# Windows 7 remote access into, access denied



## sjpiv44 (Aug 16, 2010)

Before updating to Windows 7 from XP, remote access was working. Now, enabling remote terminal access, we get access denied. The PCs trying to gain access are a Vista and a 7. The PC being accessed is using a sticky IP. We have been accessing for some time until the upgrade.
This is between 2 cities. NLR has sticky IP and is to be accessed, Searcy had dynamic, class C. 

Thanks in advance for your help.
Jack Privitt


----------



## btop (Jun 10, 2011)

Does the user account that you are trying to use to gain remote access belong to the Remote Desktop User account group in that remote desktop server? Did you enable the "Remote Desktop" exception in Windows firewall, or similar if using a 3rd party firewall?

And confirm this remote computer is in the same LAN in the same subnet as it was before updating to Windows 7.


----------



## sjpiv44 (Aug 16, 2010)

I will check the Windows firewall in 7 and make sure that "Remote Desktop" is in exception. 
As to the LAN settings, they are the same as before. NLR Sticky IP, and Searcy is Dynamic. Do they have to be the same class IP addresses??
They were not before. 
Thanks.


----------



## btop (Jun 10, 2011)

If they weren't in the same class of IP address, they weren't in the same subnet.


----------



## vive1 (May 3, 2011)

To host a *Remote Desktop Connection*, Windows 7 must be one of these versions: *Professional*, *Ultimate*, and *Enterprise*


----------



## sjpiv44 (Aug 16, 2010)

Yes, they have different subnets, and all OS, Vista, 7 is Professional.
If we are supposed to have the same subnet, then we need to keep the sticky IPs at both ends? If that is the case, we need to change the DHCP on the new router, in Searcy, to the class of the host?


----------



## vive1 (May 3, 2011)

I read somewhere that allowing "edge traversal" on incoming firewall settings may help. I'm not sure exactly what this means though.


----------



## TerryNet (Mar 23, 2005)

Is the Windows 7 computer connected to a router? If so, does it have a static IP or always get the same IP through the router's DHCP server's IP reservation feature? Is the proper port (3389 I think) forwarded to the Windows 7 machine?

Do you know the public IP address of the router (or computer if it is connected directly to a modem)?

I am not familiar with the terms "sticky IP," "NLR" and "Searcy." What does each mean?


----------



## btop (Jun 10, 2011)

The access denied error shows that Remote Desktop is finding the remote server, so ports are forwarded correctly.

sjpiv44, please confirm/provide answers for the following:


1. You are using a Windows account on the remote host/server that is a member of the Remote Desktop Users security group on that computer.
2. The firewall on the remote host is configured to allow Remote Desktop connections.
3. The remote host is configured with a static IP.
4. You are supplying the correct IP address or name of the correct remote host in the Remote Desktop Connection interface on the client.
5. Client and host/server computers are on different subnets. (e.g.: 192.168.1.x, 192.168.2.x)
6. Are all computers on the same local area network, or do you connect through the internet?
7. All Windows updates have been applied on all computers.


----------



## sjpiv44 (Aug 16, 2010)

Yes, the host is NLR, North Little Rock, Arkansas, and the clients are in Searcy, Arkansas, about 50 miles apart. NLR has static, "Sticky IPs" as what ATT call them. NLR's subnet is 255.255.255.240, and Searcy's is 255.255.255.0. Both systems are behind a router.

Again, before I upgraded to Windows 7, this was all working and for a couple of years.

Now, we have static IP at Searcy, but because we have not had the need for Searcy to access NLR, and we will have to change the router in Searcy, because that Netopia there will not address address forwarding. 

Since I have upgraded NLR, I will check Windows 7 firewall and make sure that it has "Remote Access" and make sure that all the machines have "Remote Access" enabled.

Where I am not clear is the subnet???


----------



## btop (Jun 10, 2011)

sjpiv44 said:


> NLR's subnet is 255.255.255.240, and Searcy's is 255.255.255.0.


Those are subnet masks, not subnets (or subnetworks). Subnets are groups or subdivisions of IP addresses. In a LAN, they will be numbered similar to what I stated in step 5. They also may be 10.x.x.x.

I have one more question for you, in addition to the 7 above: Are you attempting to connect to Remote Desktop through a VPN from Searcy to North Little Rock?


----------



## sjpiv44 (Aug 16, 2010)

Thanks for clearing the subnet issue, Yes, at this point NLR, being the server, has 65.64.20.---, and the client, Searcy, has 192.168.1.--. At this point, I am going to make 4 stations able to be servers. We only have the need for Searcy to access NLR to update information. 
And I am not using a VPN.
Thanks


----------



## TerryNet (Mar 23, 2005)

OK, as I understand it now you know the sticky or static public IP at NLR. But you also indicated that the Windows 7 at NLR is behind a router. Is the proper port forwarded to the Windows 7 machine?


----------



## mucker2010 (May 24, 2011)

It doesn't matter if they are on different subnets or not. It only matters if going through a VPN.
Also hasn't he said it worked before? Which indicates an issue with the Win 7 PC.
@SJP, does the error actually say "Access Denied"? What IP address do you actually type into the RDP window? And do you get as far as typing in your username and password? Basically, do you get an "access denied" before or after typing username and password?


----------



## mucker2010 (May 24, 2011)

> Thanks for clearing the subnet issue, Yes, at this point NLR, being the server, has 65.64.20.---, and the client, Searcy, has 192.168.1.--. At this point, I am going to make 4 stations able to be servers. We only have the need for Searcy to access NLR to update information.


Only just saw this. So you are saying you type 65.64.20.--- in the RDP connection? What happens then? Do you THEN get access denied or does it prompt you for a username and password?
I am just trying to save us a lot of time here with this question. IF you get a prompt for username and password then the networking, port forwarding is working fine. We don't have to look at anything else except the PC then.
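
The network-versus-account split described in this post can be checked before any credentials are involved. The following is an added example, not part of the original post: a TCP probe of the Remote Desktop port that maps each outcome to the layer worth looking at next. The function names, the outcome labels and the placeholder address `192.0.2.10` are assumptions made for illustration.

```python
import socket

RDP_PORT = 3389  # default Remote Desktop port, as named in the thread

# Where to look next for each TCP outcome (wording is this example's own).
NEXT_STEP = {
    "open": "TCP path works: look at accounts, group membership, credentials",
    "refused": "host answered but nothing listens: Remote Desktop disabled "
               "or port forward aimed at the wrong machine",
    "timeout": "no answer: missing port forward or a firewall dropping packets",
    "unresolved": "name did not resolve: connect by IP or fix name resolution",
    "unreachable": "no route to the address: check the IP and the link",
}


def probe_tcp(host, port=RDP_PORT, timeout=3.0):
    """Attempt one TCP connection and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:          # raised when a host *name* cannot be resolved
        return "unresolved"
    except socket.timeout:           # SYN sent, nothing came back
        return "timeout"
    except ConnectionRefusedError:   # RST came back: reachable, port closed
        return "refused"
    except OSError:                  # e.g. network unreachable
        return "unreachable"


def diagnose(host, port=RDP_PORT, timeout=3.0):
    """Return (outcome, advice) for one target."""
    outcome = probe_tcp(host, port, timeout)
    return outcome, NEXT_STEP[outcome]


if __name__ == "__main__":
    # 192.0.2.10 is a documentation-range placeholder, not an address from the thread.
    state, advice = diagnose("192.0.2.10")
    print(f"{state}: {advice}")
```

An "open" result only shows that something accepts TCP on that port at the forwarded address; it does not say which of several stations behind the router answered.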


----------



## sjpiv44 (Aug 16, 2010)

Thanks all. 

We do not get a login prompt. "Access Denied" comes as we are trying to connect. 
As to the address forwarding, the router has the addresses forwarded. I gave the new 7 computers their own address. ie... 65.64.20.130. That address was working with XP. I realize that 7's access is another ball game. I have tried to open the door where possible. There are no ports blocked.

I will be back at site, NLR, Thursday to check all the 7 and XP firewalls.


----------



## btop (Jun 10, 2011)

sjpiv44 said:


> Thanks for clearing the subnet issue, Yes, at this point NLR, being the server, has 65.64.20.---, and the client, Searcy, has 192.168.1.--. At this point, I am going to make 4 stations able to be servers. We only have the need for Searcy to access NLR to update information.
> And I am not using a VPN.
> Thanks


Then what TerryNet said is correct. You must forward a port (3389) for this to work. Assuming your RDP host/server is connected to the outside world via _one_ router, you must configure that router to forward TCP protocol to port 3389 to the _private_ IP address of your RDP server(s). Port 3389 is standard; of course, if you changed the port, forward _that_ port. In this case, you should configure a private static IP for your RDP server(s) in addition to proper user account permissions and firewall rules.


----------



## btop (Jun 10, 2011)

mucker2010 said:


> It doesn't matter if they are on different subnets or not. It only matters if going through a VPN.


It does matter when traversing subnets within a LAN.


----------



## sjpiv44 (Aug 16, 2010)

Thanks all again, I will check all the PCs out and make sure router in NLR, Static IPs, is forwarded to the right ports. I will post back Thursday when I get through. 

Thanks for your help,
Jack Privitt
Little Rock, Ar


----------



## btop (Jun 10, 2011)

sjpiv44 said:


> Thanks all.
> 
> I gave the new 7 computers their own address. ie... 65.64.20...


That is a public IP address. Don't use that. Instead, you need a _private_ IP address, something that is in the subnet of the router. For example, if your router's private IP is 192.168.1.1 with subnet mask of 255.255.255.0, your RDP server(s) must be statically assigned somewhere between 192.168.1.2 and 192.168.1.254--but _outside_ the scope of addresses that your DHCP server assigns.
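
The address rules in this post, and the earlier mask-versus-subnet distinction, can be checked mechanically. The following is an added example, not part of the original post: it derives a subnet from an address and mask, then lists why a candidate static address for an RDP host is or is not usable behind the router. The router address and mask follow the post; the DHCP pool range and all function names are assumptions made for illustration.

```python
import ipaddress

# Router values follow the post above; the DHCP pool is a constructed assumption.
ROUTER_IP = "192.168.1.1"
NETMASK = "255.255.255.0"
DHCP_POOL = ("192.168.1.100", "192.168.1.199")


def subnet_of(address, netmask):
    """Turn an address plus a subnet *mask* into the *subnet* it belongs to."""
    return ipaddress.ip_network(f"{address}/{netmask}", strict=False)


def static_ip_problems(candidate, router_ip=ROUTER_IP, netmask=NETMASK,
                       dhcp_pool=DHCP_POOL):
    """Return the reasons `candidate` is a bad static address for a host
    behind the router; an empty list means it is usable."""
    addr = ipaddress.ip_address(candidate)
    router = ipaddress.ip_address(router_ip)
    lan = subnet_of(router_ip, netmask)
    pool_lo, pool_hi = (ipaddress.ip_address(a) for a in dhcp_pool)

    problems = []
    if not addr.is_private:
        problems.append("public address")
    if addr not in lan:
        # Nothing else is worth checking for an address on another network.
        problems.append(f"outside router subnet {lan}")
        return problems
    if addr in (lan.network_address, lan.broadcast_address):
        problems.append("network or broadcast address")
    if addr == router:
        problems.append("router's own address")
    if pool_lo <= addr <= pool_hi:
        problems.append("inside DHCP pool")
    return problems


if __name__ == "__main__":
    # The mask quoted for NLR is a mask; combined with an address it yields a subnet.
    print(subnet_of("65.64.20.130", "255.255.255.240"))
    for ip in ("192.168.1.50", "192.168.1.150", "65.64.20.130", "192.168.2.10"):
        print(ip, static_ip_problems(ip) or "usable")
```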


----------



## sjpiv44 (Aug 16, 2010)

I am comfortable with setting DHCP server to assign around used address, like a printer or away from the gateway or broadcast.


----------



## TerryNet (Mar 23, 2005)

Just for emphasis I want to ditto btop's post # 20. If you have a router at NLR and its WAN has the public sticky IP address 65.64.20... each computer connected to the router has (should have) a private IP address. The Windows 7 computer (and the XP before it) would be assigned the public IP address only if you were not using a router.


----------



## sjpiv44 (Aug 16, 2010)

Again the hosts are going to be class 'C', 192.168.1.**. [Searcy] The servers have the static IPs. [NLR]. There will only be one person in Searcy connecting to NLR. She may go to a different address if busy.


----------



## sjpiv44 (Aug 16, 2010)

NLR is not using DHCP because of the static IPs.


----------



## sjpiv44 (Aug 16, 2010)

I will be at the NLR site Thursday, June 23. I will be working with Searcy and see if we can get this going. If I have any problem, I will get online with you and we will go from there.


----------



## vive1 (May 3, 2011)

sjpiv44 said:


> Thanks all.
> 
> We do not get a login prompt. "Access Denied" comes as we are trying to connect.
> As to the address forwarding, the router has the addresses forwarded. I gave the new 7 computers their own address. ie... 65.64.20.130. That address was working with XP. I realize that 7's access is another ball game. I have tried to open the door where possible. There are no ports blocked.
> ...


You are saying that the NLR site has a static IP but you haven't described how that network is set up. Do all the workstations have a local 192.168.x.x static address? Also, does each one have a different inbound port for remote desktop connections? A network diagram goes a long way toward solving these kinds of problems.



sjpiv44 said:


> Again the hosts are going to be class 'C', 192.168.1.**. [Searcy] The servers have the static IPs. [NLR]. There will only be one person in Searcy connecting to NLR. She may go to a different address if busy.


In your original post you described NLR as the hosts (hence the need for static IP) and SEARCY as the clients.


----------



## btop (Jun 10, 2011)

I'd like to back up a bit, because I don't understand your response. In message #15, mucker2010 asked if you type 65.64.20.--- in the RDP connection. Meaning, do you type that address into the Remote Desktop client interface, which looks like this: http://blog.tmcnet.com/blog/tom-keating/images/remote-desktop-connection.gif

In response, you said in message #16, "We do not get a login prompt."

What do you mean by that? Or did you misunderstand the question? If so, what do you type in that Remote Desktop Connection app in the "Computer" field?


----------



## mucker2010 (May 24, 2011)

btop said:


> I'd like to back up a bit, because I don't understand your response. In message #15, mucker2010 asked if you type 65.64.20.--- in the RDP connection. Meaning, do you type that address into the Remote Desktop client interface, which looks like this: http://blog.tmcnet.com/blog/tom-keating/images/remote-desktop-connection.gif
> 
> In response, you said in message #16, "We do not get a login prompt."
> 
> What do you mean by that? Or did you misunderstand the question? If so, what do you type in that Remote Desktop Connection app in the "Computer" field?


What he means is that he gets the access denied error before getting a prompt. This suggests the problem is with the networking side. That probably wasn't the full error (which is important when troubleshooting). It prob said "Access denied or can't connect to machine" or something like that.
@SJP, is the remote site behind a router at all or connected directly to a modem? This IP information everyone is trying to find out, if u are unsure just do an ipconfig on the machine and tell us what it says. We will be able to work it out from that.
@Btop, why does it matter if they are on different subnets on the LAN?


----------



## btop (Jun 10, 2011)

mucker2010 said:


> What he means is that he gets the access denied error before getting a prompt. This suggests the problem is with the networking side.


How can you be denied _before_ getting a login prompt, or be denied without ever getting one in the first place? I never receive a login prompt _after_ attempting a connection with Remote Desktop, whether I am denied access or not. So I would like sjpiv44 to explain what s/he means.



mucker2010 said:


> @Btop, why does it matter if they are on different subnets on the LAN?


Because if s/he is and if sufficient DNS servers don't exist, RDP won't work if connecting by name.


----------



## mucker2010 (May 24, 2011)

> How can you be denied _before_ getting a login prompt, or be denied without ever getting one in the first place? I never receive a login prompt _after_ attempting a connection with Remote Desktop, whether I am denied access or not. So I would like sjpiv44 to explain what s/he means.


A lot of programs when they can't connect say "access denied or can't connect", along the lines of that. Can't remember if RDP does or not. And as is typical of people reporting errors they don't usually give the FULL error. So most people just say "access denied" when in fact it could be a connection issue. By confirming he at least got a login prompt and THEN access denied it would have been a true access denied message. In other words this would rule out any networking, routing, port forwarding issues.



> Because if s/he is and if sufficient DNS servers don't exist, RDP won't work if connecting by name.


Your logic is flawed as I have said in another post. You really need to read up on how name resolution works. Why are you even talking about DNS when he is connecting on the IP address? DNS isn't even used here. Although DNS does work across the subnets (but you think it doesn't) it would even matter here anyway as he is connecting to an IP address not a DNS name...


----------



## btop (Jun 10, 2011)

mucker2010 said:


> A lot of programs when they can't connect say "access denied or can't connect", along the lines of that. Can't remember if RDP does or not. And as is typical of people reporting errors they don't usually give the FULL error. So most people just say "access denied" when in fact it could be a connection issue. By confirming he at least got a login prompt and THEN access denied it would have been a true access denied message. In other words this would rule out any networking, routing, port forwarding issues.


How can any program deny access _before_ being told to access. A login prompt provides information for the login attempt. So it is impossible to be denied before an attempt is made. Right? RDP does provide the exact (or nearly exact) error that was given; it does say access is denied. But this only happens _after_ supplying the information on the login prompt. I asked -- as did you! -- what was provided in that login prompt.



mucker2010 said:


> Your logic is flawed as I have said in another post. You really need to read up on how name resolution works. Why are you even talking about DNS when he is connecting on the IP address? DNS isn't even used here. Although DNS does work across the subnets (but you think it doesn't) it would even matter here anyway as he is connecting to an IP address not a DNS name...


So you believe RDP _will_ work by name here without sufficient DNS servers? Please explain how that is possible.


----------



## mucker2010 (May 24, 2011)

> How can any program deny access _before_ being told to access. A login prompt provides information for the login attempt. So it is impossible to be denied before an attempt is made. Right? RDP does provide the exact (or nearly exact) error that was given; it does say access is denied. But this only happens _after_ supplying the information on the login prompt. I asked -- as did you! -- what was provided in that login prompt.


OK, it's easier to explain with an example. Have you ever tried to access a network share but you accidentally spell it wrong? Of course the share doesn't exist but the error says "access denied or can't connect to server" or something like that. So that error could mean a genuine access denied or problems with the network. Other programs also behave the same way. I know how RDP works though and this is why I was asking him to double check and tell us word for word what the error says. The truth is yes it is impossible to get an access denied before authenticating but errors are sometimes generic (i.e. it could be access denied or a network problem). Also although every program has to authenticate not all of them prompt, some automatically do it in the background like when you connect to a Windows share.


> So you believe RDP _will_ work by name without sufficient DNS servers?


Don't put words in my mouth, I never said that. But if he connects on the IP (not a DNS name) which he is doing here, yes 100% it will work without DNS configured. DNS won't work without DNS servers being configured though. If you put in a public DNS IP address though as in a DNS server half way around the world then your PC is sending DNS queries across multiple subnets (the internet is thousands of networks!). According to you though in two posts I have read this isn't possible. I have answered you and I won't avoid your questions so please don't avoid mine. Why do you even think this issue has anything to do with DNS when he is connecting on the IP address?


----------



## btop (Jun 10, 2011)

mucker2010 said:


> OK, it's easier to explain with an example. Have you ever tried to access a network share but you accidentally spell it wrong? Of course the share doesn't exist but the error says "access denied or can't connect to server" or something like that. So that error could mean a genuine access denied or problems with the network. Other programs also behave the same way. I know how RDP works though and this is why I was asking him to double check and tell us word for word what the error says. The truth is yes it is impossible to get an access denied before authenticating but errors are sometimes generic (i.e. it could be access denied or a network problem). Also although every program has to authenticate not all of them prompt, some automatically do it in the background like when you connect to a Windows share.


No it doesn't mean that. Just as you said that I "really need to read up on how name resolution works", you really need to learn up on how RDP works.



mucker2010 said:


> Don't put words in my mouth, I never said that.


You _strongly_ implied that. So rather than insult you, as you have done me numerous times! -- I asked a question for clarification. I said, "if sufficient DNS servers don't exist, RDP won't work if connecting by name." You replied by saying, "Your logic is flawed as I have said in another post" -- actually another thread where I mentioned DNS and NetBIOS.

I am not going to continue an argument with you, let alone argue here about comments made in another thread. I am here to help sjpiv44 with a RDP issue, not to get into a battle of wits.


----------



## mucker2010 (May 24, 2011)

btop like you said I am not going to argue either with you. I just like putting the correct information down.


> Yes you did. I said, "if sufficient DNS servers don't exist, RDP won't work if connecting by name." You replied by saying, "Your logic is flawed as I have said in another post."


I take it back, I didn't spot you said _by name_. Maybe because this ENTIRE post has nothing AT ALL to do with DNS I was wondering why you would make a statement like that. The OP has been connecting this entire time on an IP address, not on a DNS name and for several posts you asked whether they were on different subnets because DNS doesn't work across subnets. DNS HAS NOTHING AT ALL TO DO WITH THIS ISSUE so why do you keep saying it matters and why do you keep saying it doesn't work across subnets??? That is what I was questioning. And WHY CAN'T YOU ANSWER MY QUESTIONS? It is because if you did they would contradict what you said earlier. I don't particularly like arguing with people but when I know I am right about something or someone is giving advice out that is wrong I won't back down.

Do you still think DNS can't traverse subnets?
Here are some facts for you:
DNS IS THE name resolution protocol on the internet.
NetBIOS names are blocked by default by all internet firewalls.
The internet is a collection of thousands of networks (subnets).

If DNS really couldn't traverse subnets then the people that decided to settle on DNS as the name resolution protocol for the internet would have been pretty stupid considering the internet is thousands of subnets don't you think?
Never mind them being stupid, if DNS can't traverse the internet then how do you ever see websites? Because www.microsoft.com is a DNS name, www.google.com is a DNS. How do I get to see these websites IF DNS CAN'T TRAVERSE SUBNETS AS YOU CLAIM?? ANSWER ME PLS?

Anybody who isn't sure of this here's a test to prove that DNS can traverse subnets. In your TCP/IP settings go and set your DNS server IP address to be 8.8.8.8 (a public DNS server) and now try to ping www.microsoft.com. Notice it resolves the DNS name to IP address, this means the DNS query was successful. Now to do this your PC has to send a DNS query to 8.8.8.8 and get the results back (which it obviously did). Now is 8.8.8.8 on your local subnet? No it isn't! It is another subnet, in fact it is probably about 5 subnets away from your own. Therefore you have just seen for yourself that DNS CAN TRAVERSE SUBNETS!!

If you are going to get an attitude over it so will I but you will end up looking stupid when I keep bringing facts up and answering every one of your questions with good answers why you fail to answer any of mine and don't show a shred of evidence to support your claim. Really you should just let this go and accept the DNS does traverse subnets.

Go and read this http://en.wikipedia.org/wiki/Domain_Name_System. Notice how he keeps saying DNS is used on the internet?? Notice how it says it is the name resolution protocol for the internet?

Anyway I doubt you will come back with anything now but if you do I'm not going to bother answering you as I have proven my point and it is going off topic now. DNS has nothing to do with this issue here. And your statements about DNS not being able to traverse the internet are wrong as I have proven with FACTS.


----------



## valis (Sep 24, 2004)

how about everyone knock off correcting everyone else, and see if we can solve the OP's question? 




thanks, 

v


----------



## mucker2010 (May 24, 2011)

You're right Valis. As i said in my last post that is the last of it.
Not asking you to take a side here or say who is right or wrong but wouldn't you agree that false information should be corrected though? You don't want to give users members the wrong advice.

I can get a bit irate sometimes but it is an issue I am working on


----------



## valis (Sep 24, 2004)

good.......continue working on it....


----------



## sjpiv44 (Aug 16, 2010)

OK, now client, [Searcy] gets invalid credentials. I used the account names and passwords that I set up on each one. Remember, NLR has new OS, 7.


----------



## sjpiv44 (Aug 16, 2010)

I have been trying to use the UserId and password. And I went to Control Panel, Credential Manager and set Windows credentials and generic credentials the same as the login ID and password and it is still fussing 'invalid credentials', I seem to be getting in. I am working from my computer, which is 192.168.104 with a gateway 192.168.1.1. Trying to go to 64.65.20.116.


----------



## sjpiv44 (Aug 16, 2010)

I can now connect to the remote site, 65.64.20.xx, from 192.168.1.xxx. Using the user ID and password, I get 'invalid credentials'. On the server that I am trying to access, I have used Credential Manager and added it to Windows credentials and generic credentials.


----------



## TerryNet (Mar 23, 2005)

I've merged your threads here. Please do not start multiple threads on the same topic. I don't know why you marked this one Solved, but you can now mark it Unsolved using the button at the upper left of a page.


----------



## sjpiv44 (Aug 16, 2010)

Thanks TerryNet for the correction. Since the connecting problem was resolved, I was thinking that the invalid credentials was a new topic.


----------



## sjpiv44 (Aug 16, 2010)

I am still having Credential problems with RDC with 7 Pro. Server site in North Little Rock, Arkansas with static IP address, and the client is 60 miles away, Searcy Arkansas with dynamic address.


----------



## Rockn (Jul 29, 2001)

Try using the remote domain name/username in the RDP username box. If the remote domain is say work you would put WORK/username


----------



## mucker2010 (May 24, 2011)

backslash \ you mean ;-)


----------



## Rockn (Jul 29, 2001)

yes


----------



## sjpiv44 (Aug 16, 2010)

I do not have any domains setup. This was working with XP Pro. I am going to be testing with changing the computer name and see what happens. 
Any information on what is happening has been great and I still need more.
Some links on permissions and policies would be appreciated.


----------



## mucker2010 (May 24, 2011)

Tell you what, why don't you post a screenshot of what you are doing and the error?

It shouldn't be behaving as it is so there may be something we will notice in the pic.


----------



## sjpiv44 (Aug 16, 2010)

I have been able to connect to one of the three stations from my PC. I need to go to site and see why I can not. I had them log out of stations. If they did not get logged out of the 2 in question, that answers why. I need to make sure of logins.


----------



## sjpiv44 (Aug 16, 2010)

I have accomplished connection and logging into one of the 3 stations. The thing is, I do not see where the ID is from. I log into cec1. That station's name is frontstation. Its login is cec1. I guess I need to go back to site and make sure the other stations have the proper login. So we need to make sure that the login account is proper???
I am having a problem with understanding the difference in permissions from XP to Vista/7.


----------



## sjpiv44 (Aug 16, 2010)

Thanks guys. I now connect to all 3. It seemed that I had a user name and a computer name problem. It is working. Thanks for your time and wisdom.


----------



## sjpiv44 (Aug 16, 2010)

I don't seem to see that a Vista Business can not do an RDC to a 7 Pro. Do we have to upgrade the Vista computer to 7 Pro???


----------

