Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 1011 Source: TermService

Source
Level
Description
The terminal services client <client> has been disconnected because its temporary license has expired.
Comments
 
On the Windows 2003 Terminal Server involved, go to Start -> Programs -> Administrative Tools -> Terminal Server Licensing, double click the server name, double click Temporary licenses for Windows Server 2003 - Terminal Server Per Device CAL Token. This will display a list of all the temporary licenses issued to clients and will show the computer name, the issued and expiry dates, and the number of licenses.
As a workaround, if possible, use a client computer that has not been used to access Terminal Services before on this computer or that has a license that has not expired yet. Another workaround, if you want to use a client that has an expired license, is to download and use an old version of MSTSC.EXE that was available with Windows 2000 (it is no longer available from Microsoft). This version provides copy-and-paste using the Windows Clipboard only (it does not provide local drive letter mapping as does the new version). This is the program that the Remote Desktop Connection shortcut points to. Do not replace the existing version. Just run it from some other location. No installation is required. You may have to drop the encryption level on the Terminal Server to 56-Bit Encryption. This should normally be acceptable if the Terminal Server is just being accessed in-house and cannot be accessed over the Internet. To do this, on the Windows 2003 Terminal Server, go to Start -> Programs -> Administrative Tools -> Terminal Services Configuration, click connections, right-click RDP-Tcp, click Properties, and on the General tab change the Encryption level drop down list to Client Compatible. Click Apply and OK.
To download an old version of MSTSC.EXE see the link to "Terminal Services Client program".
The terminal server might not be able to locate the license server. See the link to "Troubleshooting Terminal Server Licensing Problems" to solve this problem.
As per Microsoft: "This problem may occur if the Licensing Mode in Terminal Services is set to Per Device, the Terminal Server Licensing server only has Per User CALS. To correct this problem, change the Licensing Mode in Terminal Services Configuration to Per User". See ME822134 for details on how to do that.
If the terminal server or citrix server user can not connect to the server BUT a new client can and an event id 1011 is logged on the server under system then remove the following key on the CLIENT: HKEY LOCAL MACHINE/SOFTWARE/MICROSOFT/MSLICENSING. When the client reestablishes a terminal server or citrix connection the key will be recreated.
As per Microsoft, this error is logged when a client device presents an expired temporary token to the terminal server. The client will be denied access until additional license tokens are installed on the license server.
However, some users reported that this may occur even when there are valid licenses on the Terminal Server. From a newsgroup post, this appears to be caused by the fact that a client will attempt to use the old tokens (expired) even though new licenses are available. To fix this one should delete the entire registry key: HKEY LOCAL MACHINE/Software/Microsoft/MSLicensing on the client machine (it will be recreated when the first TS connection is established). This step is recommended if the connections from new clients are accepted but not the old ones.


Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...