The terminal server security layer detected an error in the protocol stream and has disconnected the client. This error produces in the event log whenever some clients try to use RemoteApp or RemoteDesktop in Windows Server 2008 Terminal Server. Can you please help to fix this issue?

karanthan,

This happens sometimes when the connection has been dropped due to bad network conditions.

Here is some interesting reading: http://blogs.technet.com/b/askperf/archive/2010/03/25/the-curious-case-of-event-id-56-with-source-termdd.aspx 

Some other things to look at:

• Are you running virus protection and have you disabled it to see if its involved? ( I have had AV get in the way and produce this error before)
• Have you tried updating your NIC drivers (I personally have not  had this help, but some folks out there have solved their issues with error with an updated NIC driver)
• Also could try setting the NIC speed to auto and see if that helps.
• Have you tried to not use NLA, or lower the security on the RDP-tcp properties to see if it is involved in the error? I doubt it is, but worth a quick test.
• Have you upgraded the RDP client to RDC 7 and tried with this verssion?

oh, and look at this thread - person had luck turning off chimney offloading:

http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/b0d180df-5c81-4c6e-9559-cbf8769e7d2c

Info on Chimney Offload: http://support.microsoft.com/kb/951037

Hi Kristin,

It is a Windows 7 PC client. I didn't check the AV but I reinstalled RemoteApp package and did the NIC update. It didn't help to fix it.

I restarted the terminal server over night and monitored, looks like ok but I will have to keep on eye for few days that how is going?

I didn't try all other option. I can try your list of suggestions if the problem repeated.

Thanks for your help.

Karan Than

The link of the curious case of event id 56 helped me to understand how to read the dword.

My event on Windows server 2008 R2 is:

The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client IP: x.x.x.x

Binary data:

In Words

0000: 00040000 002C0002 00000000 C00A0038
0008: 00000000 C00A0038 00000000 00000000
0010: 00000000 00000000 D00000B5

In Bytes

0000: 00 00 04 00 02 00 2C 00 ......,.
0008: 00 00 00 00 38 00 0A C0 ....8..
0010: 00 00 00 00 38 00 0A C0 ....8..
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: B5 00 00 D0 ..

So the code to look for in err.exe is B50000D0. I had other event with error code like 72 00 00 C0 and 0D 02 00 D0, but all indicate DRIVER_CORRUPTED_MMPOOL.

From err.exe:

C:\Users\Administrator\Downloads\Err>err B50000D0
# as an HRESULT: Severity: FAILURE (1), Facility: 0x1500, Code 0xd0
# for hex 0xd0 / decimal 208 :
  DRIVER_CORRUPTED_MMPOOL                                       bugcodes.h
  SQL_208_severity_16                                           sql_err
# Invalid object name '%.*ls'.
  ERROR_META_EXPANSION_TOO_LONG                                 winerror.h
# The global filename characters, * or ?, are entered
# incorrectly or too many global filename characters are
# specified.
# 3 matches found for "B50000D0"

So, how did I solve it? I don't know. The only thing I know if that I just disconnected the cables on the server and router, updated the server from windows update and today is working.

Little background on this problem.

Yesterday, after I installed veeam backup & replication 7.0, my wife called me and said she could not RDP my virtual server, the 2008 R2, that she and other uses remotely.

I had version 6 of Veeam backup that I did remove before, but version 7 installed a couple more things, like a transport something, my guess is networking, and other program, that did not exist on version 6.

I have to mention Veeam backup here, but I really don't if it was this program. It was really wierd that the problem started after I installed, but...

Anyway, I did a couple of backups of 2 virtual machines running and no problems so far. I did made a backup of the problematic 2008R2.

After my wife told me she could not access my virtual 2008R2, everthing was wierd. I could access it from inside the network, but not outside. Simply RDP did not go. Each time I tryed to enter via RDP, it logged me the error on event viewer.

I was using a local connection and a usb dongle GSM that I use outside my house. So it was like I was outside. In 50 attempts to enter RDP, only 1 or 2 worked.

I removed all programs on my hyper-v server, the veeam backup and many others, that could cause the problem, but still no luck via RDP from outside.

After 4 or 5 hours trying to fix this and read ALL DA WEB about this message, I decided to install 2012 R2, that was something I was looking for an oportunity to do. This was it.

I have all my virtual machines in a raid 1 HD, so it is really easy to do this. Made backup of VM's to F: just in case, and after 2012 R2 is installed, I just copy the .VHD of the VM and put it to run on the new hyper-v. Configure the new vm, networking and that's all. Hyper-V is really amazing.

But even after I installed integration services, no luck. The 2008 R2 VM still not allowed RDP connections.

I now have on startup disk 2008 R2 and 2012 R2 and I can boot with each one. My VM's are in M: disk.

I went to bed last night thinking about how I was going to solve this. This morning at 6am I came back to the server and did the windows updates.

I really don't know when it started to work, but I think it was after I restarte the server 2012 R2.

But I did manage to enter 2008R2 via RDP with 3 different users at 7am more or less. What have I done to make it work? I don't know.

Just configured my IPv4 settings on the server and new VM's and not much after it. Did integration services on VM's and don't know what else more.

I have to point that the problem was only with 2008 R2, because I could enter via RDP in another VM with windows 7 x32. So RDP and router settings were ok, or else I could not enter any VM from outside.

Since I could RDP my W7 VM and not 2008 R2, the problem was in 2008 R2. Both were running on my hyper-v box, as they are now, with 2012 R2.

I wish I had a better ideia about the solution, but sorry, I don't.

I am having the same error message appearing suddenly. 

Here is the error message: 

Log Name:      System

Source:        TermDD

Date:          1/9/2015 10:16:13 AM

Event ID:      56

Task Category: None

Level:         Error

Keywords:      Classic

User:          N/A

Computer:      DPAAIC02.dpanet.dpa.stlouis.gov

Description:

The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client IP: 10.10.11.159.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

  <System>

    <Provider Name="TermDD" />

    <EventID Qualifiers="49162">56</EventID>

    <Level>2</Level>

    <Task>0</Task>

    <Keywords>0x80000000000000</Keywords>

    <TimeCreated SystemTime="2015-01-09T16:16:13.011879100Z" />

    <EventRecordID>63535</EventRecordID>

    <Channel>System</Channel>

    <Computer>DPAAIC02.dpanet.dpa.stlouis.gov</Computer>

    <Security />

  </System>

  <EventData>

    <Data>\Device\Termdd</Data>

    <Data>10.10.11.159</Data>

    <Binary>0000040002002C000000000038000AC00000000038000AC000000000000000000000000000000000B50000D0</Binary>

  </EventData>

</Event>

I have a number of scientific instruments on an isolated subnet. The controllers for these instruments are running on Windows 2008 R2 VMs running under vSphere 5.5. The controllers use RDP sessions to remote control the instruments.

The NICs are VMware VMXNET3. I am suspecting that it would be wise to disable all, or some, of the offload parameters on the NIC. I suspect it would be better to use the Intel generic NIC instead of VMXNET3, but that is out of my control. The VMXNET3 NICs were mandated.

I may try using Wireshark to capture some data but that seems like looking for a needle in a haystack or worse.

I wish there were better error messages and better tools to troubleshoot RDS problems. 

This error vanished when I disabled the firewall. Can you try that in your case?

HTH!