I can't connect to my Amazon Elastic Compute Cloud (Amazon EC2) Windows instance with Remote Desktop Protocol (RDP) using AWS Systems Manager Fleet Manager.
Short description
RDP connections through Fleet Manager can fail for the following reasons:
- Insufficient permissions for the AWS Identity and Access Management (IAM) user or role
- Connection request timed out
- Incorrect username or password
- Account disabled
- The default RDP port (3389) changed at the operating system level
- Local or domain account password expired
- Connection terminated
- Connection disconnected after 60 minutes
- Target not connected
- Single sign-on (SSO) login error
Resolution
Be sure that the following prerequisites are met:
- Before using Remote Desktop, verify that the instance meets the requirements for the environment.
- Make sure that the instance is listed in the Systems Manager console. It must be listed in the Fleet Manager section under Managed nodes. Also, make sure that the AWS Systems Manager Agent (SSM Agent) ping status is Online.
To troubleshoot managed instances, see Why is my EC2 instance not displaying as a managed node or showing a "Connection lost" status in Systems Manager?
Insufficient permissions
This error indicates that the IAM user or role that you use to access the Systems Manager console doesn't have permissions for the following actions:
- ssm-guiconnect:CancelConnection
- ssm-guiconnect:GetConnection
- ssm-guiconnect:StartConnection
An Error occurred while calling the StartConnection API operation. AccessDeniedException: User: arn:aws:iam::46xxxxxxxxxxx59:user/ssmtest
is not authorized to perform: ssm-guiconnect:StartConnection resource: arn:aws:ec2:us-west-2:46xxxxxxxxx59:instance/*'
To fix this issue, configure the required permissions. Then, retry the operation.
Connection request timed out
You get this error when the managed node is running an earlier version of SSM Agent:
An error occurred while establishing the Remote Desktop session. The remote desktop connection request Timed out.
To use Remote Desktop with Fleet Manager, verify that the nodes are running SSM Agent version 3.0.222.0 or later. To check the version number of SSM Agent that's installed on a managed node, see Checking the SSM Agent version number. To install or update SSM Agent, see Working with SSM Agent.
Incorrect username or password, account disabled, or default RDP port changed at the operating system level
The Fleet Manager Remote Desktop window might get stuck with the following error message:
Its taking longer than expected to render the Remote Desktop connection. Please try again.
- You might get this error because the wrong username or password was entered for the Windows account. Check that the credentials are entered correctly.
- Verify that the user account isn't disabled, either in Active Directory or in Local Users and Groups on the instance.
- Make sure that the RDP listener port is set to 3389 by running the following PowerShell commands as an administrator. If it isn't, set it back to the default value of 3389 and restart Remote Desktop Services.
# Read the current RDP listener port (expected value: 3389)
PS> (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "PortNumber").PortNumber
# Reset the listener port to the default value
PS> Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "PortNumber" -Value 3389
# Restart Remote Desktop Services so the change takes effect (this drops any active RDP sessions)
PS> Restart-Service TermService -Force
Local or domain account password expired
You get the following error when the password for a local user or domain user has expired:
An error occurred: Generic error
To resolve this error, connect to the instance using RDP with a different account. Reset the password for the local account using the lusrmgr.msc tool. If the password for your domain account expired, reach out to the domain admin or respective system admin to reset the password.
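The following read-only pre-flight check is an added example and not part of the AWS article. It is meant to be run on the Windows instance (for example through Run Command or an existing administrator session) before opening a Fleet Manager RDP connection, and it covers the local causes described above in one pass: the SSM Agent version and service state, the RDP listener port, the Remote Desktop Services state, and disabled or password-expired local accounts. It assumes that the SSM Agent MSI registers itself as "Amazon SSM Agent" under the Uninstall registry keys, that the agent service is named AmazonSSMAgent, and that Get-LocalUser (PowerShell 5.1 or later) is available; the function name and parameters are this example's own.

```powershell
# Added example (not from the AWS article): read-only readiness check for
# Fleet Manager RDP. It reports findings and changes nothing on the system.
function Test-FleetManagerRdpReadiness {
    [CmdletBinding()]
    param(
        # Minimum SSM Agent version required for Fleet Manager RDP (from the article).
        [version]$MinimumAgentVersion = [version]'3.0.222.0',
        # Port the RDP listener is expected to use.
        [int]$ExpectedRdpPort = 3389,
        # Local account names you intend to log on with (domain accounts are not inspected).
        [string[]]$UserName = @()
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. SSM Agent: installed, recent enough, and running (otherwise the node is not
    #    Online, or the Remote Desktop connection request times out).
    #    Assumption: the MSI registers as "Amazon SSM Agent" in the Uninstall keys.
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $agent = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like 'Amazon SSM Agent*' } |
             Select-Object -First 1
    if (-not $agent) {
        $findings.Add('SSM Agent: not found in installed programs; install it.')
    } elseif ([version]$agent.DisplayVersion -lt $MinimumAgentVersion) {
        $findings.Add("SSM Agent: version $($agent.DisplayVersion) is older than $MinimumAgentVersion; update it.")
    }
    $agentSvc = Get-Service -Name AmazonSSMAgent -ErrorAction SilentlyContinue
    if (-not $agentSvc -or $agentSvc.Status -ne 'Running') {
        $findings.Add('SSM Agent: service AmazonSSMAgent is not running; the node will not show as Online.')
    }

    # 2. RDP listener port: Fleet Manager expects the default of 3389.
    $rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $port = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
    if ($port -ne $ExpectedRdpPort) {
        $findings.Add("RDP: listener port is $port, expected $ExpectedRdpPort; reset it with Set-ItemProperty and restart TermService.")
    }

    # 3. Remote Desktop Services must be running; stopping it drops active sessions.
    $termSvc = Get-Service -Name TermService
    if ($termSvc.Status -ne 'Running') {
        $findings.Add("RDP: service TermService is $($termSvc.Status); start it.")
    }

    # 4. Local accounts: a disabled account or an expired password both fail logon.
    #    An expired domain password must be reset by the domain admin instead.
    foreach ($name in $UserName) {
        $user = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
        if (-not $user) {
            $findings.Add("Account: local user '$name' does not exist on this instance.")
        } elseif (-not $user.Enabled) {
            $findings.Add("Account: local user '$name' is disabled; enable it in lusrmgr.msc.")
        } elseif ($user.PasswordExpires -and $user.PasswordExpires -lt (Get-Date)) {
            $findings.Add("Account: password for local user '$name' expired on $($user.PasswordExpires); reset it.")
        }
    }

    return $findings
}

# Usage (elevated PowerShell on the instance); an empty result means no local blockers.
$result = Test-FleetManagerRdpReadiness -UserName 'Administrator'
if ($result.Count -eq 0) {
    'No local blockers found; if RDP still fails, check IAM permissions and the instance status checks.'
} else {
    $result | ForEach-Object { "FINDING: $_" }
}
```

The check deliberately only reads state and reports, so it can be run repeatedly from automation without the side effects that `Set-ItemProperty` or `Restart-Service` have; apply the fixes from the sections above once you know which finding applies.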
Connection terminated
You get the following error when the RDP connection is disconnected after it has been idle for more than 10 minutes:
The connection has been terminated. The connection has been marked as idle.
This occurs because of an idle timeout that Fleet Manager applies to active Remote Desktop connections: a connection that has been idle for 10 minutes is disconnected.
You get the following error when Remote Desktop Services is stopped or restarted at the OS level while an RDP session is active:
The connection has been terminated. Generic Error.
Connection disconnected after 60 minutes
The connection has been Terminated. No Error
This is not an error. It happens because of a limit that applies to active Remote Desktop connections: by default, a Remote Desktop connection is disconnected after 60 minutes. To prevent the connection from being disconnected, choose Renew session before the connection is disconnected. This resets the duration timer. The connection might also terminate because the Amazon EC2 instance is shut down or rebooted from within the active RDP session.
Target not connected
You get the following error when the EC2 Windows instance isn't online or is still booting:
An error occurred while calling the StartConnection API operation. ValidationException: The StartSession API operation didn't succceed: An error occurred (TargetNotConnected)
To prevent this error, make sure that the EC2 instance is in the running state after passing both of its status checks.
SSO login error
You get the following error when SSO isn't configured, or isn't supported on the target from which authorization is requested (for example, a domain controller):
An error occurred while establishing the Remote Desktop Connection Error. The system cannot create an operating system for the SSO Login. The SSO functionality is not supported on the Domain controllers. You can only connect with username/password method.
To resolve this error, use the username and password to connect to the instance. Or, contact the domain admin of your organization.
Related information
AWS Systems Manager Fleet Manager