When granting RDP access to a Windows EC2 instance, it’s tempting to open port 3389 to the world (0.0.0.0/0). That’s a major security risk. Instead, AWS SSM Fleet Manager lets you connect over a secure channel without exposing RDP to the internet.
Recently, I ran into an issue where Fleet Manager failed with this error:
Unable to establish Remote Desktop connection. Verify that valid credentials were provided, and that the user you specified has been granted permission to log in through Remote Desktop
Root Cause
On the Windows Server 2022 Base AMI, the default Administrator account was present, but its password had already expired. Since RDP connections, including those tunneled through SSM Fleet Manager, require a valid and active password, the expired credentials caused the login failure.
The Fix
Reset the Administrator password via SSM Run Command:
net user Administrator "xxxxx28xx@xxxx!73"
net localgroup "Remote Desktop Users" Administrator /add
Then log in through Fleet Manager RDP with your username and the new password.
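To confirm the root cause before changing anything, the following PowerShell script (an added example, not the post’s own commands) can be run on the instance through SSM Run Command with the AWS-RunPowerShellScript document. It reports whether the Administrator password has actually expired, whether RDP is enabled, and whether the account is in Remote Desktop Users. The reset step is optional and, instead of pasting the new password into the command (Run Command parameters are kept in the command history), it reads it from an assumed SSM Parameter Store SecureString; the parameter name is a placeholder, and the instance role would need permission to read and decrypt it.

```powershell
# Added example, not from the original post. Run via SSM Run Command (AWS-RunPowerShellScript).
# $PasswordParameter is an assumed Parameter Store name; leave it empty to only report status.
$PasswordParameter = ''   # e.g. '/example/ec2/administrator-password' (placeholder)

$user = Get-LocalUser -Name 'Administrator'
$now  = Get-Date

# PasswordExpires is $null when the password is set to never expire.
$expired = ($null -ne $user.PasswordExpires) -and ($user.PasswordExpires -lt $now)

# fDenyTSConnections = 1 means Remote Desktop is disabled on the host.
$denyTs = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections

# Local members are reported as COMPUTERNAME\User. Members of Administrators can log on
# through RDP even without this group, but the post adds the account explicitly.
$rdpMembers = Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object -ExpandProperty Name
$inRdpGroup = $rdpMembers -contains "$env:COMPUTERNAME\Administrator"

Write-Output ("Account enabled:      {0}" -f $user.Enabled)
Write-Output ("Password last set:    {0}" -f $user.PasswordLastSet)
Write-Output ("Password expires:     {0}" -f $user.PasswordExpires)
Write-Output ("Password expired:     {0}" -f $expired)
Write-Output ("RDP enabled on host:  {0}" -f ($denyTs -eq 0))
Write-Output ("In Remote Desktop Users: {0}" -f $inRdpGroup)

if ($PasswordParameter) {
    # Fetch the new password from Parameter Store so it never appears in Run Command history.
    $plain  = (Get-SSMParameter -Name $PasswordParameter -WithDecryption $true).Value
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    Set-LocalUser -Name 'Administrator' -Password $secure
    if (-not $inRdpGroup) {
        Add-LocalGroupMember -Group 'Remote Desktop Users' -Member 'Administrator'
    }
    Write-Output 'Administrator password reset; Remote Desktop Users membership ensured.'
}
```

If the report shows the password as expired, that matches the failure described above; if it shows the password as valid and RDP enabled, the Fleet Manager error has a different cause and resetting the password will not help.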
Best Practices
- Never expose RDP (port 3389) to 0.0.0.0/0
- Use SSM Fleet Manager for secure access
- Enforce strong passwords and rotate them regularly
- Ensure the EC2 instance has an IAM instance role with the AmazonSSMManagedInstanceCore policy attached
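The first and last of these practices can be verified from your workstation. The script below is an added example (not from the original post) that uses the AWS CLI from PowerShell: it lists security groups with an inbound rule that actually covers port 3389 from 0.0.0.0/0 or ::/0, then checks that a given instance is registered with SSM and has an instance profile attached. It assumes the AWS CLI is installed with credentials configured; the instance ID is a placeholder.

```powershell
# Added example, not from the original post. Assumes the AWS CLI is installed and configured.
$InstanceId = 'i-0123456789abcdef0'   # placeholder, replace with your instance

# 1. Security groups exposing RDP to the internet.
#    The ip-permission.* filters match independently (a group with 3389 from a private CIDR
#    and 443 from 0.0.0.0/0 would also match), so the rules are re-checked client-side.
$groups = aws ec2 describe-security-groups `
    --filters Name=ip-permission.from-port,Values=3389 Name=ip-permission.cidr,Values=0.0.0.0/0 `
    --output json | Out-String | ConvertFrom-Json

$exposed = @()
foreach ($g in $groups.SecurityGroups) {
    foreach ($p in $g.IpPermissions) {
        # '-1' is "all traffic" and carries no port range.
        $coversRdp = ($p.IpProtocol -eq '-1') -or ($p.FromPort -le 3389 -and $p.ToPort -ge 3389)
        $anyV4 = @($p.IpRanges   | Where-Object { $_.CidrIp   -eq '0.0.0.0/0' }).Count -gt 0
        $anyV6 = @($p.Ipv6Ranges | Where-Object { $_.CidrIpv6 -eq '::/0' }).Count -gt 0
        if ($coversRdp -and ($anyV4 -or $anyV6)) {
            $exposed += "$($g.GroupId) ($($g.GroupName))"
            break
        }
    }
}
if ($exposed.Count -gt 0) {
    Write-Warning ("Security groups exposing RDP to the internet:`n  " + ($exposed -join "`n  "))
} else {
    Write-Output 'No security group exposes port 3389 to 0.0.0.0/0 or ::/0.'
}

# 2. Is the instance registered with SSM? PingStatus 'Online' means the agent is connected.
$ssm = aws ssm describe-instance-information `
    --filters "Key=InstanceIds,Values=$InstanceId" `
    --output json | Out-String | ConvertFrom-Json
$info = $ssm.InstanceInformationList | Select-Object -First 1
if ($null -eq $info) {
    Write-Warning "$InstanceId is not registered with SSM (check the instance role and agent)."
} else {
    Write-Output ("SSM status: {0}, platform: {1}, agent: {2}" -f $info.PingStatus, $info.PlatformName, $info.AgentVersion)
}

# 3. Does the instance have an instance profile at all?
$profileArn = aws ec2 describe-instances --instance-ids $InstanceId `
    --query 'Reservations[0].Instances[0].IamInstanceProfile.Arn' --output text
if (-not $profileArn -or $profileArn -eq 'None') {
    Write-Warning "$InstanceId has no IAM instance profile attached."
} else {
    Write-Output "Instance profile: $profileArn"
}
```

Step 3 only shows that a profile is attached; whether the role carries AmazonSSMManagedInstanceCore is easiest to confirm from the role in IAM, and step 2 reporting Online is the practical proof that the permissions are sufficient.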
Takeaway
If Fleet Manager RDP shows "Invalid credentials", it’s usually not an SSM issue but a Windows password problem. Just reset the password through SSM and you’re good to go.