Terminal license troubles

Heya!

Today I will tell you about issue I discovered recently with terminal license server. It was windows 2012R2 with 100 per user licenses installed. I configured license usage report for it which was described here. For about 1 year it was showing usage of about 10 from 100 licenses. That was confusing so I started investigation. First I checked license usage report fromĀ RD Licensing Manager and noticed there:

Failed Per User License Issuance Detail

User,CAL Version,CAL Type,Tried Issuance On

ddc.com\m_okla,Windows Server 2012,RDS Per User CAL,”den 7 april 2017 14:00:10″

ddc.com\m_dvbl,Windows Server 2012,RDS Per User CAL,”den 7 april 2017 14:00:20″

ddc.com\m_lpdn,Windows Server 2012,RDS Per User CAL,”den 7 april 2017 16:06:33″

ddc.com\m_opda,Windows Server 2012,RDS Per User CAL,”den 10 april 2017 09:44:58″

ddc.com\d_elam,Windows Server 2012,RDS Per User CAL,”den 10 april 2017 09:48:33″

Failed Per User License Issuance Summary

DomainName,FailedPerUserLicenseIssuanceCount

ddc.com,5

First I checked logs on server and there were no any recent events regarding terminal licenses. So I asked a question on MS support forums and got reply to search for event 4105 in windows application log.

I searched and found a lot of such events. So this issue is about permissions for RD License server on user accounts in AD. You can check this permissions on security tab of user account in AD, but before you need to enable “Advanced Features” in AD Users and Computers

Untitled

In our case “Terminal Server License Servers” group was added as Allow entry in users ACL, but did not had any permissions on user account at all.

Untitled

It should be “Read/Write Terminal Server license server”

First I was planning to write some script to update permissions for each user object, but then I found this article from MS. It is not stated there that it applies for windows 2012 and windows 2012R2, but it does šŸ™‚

I used both methods from scenario #2 and each of them worked.

1 warning here. Permissions forĀ “Terminal Server License Servers” group will not be updates, new ACL entry will be added for each user object instead. So keep it in mind when checking results, just look at all ACL entries to make sure it worked.

After correct permissions were applied license usage increased twice during 1 day only!

 

Advertisements

Terminal Services Licensing problem

Hi,

today I faced an issue with Terminal Server Licensing problem. It was not possible to start its service.

It failed with:

The following error occurred:Can’t initialize Cryptographic – error code 5

An error occurred during the Terminal Services license server initialization phase

The terminal Services licensing service terminated with service-specific error 3221295105 (0xC0011001)

After googling a bit I found out that it is about permissions to folder

C:\Users\all users\Application Data\Microsoft\Crypto\RSA\MachineKeys (in my case it was windows 2008, for windows 2003 path is different)

So it was necessary to grant read permissions for “Network Service” account to this folder and files inside. Unfortunately inheritance is broken for files inside of folder and I did not had any permissions for them. I used “takeown” tool to get necessary permissions

takeown /F “C:\Users\all users\Application Data\Microsoft\Crypto\RSA\MachineKeys” /A /R /D Y

/F specifies folder or file

/A key sets owner to be local administrators group, ofc you need to be a member of this group

/R is necessary toĀ operate on files and subfolders of specified directory

/D Y used to disable popup warnings

Afterwards I navigated to “MachineKeys” folder properties > “Security” tab > “Advanced” button > “Edit” button > “Add” button. Type “Network Service” as service name. Choose permissions as specified on picture and make sure “Apply to” is set to be same as on a picture below.

Screenshot_2

Now you will be able to launch Terminal Server Licensing service without any troubles. Files for this service are located under C:\Windows\system32\LServer, so if you need backup it is enough to copy this folder.

Good luck!

#Ā Can’t initialize Cryptographic #3221295105 #0xC0011001 #Terminal Services licensing service #Cryptographic – error code 5