Skip navigation.

Blog

Slow Login to Windows Server 2008 R2 Remote Desktop

Remote Desktop ServicesHaving spent 5 weeks with Microsoft technicians trying to work this one out, and seeing plenty of unsolved forum posts on this topic, it seemed worth sharing as the final solution was fairly basic.

Problem

While logging into Terminal/Remote Desktop Services (TS/RDS) on Windows Server 2008 R2, both the "Securing remote connection..." and "Applying User Settings..." phases take a very long time (45 to 90 seconds in some cases) to complete.

Solution

Ensure that the IPv6 address assigned to the 6TO4 Tunnel (as well as the IPv4 address) of the Terminal Server is allowed on the domain controller for the following:

  • All Active Directory rules
  • All Kerberos rules
  • Core Networking - IPv6 (IPv6-In) for just the IPv4 address.

 

During the case with Microsoft, many logs were taken from various machines, but it was the Netmon traces that showed that multiple Kerberos packets were being sent by the TS server and not being acknowledged by the DC.

Checking the firewall logs for dropped packets on the domain controller showed that the Terminal Server was trying to connect to port 88 (Kerberos) using protocol 41 (used by the 6TO4 tunnel) from the IPv4 address and having the packets dropped. Once that had been opened, further packets from the 6TO4 tunnel IPv6 address were then being dropped for LDAP requests.

This was on Server 2008 R2, but there's no reason to think this wouldn't also solve similar issues on previous versions of Windows Server.

Share|
By on August 23, 2011 | Permalink | Comment

Reader Comments

Skip to form

October 8, 2011, Edward says:

Can you tell how to do this solution?

October 10, 2011, Theo Gray says:

Hello Edward,

It will depend on what firewall you are using, but if it's the standard Windows one, go to "Windows Firewall with Advanced Security" which is under "Administrative Tools", and click on "Inbound Rules" on the tree on the left.

You may have to manually add a new rule for Protocol #41 traffic - click "New Rule" (top right) and follow the wizard through.

For the other two, just double-click each of the rules listed for Kerberos and Active Directory in turn and make sure that on the "Scope" tab either "Any IP Address" is selected under "Remote IP Address", or that the list includes the IPv6 address of the 6to4 tunnel adapter (which you can find by running ipconfig /all from a command prompt), as well as the IPv4 address.

December 26, 2011, jackcalara says:

Hello,
i found it good. information is also helpful.

thanks.

jackcalara

April 4, 2012, SysAdmin Davis says:

What a great little fix.. Thank you, made my Terminal Server much faster.

June 14, 2012, Riste Ristevski says:

Add this to the server's registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DWORD, DisableTaskOffload. Set its value to 1.

June 14, 2012, Theo Gray says:

Thanks Riste,

Your registry change is a fix for when the network card is struggling under the load of traffic. This could be another source of slow logon, but the logon delays would most likely fluctuate during the day.

I'm not sure whether this would be relevant after Windows XP/Server 2003.

July 30, 2012, William hunter says:

could you provide information on how you open those ports up?

Thank you

August 29, 2012, Mike says:

Had the exact same wait time issue but checking the firewall logs on the DC didn't show any dropped packets. Started happening right after installed a new server and the TS had the IP of the old DNS server hard coded. Changing to the new DNS server solved the wait time issue. Something else simple to check if firewall doesn't seem to be the cause.

December 9, 2012, mahmoud says:

i have problem in my network.

- im working IT Administrator in software company and i have Server 2003 and i`m store the sources on the serve .
my problem when i connect on the form , from on server he take few seconds . what the resolve

February 4, 2013, Russell Newman says:

Thanks for sharing your findings in such depth. I'm experiencing similar problems, so your article means I have some potential solutions to explore.

Also, I was pleasantly surprised to find that you are a fellow ECS-er. Small world indeed!

June 14, 2013, stratman says:

Excited to try this. Still testing new 2008R2 RDS farm with four servers. This is about the only remaining issue before going into full production. If this works I owe you a beer!

July 15, 2013, jgray says:

If we have multiple domain controllers, must this be done on each one?

July 31, 2013, Theo Gray says:

If you have a firewall enabled on each DC, then yes.

December 1, 2013, rijo says:

An account was logged off.

Subject:
Security ID: WIN-QLW5WXZTIFL\myaccount
Account Name: myaccount
Account Domain: WIN-QLW5WXZTIFL
Logon ID: 0x8670ae

Logon Type: 3

This event is generated when a logon session is destroyed. It may be positively correlated
with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

Keeps hanging in securing remote connection..

February 3, 2014, JT says:

Thanks for the tip with the ipv6 adresses. That solved the slow RDP login problem. I had to add the link local range as well: fe80::/10

Cheers

August 27, 2014, Shivakumar says:

Hi

U made my job easy
Its Very simple & usefull info

Thanks a lot

January 22, 2015, Alex says:

Also there could be another issue. If your LAN is isolated then you're not able to update root certificates used for securing RDP connection resulting in requests timing out.
http://support.microsoft.com/kb/2915774

February 26, 2016, Shivika says:

Hi Theo,

Facing same problem on my azure 2008 R2 server . Slow login for more than 5 minutes . Any suggestion?

November 8, 2016, Josonic says:

Windows Server with Terminal Services TS / Remote Desktop Services RDS role installed takes up to an hour to allow logon ( stuck at Please wait for Group Policy Client ) then takes up to 90 minutes for logon ( stuck at Applying User Settings ) logging Winlogon 6005 Warnings with the following text:- The winlogon notification subscriber <GPClient> is taking a long time to handle the notification event (CreateSession) was solved by Microsoft KB2655998

Comment on This Article:

Your Name:
Your Email Address:
 
Your Email Address will not be made public,
but the MD5 hash of it will be used to display your Gravatar.
Comment:
All HTML, except <i>, <b>, <u> will require your comment to be moderated before it is publicly displayed.
 
If you would like your own avatar displayed, read about comment avatars.