2.2 Connection Configuration
A user’s ability to connect and log on to a terminal server is determined by a number of factors, each of which, if not functioning properly, produces a unique error message:
The connection on the terminal server must be accessible. If the client cannot reach the server using TCP/IP or if the terminal server’s RDP-Tcp connection is disabled, a particularly uninformative error message appears that indicates the client cannot connect to the server.
Remote Desktop must be enabled. The ability of a terminal server to accept new connections can be controlled on the Remote tab of the System properties dialog box or by using the change logon /disable and change logon /enable commands. If logon has been disabled, an error message appears indicating that terminal server sessions are disabled or that remote logons are disabled.
The server must have available connections. The properties of the connection (the default RDP-Tcp connection, for example) determine the number of available connections on the Network Adapter tab shown in Figure 6. If sufficient connections are not available, an error message appears that indicates a network error is preventing connection.
Encryption must be compatible. The default allows any client to connect to a terminal server without regard to its encryption capability. If you modify the encryption requirements for a connection using the Encryption Level list on the General tab of the connection properties, shown in Figure 7, clients that are not capable of that encryption mode will not be allowed to connect.
The user must have sufficient connection permissions. As shown in Figure 8, the Remote Desktop Users group has User Access permissions, which gives the group sufficient permissions to log on to the server. The access control list (ACL) of the connection can be modified to control access in configurations that differ from the default. Refer to the Help And Support Center for more information. If a user does not have sufficient permission to the connection, an error message will appear that indicates the user does not have access to the session.
The user must have the user logon right to log on to the terminal server. Windows Server 2003 separates the right required to log on locally to a server from the right required to log on to a server using a remote desktop connection. The user rights Allow Log On Through Terminal Services, seen in Figure 9, and Deny Log On Through Terminal Services can be used to manage this right, using either local policy or Group Policy. On member servers, the local Administrators and Remote Desktop Users groups have the right to log on through terminal services. On domain controllers, only Administrators have the right by default. If a user does not have sufficient logon rights, an error message will appear that clearly indicates the policy of the terminal server does not allow logon.
The user must belong to the right group or groups. Assuming you have managed connection permissions and the right to log on through terminal services by assigning rights and permissions to a group, the user attempting to connect to the terminal server must be in that group. With the default configuration of Terminal Server on a member server, users must be members of the Remote Desktop Users group to successfully connect to a terminal server.
Allow Logon To Terminal Server must be enabled. The user account’s Terminal Services Profile tab, seen in Figure 3, indicates the user is allowed to log on to a terminal server. If this setting is disabled, the user will receive an error message indicating the interactive logon privilege has been disabled. This error message is easy to confuse with insufficient user logon rights; however, in that case, the error message indicates the local policy of the server is not allowing logon.
Note
A terminal server has one RDP-Tcp connection by default and can have only one connection object per network adapter, but if a terminal server has multiple adapters you can create connections for those adapters. Each connection maintains properties that affect all user sessions connected to the connection on that server.
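
The server-side factors in the list above can be read in one pass with a read-only script. This is an added example, not from the original text; it assumes a current Windows member server with Windows PowerShell 5.1, and the registry value names, the secedit export and the sample account CONTOSO\jdoe are assumptions that do not appear on the page.

```powershell
# Added example: read-only check of the server-side logon prerequisites.
# Run elevated on a member server. 'CONTOSO\jdoe' is a constructed sample account.
param([string]$User = 'CONTOSO\jdoe')

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = Get-ItemProperty "$ts\WinStations\RDP-Tcp"

# Connection accessible: probe the port the RDP-Tcp connection listens on.
$probe = Test-NetConnection -ComputerName localhost -Port $rdp.PortNumber `
         -WarningAction SilentlyContinue

# Remote Desktop enabled: the Remote tab setting, then the "change logon" state.
$denied     = (Get-ItemProperty $ts).fDenyTSConnections -eq 1
$logonState = (change logon /query | Out-String).Trim()

# Logon rights: export the local security policy and keep the two
# "Log On Through Terminal Services" rights (allow and deny).
$inf = Join-Path $env:TEMP 'ts-user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = Select-String -Path $inf -Pattern '^Se(Deny)?RemoteInteractiveLogonRight' |
          ForEach-Object { $_.Line }
Remove-Item $inf

# Group membership: is the account listed directly in Remote Desktop Users?
$members = Get-LocalGroupMember -Group 'Remote Desktop Users' |
           Select-Object -ExpandProperty Name

[pscustomobject]@{
    ListenerReachable    = $probe.TcpTestSucceeded
    RemoteDesktopDenied  = $denied
    ChangeLogonState     = $logonState
    MaxConnections       = $rdp.MaxInstanceCount   # 0xFFFFFFFF means unlimited
    MinEncryptionLevel   = $rdp.MinEncryptionLevel # 1 Low, 2 Client Compatible, 3 High, 4 FIPS
    LogonRights          = $rights
    InRemoteDesktopUsers = $members -contains $User
}
```

The script does not read the connection ACL or the per-user Allow Logon To Terminal Server setting, and it reports only direct membership of Remote Desktop Users, so an account that gets access through a nested domain group shows as False.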