RDP Direct Connection with NLA Remote Desktop Client Event Logs
Summary
This article is an contains windows events from client machine for the Remote Desktop Protocol connection sequence for a direct connection (not through an RDS Gateway) from client machine to server machine. See parent articles [[articles:Remote Desktop Services RDS Logon Connectivity Overview]] and [[articles:RDP Direct Connection Process with NLA Enabled]] for additional information.
RDP Client Event logs for troubleshooting a connection:
Rdpclient-analytic (Microsoft-Windows-TerminalServices-ClientActiveXCore):
Time |
Event ID |
Event Level |
Details |
21:21:05.6 |
1030 |
Information |
RDP Client build winblue_ltsb Jul 10 2015 06:00:00 6.3.9600.17931 |
21:21:05.6 |
1001 |
Verbose |
RDP ClientActiveX is trying to connect to the server (ara-rds-2) |
21:21:12.4 |
1002 |
Information |
RDP ClientActiveX has connected to the server |
21:21:22.2 |
1004 |
Information |
Client has logged on to the server (SessionId = 3) |
21:22:15.7 |
1003 |
Information |
RDP ClientActiveX has been disconnected (Reason= 2) |
21:23:06.0 |
1030 |
Information |
RDP Client build winblue_ltsb Jul 10 2015 06:00:00 6.3.9600.17931 |
21:23:06.0 |
1001 |
Verbose |
RDP ClientActiveX is trying to connect to the server (ara-rds-2) |
21:23:12.4 |
1002 |
Information |
RDP ClientActiveX has connected to the server |
21:23:16.3 |
1004 |
Information |
Client has logged on to the server (SessionId = 4) |
21:24:23.4 |
1003 |
Information |
RDP ClientActiveX has been disconnected (Reason= 2) |
Rdpclient-operational (Microsoft-Windows-TerminalServices-ClientActiveXCore):
Time |
Event ID |
Event Level |
Details |
21:21:05.6 |
1024 |
Information |
RDP ClientActiveX is trying to connect to the server (ara-rds-2) |
21:21:05.8 |
1028 |
Information |
Server supports SSL = supported |
21:21:11.7 |
1029 |
Information |
Base64(SHA1(UserName)) is = qI7FwD1v7UWyi06IUQLGTWdwVoE=- |
21:21:12.1 |
1102 |
Information |
The client has initiated a multi-transport connection to the server 10.0.0.7. |
21:21:12.1 |
1102 |
Information |
The client has initiated a multi-transport connection to the server 10.0.0.7. |
21:21:12.3 |
1103 |
Information |
The client has established a multi-transport connection to the server. |
21:21:12.4 |
1025 |
Information |
RDP ClientActiveX has connected to the server |
21:21:12.7 |
1103 |
Information |
The client has established a multi-transport connection to the server. |
21:21:22.3 |
1027 |
Information |
Connected to domain (RDS-MS) with session 3. |
21:22:15.7 |
226 |
Warning |
RDPClient_SSL: An error was encountered when transitioning from TsSslStateDisconnected to TsSslStateDisconnected in response to 25 (error code 0x8000FFFF). |
21:22:15.7 |
1105 |
Information |
The multi-transport connection has been disconnected. |
21:22:15.7 |
1026 |
Information |
RDP ClientActiveX has been disconnected (Reason= 2) |
21:23:06.0 |
1024 |
Information |
RDP ClientActiveX is trying to connect to the server (ara-rds-2) |
21:23:06.1 |
1028 |
Information |
Server supports SSL = supported |
21:23:11.8 |
1029 |
Information |
Base64(SHA1(UserName)) is = qI7FwD1v7UWyi06IUQLGTWdwVoE=- |
21:23:12.3 |
1102 |
Information |
The client has initiated a multi-transport connection to the server 10.0.0.7. |
21:23:12.3 |
1102 |
Information |
The client has initiated a multi-transport connection to the server 10.0.0.7. |
21:23:12.4 |
1025 |
Information |
RDP ClientActiveX has connected to the server |
21:23:12.5 |
1103 |
Information |
The client has established a multi-transport connection to the server. |
21:23:13.0 |
1103 |
Information |
The client has established a multi-transport connection to the server. |
21:23:16.4 |
1027 |
Information |
Connected to domain (RDS-MS) with session 4. |
21:24:22.6 |
226 |
Warning |
RDPClient_SSL: An error was encountered when transitioning from TsSslStateDisconnected to TsSslStateDisconnected in response to 25 (error code 0x8000FFFF). |
21:24:23.4 |
1105 |
Information |
The multi-transport connection has been disconnected. |
21:24:23.4 |
1026 |
Information |
RDP ClientActiveX has been disconnected (Reason= 2) |
RDP Client Event Logs operational and analytic merge:
LOGON:
Time |
Event ID |
Event Level |
Details |
21:21:05.6 |
1030 |
Information |
RDP Client build winblue_ltsb Jul 10 2015 06:00:00 6.3.9600.17931 |
21:21:05.6 |
1001 |
Verbose |
RDP ClientActiveX is trying to connect to the server (ara-rds-2) |
21:21:05.6 |
1024 |
Information |
RDP ClientActiveX is trying to connect to the server (ara-rds-2) |
21:21:05.8 |
1028 |
Information |
Server supports SSL = supported |
21:21:11.7 |
1029 |
Information |
Base64(SHA1(UserName)) is = qI7FwD1v7UWyi06IUQLGTWdwVoE=- |
21:21:12.1 |
1102 |
Information |
The client has initiated a multi-transport connection to the server 10.0.0.7. |
21:21:12.1 |
1102 |
Information |
The client has initiated a multi-transport connection to the server 10.0.0.7. |
21:21:12.3 |
1103 |
Information |
The client has established a multi-transport connection to the server. |
21:21:12.4 |
1002 |
Information |
RDP ClientActiveX has connected to the server |
21:21:12.4 |
1025 |
Information |
RDP ClientActiveX has connected to the server |
21:21:12.7 |
1103 |
Information |
The client has established a multi-transport connection to the server. |
21:21:22.2 |
1004 |
Information |
Client has logged on to the server (SessionId = 3) |
21:21:22.3 |
1027 |
Information |
Connected to domain (RDS-MS) with session 3. |
DISCONNECT:
Time |
Event ID |
Event Level |
Details |
21:22:15.7 |
1003 |
Information |
RDP ClientActiveX has been disconnected (Reason= 2) |
21:22:15.7 |
226 |
Warning |
RDPClient_SSL: An error was encountered when transitioning from TsSslStateDisconnected to TsSslStateDisconnected in response to 25 (error code 0x8000FFFF). |
21:22:15.7 |
1105 |
Information |
The multi-transport connection has been disconnected. |
21:22:15.7 |
1026 |
Information |
RDP ClientActiveX has been disconnected (Reason= 2) |
RECONNECT:
Time |
Event ID |
Event Level |
Details |
21:23:06.0 |
1030 |
Information |
RDP Client build winblue_ltsb Jul 10 2015 06:00:00 6.3.9600.17931 |
21:23:06.0 |
1001 |
Verbose |
RDP ClientActiveX is trying to connect to the server (ara-rds-2) |
21:23:06.0 |
1024 |
Information |
RDP ClientActiveX is trying to connect to the server (ara-rds-2) |
21:23:06.1 |
1028 |
Information |
Server supports SSL = supported |
21:23:11.8 |
1029 |
Information |
Base64(SHA1(UserName)) is = qI7FwD1v7UWyi06IUQLGTWdwVoE=- |
21:23:12.3 |
1102 |
Information |
The client has initiated a multi-transport connection to the server 10.0.0.7. |
21:23:12.3 |
1102 |
Information |
The client has initiated a multi-transport connection to the server 10.0.0.7. |
21:23:12.4 |
1002 |
Information |
RDP ClientActiveX has connected to the server |
21:23:12.4 |
1025 |
Information |
RDP ClientActiveX has connected to the server |
21:23:12.5 |
1103 |
Information |
The client has established a multi-transport connection to the server. |
21:23:13.0 |
1103 |
Information |
The client has established a multi-transport connection to the server. |
21:23:16.3 |
1004 |
Information |
Client has logged on to the server (SessionId = 4) |
21:23:16.4 |
1027 |
Information |
Connected to domain (RDS-MS) with session 4. |
LOGOFF:
Time |
Event ID |
Event Level |
Details |
21:24:22.6 |
226 |
Warning |
RDPClient_SSL: An error was encountered when transitioning from TsSslStateDisconnected to TsSslStateDisconnected in response to 25 (error code 0x8000FFFF). |
21:24:23.4 |
1003 |
Information |
RDP ClientActiveX has been disconnected (Reason= 2) |
21:24:23.4 |
1105 |
Information |
The multi-transport connection has been disconnected. |
21:24:23.4 |
1026 |
Information |
RDP ClientActiveX has been disconnected (Reason= 2) |