Why can't I connect to my Amazon EC2 Windows instance with RDP using Fleet Manager?

Short description

You might have these connection issues with RDP due to the following reasons:

• Insufficient permissions for the AWS Identity and Access Management (IAM) user or role
• Connection request timed out
• Incorrect username or password
• Account disabled
• The default RDP port (3389) changed on operating system level
• Local or domain account password expired
• Connection terminated
• Connection disconnected after 60 minutes
• Target not connected
• Single sign-on (SSO) login error

Resolution

Be sure that the following prerequisites are met:

• Before using Remote Desktop, verify that the instance meets the requirements for the environment.
• Make sure that the instance is listed in the Systems Manager console. It must be listed in the Fleet Manager section under Managed nodes. Also, make sure that the AWS Systems Manager Agent (SSM Agent) ping status is Online.

To troubleshoot managed instances, see Why is my EC2 instance not displaying as a managed node or showing a "Connection lost" status in Systems Manager?

Insufficient permissions

This indicates that the IAM user or role that you use to access the Systems Manager console doesn't have permissions to do the following actions:

• ssm-guiconnect:CancelConnection
• ssm-guiconnect:GetConnection
• ssm-guiconnect:StartConnection

An Error occurred while calling the StartConnection API operation. AccessDeniedException: User: arn:aws:iam::46xxxxxxxxxxx59:user/ssmtest
is not authorized to perform: ssm-guiconnect:StartConnection resource: arn:aws:ec2:us-west-2:46xxxxxxxxx59:instance/*'

To fix this issue, configure the required permissions. Then, retry the operation.

Connection request timed out

You get this error when SSM Agent is running on an earlier version:

An error occurred while establishing the Remote Desktop session. The remote desktop connection request Timed out.

To use Remote Desktop using Fleet Manager, verify that the nodes are running SSM Agent version 3.0.222.0 or later. To check the version number of SSM Agent that's installed on a managed node, see Checking the SSM Agent version number. To install or update SSM Agent, see Working with SSM Agent.

Incorrect username or password, account disabled, or default RDP Port changed on operating system level

The Fleet Manager Remote Desktop window might get stuck with the following error message:

Its taking longer than expected to render the Remote Desktop connection. Please try again.

• You might get this error because the IAM user is using the wrong username or password. Check and make sure that the credentials are entered correctly.
• Verify that the user account isn't disabled in your Active Directory, local user, and group management.
• Make sure that the RDP port is set to 3389 using the PowerShell command. If not, set it to the default value of 3389.

PS> (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber").PortNumber
PS>  Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber" -Value 3389
PS>  Restart-Service TermService -force

Local or domain account password expired

You get the following error when the password for a local user or domain user expired:

An error occurred: Generic error

To resolve this error, connect the instance using RDP with a different account. Reset the password for the local account using the lusrmgr.msc tool. If the password for your domain account expired, reach out to the domain admin or respective system admin to reset the password.

Connection terminated

You get the following error when the RDP connection disconnects after it was idle for more than 10 minutes:

The connection has been terminated. The connection has been marked as idle.

This occurs because of the condition that was applied during the active Remote Desktop connections where the connection disconnects after it was idle for 10 minutes.

You get this error only when Remote Desktop Services is stopped or restarted at the OS level on an existing active RDP session:

The connection has been terminated. Generic Error.

Connection disconnected after 60 minutes

The connection has been Terminated. No Error

This is not an error. This happens because of the condition that was applied during the active Remote Desktop connections—by default, a Remote Desktop connection is disconnected after 60 minutes. To prevent the connection from being disconnected, choose Renew session before the connection is disconnected. This resets the duration timer. The connection might also terminate because the Amazon EC2 instance is shutdown or rebooted from the existing active RDP session.

Target not connected

You get the following error when the EC2 Windows instance isn't online or recently entered the booting state:

An error occurred while calling the StartConnection API operation. ValidationException: The StartSession API operation didn't succceed: An error occurred (TargetNotConnected)

To prevent this error, make sure that the EC2 instance is in the running state after passing both of its status checks.

SSO login error

You get the following error when SSO isn't configured or supported from where the authorization is requested:

An error occurred while establishing the Remote Desktop Connection Error. The system cannot create an operating system for the SSO Login. The SSO functionality is not supported on the Domain controllers. You can only connect with username/password method.

To resolve this error, use the username and password to connect to the instance. Or, contact the domain admin of your organization.

Related information

AWS Systems Manager Fleet Manager