Can’t RDP to Lenovo Windows 7 Machine

I was setting up a new Lenovo M93p desktop using the OEM install of Windows 7 Pro x64. After joining the computer to a domain, as soon as I tried to connect to it via Remote Desktop, before even getting to the logon screen, I got the popup message:

This computer can’t connect to the remote computer. Try connecting again. If the problem continues, contact the owner of the remote computer or your network administrator.

To rule out as many RDP issues as possible, I simplified the setup:

  • Reserved IP address assigned by router (so the IP stays constant)
  • Windows Firewall disabled.
  • Listening on standard port 3389.
  • Confirmed that 3389 is listening using
    netstat -ano | find /i "listening".
  • Remote Desktop is allowed from any version (Network Level Authentication not required).
  • Trying to connect within LAN, so no port forwarding required.
  • Trying to connect to IP address, so no DNS/NetBIOS required.
  • Trying to connect as a domain admin. Domain Admins, and this specific user, are both members of the local Administrators group. I also added the specific user to the Remote Desktop Users group, though that shouldn’t be necessary.
  • sfc /scannow finds no errors.
  • Take Control host works fine.
  • Remote Desktop to all other machines in the network works fine.

I see no errors in the event logs at the time of connection, however there are two errors at startup that might be related:

TerminalServices-LocalSessionManager 17:  "Remote Desktop Service start failed. The relevant status code was 0x800706b5." But by the time I check it Remote Desktop Services is already running.

System > TermDD 50:  "The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client." I see advice about replacing certificates here but so far haven’t found clear instructions.

It’s the LSA SSP—Why Didn’t I Think of That?

A colleague pointed me to this Spiceworks thread. On April 5, 2012, cheerchum suggested checking the list of Lsa Security Packages here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages

Sure enough, the problem machine had this value in that key:

kerberos
msv1_0
schannel
wdigest

but a known good computer had two additional lines:

kerberos
msv1_0
schannel
wdigest
tspkg
pku2u

Once I added those two missing lines on the problem machine and rebooted, Remote Desktop started working. I then re-enabled Network-Level Authentication, set up a custom RDP listening port, started using the machine name instead of its IP address, and tried connecting through the router with port forwarding–it all works!

There are lots of articles on Credential Security Support Providers (SSPs). Most seem related to Windows XP, e.g. Microsoft KB 951608. I’m just glad that adding tspkg and pku2u solved this problem—and I’m wondering why those were apparently missing from a Lenovo OEM build of Windows 7.

Leave a Reply

Your email address will not be published. Required fields are marked *

Notify me of followup comments via e-mail. You can also subscribe without commenting.