NeuroAgent

Why RDP doesn't work from a new computer

Solution for RDP connection issue from one computer but successful from another. Analysis of SSL/TLS errors, certificates, and Windows Server 2019 group policies.

Question

Why can’t I connect to RDP from one computer, but it works successfully from another?

I have a Windows Server 2019 server that is not part of a domain (as required), with terminal services enabled. I have two Windows 11 computers, both of which are domain members. From the old computer (PC1), I can connect to the server using both the IP address and the name. However, from the new computer (PC2), the connection fails, and a similar issue is observed from other computers as well.

When attempting to connect from PC2 via mstsc, I get the message “logon attempt failed.” The username and password are exactly the same as on PC1, where the connection works successfully.

In the logs on PC2 (Microsoft-Windows-TerminalServices-RDPClient), the following errors were found:

  • RDP ClientActiveX disconnection (Reason= 2055)
  • Server supports SSL = supported
  • Base64(SHA256(username)) = ***
  • RDPClient_SSL: Error occurred while transitioning from TsSslStateHandshakeInProgress to TsSslStateDisconnecting in response to TsSslEventHandshakeContinueFailed. (Error code: 0x80004005).
  • Multitransport connection disconnected.

What could be the possible causes of this problem and how can it be fixed?

NeuroAgent

RDP Connection Error from One Computer but Successful from Another: SSL/TLS Configuration Issues

RDP connection errors from one computer alongside successful connections from another are most commonly caused by differences in security settings, especially the SSL/TLS configuration or certificate problems. In your case, with disconnect reason 2055 and a failed SSL handshake, the most likely cause is a TLS version or cipher mismatch between the new PC2 and the Windows Server 2019 host, or a security setting on PC2 that the handshake cannot satisfy.

Main Causes of the Problem

Several key factors can cause this situation:

  1. TLS/SSL Version Incompatibility - The new PC2 likely uses stricter security settings compared to the old PC1. Windows Server 2019 supports TLS 1.2 by default but may have cipher restrictions.

  2. Certificate Issues - The error in the logs indicates an SSL failure. The certificate on the server may be misconfigured or there may be issues with trusted root authorities on PC2.

  3. Group Policy Differences - Since both computers are domain-joined, stricter security policies may be applied to PC2 that restrict RDP connections.

  4. Network Differences - Different networks or proxy servers between PC1 and PC2 can affect the connection.

From your logs, the decisive entry is RDPClient_SSL: Error occurred while transitioning from TsSslStateHandshakeInProgress to TsSslStateDisconnecting, which means the TLS handshake with the server started but did not complete; the "logon attempt failed" message is only the generic text mstsc shows afterwards.

Solutions: SSL/TLS Settings

On Windows Server 2019:

  1. Check and Modify TLS Protocols:

    • Run regedit and navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
    • If there are no subkeys for TLS 1.0, 1.1, 1.2, create them (each protocol key holds a Client and a Server subkey; the RDP listener is governed by the Server subkey)
    • In each subkey, create a DWORD parameter Enabled with value 0 to disable unnecessary protocols
    • For TLS 1.2, set Enabled = 1 (Schannel reads these values at startup, so reboot after changing them)
  2. Configure Cipher Suites:

    • Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
    • Create necessary subkeys for required ciphers (e.g., TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
    • Set the Enabled parameter to 1
    • Note that the Ciphers key takes algorithm names such as AES 256/256; a full cipher suite name such as TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 is enabled through the cipher suite order policy or the Enable-TlsCipherSuite cmdlet
  3. Disable Channel-Level Authentication:

    • In the registry, navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    • Create a DWORD parameter UserAuthentication with value 0 (allows connection without channel-level authentication)
    • This turns off Network Level Authentication (NLA), which is the setting that keeps unauthenticated clients from reaching the session host, so treat it as a diagnostic step and set the value back to 1 once the TLS problem is identified

On PC2:

  1. Temporarily Disable TLS 1.3 (if in use):
    • Check if an update enabling TLS 1.3 is installed and temporarily roll it back
    • On PC2 registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client
    • Set DisabledByDefault = 1

Solutions: Certificate Issues

Checking the Certificate on the Server:

  1. Export and Verify the Certificate:

    ```cmd
    certutil -v -viewstore "Remote Desktop"
    ```

    The certificate the RDP listener presents is kept in the computer's Remote Desktop store, not in the user's personal store; note its subject, validity period and thumbprint

  2. Install the Certificate on PC2:

    • Export the certificate from the server without its private key: the client only needs the public certificate to establish trust, and the private key should never leave the server
    • Install it on PC2 in the “Trusted Root Certification Authorities” store

Manual Certificate Configuration:

  1. Using a Self-Signed Certificate:

    • On the server, run in PowerShell:

    ```powershell
    New-SelfSignedCertificate -DnsName "your-server-name" -CertStoreLocation "cert:\LocalMachine\My"
    ```

    • Export the public certificate and install it on PC2 (the RDP listener must also be configured to use the new certificate, otherwise it keeps presenting its own self-signed one)
  2. Modify RDP Settings to Ignore Certificate Errors:

    • In the .rdp file, add the line: authentication level:i:0 (connect without warning when server authentication fails)
    • Or use the parameter prompt for credentials:i:1
    • This only suppresses the certificate warning that appears after a successful handshake; it cannot repair a handshake that fails with TsSslEventHandshakeContinueFailed
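To tell a client-side TLS problem from a server-side one, and to see which certificate the server really presents, it helps to reproduce the handshake outside mstsc. The script below is an added diagnostic example, not part of the original answer or of any Microsoft tool. It sends the X.224 connection request that every RDP client sends first (requesting TLS or TLS+CredSSP, both of which begin with the same TLS handshake), then tries the handshake once per TLS version and reports the negotiated cipher, the server certificate, and whether the machine running the script trusts that certificate. The value of $Server is a placeholder to replace with the real server name or IP; everything else uses standard .NET classes available in Windows PowerShell 5.1 and PowerShell 7.

```powershell
# Added diagnostic script (not from the original answer). Probes the RDP listener's
# TLS handshake per protocol version and reports the certificate it presents.
# $Server is a placeholder: replace it with the real server name or IP address.
param(
    [string]$Server = 'your-server-ip',
    [int]$Port = 3389
)

function Test-RdpTlsVersion {
    param([string]$Server, [int]$Port, [string]$ProtocolName)

    $r = [ordered]@{ Protocol = $ProtocolName; Result = ''; Negotiated = ''; Cipher = '';
                     Subject = ''; Thumbprint = ''; NotAfter = ''; TrustedHere = ''; ChainStatus = '' }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Throws on a .NET build that does not know TLS 1.3; reported as FAILED below
        $proto = [System.Security.Authentication.SslProtocols]$ProtocolName
        $client.ReceiveTimeout = 5000
        $client.SendTimeout    = 5000
        $client.Connect($Server, $Port)
        $net = $client.GetStream()

        # TPKT header, X.224 Connection Request, RDP_NEG_REQ with requestedProtocols =
        # PROTOCOL_SSL | PROTOCOL_HYBRID (0x3). Both begin with the same TLS handshake,
        # so the probe works whether or not the server enforces NLA.
        [byte[]]$negReq = 0x03,0x00,0x00,0x13,
                          0x0e,0xe0,0x00,0x00,0x00,0x00,0x00,
                          0x01,0x00,0x08,0x00, 0x03,0x00,0x00,0x00
        $net.Write($negReq, 0, $negReq.Length)
        $resp = New-Object byte[] 19
        $n = $net.Read($resp, 0, $resp.Length)

        # Byte 11 is the RDP_NEG type: 0x02 = RDP_NEG_RSP (TLS accepted), 0x03 = RDP_NEG_FAILURE.
        if ($n -lt 19 -or $resp[11] -ne 0x02) {
            $r.Result = 'server declined TLS negotiation (type 0x{0:x2}, code {1})' -f $resp[11], $resp[15]
            return [pscustomobject]$r
        }
        # Byte 15 is selectedProtocol: 1 = plain TLS, 2 = CredSSP (NLA) over TLS
        $r.Negotiated = if ($resp[15] -eq 2) { 'CredSSP/NLA over TLS' } else { 'TLS' }

        # Accept any certificate during the handshake so a self-signed one does not abort
        # the probe; trust is evaluated separately below with X509Chain.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($net, $false, $cb)
        $ssl.AuthenticateAsClient($Server, $null, $proto, $false)

        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $r.TrustedHere = $chain.Build($cert)
        $r.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $r.Result      = 'handshake OK ({0})' -f $ssl.SslProtocol
        $r.Cipher      = '{0} {1}-bit' -f $ssl.CipherAlgorithm, $ssl.CipherStrength
        $r.Subject     = $cert.Subject
        $r.Thumbprint  = $cert.Thumbprint
        $r.NotAfter    = $cert.NotAfter
    } catch {
        $r.Result = 'FAILED: ' + $_.Exception.Message
    } finally {
        $client.Close()
    }
    [pscustomobject]$r
}

foreach ($name in 'Tls', 'Tls11', 'Tls12', 'Tls13') {
    Test-RdpTlsVersion -Server $Server -Port $Port -ProtocolName $name
}
```

Run it from both PC1 and PC2 (for example .\Test-RdpTls.ps1 -Server 192.0.2.10, where the address is a placeholder). If Tls12 reports "handshake OK" from PC1 but "FAILED" from PC2, the problem sits in PC2's Schannel or policy configuration; if it fails from both machines, the server's protocol or cipher settings are the place to look. A result of TrustedHere = False with ChainStatus UntrustedRoot means the server's self-signed certificate is not installed on that client, which produces the certificate warning described above but not a handshake failure. The thumbprint shown is the certificate the listener actually uses, so you can confirm whether a certificate created with New-SelfSignedCertificate has really been taken into use. The script reads the server's public handshake data only and changes nothing on either machine.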

Solutions: Group Policies and Client Settings

Configuring Group Policies on PC2:

  1. Security Policies for RDP:

    • Open gpedit.msc
    • Navigate: Computer Configuration > Administrative Templates > Network > SSL Configuration Settings
    • Check SSL Cipher Suite Order: if a restricted suite list is pushed to PC2 but not to PC1, the handshake fails as soon as the list contains no suite the server also offers; set it so the required TLS versions and suites are allowed
  2. Authentication Policies:

    • Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security
    • Review "Require use of specific security layer for remote (RDP) connections" and "Require user authentication for remote connections by using Network Level Authentication" and configure them to allow the connection
    • On a domain-joined PC2 the effective values come from the domain GPOs rather than the local editor, so check the applied result with gpresult /h report.html

Comparison with Working PC1:

  1. Export Registry Security Settings:
    • On PC1, export registry sections related to RDP and SSL
    • Import them on PC2:

    ```cmd
    regedit /e rdp_settings.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
    regedit /s rdp_settings.reg
    ```

    • Keys under Policies are rewritten at the next Group Policy refresh on a domain-joined PC2, so use the export mainly to compare the two machines; a lasting change has to be made in the domain GPO
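Comparing raw .reg exports is tedious because the files differ in ordering and in keys that do not matter. The script below is an added example, not part of the original answer, that collects the handful of settings which decide how a Windows machine builds its TLS handshake (Schannel protocol switches, FIPS mode, the Group Policy cipher suite order, the RDP policy and listener values, and the cipher suites the machine offers) into one CSV per computer. All registry paths are the documented Schannel and Terminal Services locations; a value that is not set is reported as '(default)' instead of being guessed. Get-TlsCipherSuite is the built-in cmdlet available on Windows 10 and Windows Server 2016 and later.

```powershell
# Added example (not from the original answer): snapshot of the TLS-relevant settings
# on this machine, written to <COMPUTERNAME>-tls-settings.csv for comparison.
$protocolsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-RegValueOrDefault {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return '(key missing)' }
    $value = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).$Name
    if ($null -eq $value) { '(default)' } else { $value }
}

$rows = New-Object System.Collections.Generic.List[object]

# Per-protocol Schannel switches; Client governs outgoing (mstsc) handshakes,
# Server governs the RDP listener when the script runs on the server.
foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
    foreach ($side in 'Client', 'Server') {
        $key      = Join-Path -Path $protocolsKey -ChildPath "$proto\$side"
        $enabled  = Get-RegValueOrDefault $key 'Enabled'
        $disabled = Get-RegValueOrDefault $key 'DisabledByDefault'
        $rows.Add([pscustomobject]@{ Setting = "Schannel $proto $side"; Value = "Enabled=$enabled DisabledByDefault=$disabled" })
    }
}

# Settings outside the Protocols key that often differ between a client that connects and one that does not
$other = @(
    # FIPS mode limits Schannel to FIPS-approved cipher suites on this machine
    @{ Setting = 'FIPS mode';                  Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'; Name = 'Enabled' }
    # Cipher suite order pushed by Group Policy (SSL Configuration Settings > SSL Cipher Suite Order)
    @{ Setting = 'GPO cipher suite order';     Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'; Name = 'Functions' }
    # RDP policies from the Remote Desktop Services node
    @{ Setting = 'GPO RDP SecurityLayer';      Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name = 'SecurityLayer' }
    @{ Setting = 'GPO RDP UserAuthentication'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name = 'UserAuthentication' }
    # Listener settings, meaningful when the script is run on the server itself
    @{ Setting = 'RDP-Tcp SecurityLayer';      Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'; Name = 'SecurityLayer' }
    @{ Setting = 'RDP-Tcp UserAuthentication'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'; Name = 'UserAuthentication' }
)
foreach ($o in $other) {
    $rows.Add([pscustomobject]@{ Setting = $o.Setting; Value = Get-RegValueOrDefault $o.Path $o.Name })
}

# Cipher suites this machine is willing to offer, in priority order
$i = 0
foreach ($cs in Get-TlsCipherSuite) {
    $i++
    $rows.Add([pscustomobject]@{ Setting = 'Cipher suite {0:d2}' -f $i; Value = $cs.Name })
}

$outFile = "$env:COMPUTERNAME-tls-settings.csv"
$rows | Export-Csv -Path $outFile -NoTypeInformation
$rows | Format-Table -AutoSize

# Once both files are side by side, the differing rows are listed with:
#   Compare-Object (Import-Csv PC1-tls-settings.csv) (Import-Csv PC2-tls-settings.csv) -Property Setting, Value
```

The script only reads the registry and changes nothing, so it is safe to run on PC1, PC2 and the server. Rows that appear in the Compare-Object output for PC2 but not for PC1 (a FIPS mode value of 1, a Functions list that omits the server's suites, or a TLS 1.2 Client key with Enabled=0) are the settings to reconcile before touching the server-side configuration described earlier.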

Additional Checks and Solutions

Network Checks:

  1. Firewall Check:

    • On the server, ensure port 3389 is open for incoming connections
    • On PC2, verify that the Windows Firewall is not blocking outgoing connections on port 3389
  2. Routing Check:

    ```cmd
    tracert your-server-ip
    ping your-server-ip
    ```

    Ensure routes are available; note that PC2's log already shows the TLS handshake starting, so the TCP connection on port 3389 is being established and a firewall or routing block is an unlikely cause

Alternative Connection Methods:

  1. Use a Different RDP Client:

  2. Temporarily Disable Antivirus:

    • Temporarily disable antivirus software on PC2 to check for conflicts
  3. Create a New User on the Server:

    • Create a test user with administrator rights
    • Try connecting with the new credentials

Conclusion

The main causes of RDP connection problems from PC2 include:

  1. TLS/SSL Incompatibility - The most likely cause given error code 2055
  2. Certificate Issues - Especially if the server uses a self-signed certificate
  3. Strict Group Policies on PC2 that restrict RDP connections
  4. Network Differences between the PC1 and PC2 environments

Recommended Actions in Priority Order:

  1. Check and configure TLS protocols on the server and client
  2. Export and install the certificate from the server on PC2
  3. Compare group policies between PC1 and PC2
  4. Temporarily disable antivirus and firewall to check for conflicts
  5. Try connecting with a different RDP client

If the issue persists, check for the latest Windows updates on PC2, as Microsoft has released fixes for known TLS handshake issues in recent system updates.
