RDP, RDS, and RemoteApp Connection or Redirection Failures — TermService, Firewall, and Role Misconfiguration
Remote Desktop Protocol (RDP), Remote Desktop Services (RDS), and RemoteApp sessions fail to connect or redirect correctly due to the TermService not running, TCP 3389 being blocked by firewall or network policy, RDS role misconfiguration (Connection Broker, Session Host, Gateway), or certificate/authentication failures during the RDP handshake. Diagnosis begins with confirming the TermService state and port availability, then progresses to event log review and RDS role topology validation. Resolution involves ensuring TermService is running and set to Automatic start, opening the firewall for TCP 3389 where appropriate, and correcting RDS role and RemoteApp publication settings via Server Manager or PowerShell RDS cmdlets.
Indicators
- Users unable to establish RDP sessions — connection times out or is refused at TCP 3389
- RemoteApp programs fail to launch from RD Web Access or .rdp files, with redirection errors
- RD Connection Broker reports session redirection failures or session host assignment errors
- Event ID 21 (successful logon) absent from TerminalServices-LocalSessionManager; connection failure events present instead
- TermService (Remote Desktop Services) found stopped or in a non-running state on the target host
Likely causes
- TermService (Remote Desktop Services) is stopped or set to Manual/Disabled startup, preventing the RDP listener from accepting connections
- Windows Firewall or network perimeter firewall blocking inbound TCP 3389 to the session host
- RD Connection Broker misconfiguration causing incorrect session host assignment or redirection failure
- RemoteApp programs not published or incorrectly scoped to the wrong session collection
- Certificate or NLA (Network Level Authentication) mismatch preventing RDP handshake completion
- Group Policy overriding local RDP settings, disabling RDP access, or enforcing conflicting NLA/certificate requirements
Diagnostic steps
-
Check whether TermService is running: run 'Get-Service TermService' in PowerShell or open Services.msc and locate 'Remote Desktop Services'. Confirm status is 'Running' and startup type is 'Automatic'.Determines whether the RDP listener service is active. A stopped or disabled TermService will refuse all inbound RDP connections before any firewall or network check is relevant.
-
Verify TCP 3389 is open and listening on the target host: run 'netstat -ano | findstr :3389' locally on the host, and from the client run 'Test-NetConnection -ComputerName <hostname> -Port 3389' to confirm reachability.Confirms the RDP port is bound locally and that no firewall (Windows Firewall, network ACL, or perimeter) is blocking the connection between client and host.
-
Review Windows Event Viewer on the affected host: navigate to Applications and Services Logs > Microsoft > Windows > TerminalServices-LocalSessionManager and TerminalServices-RemoteConnectionManager. Look for connection failure events and absence of Event ID 21 (successful logon).Identifies specific RDP session establishment errors, authentication failures, or redirection problems with timestamps and session context to pinpoint the failure layer.
-
For full RDS deployments, validate RDS role configuration via Server Manager > Remote Desktop Services, or run 'Get-RDSessionCollection' and 'Get-RDRemoteApp' in PowerShell to confirm session collections are healthy and RemoteApp programs are published and assigned to valid session hosts.Confirms the RDS topology is correctly configured — session host assignments, collection membership, and RemoteApp publication state all affect whether sessions connect and redirect correctly.
-
Check for conflicting Group Policy settings: run 'gpresult /h c:\gpo-report.html' on the affected host and review the output for policies under Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services that may disable RDP, enforce NLA, or override firewall rules.GPO settings frequently override local configuration and can silently block RDP access or force authentication requirements that the client or certificate cannot meet.
Resolution path
- Ensure TermService is running and set to Automatic: 'Set-Service TermService -StartupType Automatic; Start-Service TermService'
- Open Windows Firewall for inbound RDP if blocked: 'Enable-NetFirewallRule -DisplayGroup "Remote Desktop"'. If a network perimeter firewall is blocking TCP 3389, update ACLs or NAT rules to permit traffic from authorised source ranges only.
- For full RDS deployments, use Server Manager or PowerShell RDS cmdlets ('Get-RDSessionCollection', 'Get-RDRemoteApp') to verify session host assignments, collection health, and RemoteApp publication. Re-publish or reassign session hosts as required to correct redirection failures.
- If NLA or certificate mismatch is the cause, verify the RDP certificate assigned to the session host is valid, trusted by clients, and matches the hostname used to connect. Assign a correct certificate via WMI (see KB rdp-custom-ssl-cert-wmi-remote-admin-mode) or correct the NLA policy in GPO.
- If Group Policy is overriding RDP settings, identify the conflicting GPO from 'gpresult /h' output and either correct the policy setting or enforce the correct configuration through a higher-precedence GPO.
Prevention
- Implement monitoring alerts on TermService availability and on failure events in the TerminalServices-LocalSessionManager and TerminalServices-RemoteConnectionManager event channels so issues are caught before users are impacted.
- Enforce consistent Group Policy settings for RDP access across all session hosts — covering NLA requirements, approved certificate assignments, and firewall rules — to prevent configuration drift between hosts in the same collection.
- Document the RDS deployment topology (Connection Broker, Session Hosts, Gateway, Web Access) and maintain a tested runbook for re-registering session hosts and re-publishing RemoteApp programs after infrastructure changes.
Tools
- mstsc.exe (Remote Desktop Connection client — test RDP connectivity from client side)
- Get-Service / Set-Service (PowerShell — inspect and manage TermService state and startup type)
- netstat (verify TCP 3389 is listening on the host)
- Test-NetConnection (PowerShell — test port reachability from client to host)
- Event Viewer / TerminalServices-LocalSessionManager log (review RDP session events including Event ID 21)
- Server Manager / Remote Desktop Services console (manage RDS roles, collections, and RemoteApp)
- Enable-NetFirewallRule / Disable-NetFirewallRule (PowerShell — manage Windows Firewall RDP rules)
- Get-RDSessionCollection / Get-RDRemoteApp (PowerShell RDS cmdlets — validate RDS deployment topology)
- gpresult (diagnose GPO settings affecting RDP configuration)
References
- RDP, RDS and RemoteApp connection or redirection problems — The Triage Manual