Terminal Server License Registry

Posted on |



Encrypted Keys, Terminal Servers (RDS) and VDI

Note: Windows XP Professional workstations do not have built-in CALs with respect to Windows 2003 Terminal Server License Servers. When there is insufficient permissions to the following registry key, connection failures occur. Investigate the Microsoft Terminal Services License manager to see if the workstation is enumerated. For the Terminal Server Licensing Server Has No Permanent Licenses For Product events, use the Terminal Server Licensing administrative tool to register more licenses. For A License Could Not Be Issued To Because It Is Not A Member Of The Terminal Server Computers Group events, check the status of the License Server Security Group. Activating the RDS License Server on Windows Server. In order to issue licenses to RDP clients, your RDS License Server must be activated. To do it, open the Remote Desktop Licensing Manager, right-click the name of your server and select Activate Server. The RDS licensing server activation wizard will start. Going back to the RDS host I found the Licensing popup that informed me that the 128 day trial license had expired. Since this was a test I didn’t want to go using keys to activate or setup a licensing server (purely a PoC for us in IT at this stage). To reset the grace period there is a registry key that we need to delete.

License keys are encrypted using a machine-specific seed when they are applied. These seeds are used in a hash to dynamically decrypt the keys when PDF-XChange products attempt to validate their license status. Load-balancing RDS farms often run PDF-XChange products on different hardware from that used to apply the key, which results in the seed used to encrypt the key being unavailable at run time, the hash failing and the license reverting to 'trial mode.' A similar issue occurs when deploying VDI or imaged desktops - the seed used to encrypt the key when the master image was made is not available to the deployed instance, which results in the hash failing and the software reverting to 'trial mode'.

The XCVault.exe utility can be used to resolve these issues, as it decrypts the keys on the master instance and before being used to deploy to other hardware. This should be performed on all hosts in the case of existing server farms, and on the master image (prior to deployment) in the case of VDI and Sysprep OS images.

Registry

Note

Existing keys can be decrypted using XCVault.exe /OpenKeys

New keys can be added without encryption using XCVault.exe /AddKeys /R. (Details on the usage of the XCVault.exe utility are available here.)

Registry Terminal Server License Server

Decrypting an Existing Key

Decrypting a key requires administrative rights, regardless of whether the key is in HKLM or HKCU. Attempting to decrypt a user key without administrative rights will result in an error:

Figure 1. Error Message Displayed When Attempting to Decrypt a User Key without Administrative Privileges

The key will remain encrypted in the user section of the registry:

Server

Figure 2. Registry Editor, Encrypted Key

Running the command 'C:Program FilesTracker SoftwareVaultXCVault.exe' /OpenKeys from an elevated command prompt will succeed without any error messages:

License

Figure 3. Elevated Command Prompt, /OpenKeys Command Line

Terminal server license costTerminal server license mode registry

All keys in both HKCU and HKLM will be decrypted:

Figure 4. Registry Editor, Decrypted Key

This installation can now be used as a master image for deployment to other hardware.

Adding New Keys without Encryption

Reset Terminal Server License Registry

As well as decrypting existing keys, xcvault.exe can also be used to apply license keys to unlicensed machines, either encrypted (default) or not encrypted. Use the /S switch with /AddKeys for this to install keys without encryption.

/AddKeys

This command installs all license keys from .xcvault files.

Syntax

xcvault.exe [/AddKeys] [/M|/S|/R] <xcvault_file>

/M – specifies that new keys are added in the HKEY_LOCAL_MACHINE registry section and administrative rights are required.

Change Terminal Server License Server

/R – specifies that new keys will be unencrypted when added. Please note that this does not affect existing keys.

/S – specifies that the command is not permitted to show error/information messages.

Example

xcvault.exe /AddKeys /S 'c:Personal.xcvault'