
Windows 7 profile SID wrong mstsc can’t login

This is a very strange problem I came across on a Windows 7 Embedded thin client. I don’t quite understand what went wrong but I’ll give you a detailed description.

CASE:
The user has a thin client with Windows 7 Embedded that’s been entered into the Active Directory domain. On the public desktop of the thin client there is an RDP file to connect to a Remote Desktop Server (a.k.a. Terminal Server). The user logs on to the thin client using their AD credentials. The user was able to log on to the server using the RDP file without problems until today.

SYMPTOMS:
– User can’t log on to the Remote Desktop Server, the error received is:

The connection was denied because the user account is not authorized for remote login

TROUBLESHOOTING:
Normally this just means that the user is not a member of the “Remote Desktop Users” local group on the server.
– I verified the user was a member of the correct groups to log on to the server.
– I then tried to log on to the server with the same credentials from a different workstation. This worked without a problem, which led me to conclude that everything was OK on the server side.
– On the troublesome workstation (thin client with WIN 7 E in my case) I launched remote desktop with the “Run As Administrator” option and supplied credentials for an admin account. I tried to connect to the Remote Desktop server using the credentials of the troublesome user account. This worked without a problem.
– I tried again without the run as, and it failed again with the same error.

This led me to my conclusion that something was very wrong with the user profile on the workstation for this domain user.

SOLUTION:
I decided to delete the user profile on the local workstation since nothing is stored in it (they don’t work locally). However, when I opened Explorer and looked in “C:\Users” I saw 2 identical folders with the same name (the username of the troublesome user). It seems there were 2 identical profile folders. I didn’t think it was possible for 2 folders to have the same name.
I deleted both folders!
I then opened REGEDIT and went to HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PROFILELIST
I saw multiple user SIDs and checked them all. To my surprise there were 2 different user SIDs that both had a value c:\users\problem.username underneath them. So 2 different user SIDs for the same username. I thought that was impossible. I deleted both registry keys.
After deleting the profiles and the keys I logged back in as the user, the profile was recreated, and the remote desktop worked perfectly.

So it seems that the remote desktop client was sending the wrong SID to the server and that was the reason for the unauthorized error message.
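
A read-only check for the condition described above, where more than one SID key under ProfileList points at the same profile folder. This is an added example, not part of the original post; the function names are hypothetical, and it only reports entries without deleting or changing anything.

```powershell
# Added example: report ProfileList entries whose ProfileImagePath collides.
# Read-only. Run from an elevated PowerShell prompt on the affected workstation.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Resolve-SidName {
    param([string]$Sid)
    # Translate a SID string to DOMAIN\user. Keys that are not a valid SID,
    # or SIDs that no longer map to an account, come back as '<unresolved>'.
    try {
        $sidObject = [System.Security.Principal.SecurityIdentifier]$Sid
        return $sidObject.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return '<unresolved>'
    }
}

function Get-ProfileEntries {
    param([string]$Root = $profileList)
    # One object per subkey that carries a ProfileImagePath value
    Get-ChildItem -Path $Root | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($props.ProfileImagePath) {
            New-Object PSObject -Property @{
                Sid     = $_.PSChildName
                Path    = $props.ProfileImagePath.TrimEnd('\')
                Account = Resolve-SidName $_.PSChildName
            }
        }
    }
}

function Find-DuplicateProfilePaths {
    param([object[]]$Entries)
    # Group-Object compares strings case-insensitively by default,
    # so C:\Users\name and c:\users\name land in the same group.
    $Entries | Group-Object -Property Path |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object { $_.Group }
}

$entries = @(Get-ProfileEntries)
$dupes   = @(Find-DuplicateProfilePaths -Entries $entries)
if ($dupes.Count -eq 0) {
    'No profile path is claimed by more than one SID.'
} else {
    $dupes | Sort-Object Path, Sid | Format-Table Path, Sid, Account -AutoSize
}
```

The Account column shows which of the colliding SIDs still resolves to the domain user, which helps decide what to clean up before the user logs on again.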


RDWeb shows no icons with Internet Explorer 10 TSWeb (server side fix)

RDWeb or TSWeb is the Microsoft Remote Desktop service web access page from Windows 2008 or Windows 2008 R2.

When using Internet Explorer 10 to browse to an RDWeb (>=2008 R2) or TSWeb (=2008) page, the icons for the published apps are missing or blank and WKSPRT.EXE (provides SSO) does not load. It only works after you click the compatibility icon in the browser.

If you want to make sure that users don’t have to click compatibility mode, you can send the header to emulate IE9 from server side, so Internet Explorer automatically uses the right mode.

You can choose between 2 options (I prefer option 2, easier and less work):

1) Edit all the *.aspx pages (except logoff.aspx) under the %windir%\Web\RDWeb\Pages\en-US\ folder.
Add <META HTTP-EQUIV="X-UA-COMPATIBLE" CONTENT="IE=9"> right below the lines <html><head id="Head1" runat="server">

2) Add the header in IIS for RDWeb so that it is automatically added to all pages served from RDWeb.
Open IIS Management under Administrative tools in the start menu.
Expand the Default Web Site using the plus sign next to it.
Click on RDWeb and then in the middle pane double click on HTTP Response Headers (under the IIS category).
In the list with headers right click on the empty space and click Add.
Under name fill in: X-UA-Compatible and under value fill in: IE=9