Help Center/ Elastic Cloud Server/ FAQs/ Remote Login FAQ/ Remote Logins/ Why Can't I Log In to My Windows ECS?
Updated on 2024-10-16 GMT+08:00

Why Can't I Log In to My Windows ECS?

Symptom

A Windows ECS cannot be logged in to due to some reasons. For example, the network is abnormal, the firewall does not allow access to the local port for accessing the remote desktop, or the ECS vCPUs are overloaded.

This section describes how to troubleshoot login failures on a Windows ECS.

If you cannot log in to your Windows ECS, follow the instructions provided in Checking the VNC Login. Then, locate the login fault by referring to Fault Locating.

Checking the VNC Login

Check whether you can log in to the ECS using VNC on the management console.

See What Are the Login Requirements for ECSs? to learn the requirements for logging in to an ECS.

  1. Log in to the management console.
  2. Under Compute, choose Elastic Cloud Server.
  3. In the Operation column of the target ECS, click Remote Login.
    Figure 1 Remote Login
  4. (Optional) When the system displays "Press Ctrl+Alt+Delete to unlock", click Ctrl+Alt+Del in the upper part of the remote login page to log in to the ECS.
    Figure 2 Ctrl+Alt+Del

For details about common VNC login issues, see VNC Login.

If the VNC login still fails, record the resource details and fault occurred time. Then, choose Service Tickets > Create Service Ticket in the upper right corner of the management console to submit a ticket.

Self-Service Troubleshooting

ECS provides self-service tools to help you diagnose and troubleshoot your ECSs. If you cannot log in to your ECS, you can use self-service tools to check the host, security group, memory, and disk status of the ECS for troubleshooting.

For details, see Can I Troubleshoot ECSs By Myself?

If the fault persists, record the abnormal items in the diagnosis report and submit a service ticket (in the upper right corner of the management console) for technical support.

Fault Locating

If you can log in to the ECS using VNC but cannot log in to the ECS using a remote desktop connection, locate the fault as follows.

The following fault causes are sequenced based on their occurrence probability.

If the fault persists after you have ruled out a cause, check other causes.

Table 1 Possible causes and solutions

Possible Cause

Solution

The ECS is frozen or stopped.

Make sure that the ECS is in the Running state. For details, see Checking the ECS Status.

The entered username or password is incorrect.

The default username for Windows ECSs is Administrator. If the password is incorrect, reset the password on the management console. For details, see Checking the Login Mode.

The ECS is overloaded.

If the bandwidth or CPU usage of the ECS is excessively high, login failures may occur. For details, see Checking Whether the ECS Is Overloaded.

The ECS has no EIP bound.

To log in to an ECS using RDP or MSTSC, ensure that the ECS has an EIP bound. For details, see Checking Whether an ECS Has an EIP Bound.

The access is blocked by the Internet service provider (ISP).

Check whether you can access the ECS using another hotspot or network. For details, see Checking Whether the Network Is Normal.

The access is blocked by the firewall.

Disable the firewall and try again. For details, see Checking Whether the Firewall Is Correctly Configured.

The remote login port has been disabled in the security group or on the ECS.

Check whether the security group and the ECS allow traffic on the remote login port. For details, see Checking Whether the Remote Access Port Is Correctly Configured.

An IP address whitelist for SSH logins has been configured.

Check whether an SSH login IP address whitelist is configured after HSS is enabled. For details, see Checking the IP Address Whitelist for SSH Logins (with HSS Enabled).

The remote desktop protocol has been disabled on the ECS.

Make sure that the remote desktop protocol has been enabled on the ECS (only required for RDP and MSTSC logins). For details, see Checking the Remote Desktop Protocol on the ECS.

The access is blocked by third-party antivirus software.

Disable or uninstall the third-party antivirus software and try again. For details, see Checking Whether the Access Is Blocked by Antivirus Software.

The cause is displayed in the error message.

If an error message is displayed during remote login, check the operation guide based on the error information. For details, see Checking Whether an Error Occurred During a Remote Login.

Checking the ECS Status

Check whether the ECS is in the Running state on the management console. If the ECS is stopped, start it and try to log in to the ECS again.

Figure 3 Checking the ECS status

Checking the Login Mode

Check the login mode you set when you created the ECS.

Figure 4 Login Mode
  • Password: Check whether the login password is correct. If you forgot your password, reset the password. After you reset the password, restart the ECS for the new password to take effect.
  • Key pair: If your ECS is authenticated using a key pair, parse the private key file to obtain a password.
    1. Locate the target ECS.
    2. In the Operation column, click More and select Get Password.
    3. Copy the content of the private key file and paste it into the text box. Click Get Password to obtain a new random password.
  • Set password later: If you did not set a login mode when you create an ECS, you can reset the password on the ECS console by choosing More > Reset Password in the Operation column of the target ECS. After you reset the password, restart the ECS for the new password to take effect.

Checking Whether the ECS Is Overloaded

If the bandwidth or CPU usage of the ECS is excessively high, login failures may occur.

If you have created an alarm rule in Cloud Eye, the system automatically sends an alarm notification to you when the bandwidth or CPU usage reaches the threshold specified in the rule.

To resolve this issue, perform the operations described in Why Is My Windows ECS Running Slowly?

  • If the login failure is caused by high CPU usage, perform the following operations to reduce the CPU usage:
    • Stop certain processes that are not used temporarily and try again.
    • Verify that the Windows Update process is not running on the backend.
    • Restart the ECS.
    • Reinstall the ECS OS. Back up important data before the reinstallation.
    • If the ECS OS cannot be reinstalled due to important data, replace the disk attached to the ECS. To do so, back up data on the original disk, detach the disk from the ECS, attach the new disk to the ECS, and copy data to the new disk.

    You can also upgrade the vCPUs and memory by modifying ECS specifications.

  • If the login fails because the bandwidth exceeds the limit, perform the following operations:

    Check whether the bandwidth exceeds the configured bandwidth size. For details, see How Do I Know If My EIP Bandwidth Limit Has Been Exceeded?

    If the bandwidth exceeds the limit, increase the bandwidth. For details, see Changing an EIP Bandwidth.

    If network jitter or packet loss occurs frequently, dynamic BGP may be used in cross-border access. In this case, you are advised to use premium BGP.

    For details, see Why Is There Network Jitter or Packet Loss During Cross-Border Communications?

After you perform the preceding operations, try to remotely log in to the ECS again.

Checking Whether an ECS Has an EIP Bound

An ECS can access the Internet only after it has an EIP bound.

Before logging in to an ECS using RDP or MSTSC, make sure that an EIP has been bound to the ECS. For details, see Assigning an EIP.

If you log in to an ECS over an intranet, for example, using VPN or Direct Connect, you do not need to bind an EIP to the ECS.

Checking Whether the Network Is Normal

Use a local PC in another network or use another hotspot to access the ECS. Check whether the fault occurs on the local network. If so, contact the carrier to resolve this issue.

After you perform the preceding operations, try to remotely log in to the ECS again.

Checking Whether the Firewall Is Correctly Configured

Check whether the firewall is enabled.

  1. Log in to the Windows ECS.
  2. Click the Windows icon in the lower left corner of the desktop and choose Control Panel > System and Security > Windows Firewall.
    Figure 5 Windows Firewall
  3. Click Check firewall status and select Turn on Windows Firewall or Turn off Windows Firewall.

    View and set the firewall status.

    Figure 6 Turn off Windows Firewall

Ensure that the remote access port on the local end is allowed on the firewall. The default port is TCP 3389.

If the port configured in the inbound rule of the firewall is different from that configured on the remote server, the remote login will fail. If this occurs, add the port configured on the remote server in the inbound rule of the firewall.

For details, see How Do I Disable a Windows ECS Firewall and Add a Port Exception on a Windows ECS Firewall?

The default port is 3389. If you use another port, add that port in the inbound rule of the firewall.

After you perform the preceding operations, try to remotely log in to the ECS again.

Checking Whether the Remote Access Port Is Correctly Configured

  1. Check whether port 3389 (used by default) on the ECS is accessible.

    Ensure that port 3389 has been added in the inbound rule.

    On the ECS details page, click the Security Groups tab and check port 3389 in the inbound rule of the security group.

    Figure 7 Checking remote access ports

    If you need to modify security group rules, see Modifying a Security Group Rule.

  2. Check whether the remote connection port is changed.
    1. Choose Start > Run, enter cmd, and press Enter. In the CLI, enter regedit to open Registry Editor.
    2. In HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP Tcp\PortNumber, check whether the port is the default port 3389. If not, change the port to port 3389.

  3. Check whether the number of connections is limited.

    Check the internal remote desktop configuration of the ECS.

    1. Choose Start > Run, enter cmd, and press Enter. In the CLI, enter gpedit.msc to open Local Group Policy Editor.
    2. Choose Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections. Then, in the Limit number of connections dialog box, check whether the number of connections is limited.

      If Limit number of connections is set to Enabled, a remote connection to the Windows ECS may fail when the number of connections exceeds the limit. In such a case, disable Limit number of connections or set a larger limit for connections.

After you perform the preceding operations, try to remotely log in to the ECS again.

Checking the IP Address Whitelist for SSH Logins (with HSS Enabled)

After HSS is enabled, you can configure an IP address whitelist for SSH logins as required. The IP address whitelist controls SSH access to ECSs, effectively preventing account cracking.

After you configure the allowlist, SSH logins will be allowed only from IP addresses in the allowlist.

  1. On the Events page, check whether a local host IP address is intercepted due to brute force cracking.
  2. Check whether the IP address whitelist for SSH logins has been enabled. If it has been enabled, ensure that the IP address of the local host has been added to the IP address whitelist.
    • Before enabling this function, ensure that all IP addresses that need to initiate SSH logins are added to the allowlist. Otherwise, you cannot remotely log in to your ECS through SSH.
    • Exercise caution when adding a local IP address to the allowlist. This will make HSS no longer restrict access from this IP address to your ECSs.

    For more details, see Configuring Server Login Protection.

Checking the Remote Desktop Protocol on the ECS

Make sure that the remote desktop protocol has been enabled on the ECS (only required for RDP and MSTSC logins).

Log in to the ECS using VNC and enable the remote desktop protocol.

For details, see Enabling RDP.

Checking Whether the Access Is Blocked by Antivirus Software

Third-party antivirus software may lead to a failure in accessing the ECS.

If third-party antivirus software is running, check whether the remote connection is blocked by the software. If the remote connection is blocked, add the EIP bound to the ECS to the whitelist of the antivirus software and try to access the ECS again.

You can also disable or uninstall the third-party antivirus software and try to remotely log in to the ECS again.

Checking Whether an Error Occurred During a Remote Login

If an error message is displayed during remote login, check the operation guide based on the error information.

For details, see Remote Login Errors on Windows.

If the fault persists, record the resource details and fault occurred time, and contact technical support for assistance

If the fault persists after the preceding operations are performed, record the resource details and fault occurred time. Then, choose Service Tickets > Create Service Ticket in the upper right corner of the management console to submit a ticket.