Terminal Server login fails even though user is a member of Remote Desktop Users group

When attempting to create an ICA or RDP connection to a Citrix Metaframe or Terminal Services server, you receive the error:

To log on to this remote computer, you must have Terminal Server User Access Permissions on this computer. By default, members of the Remote Desktop group have these permissions. If you are not a member of the Remote Desktop Users group or another group that has these permissions, or if the Remote Desktop User group does not have these permissions, you must be granted these permissions manually.

No user account is able to log in to the affected server(s), even accounts that are members of the Remote Desktop Users group or that have the Terminal Server User Access Permissions through another group. The affected accounts may still be able to log on to certain other servers in the Citrix Farm.

On the Metaframe server or Terminal Server, the following entry is logged in the System event log when the user is denied login:

Event Type: Warning
Event Source: TermService
Event Category: None
Event ID: 1010
User: N/A
Description: The terminal server could not locate a license server. Confirm that all license servers on the network are registered in WINS/DNS, accepting network requests, and the Terminal Server Licensing Service is running.

This problem is usually caused by a Terminal Server being configured for the wrong Terminal Server Licensing server, or by the Terminal Server becoming "disassociated" from the Terminal Server Licensing service in some way.

The simplest check is to open the Terminal Services Configuration tool and confirm, under Server Settings, that the License server discovery mode points to the correct TS License server for your environment and that the Name Check is successful.
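The same checks can be scripted from the affected server. The following Windows PowerShell sketch is an added example, not part of the original TechByte or the Citrix article: it looks for the Event ID 1010 warning quoted above, then verifies that the license server name resolves and answers on the network. The server name is a placeholder, and TCP 135 (the RPC endpoint mapper) is used only as a basic reachability probe on the assumption that the licensing service is reached over RPC.

```powershell
# Added example. $LicenseServer is a placeholder: set it to your TS License server.
param(
    [string]$LicenseServer = 'TS-LICENSE-PLACEHOLDER',
    [int]$HoursBack = 24
)

function Get-LicenseWarning {
    param([int]$Hours)
    # Event ID 1010 from source TermService in the System log, as quoted in the article.
    Get-EventLog -LogName System -Source TermService -EntryType Warning `
                 -After (Get-Date).AddHours(-$Hours) -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 1010 }
}

function Resolve-LicenseServerName {
    param([string]$Name)
    # Uses the system resolver; an empty result means the name did not resolve.
    try { [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString } }
    catch { @() }
}

function Test-TcpPort {
    param([string]$Name, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Name, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    }
    catch { return $false }
    finally { $client.Close() }
}

$warnings  = @(Get-LicenseWarning -Hours $HoursBack)
$addresses = @(Resolve-LicenseServerName -Name $LicenseServer)
$reachable = $false
if ($addresses.Count -gt 0) { $reachable = Test-TcpPort -Name $LicenseServer -Port 135 }

New-Object PSObject -Property @{
    LicenseServer    = $LicenseServer
    Event1010Count   = $warnings.Count
    LastEvent1010    = ($warnings | Select-Object -First 1).TimeGenerated
    ResolvedTo       = ($addresses -join ', ')
    RpcPortReachable = $reachable
}
```

A non-zero Event1010Count together with an empty ResolvedTo or a false RpcPortReachable points at name registration or network reachability rather than group membership.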

Assuming the TS License server responds correctly, we have also successfully used the following solution to "re-associate" the Terminal Server with the License Server. It was taken from this Citrix Knowledgebase article: http://support.citrix.com/article/CTX564283&searchID=11915722 but has been rewritten here for clarification, to show the steps we have successfully used to correct this issue:

  1. If the TS is a member of a domain and is not a domain controller, join it to a workgroup. This move from the domain is only temporary. It should not cause any long-term effects, though you should consider your environment. If the TS is not a domain member, you can try promoting it to a DC of a temporary domain; however, we have not tested this scenario. Nor have we tested a solution where the TS is a domain controller, though in theory you should be able to demote it and re-promote it later (assuming that you have more than one DC).
  2. Install the Terminal Services Licensing Windows component from Add/Remove Programs and Activate it.
  3. Open the Terminal Services Configuration administrative tool. Under Server Settings, make note of the License server discovery mode, then ensure it is configured either to: A) Automatic with the server's name appearing in the In/Domain Workgroup Role field at the bottom of the screen, or B) Use these license servers with the server's own name specified. This will ensure the server is temporarily using its own newly created Licensing Server. This license server has a built-in 120 day grace period, but you will only need it for a few quick tests.
  4. Create at least two ICA or RDP sessions to this server.
  5. In the Terminal Server Licensing window, Deactivate the license server.
  6. Rejoin the original domain or demote the server to restore it to its original domain context.
  7. If appropriate, open the Terminal Services Configuration window and reset the License server discovery mode to its original setting.
  8. Attempt to create an ICA or RDP session. It should be successful.


Author: ASAK
Created: Jan 11 2007 (last modified Jan 12 2007)
Categories: Citrix Metaframe/Presentation Server - Terminal Services
TechByte #146
