Channel: Remote Desktop Services (Terminal Services) forum

VDI or Session based RDP on Windows server 2019 with user cal


Hello,


FYI, I am using the Windows Server 2019 Eval version. We want to work out the setup before acquiring licenses from MS.

All Windows machines (servers, Windows 10) described below are deployed as VMs on a Dell server with VMware ESXi.

We have a lab wherein we need to log on to Jump-Server (WINDOWS-SERVER-2019) using RDP.

From this Jump-Server, I need to log on to:

  1. Windows-Server using RDP client on Jump-Server.
  2. Windows-10 machine using RDP client on Jump-Server

I understand we must install RDP services in the Jump-Server & Windows server. 

--------

What I have at the moment is:

Jump-Server has services:

  1. Domain Controller
  2. RD Gateway
  3. RD Web Access
  4. RD Connection Broker
  5. RD Session HOST

Windows-Server has services:

  1. RD Licensing
  2. RD Session HOST

After configuring the Session based RDP, I'm able to get into Jump-Server.

But when I try the RDP client (inside Jump-Server) to connect to Windows-Server, I get the error message "An internal error has occurred".

Query-1: How do I configure a session-based RDS host on Jump-Server & Windows-Server, so that the same user can log in to Windows-Server after getting into Jump-Server?

---------

Configure RDP for Windows-10 VM's:

Theoretically, I understand I should:

  1. Add the Windows 10 VM to the same domain.
  2. Add this VM to the RD Session Host.

Query-2: Is this correct, or do we need an extra device CAL and/or user CAL to connect via the RDP client from the Jump-Server above?

Thanks in Advance,


Remote Desktop Services Best Practices


Hey Guys, first post so I apologize if this is hidden somewhere in another forum.  Our company is looking to create standards for user sessions using RDG.  I've been doing some research but can't identify anything solid as to what the best practices would be for user sessions.  Particularly looking to identify the policies below.  If anyone has examples on how you've set this up for your company, any feedback is welcome.  I understand each has their own belief on what is correct for best practices but I'm looking to get a starting point.

  1. Set time limit for disconnected sessions
  2. Set time limit for active but idle Remote Desktop Services sessions
  3. Set time limit for active Remote Desktop Services sessions
  4. Time before screen lock

User gets Access Denied launching remote app after working without a problem previously


Looking for some assistance in starting to debug an issue which is causing a lot of user frustration. We have a small-scale Remote Desktop Services deployment: a single management server and a single session host server.

Users can log in to RD Web Access and launch a remote app without an issue and work as normal. All of a sudden, at some point in the day or on another day after disconnecting and reconnecting, they now get an Access Denied message when launching the remote app and logging in.

The only way to resolve this issue is by rebooting the session host server. We have now resorted to rebooting the session host server every evening but still get the issue appearing at some point later in the day around 17:00.

We cannot see anything obvious in the event logs.

Many thanks in advance for any assistance or guidance.



Printer Manager Role - Active Directory


I have 5 Server 2012 VMs.

One VM is purposed as a print server. One VM is a domain controller. The other VMs are for terminal services.

My goal is to manage printer rights based on user groups.  Using Group policy.

Should I install the Printer Management role on the domain controller, or the print server?

Thanks in advance

RDS Per User Cals - Downgrade 2019 -> 2012


Hi All,

I'm attempting to apply additional Per User Cals to several managed service clients' RDS Servers.

Their RDS Servers are a mix of 2016 and 2012R2.

The Per User Cals procured are 2019 so we need to perform a downgrade.

These were procured via the clients' Volume Licencing.

From initial reading it seems that the CALs should auto downgrade on application; however, we receive the following upon entering the Agreement and Licencing numbers:

"The licensing agreement data provided to Microsoft is not valid. Check all the information you provided, make any necessary corrections, and then resubmit your request. If the problem persists, try using a different connection method."

This occurs on completely separate environments. 

On calling VLSC support, I was advised that, to allow the downgrade to take place, the RDS server would need to be taken out of production and I should have a support agent on a call at the time.

This feels a little excessive. Would value any thoughts or experiences of others performing the above.

Many thanks
Kev

Policy Module for company Microsoft Corporation product C50 has denied new license request


Hello.

We get this alert from SCOM, I've been trying to find out what product C50 is but I can't find it anywhere.

"Event ID: 42 -- Description: An error occurred in policy module "Policy Module for company Microsoft Corporation product C50 has denied new license request with error code 1104.".

Any ideas?

Server 2019 BSOD - Terminal Server

Hi, we have a terminal server based on Server 2019 that consists of 10 RD Hosts. We have 300 users. Some users use remoteapp.

We got a blue screen in some of the hosts. There are no extra drivers etc. on the hosts other than printer drivers. Printer drivers have been previously tested on different servers. Memory Dump is listed below. How can we interpret this output?

*                                                                            *
*                        Bugcheck Analysis                                    *
*                                                                            *
*******************************************************************************

CRITICAL_PROCESS_DIED (ef)
        A critical system process died
Arguments:
Arg1: ffff888d8dc2e080, Process object or thread object
Arg2: 0000000000000000, If this is 0, a process died. If this is 1, a thread died.
Arg3: 0000000000000000
Arg4: 0000000000000000

Debugging Details:
------------------

Page 2001e206a too large to be in the dump file.
Page 2001d3369 too large to be in the dump file.

KEY_VALUES_STRING: 1


PROCESSES_ANALYSIS: 1

SERVICE_ANALYSIS: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1


DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING:  17763.1.amd64fre.rs5_release.180914-1434

SYSTEM_MANUFACTURER:  Microsoft Corporation

VIRTUAL_MACHINE:  HyperV

SYSTEM_PRODUCT_NAME:  Virtual Machine

SYSTEM_SKU:  None

SYSTEM_VERSION:  Hyper-V UEFI Release v1.0

BIOS_VENDOR:  Microsoft Corporation

BIOS_VERSION:  Hyper-V UEFI Release v1.0

BIOS_DATE:  11/26/2012

BASEBOARD_MANUFACTURER:  Microsoft Corporation

BASEBOARD_PRODUCT:  Virtual Machine

BASEBOARD_VERSION:  Hyper-V UEFI Release v1.0

DUMP_TYPE:  1

BUGCHECK_P1: ffff888d8dc2e080

BUGCHECK_P2: 0

BUGCHECK_P3: 0

BUGCHECK_P4: 0

PROCESS_NAME:  csrss.exe

CRITICAL_PROCESS:  csrss.exe

EXCEPTION_CODE: (HRESULT) 0x8da82080 (2376605824) - <Unable to get error code text>

ERROR_CODE: (NTSTATUS) 0x8da82080 - <Unable to get error code text>

CPU_COUNT: 8

CPU_MHZ: 95a

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 55

CPU_STEPPING: 4

CPU_MICROCODE: 6,55,4,0 (F,M,S,R)  SIG: FFFFFFFF'00000000 (cache) FFFFFFFF'00000000 (init)

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXPNP: 1 (!blackboxpnp)


DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

BUGCHECK_STR:  0xEF

CURRENT_IRQL:  0

ANALYSIS_SESSION_TIME:  04-10-2020 12:32:30.0140

ANALYSIS_VERSION: 10.0.18362.1 amd64fre

EXCEPTION_RECORD:  000000d8d1b3df30 -- (.exr 0xd8d1b3df30)
ExceptionAddress: 00000226f7fab5c0
   ExceptionCode: 00000000
  ExceptionFlags: 00000000
NumberParameters: -776798208
   Parameter[0]: 0000000000000000
   Parameter[1]: 0000022600000000
   Parameter[2]: 0000000000000000
   Parameter[3]: 0000000000000000
   Parameter[4]: 0000022600010000
   Parameter[5]: 00000226fc6f0000
   Parameter[6]: 00000226f7fa0100
   Parameter[7]: 00000226fc06fb18
   Parameter[8]: 000000d8d1b3e040
   Parameter[9]: 000000d8d1b3de10
   Parameter[10]: 00000226f7fab5c0
   Parameter[11]: 0000004400000000
   Parameter[12]: 00000226f7fab5c0
   Parameter[13]: 0000000000000000
   Parameter[14]: 0000000000000000

CONTEXT:  00007ffc74278ca5 -- (.cxr 0x7ffc74278ca5)
rax=441f0f000b720615 rbx=e0814150247c8948 rcx=0fed8548f08b0000
rdx=c38b44000000c284 rsi=cb8b00000090840f rdi=e18108e9c1c3b70f
rip=0b5c6a15ff482024 rsp=ffffffbf007f0000 rbp=00660000f88141ff
 r8=f981c80b00ff0000  r9=8b48217200010000 r10=d1b70f000b5cae05
r11=8b108b4852048d4c r12=4cb60f4610e8c1c1 r13=0f0375c83b440dc2
r14=0b5c82058b48c9b7 r15=548d486a73083b00
iopl=1         ov dn di pl zr na pe cy
cs=4930  ss=5e41  ds=7b8b  es=4938  fs=e38b  gs=5f41             efl=ccc35c41
4930:2024 ??              ???
Resetting default scope

LAST_CONTROL_TRANSFER:  from 0000000000000000 to 0b5c6a15ff482024

BAD_STACK_POINTER:  ffffffbf007f0000

STACK_TEXT:  
fffff184`02187c78 fffff802`1ec9fc8d : 00000000`000000ef ffff888d`8dc2e080 00000000`00000000 00000000`00000000 : nt!KeBugCheckEx
fffff184`02187c80 fffff802`1ebdcf07 : 00000000`00000000 ffff888d`8dc2e080 00000000`00000000 fffff802`1e5426e4 : nt!PspCatchCriticalBreak+0xfd
fffff184`02187d20 fffff802`1ea9780c : ffff888d`00000000 00000000`00000000 ffff888d`8dc2e080 ffff888d`8dc2e358 : nt!PspTerminateAllThreads+0x146873
fffff184`02187d90 fffff802`1ea99349 : ffffffff`ffffffff fffff184`02187ec0 ffff888d`8dc2e080 000000d8`d1b3d901 : nt!PspTerminateProcess+0xe0
fffff184`02187dd0 fffff802`1e5d8305 : ffff888d`000020ec ffff888d`8da82080 ffff888d`8dc2e080 000000d8`d1b3d940 : nt!NtTerminateProcess+0xa9
fffff184`02187e40 00007ffc`77f5fce4 : 00007ffc`73e983a1 00000226`ffffffff 00000000`00000001 ffffffff`ee1e5d00 : nt!KiSystemServiceCopyEnd+0x25
000000d8`d1b3cfc8 00007ffc`73e983a1 : 00000226`ffffffff 00000000`00000001 ffffffff`ee1e5d00 00000000`0000046c : ntdll!NtTerminateProcess+0x14
000000d8`d1b3cfd0 00007ffc`77f91a68 : 00000226`f7f26640 00007ffc`73e98270 00000226`f7f26658 00007ffc`73cce9dd : CSRSRV!CsrUnhandledExceptionFilter+0x131
000000d8`d1b3d060 00007ffc`77f63400 : 00007ffc`77d17a08 00000000`00000000 00000000`00000000 00007ffc`77ec6a6f : ntdll!LdrpLogFatalUserCallbackException+0x98
000000d8`d1b3d1a0 00007ffc`77f6477f : 00007ffc`7802a000 00007ffc`77ec0000 0000ddc4`001ed000 000000d8`d1b3d750 : ntdll!KiUserCallbackDispatcherHandler+0x20
000000d8`d1b3d1e0 00007ffc`77ec4bef : 000000d8`d1b3d750 00000000`00000000 00007ffc`77d9d0e8 00007ffc`77cf0000 : ntdll!RtlpExecuteHandlerForException+0xf
000000d8`d1b3d210 00007ffc`77f634ee : 000000d8`d1b3df30 00007ffc`74278ca5 00000000`00000000 00007ffc`74263e72 : ntdll!RtlDispatchException+0x40f
000000d8`d1b3d940 00007ffc`77cf7cf6 : ffffffff`00000201 00000226`f7ef1580 0000000c`0000002d 00007ffc`77f06a03 : ntdll!KiUserExceptionDispatch+0x2e
000000d8`d1b3e730 00007ffc`77cf7c76 : 00000000`002e0000 00000000`0000002d 00000000`0000002d 00000001`0000002e : USER32!DefDlgProcWorker+0x66
000000d8`d1b3e7f0 00007ffc`77cfca66 : 00000000`00000000 00000000`00000000 00000000`0000000c 00007ffc`77ed01fe : USER32!DefDlgProcW+0x36
000000d8`d1b3e830 00007ffc`77cfc78c : 00000000`00000008 00007ffc`77f5f4f0 00000000`001301d6 00000000`80000000 : USER32!UserCallWinProcCheckWow+0x266
000000d8`d1b3e9b0 00007ffc`77d17a08 : 000000d8`d1b3eac8 00000000`00000000 00000000`00000000 00000000`00000000 : USER32!DispatchClientMessage+0x9c
000000d8`d1b3ea10 00007ffc`77f63494 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : USER32!_fnNCDESTROY+0x38
000000d8`d1b3ea70 00007ffc`74c41f24 : 00007ffc`77d015df 00000000`00008002 00000000`00000000 00000000`00000000 : ntdll!KiUserCallbackDispatcherContinue
000000d8`d1b3eaf8 00007ffc`77d015df : 00000000`00008002 00000000`00000000 00000000`00000000 000000d8`d1b3ebc8 : win32u!NtUserCreateWindowEx+0x14
000000d8`d1b3eb00 00007ffc`77cff642 : 00000000`000002fc 000000d8`00000001 00000000`00010101 00000000`00010101 : USER32!VerNtUserCreateWindowEx+0x20f
000000d8`d1b3ee90 00007ffc`77d1f19a : 0000439d`851d0a0e ffffffff`0000004b 00000000`00000000 00000000`00000002 : USER32!InternalCreateDialog+0x612
000000d8`d1b3f070 00007ffc`77d63836 : 00000000`00000000 000000d8`d1b3f1d0 000000d8`d1b3f3f0 00000226`f7fb07a0 : USER32!InternalDialogBox+0x106
000000d8`d1b3f0d0 00007ffc`77d62275 : 00000000`00000000 00000000`00000095 00000000`000002f8 00000000`00000032 : USER32!SoftModalMessageBox+0x7e6
000000d8`d1b3f220 00007ffc`77d62fb2 : 00000000`00000000 00000000`00000010 00000000`0000000e 00000000`00000800 : USER32!MessageBoxWorker+0x319
000000d8`d1b3f3d0 00007ffc`73e39726 : 00000000`00000001 00007ffc`73e4a9e0 00007113`625f8fb2 00000000`00000002 : USER32!MessageBoxTimeoutW+0x192
000000d8`d1b3f4d0 00007ffc`73e39bfd : 00000000`00000000 00007ffc`73e4a9e0 00000000`00000000 00000000`00000000 : winsrvext!HardErrorHandler+0x32a
000000d8`d1b3f690 00007ffc`73e3a0ee : 00000226`f7f98f00 00000000`00000001 00000000`00000000 000000d8`d1b3f900 : winsrvext!ProcessHardErrorRequest+0xe9
000000d8`d1b3f700 00007ffc`73e9872d : 00000226`f7ef7db0 00007ffc`77f33a2e 00000000`00000000 000000d8`d1cc0000 : winsrvext!UserHardErrorEx+0x4be
000000d8`d1b3f7c0 00007ffc`73e97ec5 : 00000226`f7ef79f0 00000000`00000000 00000000`00000000 000000d8`d1cc0000 : CSRSRV!QueueHardError+0x1a5
000000d8`d1b3f800 00007ffc`77f2a27f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : CSRSRV!CsrApiRequestThread+0x2525
000000d8`d1b3fc90 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2f


THREAD_SHA1_HASH_MOD_FUNC:  243502d633fd810f3a77e6153eeed955d23a59af

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  2d5957ffba98cb17c4474657af1391290476cdba

THREAD_SHA1_HASH_MOD:  5255f96f63ab75cf0bb2e1adc18592ee682a40d7

FOLLOWUP_IP: 
ntdll!NtTerminateProcess+14
00007ffc`77f5fce4 c3              ret

FAULT_INSTR_CODE:  c32ecdc3

SYMBOL_STACK_INDEX:  6

SYMBOL_NAME:  ntdll!NtTerminateProcess+14

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: ntdll

IMAGE_NAME:  ntdll.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  125ac1e8

IMAGE_VERSION:  10.0.17763.802

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  14

FAILURE_BUCKET_ID:  0xEF_csrss.exe_BUGCHECK_CRITICAL_PROCESS_8da82080_STACKPTR_ERROR_ntdll!NtTerminateProcess

BUCKET_ID:  0xEF_csrss.exe_BUGCHECK_CRITICAL_PROCESS_8da82080_STACKPTR_ERROR_ntdll!NtTerminateProcess

PRIMARY_PROBLEM_CLASS:  0xEF_csrss.exe_BUGCHECK_CRITICAL_PROCESS_8da82080_STACKPTR_ERROR_ntdll!NtTerminateProcess

TARGET_TIME:  2020-04-07T05:14:52.000Z

OSBUILD:  17763

OSSERVICEPACK:  0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  131216

PRODUCT_TYPE:  3

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 Server TerminalServer DataCenter

OS_LOCALE:  

USER_LCID:  0

OSBUILD_TIMESTAMP:  1996-08-06 18:11:50

BUILDDATESTAMP_STR:  180914-1434

BUILDLAB_STR:  rs5_release

BUILDOSVER_STR:  10.0.17763.1.amd64fre.rs5_release.180914-1434

ANALYSIS_SESSION_ELAPSED_TIME:  d97

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0xef_csrss.exe_bugcheck_critical_process_8da82080_stackptr_error_ntdll!ntterminateprocess

FAILURE_ID_HASH:  {cb1f5d2d-babc-5182-2d49-32f9d8f0ee1e}

Followup:     MachineOwner
---------

0: kd> kL
 # Child-SP          RetAddr           Call Site
00 fffff184`02187c78 fffff802`1ec9fc8d nt!KeBugCheckEx
01 fffff184`02187c80 fffff802`1ebdcf07 nt!PspCatchCriticalBreak+0xfd
02 fffff184`02187d20 fffff802`1ea9780c nt!PspTerminateAllThreads+0x146873
03 fffff184`02187d90 fffff802`1ea99349 nt!PspTerminateProcess+0xe0
04 fffff184`02187dd0 fffff802`1e5d8305 nt!NtTerminateProcess+0xa9
05 fffff184`02187e40 00007ffc`77f5fce4 nt!KiSystemServiceCopyEnd+0x25
06 000000d8`d1b3cfc8 00007ffc`73e983a1 ntdll!NtTerminateProcess+0x14
07 000000d8`d1b3cfd0 00007ffc`77f91a68 CSRSRV!CsrUnhandledExceptionFilter+0x131
08 000000d8`d1b3d060 00007ffc`77f63400 ntdll!LdrpLogFatalUserCallbackException+0x98
09 000000d8`d1b3d1a0 00007ffc`77f6477f ntdll!KiUserCallbackDispatcherHandler+0x20
0a 000000d8`d1b3d1e0 00007ffc`77ec4bef ntdll!RtlpExecuteHandlerForException+0xf
0b 000000d8`d1b3d210 00007ffc`77f634ee ntdll!RtlDispatchException+0x40f
0c 000000d8`d1b3d940 00007ffc`77cf7cf6 ntdll!KiUserExceptionDispatch+0x2e
0d 000000d8`d1b3e730 00007ffc`77cf7c76 USER32!DefDlgProcWorker+0x66
0e 000000d8`d1b3e7f0 00007ffc`77cfca66 USER32!DefDlgProcW+0x36
0f 000000d8`d1b3e830 00007ffc`77cfc78c USER32!UserCallWinProcCheckWow+0x266
10 000000d8`d1b3e9b0 00007ffc`77d17a08 USER32!DispatchClientMessage+0x9c
11 000000d8`d1b3ea10 00007ffc`77f63494 USER32!_fnNCDESTROY+0x38
12 000000d8`d1b3ea70 00007ffc`74c41f24 ntdll!KiUserCallbackDispatcherContinue
13 000000d8`d1b3eaf8 00007ffc`77d015df win32u!NtUserCreateWindowEx+0x14
14 000000d8`d1b3eb00 00007ffc`77cff642 USER32!VerNtUserCreateWindowEx+0x20f
15 000000d8`d1b3ee90 00007ffc`77d1f19a USER32!InternalCreateDialog+0x612
16 000000d8`d1b3f070 00007ffc`77d63836 USER32!InternalDialogBox+0x106
17 000000d8`d1b3f0d0 00007ffc`77d62275 USER32!SoftModalMessageBox+0x7e6
18 000000d8`d1b3f220 00007ffc`77d62fb2 USER32!MessageBoxWorker+0x319
19 000000d8`d1b3f3d0 00007ffc`73e39726 USER32!MessageBoxTimeoutW+0x192
1a 000000d8`d1b3f4d0 00007ffc`73e39bfd winsrvext!HardErrorHandler+0x32a
1b 000000d8`d1b3f690 00007ffc`73e3a0ee winsrvext!ProcessHardErrorRequest+0xe9
1c 000000d8`d1b3f700 00007ffc`73e9872d winsrvext!UserHardErrorEx+0x4be
1d 000000d8`d1b3f7c0 00007ffc`73e97ec5 CSRSRV!QueueHardError+0x1a5
1e 000000d8`d1b3f800 00007ffc`77f2a27f CSRSRV!CsrApiRequestThread+0x2525
1f 000000d8`d1b3fc90 00000000`00000000 ntdll!RtlUserThreadStart+0x2f
0: kd> r
rax=ffff888d8da82080 rbx=ffff888d8dc2e003 rcx=00000000000000ef
rdx=ffff888d8dc2e080 rsi=ffff888d8dc2e080 rdi=ffff888d8dc2e080
rip=fffff8021e5c7050 rsp=fffff18402187c78 rbp=00000000c0000000
 r8=0000000000000000  r9=0000000000000000 r10=7ffffffffffffffc
r11=fffff18402187e38 r12=00007ffc77f63401 r13=00000000c0000005
r14=0000000000000000 r15=00000000c0000005
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
nt!KeBugCheckEx:
fffff802`1e5c7050 48894c2408      mov     qword ptr [rsp+8],rcx ss:0018:fffff184`02187c80=00000000000000ef


RD Gateway SSO IWA over NTLM from remote outside the internal network possible out of the box?


hello,

I am struggling at the moment with RD Gateway SSO IWA for RDS 2016/2019 from remote outside the local network and without vpn for the remote apps.

All the GPOs with delegation, trusted sites, RD Gateway authentication method (use locally logged on credentials) are set.

Inside the network or with vpn SSO IWA works fine for both, RD Web Access and remote apps resp. RD Gateway.
Outside only RD Web Access works without credentials prompt, but if a user clicks on a remote app he will be prompted with credentials dialog. (in the rdp client you will see the settings from the GPO with "Your Windows logon credentials will be used", so this is not the problem).

So the first question is if SSO IWA for RDS and RD Gateway is even supported from remote without a third party solution?

To get RD Web Access SSO to work from remote, I must move the Windows authentication provider NTLM to the first position, before Negotiate. So it seems that the client first tries to log on with Kerberos and doesn't fall back automatically to NTLM if Kerberos fails, of course, from outside the network.

I suppose this is also the problem for remote apps and RD Gateway. In Fiddler you will see that after clicking on a remote app, the client connects to the RD Gateway and gets a 401 access denied with the supported authentication providers. In this list the first one is Negotiate, before NTLM.

So the client only tries to connect over Kerberos, and after failing it does not automatically fall back to NTLM and use the locally logged-on credentials. Instead, it prompts a credential dialog. After entering the credentials, the connection is established with NTLM.

I wonder if it is possible for the client to automatically fall back to NTLM and use the local logon credentials without prompting for them from remote?

In the GPO "Set RD Gateway authentication method"  you can enforce clients to use NTLM but only in combination with "Ask for Credentials".

Best regards,
Marcus


RD Gateway Server and Cryptographic Protocol


Hi,

Just got a request from the auditor to disable TLS 1.0 and 1.1 for a Terminal Server running Windows 2008R2.

May I seek your advice on how to disable it?

Thanks



Remote Desktop Services License Server


I am looking for best practices when it comes to RDS License Servers in a greenfield environment.

If you build two, I assume you put your full license count on both servers and they run as active/active? Or would you have one powered down and power it on if required?

If the RDS License server (configured for Per User licensing) went offline, is there a period where users will continue to log in, or they can't until the License Server is back online?

disable ctrl+n on RDP


Hello

I want to disable the option of Ctrl+n (new window) in Remote Desktop (terminal servers).

How do I do it?

thanks!

Yan

RD Gateway - Local users for RD CAP and RD RAP


Hi,

I'd like to have a secondary user account (& password) database to allow access through an RD Gateway. (The idea is to make that secondary database dynamic to achieve Two-Factor Authentication.)

I tried to use the Local Users group of the RD Gateway itself but I can't make it work.

I have allowed Local Users group on RD CAP and RD RAP.

On the client, when I unselect "use my RD Gateway credentials for the remote computer", to have a two-step connection, the connection fails and the RD Gateway log says:

> The user "<local-user>@<RD Gateway>", on client computer "xx.xx.xx.xx:port", has initiated an outbound connection. This connection may not be authenticated yet.


OTOH, when I select "use my RD Gateway credentials for the remote computer", the connection goes well (because domain users are allowed as well at the moment, to make sure that the RD Gateway is functional) and the RD Gateway log says:

> The user "<My Domain>\<domain-user>", on client computer "xx.xx.xx.xx", met connection authorization policy requirements and was therefore authorized

Any hints to use the RD Gateway server Local Users for RD CAP and RD RAP ?










RDS 2019 after rename via Set-RDPPublishedName can't open published apps anymore


Hi,

we are running one RDS2019 server.

internal FQDN:    rds2019.ourdomain.com

external FQDN:   service.ourdomain.com

installed certificate: service.ourdomain.com

Gateway service is installed and connection broker is set to external FQDN.

Login to rdweb works fine. If you start any published app it shows up both servers on the RDP connection. So the connection drops due to the fact that on the certificate only the external name is published.

Now we've changed the internal FQDN via the script. Looks great. On the RDP both servers have the same name - but... Can't sign in anymore during the app start.

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server

and

The program lsass.exe, with the assigned process ID 720, could not authenticate locally by using the target name TERMSRV/service.ourdomain.com. The target name used is not valid. A target name should refer to one of the local computer names, for example, the DNS host name.

Any suggestions?


RDS with Multifactor Authentication that works with Macs?


Hi,

My org currently uses RDS 2012 R2 and we use the "Microsoft Remote Desktop" application for a lot of users to be able to access our environment from Apple and Android devices. Word's come down that multi-factor authentication is a priority going forward and I am currently configuring an RDS environment built on Server 2019 that uses the Azure Application Proxy for multi-factor pre-authentication...

But it appears to me that using this method the Microsoft Remote Desktop app doesn't work. It gets a "the remote resource feed is invalid" error when connecting, and the instructions I've found for configuring on-premise RDS integration with Azure say that it only supports Windows 7 and 10, unless using passthrough (which as I understand does not support Multi-Factor Authentication).

I did some quick reading on using NPS for MFA for RDS but I'm not finding much that would make me think it would work with the Mac OS/Android Microsoft Remote Desktop app.

Is there another method for Mac users to connect to RDS and get MFA? Does one of the methods above work with the Microsoft Remote Desktop app? What are other people using to get around this (do you just tell people no Macs allowed?)

Thanks!

RDS CALs per user only partially issued


Hello,

We have a new Server 2016 Remote Desktop environment set up (1 broker + 2 TS's).
We installed 50 RDS CALs (per user).

At first none of the CALs were being issued, but the remote desktop connections work fine nonetheless (published apps).
License configuration + License Diagnostics say everything is OK.

So we removed the licenses, reinitialized the database, reinstalled the licenses, reactivated license server.
After that we noticed that about 10% of the connections made had a corresponding CAL issued.
I have no idea why some are issued and most are not. The users for whom the CAL was issued are spread across both TS's.
Event Viewer shows nothing out of the ordinary regarding RDS licensing. License config + diagnostics still say everything is OK.

It also turns out that the grace period is still active when we check through WMI: 110 days left (10 days passed since reactivating the licenses).

Any ideas on where to look next? Thank you.


Remote Desktop - License issue results in 60 minute session time limit


I have 2 machines:

A) Server 2019 Standard

B) Server 2016 Standard

I am not on a domain.

Server-A acts as a licensing server for both Server-A and Server-B

I installed the Remote Desktop Licensing service on Server-A on 18-Mar-2020 and installed per-device CALs for 2012, 2016, and 2019. The original install date for the machine running the licensing service is Feb-2019. It is activated and RD Diagnoser "did not identify any problems to report".

I was then able to connect with 10+ clients on either machine simultaneously.

Today, a few weeks later, connecting clients on Server-A (which hosts the licensing server) receive: "there is a problem with your remote desktop license and your session will be disconnected in 60 min"

This error does not appear when connecting to Server-B.

The RD Licensing Manager shows "issued" as 0 for both device and user CALs.

I verified that the local GP on either machine was configured (comp config > admin templates > rds > rd licensing > remote desktop session host > licensing):

1) use specified server is configured on both servers by IP address

2) remote desktop licensing mode is set to device

I rebuilt the licensing database and re-applied the per-device licenses with no effect.

Tried deleting an MSLicensing registry key on both server and client with no effect.

There are certificate entries in:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM

...but I have not touched them

users unable to login to RDS (user profile service prohibits..)


Hi,

Sometimes we have issues with users unable to login to the RDS collection. Researching this we came to the conclusion the problem is with corrupt profiles on the local RDS server. Sometimes people login with a temp profile, creating a profile folder with only appdata.

The way to fix this issue is cleaning the local profile from all RDS servers in the collection and renaming the roaming profile from the fileservers.

I'm looking for a script or tool that correctly cleans profiles from RDS servers and also cleans the registry in Profilelist and Profileguid. For now I have only found scripts that do one thing and not everything that is needed to clean corrupt ones.

Thanks!

PublishedApp


Hi there

I am trying to publish an application to my RDS 2019 environment with special settings per user.

I am familiar with how to publish most of the apps but this one comes with a trick.

In the typical RDS desktop environment, each user has their own desktop that, when launched, looks at the target command and pulls the property from the registry entry. Something like:

User one has on the desktop a shortcut that points to "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" in the target, but we add /111.

So the shortcut in the Target is something like: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" /111

Each user will have that shortcut differently:

user 2 "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" /112

user 3 "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" /113

The question here is:

How can I publish that shortcut to my users that log into the RDS web interface?

Thanks

Remote Desktop Connection Issues

Hopefully someone in here can assist with a somewhat weird Remote Desktop connection issue I've been seeing. As of a few weeks ago, all employees are on work from home; however, I have been getting emails from users who have been experiencing Remote Desktop Connection kicking them off, then when they try to get back in, they get an error about too many users being logged on. For now, I have been remotely rebooting the workstation they are remoting in to. It should be noted that we do not use the server side; we connect to our SSL VPN, which puts us on our network, then open up Remote Desktop Connection to connect to our workstation in the office. Any ideas?

RDS Gateway - disable Default Web in IIS


Hi

On an RDS GW -> can this page/web be disabled? If so, how?

IIS default web


Christian

