Channel: Remote Desktop Services (Terminal Services) forum

Remote Desktop Gateway, can't connect from RDP 8.0 (Server 2012)

I'm racking my brain, I've done this before but I'm doing this in another lab environment. Non-Domain computers (Outside) trying to RDP in via the Gateway (Domain-Internal is working). Certs aren't an issue as they're installed, I've tried it multiple ways, but for now I'm using the self-signed generated via the RD Gateway manager. I can go to https://rdgatewayurl/rpc and authenticate and get a blank page (external and internal).

New Domain, 2k8R2 Functional Level, no real GP customization at all, except not requiring NLA and enabling RDP on the internal "servers" in a specific OU.  My Account has Admin privileges on all the servers in question.

Another stupid question: This should also work with just the RD Gateway role installed, right?  I've tried it both ways with no luck.

RD Gateway is logging Event 4625 in the Security Log.  I feel like this should be obvious but my brain is fried.

An account failed to log on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Type:			3

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		myadminaccount@somedomain.com
	Account Domain:

Failure Information:
	Failure Reason:		An Error occured during Logon.
	Status:			0xC000035B
	Sub Status:		0x0

Process Information:
	Caller Process ID:	0x0
	Caller Process Name:	-

Network Information:
	Workstation Name:	EXTCOMP
	Source Network Address:	-
	Source Port:		-

Detailed Authentication Information:
	Logon Process:
	Authentication Package:	NTLM
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
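
Added example, not part of the original post: a small Python triage of a 4625 message body like the one quoted above, which separates credential failures from protocol-level failures such as the `0xC000035B` status in this event. The NTSTATUS names come from the Windows `ntstatus.h` header rather than from the post, and the function names `parse_4625` and `triage` are hypothetical.

```python
"""Triage the message body of a Security-log Event 4625 (added example)."""

# Status values as named in ntstatus.h; True marks a credential/account problem.
NTSTATUS = {
    0xC000006D: ("STATUS_LOGON_FAILURE", True),
    0xC000006A: ("STATUS_WRONG_PASSWORD", True),
    0xC0000064: ("STATUS_NO_SUCH_USER", True),
    0xC0000234: ("STATUS_ACCOUNT_LOCKED_OUT", True),
    0xC0000072: ("STATUS_ACCOUNT_DISABLED", True),
    0xC000035B: ("STATUS_BAD_BINDINGS", False),  # SSPI channel bindings rejected
}
LOGON_TYPES = {2: "interactive", 3: "network", 10: "remote interactive"}

# Fields copied from the event quoted in the post (explanatory text omitted).
SAMPLE_EVENT = """\
Subject:
\tSecurity ID:\t\tNULL SID
\tAccount Name:\t\t-
Logon Type:\t\t\t3
Account For Which Logon Failed:
\tSecurity ID:\t\tNULL SID
\tAccount Name:\t\tmyadminaccount@somedomain.com
\tAccount Domain:
Failure Information:
\tFailure Reason:\t\tAn Error occured during Logon.
\tStatus:\t\t\t0xC000035B
\tSub Status:\t\t0x0
Network Information:
\tWorkstation Name:\tEXTCOMP
Detailed Authentication Information:
\tAuthentication Package:\tNTLM
"""


def parse_4625(text):
    """Return {"Section/Key": value}; unindented "Key: value" lines stay top-level."""
    fields, section = {}, None
    for raw in text.splitlines():
        if not raw.strip() or ":" not in raw:
            continue  # blank line or free-text description
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if raw[0] in " \t":          # indented: field inside the current section
            fields[f"{section}/{key}"] = value
        elif value:                   # e.g. "Logon Type: 3"
            fields[key] = value
        else:                         # e.g. "Subject:" opens a new section
            section = key
    return fields


def triage(fields):
    """Summarise who failed, from where, and whether credentials were the cause."""
    status = int(fields.get("Failure Information/Status", "0x0"), 16)
    name, is_credential = NTSTATUS.get(status, (hex(status), None))
    logon_type = int(fields.get("Logon Type", "0"))
    return {
        "account": fields.get("Account For Which Logon Failed/Account Name", ""),
        "workstation": fields.get("Network Information/Workstation Name", ""),
        "logon_type": LOGON_TYPES.get(logon_type, str(logon_type)),
        "package": fields.get(
            "Detailed Authentication Information/Authentication Package", ""),
        "status": name,
        "credential_failure": is_credential,  # None means status not in the table
    }


if __name__ == "__main__":
    print(triage(parse_4625(SAMPLE_EVENT)))
```

A result with `credential_failure` set to `False` points at the authentication exchange itself rather than at a wrong password, which is worth separating from password-guessing noise when reviewing 4625 events on an internet-facing gateway.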





RDS Web Access with RSA SecureID without ISA - Web Access breaks down

Hi all,

I am trying to set up our RDS Web Access to authenticate via RSA SecureID using the RSA Web agent on the RDS Web Access server. I do not have an ISA/TMG server and I will not be able to get this. I have been looking a lot around the net for a fix for this, but the only guides and questions out there are for when people are using an ISA.

I got RDS Web Access and Gateway on the same server and a RDS farm behind. It works great without the RSA authentication.

I have installed the RSA Web Agent on the server and it integrates perfectly with IIS and on a test page it has been tested and it works.

But when I enable the "RSA SecureID Web Access Authentication" on the Default Web Site, the /RDWeb just breaks down with Internal Server error 500. When enabling I get an error with "This web site has one or more applications which have custom application pool that is incompatible with the Web Agent". I'd figure that the pool that is incompatible is the RDWebAccess-pool.

The server error 500 gives me the following information (accessed from localhost):

Module SecurIDModule
Notification BeginRequest
Handler StaticFile
Error Code 0x00000000
Requested URL https://localhost:443/RDWeb
Physical Path C:\Windows\Web\RDWeb
Logon Method Not yet determined
Logon User Not yet determined

It happens even before I enable the RSA Authentication for the RDWeb application.

Has anyone got RDS Web Access to work directly with the RSA Web agent?

I hope you can help me out here - thanks.

/rGjorret

RDMS Console UI does not show any data

Hello guys,

I have the situation: currently we have Remote App infrastructure based on Windows Server 2012 R2 Environment. I have connection broker rdcb.mydomain.com, webaccess server rdwa.mydomain.com, gateway server rdgw.mydomain.com, license server rdlic.mydomain.com and two session hosts rdsh1.mydomain.com and rdsh2.mydomain.com.

Everything was fine. But then for the test purposes we decided to install VDI based on the same environment: rdcb, rdwa, rdgw.

I created a new server for virtualization host rdsh1.mydomain.com and successfully installed the required roles according to the Microsoft official manual: on the rdcb server (where I currently manage my environment) I added the new server rdvh1, then added a new virtualization host and went through the wizard and completed this wizard with no errors.

But after the completion of installation my server manager crashed and now I cannot manage my RemoteApp environment because server manager is infinitely collecting data:

And also because of this I cannot manage my RemoteApp environment via GUI and cannot proceed with VDI setup.

performed actions:

1) I have uninstalled the virtualisation host via PowerShell with the cmdlet

Remove-RDServer -Server "RDVH1.mydomain.com" -Role "RDS-VIRTUALIZATION" -ConnectionBroker "RDCB.mydomain.com"

2) tried to remove file ServerList.xml from %userprofile%\AppData\Roaming\Microsoft\Windows\ServerManager

3) tried to add all servers to server manager from the other server, for example rdwa

I still have this issue, RemoteApp infrastructure works in fact, but is not manageable via server manager, and I cannot set up VDI.

How to force Server manager to load the data?

Thanks in advance for your further assistance!


Regards, Ivan Starunkin

Certificate won't renew

I am unable to connect to a server running Windows Server 2012 (not R2).  I was originally receiving two error messages in the System event log:

Source: Schannel  Event ID: 36870
"A fatal error occurred when attempting to access the SSL server credential private key.  The error code returned from the cryptographic module is 0x8009030D.  The internal error state is 10001."

Source: TerminalServices-RemoteConnectionManager  Event ID: 1058
"The RD Session Host Server has failed to replace the expired self signed certificate used for RD Session Host Server authentication on SSL connections.  The relevant status code was Access is denied."

These two errors were always next to each other.

I resolved the Schannel error, 36870, by giving the Network Service read access to the key in personal store for the machine:

1. I got the Unique container name by running: certutil -store My
2. I then ran icacls c:\programdata\microsoft\crypto\RSA\<Unique container name>

I am still not able to access remote desktop.  I've tried deleting the certificate in the machine store, and restarted the Remote Desktop Configuration Service.  Most articles say to just launch Remote Desktop Services Manager, however that is no longer an option in 2012.

The only other thing I can think of is importing a 3rd party signed certificate, however we don't have a CA on site, and I don't really want to have to spend money to get this to work otherwise.

New RDP User CALs not working

Just added 2 additional RDP User CALs to a RDP server and it is not allowing more logins. We had 5 to start with, which work fine, but the 2 new licenses do not work. 

Under RD Licensing Manager, it shows the original 5 as "Windows Server 2008 or Windows Server 2008 R2: Installed TS or RDS Per User CALs", Open License, Qty 5, Expires Never. Another line shows the same thing, Qty 2.

When I run licensing diagnosis, it shows number of licenses available for clients as 7, licensing mode per user. 0 warnings, no problems to report. Remote desktop services license server shows credentials: available, connectivity: available.

We reinstalled the licenses yesterday with no luck.

All users use the same login, and under RD Session Host Configuration: Server. the setting for restrict each user to a single session is set to no.

I have no idea what to do to fix this. We can get the first 5 users logged in, but as soon as you try to connect a 6th user, we get a message saying "This computer can't connect to the remote computer". I have tried logging in as another user with the same result.

Any suggestions? Thanks!

No icons are showing up in the Web Access page

HI!

I currently have the following setup:

5 * 2012  AD Domain

1 * 2012 R2 Remote desktop services server (RD Connection Broker, RD Session Host, RD Web Access)

1 * XP SP3 Client

1 * Windows 7 Client

When I try to connect to the web URL, it works fine, I can log on without any issue, however, not a single icon shows up.

I read several forums, and added the server in the RDS groups in Active Directory Users and Computers.

When I look in the Event Viewer, I see the following error:

The Remote Desktop Connection Broker server could not enumerate the targets for the provider named NULL from the database.

Pooled virtual desktop collection name: NULL
Error: Logon to the database failed.


I read that you should receive an ActiveX component notification but this doesn't happen on either of the 2 clients.

Does anyone have an idea on how to overcome the issues I'm having?

Thanks in advance,

Kristof

Too high memory usage from termsvcs and wsmprovhost

Hi everyone!

I've got Windows server 2012r2 running in VM on Hyper-V 2012r2. 

A few days ago I mentioned that somehow it uses ~8Gb RAM for 70 user sessions.

I started looking for problem and found out that svchost -k termsvcs uses 1.5Gb RAM and 5-6%CPU. Also many "wsmprovhost" processes use ~70mb for each user.

svchost usage:

https://www.dropbox.com/s/szvn7ey1lk38a95/ts5.png?dl=0

connected users:

https://www.dropbox.com/s/jnijnlipk7g88be/ts4.png?dl=0

According to task manager:

http://i.shotnes.com/gVb8vSf8

each user uses from 132mb to 56mb RAM, it's 94Mb in the middle. 94Mb* 32 users = 3008Mb

But overall usage is:

http://i.shotnes.com/eQb8vRX1

Why?



Server 2012 R2 Web Access, Redirect Only Specific Drives to Collection

Hello,

We have a RD deployment with a gateway server, web access server, connection broker and multiple session hosts.

As it stands, I have several session hosts shown in the web access page as a collection. The collection itself has drive redirection enabled, allowing users on thin clients to see the USB drive attached to the thin client, on the server.

The problem is, it also maps the RAMDrive (z) and the OS partition (c). As the connection to the collection is automatic, the user does not get any option as to what drives are/aren't redirected.

Is there some way I can centrally apply exclusions, so we can prevent a thin client from mapping the C and Z drives? Or perhaps even add in an option before the user is connected, so they can select which drives to map?

Many thanks.

Eds


RD Web Access Server 2012 - Server Error in '/RDWeb/Pages' Application. Runtime Error

A single user is receiving a Runtime Error when logging into RD Web Access (Server 2012). I did notice an event pop up in the Application log:

Level: Warning

Source: ASP.NET 4.0.303190

Event ID: 1309

Task Category: Web Event

Event code: 3003
Event message: A validation error has occurred.
Event time: 8/5/2013 9:23:11 AM
Event time (UTC): 8/5/2013 1:23:11 PM
Event ID: db80b8f6c5f54803a050624241698c18
Event sequence: 3302
Event occurrence: 13
Event detail code: 0

Application information:
    Application domain: /LM/W3SVC/1/ROOT/RDWeb/Pages-2-130171705261678145
    Trust level: Full
    Application Virtual Path: /RDWeb/Pages
    Application Path: C:\Windows\Web\RDWeb\Pages\
    Machine name: VDICB12KDC01

Process information:
    Process ID: 1044
    Process name: w3wp.exe
    Account name: IIS APPPOOL\RDWebAccess

Exception information:
    Exception type: HttpRequestValidationException
    Exception message: A potentially dangerous Request.Form value was detected from the client (UserPass="sfjt<KADM").
   at System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection)
   at System.Web.HttpRequest.ValidateHttpValueCollection(HttpValueCollection collection, RequestValidationSource requestCollection)
   at Microsoft.TerminalServices.Publishing.Portal.FormAuthentication.TSFormsAuthentication.ExtractInfoFromForm(HttpContext objHttpContext)
   at Microsoft.TerminalServices.Publishing.Portal.FormAuthentication.TSFormsAuthentication.OnAuthenticateRequest(Object source, EventArgs e)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)



Request information:
    Request URL: https://<server>:443/RDWeb/Pages/en-US/login.aspx
    Request path: /RDWeb/Pages/en-US/login.aspx
    User host address: 10.77.110.77
    User:
    Is authenticated: False
    Authentication Type:
    Thread account name: IIS APPPOOL\RDWebAccess

Thread information:
    Thread ID: 14
    Thread account name: IIS APPPOOL\RDWebAccess
    Is impersonating: False
    Stack trace:    at System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection)
   at System.Web.HttpRequest.ValidateHttpValueCollection(HttpValueCollection collection, RequestValidationSource requestCollection)
   at Microsoft.TerminalServices.Publishing.Portal.FormAuthentication.TSFormsAuthentication.ExtractInfoFromForm(HttpContext objHttpContext)
   at Microsoft.TerminalServices.Publishing.Portal.FormAuthentication.TSFormsAuthentication.OnAuthenticateRequest(Object source, EventArgs e)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)



Load Balanced Session Hosts - Direct RDP

We currently have an RDS Farm, multiple Session Hosts in production, we need to RDP to a specific one for support reasons (such as installing a new program across, or forcing gpupdate, etc). Is there a way to accomplish this without taking it out of the collection?

Thoughts?

Cannot generate RDS CAL license report from Powershell

Hi.

We are monitoring RDS CAL usage with SCOM. This is done by running scheduled RDS CAL reports and looking for the event log message about too many issued licenses. This works fine on a Windows 2008 R2 RD License Server.

Now I wanted to set up the same script on a Windows 2012 RD License Server, but there seems to be something broken in the RDS Powershell.

This is the script:

Import-Module RemoteDesktopServices
cd RDS:\LicenseServer\IssuedLicenses\PerUserLicenseReports
New-Item -name scheduled -scope DOM

The problem is the new-item cmdlet, which doesn't seem to work. It fails with error message "new-item : The path 'RDS:\LicenseServer\IssuedLicenses\PerUserLicenseReports\scheduled' does not exist."

Even if I run the command from the "Get-help new-item -examples" I get the same error.

Has anyone done this successfully on Windows 2012?

Remote Desktop Gateway and WebAccess Deployment - Multiple Logon Prompts

I'm having a few issues with some multiple logon prompts using "Connect to a remote PC" via RD Web Access.

I am able to log onto the RDWeb without a problem.

Essentially once I make a connection to my end-device I first receive a logon prompt, I'm authenticated, then I'm asked again for another logon prompt. Any ideas how to resolve this?

My layout is simple:

1 VM in the DMZ that has the Remote Desktop Gateway and Remote Desktop Web Access roles installed. No connection broker, or session host.

With my deployment I have a wildcard certificate bound to the Remote Desktop Gateway and it is bound properly in IIS. Remote Desktop functionality through the RDGateway works just fine. However, the only nuisance is that I get prompted multiple times for credentials when accessing the end-device regardless if my connection is from a domain-joined machine or a non-domain joined machine.

I've tried using Web Single Sign On via http://anandthearchitect.com/2014/01/20/rds-2012-r2single-sign-on-using-windows-authentication-for-rdweb-page/ and it still does not work.

Any ideas?

Thanks,

Dan


RDS Session Host only role & license configuration

I needed a couple of servers to act as 'jump boxes' to networks with special hosts. So we needed the capability for 5 or 6 people at a time to RDP to a jump box and from there they can connect to the special hosts. As such, it appears that the only role needed is RDS Session Host (2012 R2). I have a license server setup on another server. The perplexing part is the licensing configuration. I don't know what went wrong in development, but wow, what a mess - badly documented situation and no wizard to handle something that should be so simple. So after searching and trolling forums I found a blog post that mentions manual configuration of the RDS licensing mode and server list via Powershell.

I created this small script to help anyone else that runs into this situation, but I'm not entirely sure that this is all that is needed. Can anyone confirm that it is or do I need to do more than this?

<#
Note: The following commands must be run from an Administrative
PowerShell prompt on the RDS Host to be configured.

To configure the license server on RDSH/RDVH:
#>

$Mode = 4 #Value can be 2 - per Device, 4 - Per user
$LicensingServer = "licenseserver.contoso.com" #Name of the license server

$obj = gwmi -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting

$obj.SetSpecifiedLicenseServerList($LicensingServer)
$obj.ChangeMode($Mode)

$obj.GetSpecifiedLicenseServerList() #displays the $LicensingServer?
$obj.LicensingType #displays $Mode + 1?


Windows Server 2012 - Powershell script to "allow new connections" for all servers in collection

Hi Guys

I have a request. When doing maintenance on a Remote Desktop Session Host farm, we sometimes change the "Allow New Connection" from true to false.

The issue is that we have experienced that this value is accidentally not changed back to true by the technician when maintenance is finished. This results in, the next morning, all users not logging in to all servers.

I want to run a Powershell script every night, that changes this value to true. Unfortunately, I have not been able to find any cmdlets, that can help me with this. Is that correct? If not, could you help me here?

Best regards,

Mr. Thomas

RDS CALS and TSCTST.exe tool

Guys, this wonderfully handy tool was able to decode the MSLicensing key (and hence the RDS/TC Cal) info on Windows XP but no longer works in Windows 7. Is there an equivalent tool for Windows 7/2008 R2?

All remote desktop sessions in my farm collection are 0

Hi all,

We do have a RDS farm with 2 session host servers. I have created a collection.
The collection is working fine, however when I want to "shadow" a session I receive an error: The specified session is not connected.

However I am sure it is connected, because I tried it myself using a test account on a different computer.
Then I couldn't find much in the event viewer or whatsoever. Then I came to realize that all RDS sessions do have session id 0, I can see that from the server manager, as well as when I use the powershell command.

Anyone experienced this problem before?

2012 RDS + Gateway Certificate and .local domains

Can someone verify this is the correct process to stop all certificate errors?

RDS 2012 R2 deployment that is the following. 

1 server with broker web and gateway roles installed. 

3 session hosts. 

Domain is a .local

I want to stop all certificate errors. I have a certificate for the gateway/broker/web server gateway.xxx.com 

I have had a look at the Change published FQDN for Server 2012 or 2012 R2 RDS Deployment script

https://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80

Do I just need to run this script on the gateway/broker/web server and will this stop the mismatch errors for the session hosts?

Thanks


wyse winterm auto login server 2008

Hi all,

I have a Wyse WinTerm WT3125SE set to auto logon to a domain user.

In Server 2003 it works perfectly (no need to retype password)

In Server 2008 it shows me the logon screen (on the left = domain\user , on the right = Other User)

In other words, it does not "auto logon" I need to click on the user and type the password

Need help please...

RemoteApp and Desktop Connections update returns Error code: 0x80070003

I had RemoteApp and Desktop Connections working in Windows 7, but it recently started returning the following event log error.
An error occurred. Contact your workplace administrator for assistance.
Connection name: My Apps
Connection URL: https://<externalfqdn>/RDWeb/Feed/webfeed.aspx
Error code: 0x80070003, 0x0
How do I troubleshoot this?  When I enter https://<externalfqdn>/RDWeb/Feed/webfeed.aspx, I am prompted for a user name and password.  When I enter the user name and password, a string of characters is returned.  Is there a way to decode these characters?  The only unusual element of my install is that the <externalfqdn> is different than the windows FQDN.  Both point to the same IP address.  I'm not seeing any event log errors on the server.  If I delete the existing RemoteApp connection, recreation of the connection fails and no event is logged on the server OR the client.

Terminal Server 2012 R2

I recently deployed Terminal Server 2012 R2 (licensed). I use 'Install Application on Remote Desktop Server' to install any application. It only allows me to install from local drive. I can not browse to shared network location (which are available via windows explorer). Please advise at your earliest.