Troubleshooting Remote Desktop issues
Copy/paste doesn't work
Symptom: You can't copy and paste text or files over RDP
This behavior can be caused by an invalid configuration or group policies.
Verify your connection settings in IAP Desktop
IAP Desktop lets you enable or disable clipboard sharing for individual VMs, entire zones, or projects. To verify that clipboard sharing is enabled for the affected VM, do the following:
- In the Project Explorer window, right-click the affected VM and select Connection settings.
- In the Connection settings window, under Remote Desktop Resources verify that Redirect clipboard is set to enabled.
Verify rdpclip is running
Clipboard sharing requires that rdpclip.exe is running in your remote session. To verify that this
process is running, do the following:
- On the remote VM, right-click the Start button and select Windows PowerShell.
-
Run the following PowerShell command:
Get-Process | ? {$_.SessionId -eq (Get-Process -PID $PID).SessionId} | ? {$_.ProcessName -eq "rdpclip"}You should see output similar to the following:
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName ------- ------ ----- ----- ------ -- -- ----------- 345 14 3564 8164 4.44 3156 2 rdpclipIf the output doesn't indicate a running
rdpclipprocess, restartrdpclipor try signing out and signing in again.
Check local policies
If your local computer is managed by an organization, it's possible that your organization has applied a policy that disables copy/paste for RDP . To check if this is the case, do the following:
- On your local computer, right-click the Start button and select Windows PowerShell.
-
Run the following PowerShell command:
"HKLM:\SOFTWARE\Microsoft\Terminal Server Client", "HKCU:\SOFTWARE\Microsoft\Terminal Server Client", "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Terminal Server Client", "HKCU:\SOFTWARE\WOW6432Node\Microsoft\Terminal Server Client" | % {Get-ItemProperty -Path $_ -Name "DisableClipboardRedirection" -ErrorAction SilentlyContinue } | ? {$_.DisableClipboardRedirection -eq 1}If you see output similar to the following, then there is a policy that disallows copy and paste:
DisableClipboardRedirection : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Terminal Server Client PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft PSChildName : Terminal Server Client PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\RegistryIf the output is empty, then your local computer allows copy/paste, but it's possible that the remote VM doesn't allow it.
Check remote policies
If the remote VM is managed by an organization, it's possible that your organization has applied a policy that disables copy/paste for RDP . To check if this is the case, do the following:
- On the remote VM, right-click the Start button and select Windows PowerShell.
-
Run the following PowerShell command:
"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "HKCU:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" | % {Get-ItemProperty -Path $_ -Name "fDisableClip" -ErrorAction SilentlyContinue } | ? {$_.fDisableClip -eq 1}If you see output similar to the following, then there is a policy that disallows copy and paste:
fDisableClip : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT PSChildName : Terminal Services PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\RegistryIf the output is empty, then the VM allows copy/paste.
Type clipboard text
In situations where copy/paste is disallowed by policy, you can copy text from your local computer to a VM by using the Type clipboard text command:
- On your local computer, copy a piece of text to the clipboard.
- In IAP Desktop, select Session > Type clipboard text.
The Type clipboard text command simulates keyboard input and only supports characters supported
by your current keyboard layout. Unsupported characters are replaced with ?.
"Your credentials did not work", on first attempt only
Symptom: You've configured valid credentials, but each time you try to connect to a VM, the following error appears:
Your credentials did not work
After re-entering the same credentials again, the connection succeeds.
This issue can be the intentional effect of the Always prompt for password upon connection group policy setting. This policy is configured by default on CIS hardened images .
To mitigate this issue, disable automatic logons in the VM's connection settings
"Your credentials did not work", permanently
Symptom: You've configured valid credentials, but each time you try to connect to a VM, the following error appears:
Your credentials did not work
Re-entering the credentials does not solve the issue.
This behavior can occur if the LAN Manager authentication level of your local workstation and the VM are incompatible.
IAP Desktop tunnels RDP connections over IAP-TCP forwarding, which is incompatible with Kerberos. IAP Desktop therefore uses NTLM to perform network-level authentication (NLA) to the remote Windows VM.
Depending on the LAN Manager authentication level configured on both machines, authentication will either use NTLM or NTLMv2.
If you've configured the VM to demand NTLMv2 (authentication level 5), but your local workstation uses level 1, 2, or 3, protocol
negotiation fails and your credentials are rejected.
To solve this issue, make sure that the LAN Manager authentication level on both machines is compatible.
"An authentication error has occurred"
Symptom: You've entered valid credentials, but connecting to a VM fails with an error message similar to the following:
An authentication error has occurred. The function requested is not supported.
The most likely reason for this error is that your Active Directory domain restricts the use of NTLM authentication.
IAP Desktop tunnels RDP connections over IAP-TCP forwarding, which is incompatible with Kerberos. IAP Desktop therefore uses NTLM to perform network-level authentication (NLA) to the remote Windows VM.
To mitigate this issue, review the group policy settings configured under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
-
If Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers is set to Deny all, you can mitigate the issue by setting Network Security: Restrict NTLM: Add remote server exceptions for NTLM authentication to
localhost,127.0.0.1.Configure this exception in a group policy that applies to the workstation (not the VM).
-
If Network Security: Restrict NTLM: NTLM authentication in this domain is set to any Deny value, then you can't use RDP over IAP-TCP forwarding.
If you've set up Cloud VPN or Interconnect, you might be able to connect directly by changing your connection settings to Connect via: VPN/Interconnect.
Other errors
If you encounter other error messages, try manually establishing a IAP TCP forwarding tunnel:
- If you have not installed the Cloud SDK yet, download and install it first .
- Open a command prompt window (
cmd.exe). -
Run the following command:
gcloud compute start-iap-tunnel INSTANCE 3389 --project=PROJECT --zone=ZONE --local-host-port=localhost:13389Replace
INSTANCEby the name of an instance andPROJECTandZONEby the project and zone the instance is located in. -
Wait for the output
Listening on port [13389].to appear. - Launch
mstsc.exeand try to connect tolocalhost:13389.
If establishing the tunnel does not work, check if a local firewall is blocking gcloud
from binding to a local port or blocking communication with Cloud IAP.