RDC for MAC cannot connect to TS server with error message “You were disconnected from the Windows-based computer because of problems during the licensing protocol”

As post here http://social.technet.microsoft.com:80/Forums/en-US/winserverTS/thread/8e28b0af-b374-4ca0-a255-5fd854bdc7fa

We have been having issues with getting Mac’s to run on RemoteApp. We are the only people in the world at mydanat.co.uk that know how to get Teredo Tunnels to run behind NAT devices. So why are we involved? A customer uses DirectAccess to access RemoteApp services like Sims .Net on a Mac, well they did until  the message popped up.

So as our motto is lets not wait around for Microsoft to fix this, we fixed it in 2 days after a lot of research on the Internet.

Error:

“You were disconnected from the Windows-based computer because of problems during the licensing protocol”

Cause:

There is currently a bug in RDC 2.1.1 that does not allow the client to download the correct licensing info from a 2008 R2 license server. This means that after the standard 90 days the clients will get the error message above even though windows based connections will still work correctly. This is because when a user first runs the RDC client it sets up a folder structure that only contains read & wright access rights for the currently logged on user. All other users are read only. This means no other users can download the correct file when available.

Fix:

This is a simple fix but also a little headache, as at this moment to rush this fix out onto the Internet we have not found a way to automate the process. Please leave useful comments to help automate this fix.

Go to Macintosh HD > Users > Shared > Microsoft.

Go into RDC Crucial Server Information and you should see a folder and no files

Go Back to Microsoft folder

Click on “RDC Crucial Server Information” and then click file > Get Info

Under Sharing & Permissions select “everyone” and change it to “Read & Write”

Run your RDC connection again and it will start working fine.

You will now notice a file in RDC Crucial Server Information folder that was not there before

Notes: If there was a file in there back it up and try trashing it then run through the fix again.

You may also need to set Read and Write for the everyone group on each folder inside the Microsoft folder.

If there is not a microsoft folder in the Shared folder then run the RDC client and connect to the server. This will be succesful but you will still need to setup the security structure

So, a Microsoft or Apple issue?

Don’t forget to check out the DirectAccess going Dubstep video

Notes on security:

Some people may feel it is a security problem by enabling everyone to read & write but we are happy with this setting. If you are concerned then add a new user group for the group of people you would like to use RDC rather than changing the everyone group.

Also see comments below for extra help

Comments 19

  1. Terry wrote:

    Doesn’t work for me.

    MacBook Air OS X 10.7.4
    RDC 2.1.1

    Posted 21 Jun 2012 at 12:33 am
  2. Scott Logan wrote:

    Hi Terry and welcome, Please answer the following to help diagnose the problem. This is generic so apologies if you have already answered some of them.

    Backup and then trash the files inside the RDC.. folder.

    Run RDC again so it makes the folder structure.

    Change the permissions as per the article

    Run RDC again

    You should get a file turn up in the RDC… folder eventually.

    Does that file turn up? if so name?

    If this still does not work i would double check your licence server. Have you got active licences on there or are you still using the 90 tempory ones? if you are using the 90 day tempory ones still then it will stay expired no matter what.

    Does it work on windows clients?

    Are you using remoteApp 2008 R2?

    Are you using 2008 R2 licence server?

    What is the name of the licences you have bought?

    What mac os is it?

    What RDC version is it?

    cheers

    Posted 21 Jun 2012 at 5:50 am
  3. drrjv wrote:

    Doesn’t work for me either. Tried on two separate computers. iTap and coRD both work. Microsoft RDC does not (license error). Followed instructions above without success!

    Posted 12 Jul 2012 at 9:31 pm
  4. Scott Logan wrote:

    Hi drrjv,
    Thanks for getting back.
    out of 200 ish people ish you are the sceond to unsucessfuly get this working. Unfortuatly all these people are not saying yay it works on this forum but then when you think about it why would they. Anyway like il wrote before try the below to try and fix the problem.

    If the fix below does not work it should point you in the right direction to fix it. Just think outside the box

    The fix on the blog link above has fixed it for many people however for those of you still having issues I will give you some suggestions on what might be wrong;

    Make sure your firewall on 2008 R2 is not blocking them.

    Make sure you allowed the macs to connect via RDC in the local security of the server by adding them to groups or what ever

    Make sure the macs and the server are using the same connection security settings. (2008 R2 defaults to high, stops XP clients connecting for example)

    Basically in my experience it all comes down to security. Either the mac cannot do things because it doesnt have enough security to do things on its own computer or enough security to connect to the server. Your best tool is Netmon. Setup a computer with 2 network cards and bridge them. Then connect server to the computer and the mac to the computer. Then run Netmon in p-mode to listen to the traffic.

    Try using bing to find info about best practices for allow macs to RDP to Windows.

    Hope this helps

    Posted 12 Jul 2012 at 9:50 pm
  5. Michael Varre wrote:

    os x 10.5.8 path /users/shared/microsoft does not exist.

    Posted 17 Jul 2012 at 12:23 pm
  6. Michael Kaufman wrote:

    On OS X 10.8, the path

    /users/shared/microsoft does not exist.

    I tried creating it and

    RDC Crucial Server Information

    underneath it, and set the permissions, but I still got the error.

    Posted 01 Aug 2012 at 8:44 pm
  7. franck wrote:

    Hi,
    I had the same problem and i tried your solution but no result…
    I tried to disable the firewall on server 2008 : no result
    For your solution, I remove all contents in the folder RDC.
    I change the permission to RW for everyone and wheel? .
    And when i restart rdc, no new file.
    Is it a problem?
    Do you have any idea to fix my problem?

    Posted 06 Aug 2012 at 10:33 am
  8. Scott Logan wrote:

    Hi franck.
    From what you are saying yes you are experiencing the exact problem we all had.
    2008 server or 2008 R2?
    By the way disabling the windows firewall quite often does not solve the problem. This is because even though the firewall is disabled the ports that were blocked remain blocked sometimes. You have to enable the firewall and allow the right rules.
    First thing to try though is install the RDC under a domain admin account and always use that account for testing.
    Then run through the problem testing on the blog.
    The reason yours is not working is because you are not receiving the file that should be in that RDC folder structure. (due to some security on your network, either the mac refusing the file or your servers refusing to send it)
    How have the macs joined the network? 3rd party solution?
    Failing that I would suggest putting a computer with 2 network cards between the mac and network. Bridge the 2 network cards in windows. Then attach the mac to one network card then attach the other network card to the network. Install netmon on the windows computer and run it in p-mode.
    Then run netmon on your domain controllers and the licencing server. Monitor all the traffic that is going on when you are running through the troubleshooting steps in the blog. This should help to diagnose which computers are not playing ball.
    Have you updated your active directory schema for the mac versions you have? If not bing how to do that. (This can cause the mac not to comunicate properly to your servers as it is speaking a new language windows does not understand yet)

    Posted 06 Aug 2012 at 11:58 am
  9. franck wrote:

    My problem is with a 2008 R2.
    We tried to connect a rdp mac without the role TS and it worked fine but we couldn’ have licenses.
    When we add TS Role, rdp mac doesn’t work… but all Windows client can connect to TS Server with all licences.
    A difference with your problem is that we are not working in a domain so we don’t have to add computers (Windows or mac).
    I don’t think it’s the real problem because all works fine for Windows Client or for rdp mac when we remove TS Role.
    Maybe TS Role modify the security but where exactly? Which option can we modify to test it?
    We are not with the server and it’s difficult to run your test.
    Maybe I have added new tips for your help… Thanks

    Posted 06 Aug 2012 at 3:59 pm
  10. Scott Logan wrote:

    Hi Franck.
    Your problem is still the same in my view. Your Mac basically cannot download the correct licence file from the TS server. The file you deleted earlier was the 90 day demo version. So when you installed the TS role the Mac tries to download the file but fails hence the error (this is alos why you see no file in that folder. You must have a file in that folder). Thus You need to either make sure the Mac is not blocking the file from downloading to that location because of its own security settings or the request to download being blocked by the server. Try running netmon on the server then run an RDC connection from the mac and look at the requests. If all looks normal on the server then error is likly to be at Mac level.
    Another thing I just though of.
    If you have no domain then how do the Mac’s connect to the server? as in what accounts do you use. Possibly the account you log on to the Mac does not have enough security to contact the TS server. Remember the accounts need to be in the RDP security group on the server (Also the local settings must allow that account to log on to the server to perform certain actions. Similar to a backup user, he must be allowed to logon as a batch job plus be in the backup security group on the local security groups.
    There may also be something to do with the sort of encryption you use for connections like
    All windows RDP’s work correctly. Its just the Mac’s that have the issue.
    Hope this puts you on the right path.

    Posted 06 Aug 2012 at 4:37 pm
  11. Brian W. wrote:

    Hi Scott, Thanks for the info. Unfortunately, it didn’t solve my connection problem.

    I though I’d add my experience in case it helps others:
    1) To change the permissions you can do the following from a terminal:
    chmod -R 777 /Users/Shared/Microsoft

    2) From the same mac, I can access a W2K8R2 using RDC with the 120-Day grace period. As soon as I apply the RDS licenses (per User mode) then I’m unable to connect anymore

    3) From the same mac, I can access a W2K8R2 server that has RDS licenses installed (do not connect before installing the RDS licenses otherwise same issue)

    4) My “RDC Crucial Server Information” contains the following file “RDC Global Data” and folders “0006000/A02″ and nothing else

    5) CoRD does not work with easy print (couldn’t get it to work by installing the printer’s drivers either)

    Conclusion: looks like a problem with the Mac side. Permissions do not seems to be my problem because of 3) above.

    All test done with mac admin.

    Posted 07 Aug 2012 at 6:27 pm
  12. Scott Logan wrote:

    Hi Brian,
    Usfull comments there thanks.
    This is what I am reading off of your comments.
    2) From the same mac, I can access a W2K8R2 using RDC with the 120-Day grace period. As soon as I apply the RDS licenses (per User mode) then I’m unable to connect anymore
    – Yes this is because when you install RDC on the Mac it automatically installs the 120 day grace period. This is not download from the TS server therefore it works. Thus when you apply the RDS licence the Mac asks the server for the licence file but does not recieve it due to some security setting somewhere. For me if I delete the licence file and remove the everyone group from the folder it fails. if i simply add the everyone group back and try reconnecting even without closing the RDC session ( so just click retry) it instally downloads the file and we are away.
    3) From the same mac, I can access a W2K8R2 server that has RDS licenses installed (do not connect before installing the RDS licenses otherwise same issue)
    – Yes you are using macs file explorer. This is a different technology. For example you may access a web server via HTTP but not FTP, its just differnt. You will see what i mean if you run a netmon computer between the Mac and server. You will see a request from the Mac and no reply, or a reply but still fails (folder security)

    Conclusion: looks like a problem with the Mac side. Permissions do not seems to be my problem because of 3) above.
    – I still think its security.
    All test done with mac admin.
    – You need an account that the 2008 R2 server accepts to connect to it. 2) just because the mac admin can access the server does not mean it is allowed to download the licence file. In my example in another comment that alot of people will be aware of if they have ever used windows backup – You will first think by adding a user to the windows backup security group means they can run backups that are scheduled. You will quickly find the scheduled backup will fail, this is because that user account is not in the “allow log on as batch job” local security on the server. Just remember that 2008 R2 security is very very granular so just because you can access something one way does not mean you can do something else.
    Below are some more helpful hints.

    - The only way I got mine to work is to install the RDC 2.1 as a domain user account.
    - You must explicitly add each Remote Desktop Session Host server computer account to the Terminal Server Computers group on the license server
    -Granting Users or Groups Access

    To grant users or groups access to an RD Session Host server, use the following steps:

    Log on to the desired server with local administrator privileges.
    Click Start, and then click Run.
    In the Run dialog box, type in ServerManager.msc and click OK.
    After the Server Manager console is displayed, select the Configure Remote Desktop task.
    In the Systems Properties dialog box, on the Remote tab, and in the Remote Desktop section, click the Select Users button.
    Next, click the Add button, and in the Select Users or Groups dialog box, choose to find the users or groups you want to grant access to, and click OK.
    Click OK, and in the System Properties dialog box, click OK.

    NOTE

    Completion of the previous steps actually just results in the modification of the lo-cal Remote Desktop Users group. When managing a number of RD Session Host servers in a farm, it is recommended that access to these servers be controlled using a Restricted Groups policy in a Group Policy Object.

    Hope this makes sense its quite late when I am writing this.
    Keep up the comments they are very useful for us all. Thanks for chmod code hopeful this can be intigrated into some sort of script.

    Posted 07 Aug 2012 at 9:34 pm
  13. Scott Logan wrote:

    Also these may be useful
    http://technet.microsoft.com/en-us/library/cc731605.aspx
    http://technet.microsoft.com/en-us/library/hh553163%28v=ws.10%29.aspx

    Posted 07 Aug 2012 at 9:53 pm
  14. Brian W wrote:

    Hi Scott,

    thanks for the reply and the extended comments.

    3) From the same mac, I can access a W2K8R2 server that has RDS licenses installed (do not connect before installing the RDS licenses otherwise same issue)
    Here I meant using RDC to connect to a W2K8R2 that has RDS licenses installed (not the 120-D grace period) – this works fine. What does not work is to connect to a W2K8R2 server that has 120-D grace period enabled, then apply RDS licenses. As soon as the licenses are applied, the connection problem kicks in

    All test done with mac admin
    Here I meant that I’m logged in on the Mac as a Mac admin (not using the same login in RDC). Since I’m admin on the mac, RDC shouldn’t have any problem saving the license on the local mac drive.

    See, the way I see it is that I can connect using RDC to a W2K8R2 that is fully licensed, which means that I don’t have any local security issues on the Mac to download and save the RDS license.

    The problem is very specific and only happens when I first connect to a server that has the grace period, then install the licenses on the W2K8R2 server and then try to connect again to that server.

    In this case the Windows’ user that I use is not the problem since I already successfully connected with it to the windows server before applying the RDS licenses.

    The problem is really tricky, Thanks for the hints.

    Posted 07 Aug 2012 at 11:12 pm
  15. Chris Hawver wrote:

    I too am still having this problem. I’ve tried all suggestions. This didn’t start until I brought up a new RDS and decommissioned the old one. I never connected to the server prior to installing the licenses though. None of my macs can connect and I am hoping Microsoft fixes this quickly.
    All of my Windows computers connect fine. Remote App works and I don’t have any problems except for the Macs.

    Posted 07 Aug 2012 at 11:22 pm
  16. Scott Logan wrote:

    Hi Brian,
    I think you have hit the jackpot and havent realised. I have tried to get what you have said accross but oviously I have not written it completly right.
    So here goes-
    3) From the same mac, I can access a W2K8R2 server that has RDS licenses installed (do not connect before installing the RDS licenses otherwise same issue)
    Here I meant using RDC to connect to a W2K8R2 that has RDS licenses installed (not the 120-D grace period) – this works fine. What does not work is to connect to a W2K8R2 server that has 120-D grace period enabled, then apply RDS licenses. As soon as the licenses are applied, the connection problem kicks in
    – So when you have a fully licenced server and then install RDC and connect Mac’s it works fine.
    When you go from grace period to fully licence then issue happens.
    Yes this again down to security. This is what I had. When you have a grace server the RDC makes a temp grace file which is fine. The issue is the Mac then cannot over write the grace file for what ever reason when you bring up a fully licenced server. Therefore if you have a full licence server first you won’t get the issue (hopefully minus the other issues I have posted).
    ALSO BIG NOTE IF ANYTHING CHANGES WITH YOUR LICENCING SERVER WHICH REQUIRES A NEW FILE TO BE DOWNLOADED YOU WILL END UP IN THE SAME BOAT. THEREFORE THIS COULD HAPPEN EVERY LICENCE RENEWAL :(

    All test done with mac admin
    Here I meant that I’m logged in on the Mac as a Mac admin (not using the same login in RDC). Since I’m admin on the mac, RDC shouldn’t have any problem saving the license on the local mac drive.
    – No you missed the point, the account you use to connect to the server is different to the account running RDC. The account you use to connect to the server is just to log on to the server. This has no bearing on the account running RDC which is requesting the file. This is why the account you log on to the Mac must be in the RDP security group and with the Mac computer name you must explicitly add each Remote Desktop Session Host server computer account to the Terminal Server Computers group on the license server

    In this case the Windows’ user that I use is not the problem since I already successfully connected with it to the windows server before applying the RDS licenses.
    – If I install RDC under a domain account / local mac admin with the grace file all works. If I then change user to install the fully licence file it fails. This is because the folder security structure on the mac has been setup under the original user account. Therefore adding the everyone group fixes this issue.

    On a side note I understand where you are coming from where why if fully licence server works straight away against the grace to fully licence.
    The only thing I can think of is that during RDC install it scans for licence servers. If it finds one it installs the file. If not it installs the grace file. This process is probably different to the process that checks to see if there are any new licence files if already installed because every time you run RDC it checks to make sure it is up to date licence wise.
    So I think the bug is in the RDC where it checks to see if it is up to date and not the install process.
    Hopefully we are getting closer
    I have also just heard some exciting news. MyDANAT is going to give away a completly free DirectAccess Installation soon for people behind NAT’s. Make sure you keep checking their homepage http://www.mydanat.co.uk (expect something by end of the week fingers crossed, very exciting)

    Posted 07 Aug 2012 at 11:57 pm
  17. Jason Bray wrote:

    This worked for me. Thanks a bunch!

    Posted 05 Mar 2014 at 4:16 pm
  18. Sm Robert wrote:

    Why These problems occurs

    Posted 25 Mar 2014 at 10:53 am
  19. Dharmendra wrote:

    I had the same problems. However, it works fine with ‘Microsoft Remote Desktop’ app, but doesn’t work with ‘Remote Desktop Connection’ app.

    Posted 03 Jun 2014 at 3:51 pm

Post a Comment

Your email is never published nor shared. Required fields are marked *

This blog is protected by Dave\'s Spam Karma 2: 11140 Spams eaten and counting...