Microsoft Remote Desktop For Mac App Updated Password Expired
Remote Desktop Services uses certificates to sign the communication between two computers. When a client connects to a server, the identity of the server and the information from the client is validated using certificates.
Using certificates for authentication prevents possible man-in-the-middle attacks. When a communication channel is set up between the client and the server, the authority that generates the certificates vouches that the server is authentic. As long as the client trusts the server it is communicating with, the data being sent to and from the server is considered secure.
Certificates in Remote Desktop Services need to meet the following requirements:
- The certificate is installed in the local computer’s “Personal” certificate store.
- The certificate has a corresponding private key.
- The Enhanced Key Usage extension has a value of either “Server Authentication” or “Remote Desktop Authentication” (1.3.6.1.4.1.311.54.1.2). You can also use certificates with no Enhanced Key Usage extension.
Create a Server Authentication certificate
As the name suggests, a Server Authentication certificate is required. You can use the Workstation Authentication template to generate this certificate, if necessary.
Here are the steps for creating the Server Authentication certificate from the template:
1. Open CERTSRV.MSC and configure certificates.
2. Open the Certificate Authority.
3. In the Details pane, expand the computer name.
4. Right-click Certificate Templates, and then click Manage. Right-click Workstation Authentication, and then click Duplicate Template.
5. On the General tab, change the Template display name to Client Server Authentication, and select Publish certificate in Active Directory.
6. On the Extensions tab, click Application Policies > Edit. Click Add, and then select Server Authentication. Click OK until you get back to the Properties page.
7. On the Security tab, select Allow Autoenroll next to Domain Computers. Click OK, and then close the Certificates Templates console.
8. In the certsrv snap-in, right-click Certificate Templates, and then click New > Certificate Template.
9. Select Client-Server Authentication, and then click OK.
You can validate that the certificate was created in the Certificates MMC snap-in. When you open the new certificate, the General tab of the certificate will list the purpose as “Server Authentication.”
The easiest way to get certificates, if you control the client computers, is by using Active Directory Certificate Services. You can request and deploy your own certificates, and they will be trusted by every computer in the AD domain.
If you are going to let users connect externally, and they are not part of your AD domain, you need to deploy certificates from a public CA, such as GoDaddy, Verisign, Entrust, Thawte, or DigiCert.
Certificate contents
In Windows 2008 and Windows 2008 R2, you connect to the farm name, which, via DNS round robin, directs you first to the redirector, then to the connection broker, and finally to the server that hosts your session.
In Windows 2012, you connect to the connection broker, and it then routes you to the collection by using the collection name.
The certificates you deploy need to have a subject name or subject alternate name that matches the name of the server that the user is connecting to. For example, for Publishing, the certificate needs to contain the names of all the RDSH servers in the collection. The certificate for RDWeb needs to contain the FQDN or the URL, based on the name the users connect to. If you have users connecting externally, this needs to be an external name (it needs to match what they connect to). If you have users connecting internally to RDWeb, the name needs to match the internal name. For Single Sign On, the subject name needs to match the servers in the collection.
For example, imagine a Remote Desktop deployment with the following computers:
| Computer name | Description |
|---|---|
| RDSH.CONTOSO.COM | Session Host with RemoteApp configured |
| RDSH2.CONTOSO.COM | Session Host with RemoteApp configured |
| RDVH1.CONTOSO.COM | Virtualization host with VDI VMs configured |
| RDVH2.CONTOSO.COM | Virtualization host with VDI VMs configured |
| RDCB.CONTOSO.COM | Connection Broker |
| RDWEB.CONTOSO.COM | RDWeb and Gateway server |
When clients connect internally, they enter the FQDN for the server that hosts the web page, for example, RDWEB.CONTOSO.COM.
The name of the certificate needs to be the same as the URL. So in this example, “RDWEB.CONTOSO.COM.” But the connection does not end there – the connection flows from the web server to one of the session hosts or virtualization hosts and also to the connection broker. The certificate can be common on all of these servers. That is why we recommend that the Subject Alternate Name for the certificate contain the names of all the servers that are part of the deployment.
So the certificate for our example deployment would contain:
| Type | Name | SAN |
|---|---|---|
| Server Authentication | RDWEB.CONTOSO.COM | RDSH1.CONTOSO.COM; RDSH2.CONTOSO.COM; RDVH1.CONTOSO.COM; RDVH2.CONTOSO.COM; RDCB.CONTOSO.COM |
This certificate approach works as long as you have five or fewer servers in your deployment. If you have more servers, you can’t use the Subject Alternate Name field (it is limited to just five servers). Instead, you need to get a wildcard certificate to cover all the servers in the deployment.
A wildcard certificate for our example deployment would contain:
| Type | Name | SAN |
|---|---|---|
| Server Authentication | RDWEB.CONTOSO.COM | *.CONTOSO.COM |
Even with a wildcard certificate, you might run into problems in the following scenario if you have external users that access the deployment:
| External name | Internal name |
|---|---|
| RDWEB.CONTOSO.com | RDWEB.CONTOSO.local |
If you have a certificate with RDWEB.CONTOSO.COM in the name, you will see certificate errors. This is because the certificate is supposed to validate a server with the FQDN of “RDWEB.CONTOSO.COM,” but your server name is “RDWEB.CONTOSO.local.” (Changing the .com to .local occurs at your public firewall or router using port forwarding.)
In this case, you can get a certificate from a public CA with the external name (RDWEB.CONTOSO.COM) and bind it to the RD Web Access and RD Gateway roles. (These are the only roles that are exposed to the Internet.) For the RD Connection Broker – Publishing and RD Connection Broker – Enable Single Sign On roles, you can use an internal certificate with the DOMAIN.local name on it. However, be aware that this only works if your clients are connecting through RDC 8.0 or later.
The RD Gateway and Remote Desktop Client version 8.0 (and later) provides external users with a secure connection to the deployment. Once connected to the deployment, the internal certificate with the ‘.local’ name will take care of RemoteApp signing (publishing) and Single Sign On.
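The checks above (private key present, a Server Authentication or Remote Desktop Authentication EKU or no EKU at all, and a subject or SAN that covers every server the client is routed to) can be run against the local Personal store. The following is an added example, not code from the article; it assumes the example deployment's host names and treats a *.CONTOSO.COM wildcard as covering exactly one label, as TLS clients do.

```powershell
# Added example (not from the original article): check the certificates in the local
# computer's Personal store against the RDS requirements (private key, EKU) and against
# the host names of the example deployment, honouring a *.CONTOSO.COM wildcard.
# Run in an elevated PowerShell on an RDS server; $deploymentHosts is constructed.
$deploymentHosts = @('RDWEB.CONTOSO.COM', 'RDSH1.CONTOSO.COM', 'RDSH2.CONTOSO.COM',
                     'RDVH1.CONTOSO.COM', 'RDVH2.CONTOSO.COM', 'RDCB.CONTOSO.COM')
$serverAuthOid = '1.3.6.1.5.5.7.3.1'        # Server Authentication
$rdpAuthOid    = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication

function Test-NameCovered {
    # True when $Name equals one of the certificate's DNS names, or a wildcard entry
    # (*.CONTOSO.COM) covers it. A wildcard matches exactly one label, as TLS clients require.
    param([string]$Name, [string[]]$CertNames)
    foreach ($cn in $CertNames) {
        if ($cn.StartsWith('*.')) {
            $suffix = $cn.Substring(1)                          # ".CONTOSO.COM"
            if ($Name.Length -gt $suffix.Length -and
                $Name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $head = $Name.Substring(0, $Name.Length - $suffix.Length)
                if ($head -notmatch '\.') { return $true }      # one label only
            }
        } elseif ($cn -eq $Name) { return $true }               # -eq is case-insensitive
    }
    return $false
}

function Get-RdsCertificateReport {
    param([string[]]$RequiredNames = $deploymentHosts)
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        # The Cert: provider adds EnhancedKeyUsageList and DnsNameList (subject CN + SAN DNS names).
        $ekus  = @($cert.EnhancedKeyUsageList | ForEach-Object ObjectId)
        $names = @($cert.DnsNameList | ForEach-Object Unicode)
        $ekuOk = ($ekus.Count -eq 0) -or ($ekus -contains $serverAuthOid) -or ($ekus -contains $rdpAuthOid)
        $missing = @($RequiredNames | Where-Object { -not (Test-NameCovered -Name $_ -CertNames $names) })
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            HasPrivateKey = $cert.HasPrivateKey
            EkuOk         = $ekuOk
            Expired       = ($cert.NotAfter -lt (Get-Date))
            MissingNames  = ($missing -join '; ')
            UsableForRds  = $cert.HasPrivateKey -and $ekuOk -and ($missing.Count -eq 0) -and ($cert.NotAfter -gt (Get-Date))
        }
    }
}

Get-RdsCertificateReport | Format-Table Thumbprint, HasPrivateKey, EkuOk, Expired, MissingNames, UsableForRds -AutoSize
```

A row with a non-empty MissingNames column is the certificate-mismatch error the section describes; the .local versus .com case shows up as every name missing.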
Selecting which certificate to use
Now that you have created your certificates and understand their contents, you need to configure Remote Desktop to use those certificates.
1. On the Connection Broker, open Server Manager. Click Remote Desktop Services in the left navigation pane.
2. Click Tasks > Edit Deployment Properties.
3. In the Configure the deployment window, click Certificates.
4. Click Select existing certificates, and then browse to the location where you saved the certificate you created previously. Look for the file with the .pfx extension.
5. Import the certificate.
You can use a single certificate for all the roles if your clients are internal to the domain only, by generating a wildcard certificate (*.CONTOSO.local) and binding it to all roles.
Note that, even if you have multiple servers in the deployment, Server Manager will import the certificate to all servers, place the certificate in the trusted root for each server, and then bind the certificate to the respective roles.
Use these steps when a Remote Desktop client can't connect to a remote desktop but doesn't provide messages or other symptoms that would help identify the cause.
Check the status of the RDP protocol
Check the status of the RDP protocol on a local computer
To check and change the status of the RDP protocol on a local computer, see How to enable Remote Desktop.
Note
If the remote desktop options are not available, see Check whether a Group Policy Object is blocking RDP.
Check the status of the RDP protocol on a remote computer
Important
Follow this section's instructions carefully. Serious problems can occur if the registry is modified incorrectly. Before you start modifying the registry, back up the registry so you can restore it in case something goes wrong.

To check and change the status of the RDP protocol on a remote computer, use a network registry connection:
- First, go to the Start menu, then select Run. In the text box that appears, enter regedt32.
- In the Registry Editor, select File, then select Connect Network Registry.
- In the Select Computer dialog box, enter the name of the remote computer, select Check Names, and then select OK.
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server.
- If the value of the fDenyTSConnections key is 0, then RDP is enabled.
- If the value of the fDenyTSConnections key is 1, then RDP is disabled.
- To enable RDP, change the value of fDenyTSConnections from 1 to 0.
Check whether a Group Policy Object (GPO) is blocking RDP on a local computer
If you can't turn on RDP in the user interface or the value of fDenyTSConnections reverts to 1 after you've changed it, a GPO may be overriding the computer-level settings.
To check the group policy configuration on a local computer, open a Command Prompt window as an administrator, and enter the following command:
After this command finishes, open gpresult.html. In Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections, find the Allow users to connect remotely by using Remote Desktop Services policy.
If the setting for this policy is Enabled, Group Policy is not blocking RDP connections.
If the setting for this policy is Disabled, check Winning GPO. This is the GPO that is blocking RDP connections.
Check whether a GPO is blocking RDP on a remote computer
To check the Group Policy configuration on a remote computer, the command is almost the same as for a local computer:
The file that this command produces (gpresult-<computer name>.html) uses the same information format as the local computer version (gpresult.html) uses.
Modifying a blocking GPO
You can modify these settings in the Group Policy Object Editor (GPE) and Group Policy Management Console (GPM). For more information about how to use Group Policy, see Advanced Group Policy Management.
To modify the blocking policy, use one of the following methods:
- In GPE, access the appropriate level of GPO (such as local or domain), and navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections > Allow users to connect remotely by using Remote Desktop Services.
- Set the policy to either Enabled or Not configured.
- On the affected computers, open a command prompt window as an administrator, and run the gpupdate /force command.
- In GPM, navigate to the organizational unit (OU) in which the blocking policy is applied to the affected computers and delete the policy from the OU.
Check the status of the RDP services
On both the local (client) computer and the remote (target) computer, the following services should be running:
- Remote Desktop Services (TermService)
- Remote Desktop Services UserMode Port Redirector (UmRdpService)
You can use the Services MMC snap-in to manage the services locally or remotely. You can also use PowerShell to manage the services locally or remotely (if the remote computer is configured to accept remote PowerShell cmdlets).
On either computer, if one or both services are not running, start them.
Note
If you start the Remote Desktop Services service, click Yes to automatically restart the Remote Desktop Services UserMode Port Redirector service.
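The three checks above (the fDenyTSConnections value, whether a GPO is overriding it, and the two RDP services) can be gathered in one pass, locally or over PowerShell remoting. This is an added example, not code from the article; it reads the Group Policy copy of the setting under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services, which is where the "Allow users to connect remotely" policy is written, and $Targets is a constructed list.

```powershell
# Added example (not from the original article): report, for one or more computers, the
# fDenyTSConnections flag, whether a Group Policy value is overriding it, and the state of
# the two RDP services; -Repair applies the fixes the sections above describe (set the flag
# to 0, start the services). Run elevated; remote targets must accept PowerShell remoting.
param([string[]]$Targets = @('localhost'), [switch]$Repair)

$check = {
    param([bool]$repair)
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    # Group Policy writes its copy of the setting here; if it is 1, the GPO wins over $tsKey
    # and the value under $tsKey will keep reverting until the GPO is changed.
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $deny   = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $policy = (Get-ItemProperty -Path $polKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $svcs   = Get-Service -Name TermService, UmRdpService -ErrorAction SilentlyContinue
    if ($repair) {
        if ($deny -ne 0) { Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 0 -Type DWord; $deny = 0 }
        $svcs | Where-Object Status -ne 'Running' | Start-Service
        $svcs = Get-Service -Name TermService, UmRdpService -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        fDenyTSConnections = $deny
        RdpEnabled         = ($deny -eq 0)
        GpoBlocking        = ($policy -eq 1)   # fix this in GPE/GPM, not in the registry
        TermService        = ($svcs | Where-Object Name -eq 'TermService').Status
        UmRdpService       = ($svcs | Where-Object Name -eq 'UmRdpService').Status
    }
}

$results = foreach ($t in $Targets) {
    if ($t -in @('localhost', '.', $env:COMPUTERNAME)) { & $check $Repair.IsPresent }
    else { Invoke-Command -ComputerName $t -ScriptBlock $check -ArgumentList $Repair.IsPresent }
}
$results | Format-Table Computer, RdpEnabled, GpoBlocking, TermService, UmRdpService -AutoSize
```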
Check that the RDP listener is functioning
Important
Follow this section's instructions carefully. Serious problems can occur if the registry is modified incorrectly. Before you start modifying the registry, back up the registry so you can restore it in case something goes wrong.
Check the status of the RDP listener
For this procedure, use a PowerShell instance that has administrative permissions. For a local computer, you can also use a command prompt that has administrative permissions. However, this procedure uses PowerShell because the same cmdlets work both locally and remotely.
1. To connect to a remote computer, run the following cmdlet:
2. Enter qwinsta.
3. If the list includes rdp-tcp with a status of Listen, the RDP listener is working. Proceed to Check the RDP listener port. Otherwise, continue at step 4.
4. Export the RDP listener configuration from a working computer.
   - Sign in to a computer that has the same operating system version as the affected computer has, and access that computer's registry (for example, by using Registry Editor).
   - Navigate to the following registry entry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
   - Export the entry to a .reg file. For example, in Registry Editor, right-click the entry, select Export, and then enter a filename for the exported settings.
   - Copy the exported .reg file to the affected computer.
5. To import the RDP listener configuration, open a PowerShell window that has administrative permissions on the affected computer (or open the PowerShell window and connect to the affected computer remotely).
6. To back up the existing registry entry, enter the following cmdlet:
7. To remove the existing registry entry, enter the following cmdlets:
8. To import the new registry entry and then restart the service, enter the following cmdlets:
   Replace <filename> with the name of the exported .reg file.
9. Test the configuration by trying the remote desktop connection again. If you still can't connect, restart the affected computer.
10. If you still can't connect, check the status of the RDP self-signed certificate.
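The back-up, remove, import and restart steps above, put together as one script. This is an added example and not the article's own cmdlets; it uses reg.exe for the export and import, checks qwinsta before and after, and assumes the .reg file from the working computer has already been copied to the path in $GoodExport.

```powershell
# Added example (not from the original article): replace a missing RDP-Tcp listener
# configuration with a copy exported from a healthy computer of the same OS version,
# backing up the current key first. Run in an elevated PowerShell on the affected
# computer, or inside Enter-PSSession -ComputerName <computer name>.
param(
    # assumed location of the .reg file exported from the working computer
    [string]$GoodExport = 'C:\temp\rdp-tcp-from-good-host.reg',
    [string]$BackupDir  = 'C:\temp'
)
$regKey = 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$psKey  = "HKLM:\$($regKey.Substring(5))"     # same key in provider notation
$backup = Join-Path $BackupDir ("rdp-tcp-backup-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))

function Test-RdpListener {
    # qwinsta prints one line per session; a healthy host shows "rdp-tcp <id> Listen".
    $lines = & qwinsta 2>$null
    return [bool]($lines | Where-Object { $_ -match '^\s*rdp-tcp\s+\d+\s+Listen' })
}

if (Test-RdpListener) { Write-Host 'rdp-tcp is already listening; nothing to do.'; exit 0 }
if (-not (Test-Path $GoodExport)) { throw "Exported listener file not found: $GoodExport" }

# 1. Back up the existing entry (if the key is already gone, reg export fails; that is only informational).
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
& reg.exe export $regKey $backup /y | Out-Null
if ($LASTEXITCODE -eq 0) { Write-Host "Backed up current key to $backup" }
else { Write-Warning 'No existing RDP-Tcp key to back up.' }

# 2. Remove the existing entry so the import does not merge stale values.
if (Test-Path $psKey) { Remove-Item -Path $psKey -Recurse -Force }

# 3. Import the known-good configuration and restart the service.
& reg.exe import $GoodExport
if ($LASTEXITCODE -ne 0) { throw 'reg import failed; restore from the backup if needed.' }
Restart-Service -Name TermService -Force
Start-Sleep -Seconds 5

# 4. Verify that the listener came back.
if (Test-RdpListener) { Write-Host 'rdp-tcp listener restored.' }
else { Write-Warning 'Listener still missing; restart the computer, then check the RDP self-signed certificate.' }
```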
Check the status of the RDP self-signed certificate
- If you still can't connect, open the Certificates MMC snap-in. When you are prompted to select the certificate store to manage, select Computer account, and then select the affected computer.
- In the Certificates folder under Remote Desktop, delete the RDP self-signed certificate.
- On the affected computer, restart the Remote Desktop Services service.
- Refresh the Certificates snap-in.
- If the RDP self-signed certificate has not been recreated, check the permissions of the MachineKeys folder.
Check the permissions of the MachineKeys folder
- On the affected computer, open Explorer, and then navigate to C:\ProgramData\Microsoft\Crypto\RSA.
- Right-click MachineKeys, select Properties, select Security, and then select Advanced.
- Make sure that the following permissions are configured:
- Builtin\Administrators: Full control
- Everyone: Read, Write
Check the RDP listener port
On both the local (client) computer and the remote (target) computer, the RDP listener should be listening on port 3389. No other applications should be using this port.
Important
Follow this section's instructions carefully. Serious problems can occur if the registry is modified incorrectly. Before you start modifying the registry, back up the registry so you can restore it in case something goes wrong.
To check or change the RDP port, use the Registry Editor:
- Go to the Start menu, select Run, then enter regedt32 into the text box that appears.
- To connect to a remote computer, select File, and then select Connect Network Registry.
- In the Select Computer dialog box, enter the name of the remote computer, select Check Names, and then select OK.
- Open the registry and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\<listener>.
- If PortNumber has a value other than 3389, change it to 3389.
Important
You can operate Remote Desktop services using another port. However, we don't recommend you do this. This article doesn't cover how to troubleshoot that type of configuration.
- After you change the port number, restart the Remote Desktop Services service.
Check that another application isn't trying to use the same port
For this procedure, use a PowerShell instance that has administrative permissions. For a local computer, you can also use a command prompt that has administrative permissions. However, this procedure uses PowerShell because the same cmdlets work locally and remotely.
Open a PowerShell window. To connect to a remote computer, enter Enter-PSSession -ComputerName <computer name>.
Enter the following command:
Look for an entry for TCP port 3389 (or the assigned RDP port) with a status of Listening.
Note
The process identifier (PID) for the process or service using that port appears under the PID column.
To determine which application is using port 3389 (or the assigned RDP port), enter the following command:
Look for an entry for the PID number that is associated with the port (from the netstat output). The services or processes that are associated with that PID appear on the right column.
If an application or service other than Remote Desktop Services (TermServ.exe) is using the port, you can resolve the conflict by using one of the following methods:
- Configure the other application or service to use a different port (recommended).
- Uninstall the other application or service.
- Configure RDP to use a different port, and then restart the Remote Desktop Services service (not recommended).
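The port check and the PID-to-service lookup above, as one added example that is not part of the article. It reads the listener's PortNumber value instead of assuming 3389, uses Get-NetTCPConnection rather than netstat, and maps the owning PID back to service names through Win32_Service, which matters because Remote Desktop Services runs inside a shared svchost.exe process.

```powershell
# Added example (not from the original article): find what is listening on the RDP port
# and whether it is the Remote Desktop Services service (TermService). Run elevated,
# locally or inside Enter-PSSession -ComputerName <computer name>.
param([string]$Listener = 'RDP-Tcp')
$wsKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\$Listener"
$port  = (Get-ItemProperty -Path $wsKey -Name PortNumber -ErrorAction Stop).PortNumber
if ($port -ne 3389) { Write-Warning "Listener $Listener is configured for port $port, not 3389." }

$conns = @(Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue)
if ($conns.Count -eq 0) { Write-Warning "Nothing is listening on TCP $port."; exit 1 }

# svchost.exe hosts many services, so map each PID back to the services it runs.
$svcByPid = Get-CimInstance -ClassName Win32_Service | Group-Object -Property ProcessId -AsHashTable -AsString

$report = foreach ($c in $conns) {
    $proc     = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $svcNames = @($svcByPid["$($c.OwningProcess)"] | ForEach-Object Name)
    [pscustomobject]@{
        LocalAddress = $c.LocalAddress
        Port         = $port
        PID          = $c.OwningProcess
        Process      = $proc.ProcessName
        Services     = ($svcNames -join ',')
        IsRdp        = ($svcNames -contains 'TermService')
    }
}
$report | Format-Table -AutoSize

# Any listener row with IsRdp = False is another application holding the RDP port:
# the conflict the section describes, to be resolved by moving that application.
if ($report | Where-Object { -not $_.IsRdp }) { Write-Warning "Port $port is held by a process other than TermService." }
```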
Check whether a firewall is blocking the RDP port
Use the psping tool to test whether you can reach the affected computer by using port 3389.
Go to a different computer that isn't affected and download psping from https://live.sysinternals.com/psping.exe.
Open a command prompt window as an administrator, change to the directory in which you installed psping, and then enter the following command:
Check the output of the psping command for results such as the following:
- Connecting to <computer IP>: The remote computer is reachable.
- (0% loss): All attempts to connect succeeded.
- The remote computer refused the network connection: The remote computer is not reachable.
- (100% loss): All attempts to connect failed.
Run psping on multiple computers to test their ability to connect to the affected computer.
Note whether the affected computer blocks connections from all other computers, some other computers, or only one other computer.
Recommended next steps:
- Engage your network administrators to verify that the network allows RDP traffic to the affected computer.
- Investigate the configurations of any firewalls between the source computers and the affected computer (including Windows Firewall on the affected computer) to determine whether a firewall is blocking the RDP port.
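The "all, some, or only one source" triage above, scripted as an added example that is not part of the article. It swaps psping for the built-in Test-NetConnection so it can be fanned out to several source computers over PowerShell remoting; $Target and $Sources are constructed names.

```powershell
# Added example (not from the original article): probe the RDP port of the affected
# computer from several source machines and classify the result the way the section does.
# Sources other than the local machine must accept PowerShell remoting.
param(
    [string]$Target    = 'RDSH1.CONTOSO.COM',                 # constructed: the affected computer
    [string[]]$Sources = @('localhost', 'ADMINWS.CONTOSO.COM'), # constructed: where to probe from
    [int]$Port         = 3389
)
$probe = {
    param($t, $p)
    # TcpTestSucceeded is the equivalent of psping's "Connecting to <ip>" / 0% loss result.
    $r = Test-NetConnection -ComputerName $t -Port $p -WarningAction SilentlyContinue
    [pscustomobject]@{
        Source        = $env:COMPUTERNAME
        Target        = $t
        Port          = $p
        PingSucceeded = $r.PingSucceeded
        TcpOpen       = $r.TcpTestSucceeded
    }
}
$results = @(foreach ($s in $Sources) {
    if ($s -in @('localhost', '.', $env:COMPUTERNAME)) { & $probe $Target $Port }
    else { Invoke-Command -ComputerName $s -ScriptBlock $probe -ArgumentList $Target, $Port }
})
$results | Format-Table Source, Target, Port, PingSucceeded, TcpOpen -AutoSize

$blocked = @($results | Where-Object { -not $_.TcpOpen })
if ($blocked.Count -eq 0) {
    "TCP $Port on $Target is reachable from every source; the problem is not the network path."
} elseif ($blocked.Count -eq $results.Count) {
    "TCP $Port on $Target is blocked from all sources; start with Windows Firewall on $Target."
} else {
    "TCP $Port on $Target is blocked only from: $($blocked.Source -join ', '); check the firewalls on those paths."
}
```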