I want to use Fleet Manager, a capability of AWS Systems Manager, to connect to my Amazon Elastic Compute Cloud (Amazon EC2) Windows instance using Remote Desktop Protocol (RDP).
Resolution
Prerequisites: Verify that you meet the following conditions:
- The instance meets the Fleet Manager environment requirements. Verify this before you use Remote Desktop.
- Your instance is listed as a managed node in the Fleet Manager section of the Systems Manager console (under Managed nodes).
- The ping status of AWS Systems Manager Agent (SSM Agent) is Online. If your instance doesn't appear as managed in Systems Manager or if the ping status is Connection Lost, then troubleshoot an offline SSM Agent.
Troubleshoot your connection based on the error that you receive when you connect to your instance.
Troubleshoot "AccessDeniedException" errors
The AWS Identity and Access Management (IAM) user or role that you use to access the Systems Manager console must have permissions to perform the following actions:
- ssm-guiconnect:CancelConnection
- ssm-guiconnect:GetConnection
- ssm-guiconnect:StartConnection
The following error indicates that you didn't configure the required permissions:
"AccessDeniedException: User: arn:aws:iam::123456789:user/ssmtest is not authorized to perform: ssm-guiconnect:StartConnection on resource: arn:aws:ec2:us-west-2:123456789:instance/*"
To resolve this error, configure the required permissions.
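As an added example (not part of the AWS article), the following PowerShell script writes an inline IAM policy that grants exactly the three ssm-guiconnect actions listed above and attaches it to the user from the error message. The user name ssmtest, the account ID 123456789 and the Region us-west-2 are taken from the error text above and are placeholders; replace them with your own values. The script assumes the AWS CLI is installed and configured with credentials that can modify IAM.

```powershell
# Added example, not AWS code: grant the three Fleet Manager Remote Desktop
# actions to an IAM user. Values below come from the error message in the
# article and are placeholders.
$UserName   = 'ssmtest'                                    # placeholder from the error text
$PolicyName = 'FleetManagerRemoteDesktop'                  # assumed policy name
$Resource   = 'arn:aws:ec2:us-west-2:123456789:instance/*' # placeholder from the error text

$PolicyDocument = @"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FleetManagerRemoteDesktop",
      "Effect": "Allow",
      "Action": [
        "ssm-guiconnect:StartConnection",
        "ssm-guiconnect:GetConnection",
        "ssm-guiconnect:CancelConnection"
      ],
      "Resource": "$Resource"
    }
  ]
}
"@

# Write the document to a temporary file so the CLI can read it with file://
$PolicyPath = Join-Path $env:TEMP 'fleet-manager-rdp-policy.json'
Set-Content -Path $PolicyPath -Value $PolicyDocument -Encoding ascii

# Attach the document as an inline policy on the user named in the error
aws iam put-user-policy `
    --user-name $UserName `
    --policy-name $PolicyName `
    --policy-document "file://$PolicyPath"

# Confirm that the principal is now allowed to call StartConnection on the
# instance resource before retrying from the console
aws iam simulate-principal-policy `
    --policy-source-arn "arn:aws:iam::123456789:user/$UserName" `
    --action-names ssm-guiconnect:StartConnection ssm-guiconnect:GetConnection ssm-guiconnect:CancelConnection `
    --resource-arns $Resource `
    --query 'EvaluationResults[].[EvalActionName,EvalDecision]' `
    --output table
```

The Resource value mirrors the wildcard in the error message; for least privilege, replace instance/* with the ARNs of the specific instances the user should be able to reach. The simulate-principal-policy call should report "allowed" for all three actions before you retry the connection.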
Troubleshoot "Unable to establish Remote Desktop connection" errors
The Fleet Manager Remote Desktop window can display the following error message:
"Unable to establish Remote Desktop connection. Verify that valid credentials were provided, and that the user you specified has been granted permission to log in through Remote Desktop."
This error indicates one of the following issues:
- Your username or password is incorrect.
- Your AWS account is deactivated.
- You changed the default RDP port (3389).
- Your local or domain account password expired.
- Network Level Authentication (NLA) causes authentication errors.
- Remote Desktop Services restarted or stopped.
To resolve this error, take the following actions:
- Make sure that you entered your credentials correctly.
- Verify that the user account is active in Active Directory or in Local Users and Groups (lusrmgr.msc).
- Run the following PowerShell command to check that the RDP port is set to 3389:
PS> (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber").PortNumber
If the port isn't set to 3389, then run the following PowerShell commands to configure the default port and restart Remote Desktop Services:
PS> Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber" -Value 3389
PS> Restart-Service TermService -force
- Use an RDP client to connect to the instance from a different account. If the password for your local account expired, then use the lusrmgr.msc tool to reset the password. If the password for your domain account expired, then contact the administrator for the domain or system to reset the password.
- Complete the resolution steps in the "NLA is turned on for the server" section of "How do I troubleshoot authentication errors when I use RDP to connect to an EC2 Windows instance?"
- Run the following PowerShell commands to check the state of Remote Desktop Services and start it if it's stopped:
PS> Get-Service TermService
PS> Start-Service TermService
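As an added example (not part of the AWS article), the following PowerShell function gathers the settings that the steps above check one at a time (RDP port, whether Remote Desktop is enabled, NLA, the TermService state, the local account's status and password expiry, and whether anything listens on TCP 3389) into a single object with a list of findings. Run it in an elevated PowerShell session on the instance, for example through a Session Manager shell when Remote Desktop itself is failing. The account name Administrator and the function name are assumptions for the example.

```powershell
# Added example, not AWS code: one-pass readiness check for the causes listed
# in the "Unable to establish Remote Desktop connection" steps.
function Test-RdpReadiness {
    param(
        [string]$UserName = 'Administrator'   # assumed example account; pass the account you log in with
    )

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = "$tsKey\WinStations\RDP-Tcp"
    $rdp    = Get-ItemProperty -Path $rdpKey
    $ts     = Get-ItemProperty -Path $tsKey
    $svc    = Get-Service -Name TermService

    # Local account state; $null for a domain account, which lusrmgr.msc cannot reset
    $local = Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue
    $localEnabled = $null
    $localPasswordExpired = $false
    if ($local) {
        $localEnabled = $local.Enabled
        if ($local.PasswordExpires) {
            $localPasswordExpired = ($local.PasswordExpires -lt (Get-Date))
        }
    }

    $listening = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)

    $result = [pscustomobject]@{
        RdpPort              = $rdp.PortNumber
        PortIsDefault        = ($rdp.PortNumber -eq 3389)
        RemoteDesktopEnabled = ($ts.fDenyTSConnections -eq 0)
        NlaRequired          = ($rdp.UserAuthentication -eq 1)
        TermServiceStatus    = $svc.Status
        LocalAccountFound    = [bool]$local
        LocalAccountEnabled  = $localEnabled
        LocalPasswordExpired = $localPasswordExpired
        ListeningOn3389      = $listening
        Findings             = @()
    }

    # Translate each mismatch into the corresponding step from the article
    $findings = @()
    if (-not $result.PortIsDefault)              { $findings += "RDP port is $($result.RdpPort); expected 3389" }
    if (-not $result.RemoteDesktopEnabled)       { $findings += 'fDenyTSConnections is set; Remote Desktop is disabled' }
    if ($result.TermServiceStatus -ne 'Running') { $findings += "TermService is $($result.TermServiceStatus); start it" }
    if ($result.LocalAccountFound -and -not $result.LocalAccountEnabled) { $findings += "local account $UserName is disabled" }
    if ($result.LocalPasswordExpired)            { $findings += "local account $UserName has an expired password; reset it with lusrmgr.msc" }
    if ($result.NlaRequired)                     { $findings += 'NLA is required; follow the NLA troubleshooting steps if authentication still fails' }
    if (-not $result.ListeningOn3389)            { $findings += 'nothing is listening on TCP 3389' }
    $result.Findings = $findings

    return $result
}

Test-RdpReadiness -UserName 'Administrator' | Format-List
```

An empty Findings list means every local condition the article lists is satisfied, which points the investigation back at the credentials themselves or at the domain side. The function only reads state; it does not change the port or registry values, so the Set-ItemProperty and Restart-Service commands above remain the fix.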
Troubleshoot "The remote desktop connection request timed out" errors
The following error message indicates that you must update SSM Agent to a newer version. High CPU usage, exhausted memory, and low disk space on the instance can also cause this error:
"The remote desktop connection request timed out. Please try again."
To resolve this error, take the following actions:
- Verify that the nodes run SSM Agent version 3.0.222.0 or later. To check the version number of SSM Agent that's installed on a managed node, see Checking the SSM Agent version number. To install or update SSM Agent, see Working with SSM Agent.
- Check your Amazon CloudWatch metrics for high CPU usage. If your usage is close to 100%, then use the RDP client to identify and troubleshoot the process that uses too many CPU resources. If you can't log in, then reboot the instance. After you successfully reboot your instance, troubleshoot your high CPU usage.
- Check for high memory usage at the OS level. If your memory is exhausted, then reboot the instance.
- If you continue to receive the error after you reboot your instance, then check that you have enough disk space in the root volume.
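As an added example (not part of the AWS article), the following PowerShell function checks the four conditions from the steps above on the instance itself: the installed SSM Agent version against the 3.0.222.0 minimum named in the article, the state of the AmazonSSMAgent service, average CPU usage, physical memory usage, and free space on the system drive. The warning thresholds (90% CPU, 90% memory used, 10% free disk) are assumed example values, not AWS guidance; adjust them to your environment. The agent version is read from the Programs and Features uninstall entries in the registry.

```powershell
# Added example, not AWS code: report which of the "request timed out" causes
# from the article apply to this instance.
function Test-RdpTimeoutCauses {
    param(
        [version]$MinimumAgentVersion = '3.0.222.0',  # minimum version stated in the article
        [double]$CpuWarnPercent   = 90,               # assumed threshold
        [double]$MemWarnPercent   = 90,               # assumed threshold
        [double]$DiskFreeWarnPct  = 10                # assumed threshold
    )

    # SSM Agent version as recorded by its installer in Programs and Features
    $agent = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Amazon SSM Agent*' } |
        Select-Object -First 1
    $agentVersion = $null
    if ($agent -and $agent.DisplayVersion) { $agentVersion = [version]$agent.DisplayVersion }

    $agentService = Get-Service -Name AmazonSSMAgent -ErrorAction SilentlyContinue
    $agentStatus = 'not installed'
    if ($agentService) { $agentStatus = [string]$agentService.Status }

    # CPU: average of three one-second samples of the total processor counter
    $cpu = (Get-Counter '\Processor(_Total)\% Processor Time' -SampleInterval 1 -MaxSamples 3).CounterSamples |
        Measure-Object -Property CookedValue -Average |
        Select-Object -ExpandProperty Average

    # Memory as reported by the OS (both values are in KB)
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $memUsedPct = 100 * (1 - ($os.FreePhysicalMemory / $os.TotalVisibleMemorySize))

    # Root volume: the drive that holds the Windows installation
    $sysDrive = $env:SystemDrive
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$sysDrive'"
    $diskFreePct = 100 * ($disk.FreeSpace / $disk.Size)

    $findings = @()
    if (-not $agentVersion) {
        $findings += 'Amazon SSM Agent not found in installed programs'
    } elseif ($agentVersion -lt $MinimumAgentVersion) {
        $findings += "SSM Agent $agentVersion is older than $MinimumAgentVersion; update it"
    }
    if ($agentService -and $agentStatus -ne 'Running') { $findings += "AmazonSSMAgent service is $agentStatus" }
    if ($cpu -ge $CpuWarnPercent)          { $findings += ('CPU at {0:N0}%; identify the process using it' -f $cpu) }
    if ($memUsedPct -ge $MemWarnPercent)   { $findings += ('Memory {0:N0}% used; consider a reboot' -f $memUsedPct) }
    if ($diskFreePct -le $DiskFreeWarnPct) { $findings += ('Only {0:N1}% free on {1}; free up root volume space' -f $diskFreePct, $sysDrive) }

    [pscustomobject]@{
        AgentVersion    = $agentVersion
        AgentService    = $agentStatus
        CpuPercent      = [math]::Round($cpu, 1)
        MemoryUsedPct   = [math]::Round($memUsedPct, 1)
        RootDiskFreePct = [math]::Round($diskFreePct, 1)
        Findings        = $findings
    }
}

Test-RdpTimeoutCauses | Format-List
```

Because the error prevents the Remote Desktop session itself, run this through a Session Manager shell, a Run Command invocation, or after the reboot the steps above describe. When the agent is older than the minimum, update it first, since the other checks can be noisy on an unhealthy agent.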
Troubleshoot "The connection has been terminated due to inactivity" errors
The error "The connection has been terminated due to inactivity" indicates that your RDP connection was disconnected after it was idle for more than 10 minutes. Verify that the condition that applied while the Remote Desktop connection was idle doesn't itself cause RDP to disconnect.
Troubleshoot connections that disconnect after 60 minutes
Fleet Manager sessions disconnect after 60 minutes by default. To check if your session disconnected because it reached the duration time limit, view the information about your connection history. Look for a Time Limit Exceeded status that corresponds with the connection ID for your instance.
To keep your session connected, open the Actions menu, and choose Renew session from the dropdown list before Remote Desktop disconnects. Then, enter your username and password, and choose the Renew session button. When you renew your connection, the duration timer resets.
Your RDP session might also end if the instance is shut down or rebooted from within the active RDP session.
Troubleshoot "TargetNotConnected" errors
The following error indicates that your instance is offline or is still booting when you connect:
"400: The StartSession API operation didn't succeed: An error occurred (TargetNotConnected) when calling the StartSession operation: example_instance_id is not connected."
Verify that your instance is in the running state, that it passed both status checks, and that its ping status in Fleet Manager is Online.
Troubleshoot Single sign-on (SSO) login errors
The following error indicates that SSO isn't configured, or isn't supported on the target where you request authorization (for example, a domain controller):
"An error occurred while establishing the Remote Desktop Connection. The system cannot create an operating system for the SSO Login. The SSO functionality is not supported on the Domain controllers. You can only connect with username/password method."
To resolve this error, use the username and password to connect to the instance, or contact your organization's domain administrator.
Related information
AWS Systems Manager Fleet Manager