Troubleshooting

Johannes Passing edited this page Jul 27, 2023 · 8 revisions

📝 This Wiki page has moved.

For the latest content, see Troubleshoot common issues on the IAP Desktop documentation page.

Remote Desktop

"You need administrative privileges to install IAP Desktop on Windows Server"

On Windows Server, the DisableUserInstalls policy disables per-user installations by default. To install IAP Desktop on Windows Server, use one of the following options:

Install as elevated user:

You can sidestep the DisableUserInstalls policy by launching the installer as an elevated user:

  1. Start an elevated command prompt
  2. Launch the installer: msiexec /i "IapDesktop.msi"

Change the DisableUserInstalls policy:

You can permanently change the DisableUserInstalls policy by editing the local group policy on the server:

  1. In the Group Policy Editor navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Installer

  2. Open the Prohibit User Installs policy and configure the following settings:

    • Status: Enabled
    • User install behavior: Allow user installs

    Click OK.

  3. Open the Turn off Windows Installer policy and configure the following settings:

    • Status: Enabled
    • Disable Windows Installer: Never

    Click OK.

  4. Retry the installation.

Performing an administrative installation:

If you don't have administrative privileges, you can perform an administrative install, which extracts the files of the MSI package to a local folder:

  1. Open a command prompt.
  2. Run the installer: msiexec /A "%USERPROFILE%\Downloads\IapDesktop.msi" TARGETDIR="%APPDATA%" /QB!

    • /A instructs msiexec to perform an administrative install
    • TARGETDIR specifies the directory to extract files to
    • /QB! runs the installation silently

The administrative install won't create an entry in the Start menu. To launch IAP Desktop, run %APPDATA%\Google\IAP Desktop\IapDesktop.exe.

"Your credentials did not work" dialogs are shown, despite saved credentials

Symptom: You've configured valid credentials, but each time you try to connect to a VM, the Your credentials did not work dialog appears. After you re-enter the same credentials, the connection succeeds.

This issue can be caused by the Always prompt for password upon connection group policy setting. This policy is configured by default on CIS hardened images.

IAP Desktop cannot distinguish between genuine authentication failures and prompts triggered by this policy.

Credentials are rejected

Symptom: You've configured valid credentials, but each time you try to connect to a VM, the Your credentials did not work dialog appears. Re-entering the credentials does not solve the issue.

This behavior can occur if the LAN Manager authentication level of your local workstation and the VM are incompatible.

Because of the way IAP Desktop tunnels RDP connections, it always uses NTLM for authentication and can't use Kerberos. Depending on the LAN Manager authentication level configured on both machines, authentication will either use NTLM or NTLMv2. If you've configured the VM to demand NTLMv2 (authentication level 5), but your local workstation uses level 1, 2, or 3, protocol negotiation fails and your credentials are rejected.

To solve this issue, make sure that the LAN Manager authentication level on both machines is compatible.

Desktop firewall warnings

Symptom: Your local desktop firewall shows a warning every time you connect to a VM instance by using IAP Desktop.

For each VM instance you connect to via Cloud IAP, IAP Desktop opens a TCP socket that listens on 127.0.0.1 (using a dynamic port number). This port is necessary to relay the RDP traffic from the Remote Desktop component to Cloud IAP. You can therefore ignore these warnings.

Other errors

If you are seeing other error messages, try manually establishing a Cloud IAP TCP forwarding tunnel:
  1. If you have not installed the Cloud SDK yet, download and install it first.
  2. Open a command prompt window (cmd.exe).
  3. Run the following command:

     gcloud compute start-iap-tunnel [INSTANCE_NAME] 3389 --project=[PROJECT] --zone=[ZONE] --local-host-port=localhost:13389

     Replace [INSTANCE_NAME] with the name of an instance, and [PROJECT] and [ZONE] with the project and zone the instance is located in.
  4. Wait for the output Listening on port [13389]. to appear.
  5. Launch mstsc.exe and try to connect to localhost:13389.

If establishing the tunnel does not work, check if a local firewall is blocking gcloud from binding to a local port or blocking communication with Cloud IAP.
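
The manual tunnel test above, scripted in PowerShell as an added example (not part of the original page or the IAP Desktop project). The parameter names, the 30-second timeout and the temporary log path are assumptions; the gcloud arguments are the ones from step 3. It also reports which local address the tunnel is bound to, so you can confirm that it listens on loopback only.

```powershell
# Added example: starts the IAP tunnel, waits for the local listener, then opens mstsc.
param(
    [Parameter(Mandatory)] [string] $InstanceName,
    [Parameter(Mandatory)] [string] $Project,
    [Parameter(Mandatory)] [string] $Zone,
    [int] $LocalPort = 13389,
    [int] $TimeoutSeconds = 30   # assumption: how long to wait for the listener
)
# Resolve gcloud (gcloud.cmd on Windows); stops here if the Cloud SDK is not installed.
$gcloud = (Get-Command gcloud -CommandType Application -ErrorAction Stop |
    Select-Object -First 1).Source
$errLog = Join-Path $env:TEMP "iap-tunnel-$LocalPort.log"   # assumed log location
$gcloudArgs = @(
    'compute', 'start-iap-tunnel', $InstanceName, '3389',
    "--project=$Project", "--zone=$Zone", "--local-host-port=localhost:$LocalPort"
)
$tunnel = Start-Process -FilePath $gcloud -ArgumentList $gcloudArgs `
    -RedirectStandardError $errLog -NoNewWindow -PassThru
try {
    # Poll until something listens on the local port, gcloud exits, or the timeout expires.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    $listeners = @()
    while (-not $listeners -and -not $tunnel.HasExited -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 1
        $listeners = @(Get-NetTCPConnection -State Listen -LocalPort $LocalPort `
            -ErrorAction SilentlyContinue)
    }
    if (-not $listeners) {
        Write-Warning "No listener on port $LocalPort. Check whether a local firewall is blocking gcloud."
        Get-Content $errLog -ErrorAction SilentlyContinue   # gcloud's own error output
        return
    }
    # Show the listener and flag a binding that is not loopback (127.0.0.1 or ::1).
    $listeners | Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table | Out-Host
    $exposed = $listeners | Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' }
    if ($exposed) { Write-Warning "Port $LocalPort is bound to a non-loopback address." }

    # Connect with the built-in RDP client; the tunnel stays up until mstsc exits.
    Start-Process mstsc.exe -ArgumentList "/v:localhost:$LocalPort" -Wait
}
finally {
    # gcloud.cmd spawns child processes, so stop the whole process tree.
    if (-not $tunnel.HasExited) { taskkill.exe /PID $tunnel.Id /T /F | Out-Null }
    Remove-Item $errLog -ErrorAction SilentlyContinue
}
```

Save the script under a name of your choice and pass the instance name, project and zone as arguments. The script does not check whether another process already holds the local port before it starts the tunnel.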