Why can't my Remote Desktop Server make proper use of the licensing server?
Symptoms:
The first time anyone logs into the Remote Desktop server after a reboot, TerminalServices-RemoteConnectionManager event ID 1130 is generated in the system log:
The Remote Desktop Session Host server does not have a Remote Desktop license server specified. To specify a license server for the Remote Desktop Session Host server, use the Remote Desktop Session Host Configuration tool.
Once the 120 day grace period expires, attempts to log on result in this error message:
The remote session was disconnected because there are no Remote Desktop client access licenses available for this computer. Please contact the server administrator.
However, the licensing server is already configured in Remote Desktop Session Host Configuration and the Licensing Diagnosis shows no problems.
Resetting the grace period as described here allows logons to succeed again but does not permanently resolve the problem; event ID 1130 continues to appear the first time someone logs in via Remote Desktop after a reboot, and after another 120 days logons will start failing again.
As described here, the failing server(s) do not have X509 Certificate entries in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM
What are possible causes of this issue?
Solution 1:
Start by checking the basics as described in Microsoft's technet article on event 1130:
Make sure the Remote Desktop server has network connectivity to the licensing server. If you can ping the licensing server, you're probably OK as far as the basics go (but see below).
Make sure the license server is configured to be automatically discovered. Use the "Review Configuration" Action in the Remote Desktop Licensing Manager.
Check that the Remote Desktop server can discover the license server. Using the Licensing Diagnosis option in Remote Desktop Session Host configuration, make sure the licensing server appears in the list.
Check that the licensing service is running on the license server. The service name is TermServLicensing, the friendly name may be "Terminal Services Licensing" or "Remote Desktop Licensing" depending on the version of Windows.
If you are using Windows Firewall, check that the Remote Desktop Licensing Server exceptions are enabled on the license server. If you are using a third-party firewall, or if there is an external firewall between the Remote Desktop server and the licensing server, make sure all the relevant ports are opened. See this forum thread, and also Which ports are used by a RDS 2012 deployment? on Technet.
In my case, however, the problem was with the Local Security Policy on the license server, specifically the "Access this computer from the network" option under User Rights Assignment. Although it does not appear to be documented, the Active Directory computer objects representing the Remote Desktop servers must be granted this right, either explicitly or indirectly. (The default setting includes Everyone, which is sufficient to allow Remote Desktop licensing to work.)
Once this access right was granted, the next Remote Desktop logon caused the missing X509 Certificate registry entries to be created, and event ID 1130 stopped appearing.
You should also check the "Deny access to this computer from the network" setting, which takes precedence, and any other configuration changes you might have made to the licensing server which could affect the Remote Desktop server's ability to establish an IPC logon. The security event log on the licensing server may be useful in determining whether the IPC logon is successful or not.
Additional notes:
-
If one of your Remote Desktop servers is experiencing this or any similar problem, you can still log into it remotely for troubleshooting purposes using this command line:
mstsc /admin /v:servername
-
In case the link in the question goes dead, you can reset the grace period as a temporary workaround by deleting the
REG_BINARY
value in this key:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod
(This is of course unsupported and should be used only with due care and at your own risk.)
If you have experienced the same problem but due to a cause not covered by my self-answer, please post another answer (preferably) or a comment. Thanks in advance!