Terminal Services Logon Error 1

[AntiEarnie]

I was hoping someone here has seen this error before:

The system can not log you on(5). Please try again or consult your system administrator.

I'm not sure what has brought on this error. TS was working ok yesterday morning. After some non-MS installs it was noticed that TS clients connecting in were getting the "hit ctrl-alt-del" box to popup when they tried to connect. To get rid of this initial box I went into Local Policies->Security Options and enabled "Disable CTRL+ALT+DEL requirement". This got rid of that annoying message box on logon. However, now when even Administrator tries to logon we get the message listed above. I can not really change that Local Policy back and still get to the logon screen. Also, removing TS Server and reinstalling it did not resolve the problem. Not much luck sifting through the MS web site on this awfully generic error either.

This server is running Windows 2000 Server sp3.

 

[mattjurado]

This is an awfully generic error message, there are many things that can cause this. I need some more info on your setup, and perhaps this will give you something else to look at. Where is your TS Licensing server (same box, or on a separate domain controller)? Can you communicate with the Licensing Server if its on a different box? Are your licenses active? What mode is the TS server running (application or administrative)? What changes have been made recently? How long was it running before you had this problem?

Since you reinstalled Terminal Services, it sounds an awful lot like a licensing issue.

Matt

 

[Stevehewitt]

Anything in the Server Event Viewer?

Steve Hewitt
Systems Manager

 

[AntiEarnie]

mattjurado - The machine is just using administrative TS. There is no License Server. As for changes a couple Rockwell Automation software packages were installed. Neither of them are related in any way I know of to TS. Terminal Services was reinstalled because of this issue. Though nothing totaly uninstalls anymore...

SteveHewitt - I have been unable to find anything consistant when searching the event logs. In the realm of the inconsistant I have a error in the System Log that shows for around 1 in 5 attempted connects.
Cirtificate could not be found. Connections that use the L2TP protocol over IPSer require the installation of a machine certificate, also known as a Computer Certificate. No L2TP calls will be accepted.
These warnings have an Event ID of 20192.
I was unable to locate anything that was using L2TP. Also as near as I can find ALL our other Terminal Servers are using the same settings. What there are at any rate.

 

[chrishudson03]

I have this error too, in fact found this thread searching for the answer. My server is also SP3 and the problem started a month or two ago (possibly when I added SP3?) I have not managed to find any useful references anywhere. My machine is only in my home lab so not critical and only used for testing, sharing internet etc but still a pain. Maybe there are some notes we can compare to move forward on this ?

No special errors seem to be apparant in any of the event logs and this machine is only ever used with the admin access not with the built in licenses. I thought the days of useless cryptic error messages like that were gone!

 

[Stevehewitt]

Hmmm. As its running Admin mode I presume that you are the only person having problems with it?
Can you do it locally? E.G. in your own network (If your not already done it/doing it) and even TS the server from the Server?!

Steve Hewitt
Systems Manager

 

[chrishudson03]

Yes, only really me using the server, using it only via local LAN (or WLAN but makes no difference either way). Just tried it on the console with the same result.
I'm no expert on this but looking at the TS manager it shows the connection and it captures my IP etc, challenges for password, I enter Admin and p/w then I get the error (5) message. Session is still active as far as the management tool is concerned.

Tried reseting all the connections, reboot server etc, nothing seems to make a difference. Did notice an advance TS debugging tool mentioned somewhere on one of the MS sites but I feel this is an authentication issue rather than a TS issue so not downloaded that yet, any thoughts ?

 

[Stevehewitt]

Hey,

I'll keep hunting, but try Q259874 on MS KB. Its a Terminal Server error on NT4 but sounds similar

Steve Hewitt
Systems Manager

 

[AntiEarnie]

Steve -
I've tried getting to TS from LAN and Modem, same error. Can't try from the server itself since I'm out of floppy disks and can't make a client.

Q259874 might be related since we had a service acting screwy on that box for a bit so there might be some other problems lurking in services. I will not be able to tinker with services for a day or two since this is a production box.

Chris -
I know what you mean on authentication. That is one of the more annoying things about this problem. I only gives this error on a succesful logon.

I found something yesterday you might be able to try Chris. I can't do it since in my vast and infinate wisdom I did't do the uninstall option when I installed SP3. There was a Terminal Server issue with NT when a bad SP install was done. I don't have the Q# since some kind soul tossed the printout. I'll do some searching again to see if I can find it.

 

[chrishudson03]

I'll take a look at SP3 again, maybe I will reapply it or remove it or both ?

I also read the Q article that Steve referenced but not certain that I am clear what it is asking me to do ? I have a couple of other tasks that I need to complete before I can start messing with SP3 so will probably come back in a couple of days on this one unless someone has a blinding flash of insight!

Thanks for your advice so far, will report back when I have more news.

 

[Dmasch]

We are having the same problems with our machines. Of course no one has done anything to it, but today we are getting the same message. I will try and figure out a solution also, let me know if you find a fix. Thanks!

 

[Stevehewitt]

Please don't take this the wrong way - I just want to check some facts: You have ensured that the user you are logging on as has rights to TS (in the config/manager mmc I think) and theres no conflicting access rights to TS to the server?
Obviously you can logon locally - so its not a standard server authentication issue... Just a TS one.

Also what client are you using? The Windows 2000 Terminal Services Client (on the two floppy disks) or the Remote Desktop Connection application that ships with WinXP and avaliable on the MS site?

Steve Hewitt
Systems Manager

 

[Stevehewitt]

Hey,

The error message in this Q article is identical to yours, but the actual number (6) is different. Try Q286272.

Steve Hewitt
Systems Manager

 

[Ohmitee]

Funny this thread is new...I had the same thing happen to me. I installed terminal services this morning: no licence, in Administration mode.
I got the Ctrl+alt+del screen instead of the usual login.
When I used Ctrl+alt+end (the remote equiv.) I could attempt to log in, but got the "The system can not log you on(5). Please try again or consult your system administrator" message.

After playing around an hour or so I went into the "terminal services configuration" and decided to add the default "everyone" in the "Permissions" section of the "RDP-Tcp Properties" with only guest access allowed.

I can now log in. The domain controller will validate and allow other network uses to logon also (if they also have RD connection), but rights are limited and configurable.
In my case, it doesn't matter.

Hope this helps.

Ohmitee

 

[chrishudson03]

Bingo! I checked again the permissions tab in the Terminal Services Configuration and found that for the Administrator I found that the only permission set was "Deny Guest Access". So I clicked on "Advanced" (button at the bottom) then selected Administrator and clicked "View/Edit" in there are a load of settings, Logon was disabled. I selected Logon Enabled and click ok, try again - everything works! I did not need to add "Everyone" to the permissions.

I am wondering if this the result of SP3 or a recent Service Pack. I have been to a couple of MS Server 2003 launch seminars recently and they seem very hot on pushing the message that they disable unecessary services these days rather than leaving everything turned on. Perhaps they got a bit carried away with something. I haven't checked through all the Service Packs I have to see if there is any mention of this but worth bearing in mind.

Thanks for everyones help on this one.

 

[AntiEarnie]

Ohmitee - That got it. Darn if I know how but it got it.

Chris - I think your on to something. I'll do some tinkering but it seems like you have to have at least one group listed in Permissions on Terminal Services Configuration. I'll try it on another server to find out.

In my case I had two users with permission in TS. Admin and a generic user. No Groups. The Admin user has Full Control(everything was checked off), the user had User Access. I added in the Administrators group, checked off all the values under advanced, and removed the Admin user from permissions. Now even the generic user works... How strange. I wonder if you have to have a Group listed in permissions for it to work? I'll have to tinker with this.

 

[AntiEarnie]

AH HA! TS Configuration requires a group to be added to permissions. I tried it on another machine and it didn't matter what level of access the users had set in TS Configuration. Until a group valid for that machine was added it spit out this error. Adding a Domain Level group didn't see to do any good though.