Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Error message when you try to connect to a terminal server using a Windows Server 2008-based computer that has the Single Sign-on functionality enabled: "The logon attempt failed"


View products that this article applies to.

Symptoms

You are using a Windows Server 2008-based computer that has the Single Sign-on functionality enabled. When you try to connect to a terminal server that has Windows Vista Remote Desktop Protocol (RDP) clients that use the default credentials, you experience one of the following symptoms.

Symptom 1

When you try to connect to a terminal server that is hosted behind a corporate firewall by using a Terminal Services (TS) Gateway server, the terminal server client does not have direct connectivity to the key distribution center that is hosted on a domain controller behind the corporate firewall. Therefore, the server authentication that uses the Kerberos protocol fails. Additionally, you receive the following error message:
The logon attempt failed

Symptom 2

When you try to connect to a stand-alone computer, you receive the following error message:
The logon attempt failed

Symptom 3

When you try to connect to a terminal server farm, you notice that the farm names do not have accounts in Active Directory. Therefore, the Kerberos-based server authentication fails. Additionally, you receive the following error message:
The logon attempt failed.

↑ Back to the top


Cause

This problem occurs because the Windows Vista Credential Delegation policy does not allow the Windows Vista RDP client to send default credentials to a terminal server when the terminal server is not authenticated. By default, the Windows Vista RDP clients use the Kerberos protocol for server authentication. They do not use SSL server certificates. By default, the default credentials do not work if the SSL server certificates are not deployed.

↑ Back to the top


Resolution

Resolution for Symptom 1 and Symptom 2

To resolve the problems that are explained in Symptom 1 and Symptom 2, follow these steps:
  1. Use SSL certificates that are issued by a trusted certification authority, and put the server name in the subject field. This is required to enable server authentication.
  2. Install the SSL certificates to all the servers that require server authentication.
Resolution for Symptom 3

To resolve the problem that is explained in Symptom 3, follow these steps:
  1. Use SSL certificates that are issued by a trusted certification authority, and put the farm name in the subject field. This is required to enable server authentication in a server farm.
  2. Install the SSL certificates on all the servers that are available in the farm.

↑ Back to the top


More information

To set the SSL certificate for a connection, follow these steps:
  1. Click Start, click Run, type tsconfig.msc, and then click OK.
  2. Double-click the RDP-Tcp connection object.
  3. On the General tab, click Select.
  4. Select the certificate that you want to assign to the connection, and then click OK.

↑ Back to the top


Keywords: KB954397, kbprb, kberrmsg, kbtshoot, kbexpertiseadvanced

↑ Back to the top

Article Info
Article ID : 954397
Revision : 1
Created on : 7/3/2008
Published on : 7/3/2008
Exists online : False
Views : 282