. Like suggested on this website:
http://tigris-scm.10930.n7.nabble.com/Issue-with-basic-authentication-td95075.html
On Windows we opened Control Panel > Credential Manager and added a new Windows credential to a network address (website): URL of our SVN server and a (domain) username (which is the SVN username) and my password.
Now this worked on our Windows workstations, we can connect to the SVN server with a supplied (Windows) credentials (supplied in Windows Credential Manager).
On Mac (not yet)
In Cornerstone we get a similar error:
Error running context: The requested authentication type(s) are not supported
Now we need this to work on our (Maverick) Mac's in Cornerstone (Mac SVN client). I've searched the net and found various articles, even on Zennaware's (Cornerstone) own support site explaining how to add the certificate to the SVN connection within Cornerstone:
http://zennaware.com/cornerstone/helpbook/pages/getting-started/client-certificates.html
But the above on Mac is 'step 2' ... I need a way to (like on Windows) to first create the credentials (step 1).
Now I know it must be done in Mac's KeyChain Access program. In this KeyChain Access program I tried to generate a certificate using the Certificate Assistant. But I'm unable to generate certificate for an internet address (our svn server) and provide my own username and password for this SVN server.
I've played around with OpenSSL on the command-line to somehow 'save' the SSL certificate from our SVN server (for import into KeyChain Access program), but I can't provide my username and password.
Cornerstone SVN Mac client needs a certificate (from KeyChain Access) with a public and private key. Like you see in their screenshots on their support site.
On Mac; how do I (generate?) the certificate or credentials (like on Windows Credential Manager) for a specific SVN server address and providing my own SVN username and password?
It's completely unrelated to client-side certificates / HTTPS at all.
On Windows machines that are in the same AD domain as VisualSVN Server, you can authenticate without any additional actions (via Integrated Windows Authentication / Single Sign-On).
If you are not in the same AD domain as VisualSVN Server or you need to authenticate under another AD user account, you must use Windows Credential Manager to specify user account's credentials. (lol, it looks like that my support instruction helped on the mailing list).
No certificate setup is required on OSX machines. The instruction on Zennaware's website is irrelevant to VisualSVN Server. You have to either join the OSX machine to your AD domain and login under the AD domain user account or enter domain credentials to some OSX password store (unfortunately I'm not really familiar with OSX so no step-by-step instruction here).
The other way to login from OSX machine is to enable Basic Windows authentication on VisualSVN Server and enter user account's credentials when you attempt to access a repository hosted on VisualSVN Server.
BTW, make sure to run the latest available Subversion client on OSX.
I am trying to Remote Desktop onto an Azure instance from Mac OS X, but can't find a tool that allows me to do it. Address and username is fine, but none of the clients seem to have the capabilities to include the instance information.
I have so far tried the Miscrosoft RDC and CoRD but to no avail.
Has anyone succeeded in using RDP to an Azure instance on a Mac?
By default, you can't connect to an Azure Windows server except through the Windows Remote Desktop client.
To connect from OS X, whether through CoRD or the Microsoft Remote Desktop client for Mac, you need to turn off network level authentication:
Connect to the Azure server using the Remote Desktop client on a Windows machine
Under Control Panel, go to System, then open 'Advanced system settings'
On the Remote tab, uncheck "Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)"
Re-connect from OS X
you need to create connect from microsoft remote desktop on mac
add ip, user, password
and you can connect now
if you still can't connect , check your azure endpoint setting
set the port that your firewall can pass
I have the same problem with you, and I think there is nothing to do with the network level authentication. The main reason is the default remote desktop app will connecting through port 3389, but your VM's default endpoint set another public port, here is what i do to solve it:
Download the latest version of Microsoft Remote Desktop app at Mac app store.
Add the port after your connection's DOMAIN/IP like yourvmdomain.com:yourpublicport. You will find the public port on endpoint setting tab. To me, the public port of Remote Desktop is 58494, so the connection will be xx.xx.xx.xx:58494.
This works for me.
Download the new Microsoft remote desktop client, which will allow you to connect to Azure instances without changing the configuration.
(As suggested in the comment from Kim Burgess)
It's tricky to connect to an Azure Cloud Service (aka Web or Worker Role) from a Mac, since PaaS instances sit behind a load balancer. You therefore need to specify which instance to connect to via cookies.
Royal TS supports cookies, so I got this working:
Install Royal TS free version (http://www.royalapplications.com/ts/osx/features)
Add the Remote Desktop plugin
Create new connection
Enter usual details (server/username/password)
Advanced > Connection > Load Balance Info > Cookie: mstshash=Your.Server#Your.Server_IN_0
This cookie info is available in the RDP file you can download for your instance from the Azure management portal (just open it in a text editor).
I use the Microsoft Remote Desktop application on OSX to connect to an Azure VM.
Recently I set up a VM from a Windows machine and was able to connect successfully using the admin username and password, but found that I had to reset the admin password to connect from OSX.
You can easily reset the password from the Azure portal for the VM. Go to "Support + troubleshooting/Reset Password".
I often have to enter the user name in the form:
PC name: xxx.xxx.xxx.xxx:yyyyy
Gateway: No gateway configured
User name: localhost\user.name
Hope that helps someone.
To access Azure instances from a MAC download Microsoft Remote Desktop client in Appstore. The default RDP client Azure provides doesnt work on a MAC. Worked for me
Check that your Networking Inbound Port rules (typically port 3389, but will change behind a load balancer) for the Azure VM allow you in.
I am supporting a .NET 4.0 (Visual Studio 2010) web application that authenticates to a SQL Server 2008 database which resides on my work intranet. The application authenticates to the database using windows authentication. Thats all fine and dandy if Im developing on my host, but I am developing on a virtual machine that is not on the work domain. Thus when the project build and runs, it throws a SqlClient.SqlException
"Login failed. The login is from an untrusted domain and cannot be used with Windows authentication."
Short of developing on my host and abandoning the VM, what can I do to avoid this error and successfully authenticate to the database so I can build/run the web app? I am willing to store my credentials somewhere locally, though preferably not somewhere that would be under TFS source control (like the web.config) because I couldnt keep the file checked out since there are other developers on the project.
I have tried running Visual Studio as a different user (as the user on my work domain) but I get a "unknown user name or bad password" error.
Note, adding the Virtual Machine to the domain (or connecting to it via VPN) are not options. The VM must remain off the domain. Also note, the virtual machine is running on the computer that is on the domain, and the VM uses a shared connection. So it CAN access the intranet but it can't perform windows authentication to SQL Server.
You can run Visual Studio (or SQL Server Management Studio) as the user on the domain. The trick is, you have to use the “/netonly” option of the “runas” Windows tool, so that you can run as a domain user on a non-domain machine.
Namely, in a command prompt you run this command (filling in your own criteria):
runas /netonly /user:<Domain>\<User_Name> "<Your_Program.exe>"
Alternatively, you can create a shortcut on your desktop, and set this command as the shortcut target. Upon running the shortcut/command, you enter your credentials when prompted and visual studio (or whatever program you like) will run as the domain user.
Join the domain using vpn connection if possible. Vpn can connect you with specific domain credentials. Alternative would be connecting using SQL Server Authentication if SQL Server is configured with mixed authentication.
From what I understand, you have several options:
You could add a user account to the SQL db to allow password authentication
Have the VM join the domain
Create an SSH tunnel to the host SQL server port