Application will not run in a RDP Terminal Session but does as a local login, in the Terminal Services forum on BrianMadden.com

Guest Posted: Thu, May 31 2007 2:33 PM
I have a fresh clean install of Windows 2003 R2 Enterprise with Terminal Services.

I have installed Business Objects 6.5 using the install mode.

I can log on locally as a standard user and BO runs fine. If I login using the same user account from a RDP session then BO starts but errors out with a very unhelpful message of "Internal Error".

If I make the user a member of the local Administrators group it then works. Making them a Power User does not. I don't think it is a file system issue or it would not work logging locally.

I have tried running Filemon and I cannot track down any permissions problems anyway.

Does anyone know what being a member of the local Administrators group would change as far as Terminal Services is concerned?

Just to add one more twist. If I have a locally logged standard user run BO and leave it running then any standard user can run BO from a terminal session.

Thanks to anyone who can shed some light as I am pulling my hair out. This same application works fine on Win2K terminal server.
  • | Post Points: 35
Top 75 Contributor
Points 1,836
You could try (at least) two more things:
1. Download Process Monitor (formerly FileMon and RegMon combined).
Maybe it's a permission problem on a registry key.

2. Right-click the BO executable - Properties - Compatibility and change the Compatibility mode to "Windows 2000".
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
  • | Post Points: 20
Top 100 Contributor
Points 2,154
Take a look at the permissions on HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server (and its sub-folders.) A non-rdp login would likely use registry settings from the standard locations, but during an rdp session, MS will redirect many user registry settings to this location. I hate to ask, but did you install BO in install mode (change user /install)??

Kevin
  • | Post Points: 5
Guest replied on Fri, Jun 1 2007 10:34 AM
I did use change user /install before installing BO. Using Process Monitor did not seem to turn up anything really useful. It only showed access denied to a debug file /windows/debug/usermode/chkacc.log. Even if I give the user rights there it does not help. The file is empty. Doing a quick google did not turn up anything really interesting on the chkacc.log file either.

I have tried just giving a user full rights to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server just to see if that makes any difference and nothing changed.

Setting compatibility mode for the app did not change the behavior either. I know it has to relate to security with Terminal Services somehow, since it runs locally on the server as a standard user. I just am running out of ideas where to look.

The two big oddities are still:

It will run from terminal services if the user has local admin rights

and

It will run from terminal services for a user IF ANY user is currently running the app from a local login.

I know that is a clue to where the problem is but I just can't chase it down.
  • | Post Points: 20
Top 100 Contributor
Points 2,154
This is just a shot in the dark, but can you take a snapshot of the system with and without the app running locally and compare? Maybe a local user has rights to create a file or key that is necessary to allow the program to run (and it's just not showing up in filemon/regmon). INCTRL5 is a great product for taking system snapshots.

Kevin
  • | Post Points: 5
Guest replied on Mon, Jun 4 2007 9:59 AM
Well I have found what was preventing the application from running in Terminal Services. The Policy Object "Create Global Objects". By default only Administrators and system users have this right. If I grant this to a user they can then run the application as normal.

According to Microsoft:

Create global objects

Description
This user right is required for a user account to create global objects during Terminal Services sessions. Users can still create session-specific objects without being assigned this user right.

Caution
• Assigning this user right can be a security risk. Assign this user right only to trusted users.

Default:
• Administrators
• Local System
• Services

So does anyone know what the real risks are to this? I think I am between a rock and a hard spot since I have to allow users to run this program and I see no way around giving those users this ability.
  • | Post Points: 20
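
Added example (not part of the original thread): one way to check who holds "Create global objects" (SeCreateGlobalPrivilege) after a change like the one described above is to parse the `[Privilege Rights]` section of a `secedit /export /cfg` dump and compare it with a baseline. The baseline set (the quoted defaults plus the two built-in service accounts), the group name `BO_Users` and the sample export are assumptions constructed for illustration.

```python
import codecs

PRIVILEGE = "SeCreateGlobalPrivilege"

# Assumed baseline: Administrators, Local System, SERVICE (the defaults quoted
# above) plus LOCAL SERVICE and NETWORK SERVICE. Adjust to your own build.
BASELINE = {"S-1-5-32-544", "S-1-5-18", "S-1-5-6", "S-1-5-19", "S-1-5-20"}
# Everyone, Authenticated Users, Users, Remote Desktop Users: granting to any
# of these gives the right to every session user instead of a scoped group.
BROAD = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545", "S-1-5-32-555"}

def decode_export(raw: bytes) -> str:
    """secedit exports are usually UTF-16 with a BOM; accept UTF-8 copies too."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")

def holders(text: str, privilege: str = PRIVILEGE) -> list[str]:
    """Return the principals listed for `privilege` under [Privilege Rights]."""
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            if name.strip().lower() == privilege.lower():
                # SIDs are written as *S-1-...; unresolved entries are names.
                return [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
    return []

def audit(text: str) -> dict[str, list[str]]:
    """Split holders into baseline, broad groups, and additions to review."""
    out = {"baseline": [], "broad": [], "review": []}
    for p in holders(text):
        key = "baseline" if p in BASELINE else "broad" if p in BROAD else "review"
        out[key].append(p)
    return out

SAMPLE = (  # constructed sample export; BO_Users is a hypothetical group
    "[Unicode]\r\nUnicode=yes\r\n[Privilege Rights]\r\n"
    "SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6,"
    "*S-1-5-32-555,BO_Users\r\n"
    "SeDebugPrivilege = *S-1-5-32-544\r\n"
)
```

Entries reported under "broad" or "review" are the ones to justify: a dedicated group for the application's users keeps the grant narrower than adding Users or Remote Desktop Users.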
Top 25 Contributor
Points 7,687
Hi,

You've obviously hit Microsoft Technote 821546.

This same issue applies to AutoCAD 2006 and a few other applications, not to mention some new privilege issues with .Net applications. In future try using the Standard user analyzer (Microsoft Application compatibility kit v5). See http://www.msterminalservices.org/articles/Microsoft-Application-Compatibility-Tools-Part1.html for instructions ;-)

Giving users that privilege is an acceptable security risk and won't compromise your systems.

regards,

Rick

Ulrich Mack
Quest Software
Provision Networks Division

  • | Post Points: 35
Not Ranked
Points 40
erika replied on Mon, Oct 6 2008 3:24 AM
Hi Rick, I have the same problem running Business Object in Terminal Services.
I'm searching for Application Verifier version 2.5 but I only found version 3.4.
Can you tell me where I can find version 2.5?

Thank you!!! Erika
  • | Post Points: 20
Top 25 Contributor
Points 7,687
Hi Erika,

The standard user analyser works with version 3.4 of the application verifier.

regards,

Rick

Ulrich Mack
Quest Software
Provision Networks Division

  • | Post Points: 20
Not Ranked
Points 40
erika replied on Tue, Oct 7 2008 9:25 AM
Hi Rick... I can't use Application Verifier because standard users don't always have this problem...
Only sometimes, for example in the evening when they connect to the office from home.
But the next morning, when they arrive at the office, everything runs correctly.
So I can't run Application Verifier because I'm not able to recreate the situation.
I am thinking of monitoring what happens when users launch Business Object; can I do this with Standard User Analyzer?

Thanks and regards,
Erika
  • | Post Points: 20
Top 25 Contributor
Points 7,687
Hi Erika,

You're right, if it doesn't happen all the time life just got more difficult.

If you use the application verifier by itself and add an application to monitor, the app verifier will continue monitoring until you remove the application. But on a production server running multiple instances of the application, the monitoring will severely slow things down and the logs will be so huge that you'll be very lucky indeed to find any useful information.

Somehow or other you've got to find some way to reliably force the error, and when you do I suspect that the dependency walker (http://www.dependencywalker.com/) in profiling mode will provide more useful information than the SUA or application verifier.

There must be something special that happens, such as a default printer failing to be connected/defined when they log on remotely from home, to cause the problem. Does it affect everyone sometimes or just the same users consistently? What happens if you create a dummy printer queue on your Citrix servers that prints to nul: (create local port)? That will make sure the application always has a printer regardless and may remove one variable from the equation.

regards,

Rick


Ulrich Mack
Quest Software
Provision Networks Division

  • | Post Points: 5
Not Ranked
Points 5
JWFG replied on Thu, Mar 17 2011 6:31 AM

Sorry to drag up an old post but this is exactly the same issue and dilemma I have.

An application which uses Oracle as the db is unable to correctly use one of the system DSNs.

The suggested fix is to give permissions to 'Create Global Objects' but MS warn of it as a possible risk.

Rick's comments above suggest it is an acceptable security risk but I was just wondering what the real implications of making such a change are; will it be possible to completely fubar the system if these permissions are granted?

Any comments are welcomed.

J

  • | Post Points: 5