Slow Login to Windows Server 2008 R2 Remote Desktop

Having spent 5 weeks with Microsoft technicians trying to work this one out, and seeing plenty of unsolved forum posts on this topic, it seemed worth sharing as the final solution was fairly basic.

Problem

While logging into Terminal/Remote Desktop Services (TS/RDS) on Windows Server 2008 R2, both the "Securing remote connection..." and "Applying User Settings..." phases take a very long time (45 to 90 seconds in some cases) to complete.

Solution

Ensure that both the IPv4 address of the Terminal Server and the IPv6 address assigned to its 6TO4 tunnel are allowed through the firewall on the domain controller for the following:

  • All Active Directory rules
  • All Kerberos rules
  • Core Networking - IPv6 (IPv6-In) for just the IPv4 address.

 


During the case with Microsoft, many logs were taken from various machines, but it was the Netmon traces that showed that multiple Kerberos packets were being sent by the TS server and not being acknowledged by the DC.

Checking the firewall logs for dropped packets on the domain controller showed that the Terminal Server was trying to connect to port 88 (Kerberos) using protocol 41 (used by the 6TO4 tunnel) from the IPv4 address and having the packets dropped. Once that had been opened, further packets from the 6TO4 tunnel IPv6 address were then being dropped for LDAP requests.

This was on Server 2008 R2, but there's no reason to think this wouldn't also solve similar issues on previous versions of Windows Server.
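The firewall-log check described above can be scripted. The following is an added example, not part of the original post or of any Microsoft tooling: it scans a Windows Firewall log on the domain controller for dropped protocol 41 packets from the Terminal Server's IPv4 address and dropped Kerberos/LDAP packets from its 6to4 IPv6 address. It assumes the standard `pfirewall.log` field layout and the standard 6to4 address form (2002:WWXX:YYZZ::WWXX:YYZZ); the function names, addresses and log lines are constructed for illustration.

```python
import ipaddress

# Windows Firewall log (pfirewall.log) field order, from its "#Fields:" header.
FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port "
          "size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

AUTH_PORTS = {"88": "Kerberos", "389": "LDAP"}

def sixto4_address(ipv4):
    """6to4 tunnel address derived from an IPv4 address: 2002:WWXX:YYZZ::WWXX:YYZZ."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address((0x2002 << 112) | (v4 << 80) | v4)

def dropped_auth_traffic(log_text, ts_ipv4):
    """Return (reason, src, dst) for DROP entries matching the failure described above."""
    ts_v4 = ipaddress.ip_address(ts_ipv4)
    ts_v6 = sixto4_address(ts_ipv4)
    hits = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and the log header
        rec = dict(zip(FIELDS, line.split()))
        if rec.get("action") != "DROP":
            continue
        try:
            src = ipaddress.ip_address(rec["src-ip"])
        except (KeyError, ValueError):
            continue  # malformed or truncated line
        if src == ts_v4 and rec["protocol"] == "41":
            hits.append(("6to4 encapsulation (protocol 41)", str(src), rec["dst-ip"]))
        elif src == ts_v6 and rec.get("dst-port") in AUTH_PORTS:
            hits.append((AUTH_PORTS[rec["dst-port"]] + " from 6to4 address", str(src), rec["dst-ip"]))
    return hits

# Constructed sample log; documentation addresses (192.0.2.0/24) stand in for real ones.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2011-09-01 09:14:02 DROP 41 192.0.2.10 192.0.2.1 - - 124 - - - - - - - RECEIVE
2011-09-01 09:14:03 ALLOW TCP 192.0.2.10 192.0.2.1 49155 88 0 - 0 0 0 - - - RECEIVE
2011-09-01 09:14:05 DROP TCP 2002:c000:20a::c000:20a 2002:c000:201::c000:201 49160 389 52 S 0 0 8192 - - - RECEIVE
2011-09-01 09:14:06 DROP UDP 192.0.2.77 192.0.2.255 137 137 78 - - - - - - - RECEIVE
"""

if __name__ == "__main__":
    for reason, src, dst in dropped_auth_traffic(SAMPLE_LOG, "192.0.2.10"):
        print(f"{reason}: {src} -> {dst}")
```

Logging of dropped packets has to be enabled in the firewall profile for these entries to appear, and the derived 6to4 address should be confirmed against the output of ipconfig /all on the Terminal Server.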


Reader Comments

October 8, 2011, Edward says:

Can you tell how to do this solution?

October 10, 2011, Theo Gray says:

Hello Edward,

It will depend on what firewall you are using, but if it's the standard Windows one, go to "Windows Firewall with Advanced Security" which is under "Administrative Tools", and click on "Inbound Rules" on the tree on the left.

You may have to manually add a new rule for Protocol #41 traffic - click "New Rule" (top right) and follow the wizard through.

For the other two, just double-click each of the rules listed for Kerberos and Active Directory in turn and make sure that on the "Scope" tab either "Any IP Address" is selected under "Remote IP Address", or that the list includes the IPv6 address of the 6to4 tunnel adapter (which you can find by running ipconfig /all from a command prompt), as well as the IPv4 address.

December 26, 2011, jackcalara says:

Hello,
I found it good. Information is also helpful.

Thanks.

jackcalara

