We have built a new RDGateway\RDWeb server and initial testing was working successfully.  We then installed our MFA Solution (SMS Passcode) and are now getting getting this error:

The user "userid", on client computer "ipaddress", was not authorized to connect to the RD Gateway server because a tunnel could not be created. The authentication method attempted: "Cookie" and connection protocol "HTTP". The following error occurred: "2147965432".

This is occuring on all browsers we have tested with (Edge-Chromium, Chrome, IE111) but if the user does an Empty cache and hard refresh in their browser, they are able to successfully authenticate and connect.

If we do an iisrest on the RDWeb server, users are able to successfully authenticate and connect for approx. 10 minutes before this starts occurring again.

We have totally rebuilt the server and installed all roles and have consultants double check the RDGateway\RDWeb setup to confirm those are installed correctly.

Has anyone seen this before or may now of a fix?

jkv

Good day,

I need to get licensing to allow multiple users to connect to my local server simultaneously, i have tried contacting Microsoft support i had no luck can anyone assist if you have purchased a RDP license before, how do i go about doing that? Thank you.

Kind regards 

Sibusiso  

I have a Hyper-V cluster running Server 2016 Datacenter version 1607

This cluster is running multiple VMs, including 6 RDS Host servers for users to access both internally and externally through RDGateway. Everything has been running fine since last Summer, but in the last could of days, one of the 6 RDS hosts has started to experience a typing lag. This lag occurs whether you connect via an RDP connection or even if you connect via a console session in Hyper-V Manager (without running an Enhanced session)

The lag only occurs after you log in - i.e. at the username/password field, typing appears instantly, but as soon as the users desktop appears, anything you type (notepad, word, etc, Start Menu-> Run), any typing appears on the screen very lowly, one character every (roughly) 1 second, no matter how fast you typed in. no characters are lost though.

This occurs whether you log on as a domain user or a local administrator.

All 6 RDS hosts are in the same OU and have the same GPOs applied.

No relevant changes have occurred, and no windows updates have been applied in the last month.

All other VMs and the host servers typing is normal. Only this one RDS Host.

Has anyone seen anything similar before?

Anyone got a fix?

Thanks

Ken Z

Hello all!

I am trying to install Remote Desktop Services (Roles: RD Connection, RD Session Host, RD Web Access) on Server 2019 that was previouse installed on the same server, where at the time it was on Server 2008 R2. This is a part of a server upgrade. Before upgrading the server I uninstalled the RDS roles then upgraded it from 2008t2 -> 2012 ->2012r2-> 2019. Up running the RDS deployment I am stuck at what is shown in the screen shot. I don't have a background in RDS so I have just been following guides and blogs but can't see me to find anything on this error. I am guessing there is a specific group policy that I need to create? 

In case you can't see it full, the error reads as follows:

Phil Balderos

Hello
We have a problem connecting users to disconnected sessions.

Test Farm Server 2019 with all lastest updates:

2 x RDGW and Web Access (nlb)

2 x RD Broker (nlb)

3 x RD Session Hosts

1 SQL Server 2008

User profile disks

GP:

Configure keep-alive connection interval 1m

Restrict Remote Desktop Services users to a single Remote Desktop Services session Enable

All internal and external users:

Connect session OK. Close session by cross on rdp client (not logoff)

After disconnecting the user and trying to reconnect, the Broker connects to another RDSH server.

Events:

RD Connection Broker received connection request for user .
Hints in the RDP file (TSV URL) = tsv://MS Terminal Services Plugin.1.rds_coll
Initial Application = NULL
Call came from Redirector Server = rdcb02
Redirector is configured as Virtual machine redirector

RD Connection Broker successfully processed the connection request for user . Redirection info:
Target Name = RDSH01
Target IP Address = 172.30.3.10
Target Netbios = RDSH01
Target FQDN = rdsh01
Disconnected Session Found = 0x0

After 5 min

This connection request has timed out. User could not log on to the end point within the alloted time. Remote Desktop Connection Broker will stop monitoring this connection request.

Try to reconnect

RD Connection Broker successfully processed the connection request for user . Redirection info:
Target Name = RDSH02
Target IP Address = 172.30.3.11
Target Netbios = RDSH02
Target FQDN = rdsh02
Disconnected Session Found = 0x0 ??????

Why not Disconnected Session Found = 0x1, RD broker not found session.

All session records in the database

Has anyone ever removed UPD's from a Terminal Services Session Collection (2016) before?

I've tested removing the setting in my dev environment and that new users don't get a UPD and existing users no longer mount theirs at login. Besides the obviously profile data now missing, are there any traps that are not obvious?

I have already enabled folder redirection so all users files and folders will remain (outside of appdata), I'm considering moving to FSLogix, anyone else moved from UPD to FSLogix?

https://docs.microsoft.com/en-us/fslogix/install-ht

Our reason is that our AV and security suite keep locking the UPD's after a user logs out and changing our suite is not possible at this point in time.

Thanks

Craig

What is the point of creating a self signed certificate if you still get the "This site is not secure" error? I can still access the site after clicking the "Go on to the webpage (not recommended)" with or without the certificate.

Is there any way to get rid of the message on an offline local domain?

When attempting to publish an application using server manager on our RDS Broker Server, we are receiving the follow error message "Could not create a published application instance on the server" in event viewer. We have not had this issue in the past, although the last time I published an app on this 2016 standard server is over a year. The existing published applications are running as expected. The default web site on the server has a valid wild card certificate installed. I attempted to publish the notes and wordpad applications, and received the same error. 

I also tried using powershell and received a similar message:

Any assistance would be greatly appreciated.

Hi i need an info, i use windows server 2011 Small business Essentials and i have a problem

when i log off close my program playout wich is playlist software and i,m forced to be loged in 24/7 so other users cannot be loged in when admin is loged so please how to set up to not close my program or exclude.

Hello,

I'm looking for some tips on how to use GP set the background color of the desktop, and/or taskbar (not as important). Server 2016 session host servers providing a full published desktop.

Why?

Some of my sites have low bandwidth so I want to force the background wallpaper to be removed (done), and to change the remaining desktop color to something other than black (not done).

Any tips?

I have:

• I have used GP to remove the desktop wallpaper. Now the background is black, with a black task bar
  GP > Computer Config > Admin Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment

This is not the correct setting:

• GP > Computer Config > Admin Templates > Control Panel > Personalization > Force a specific background and accent color
  (this is actually controlling the start menu colors)

I am hoping there is a more efficient way to control this other than setting a background image of one color and XX pixels in size.

Hi,

I have a setup with the following servers running Windows Server 2016

1x RDGW, RDCB, RDWA, RDLicensing.

5x RDSH

Im using UPD on the collection.

I have noticed very long login times, after policys etc are shown on screen it sits at a black screen for between 20sec and sometimes up to 5min.

I have also noticed that the svchost.exe that controls the Windows Firewall is using 25% to 50% when a user logs in and using around 1200Mb memory.

After I found this I checked the Windows Firewall with Advanced Security and found thousands of Cortana, Work or school account, Your account, Contact Support rules. 

I found a script in this thread that could delete the rules https://social.technet.microsoft.com/Forums/windows/en-US/9aad7675-d1ba-4900-9d85-0cd117f5514f/new-firewall-rules-created-for-each-user?forum=win10itprosetup

This made the CPU usage and memory usage go down to normal levels, but after every login a user does it builds up the list of rules again. With many users logging in to the system the rules build up very fast and the login times gets high and every server gets slow.

Example on our RDSH01 server that have been running in production since 2017-04-13 the script found and deleted 66153 rules that it found with "$Rules = Get-NetFirewallRule -All | Where-Object {$profiles.sid -notcontains $_.owner -and $_.owner }"

The script also tryed to get rules with this command "$rules2 = Get-NetFirewallRule -All -PolicyStore ConfigurableServiceStore | Where-Object { $profiles.sid -notcontains $_.owner -and $_.owner }" but fails with an "not enough space error"

The script removes the rules from here with the content of $rules "HKLM:\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules"

and $rules2 was meant to clean up at "HKLM:\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System"

but doesnt do anything because of the error on the Get-command. If I try to access it with regedit it stops to respond, guessing there are too many items in that container for it to handle.

Anyone know a solution for this problem? 

Regards Fredrik

have a new deployment of server 2019 terminal services.  We are sharing just the applications, not the full vdi, also i have the session host and the gateway/broker as two separate virtual machines using hyper-v.  The session host is using a direct attached graphics card.  The gateway/broker is configured w/ two nics, one internal, and the other in a DMZ.  The session host just has the one internal nic.  

The issues is that when i connect from my internal network, that is when the performance is awful.  The best i can describe it is that it's lagging behind.  For example the calculator app, after i move the mouse over it and click some numbers, over the course of the next 30 seconds i can see just where i moved my mouse all over the app and click the numbers.  Also when i move the app's windows it moves about 30 seconds after i move it.  However if i remote in from the outside world it works perfect.  Hardware performance is not getting taxed at all, it feels very much like a connection thing.  I had meraki verify that all the traffic was staying local on that switch, and the there was no lag coming from the switch, but he did note that he felt there was an excessive amount of udp traffic given the task at hand. 

Any idea's on where else i could even look to trouble shoot this, or better yet a solution>?

many thanks! 

IT guy

Hi

I have administration servers RDS Win2016 Server name serv1 with per user licensing and next RDS Win2016 Server name serv2 with per dev licensing. 

From this RDS servers we connect myself to RDS cluster with per dev licensing. This RDS cluster have 3 Windows 2016 Servers. On license server I see multiple issued RDS CALS for this two RDS servers serv1 and serv2.

I used power shell script OutTSlicense for looking information about issued license for devices from RDS cluster. We have a lot off issued license for administration server serv1 and serv2. For different devices thin client and windows desktopI don't have duplicate license use.

When I connect from serv1 RDS Windows 2016 Server to my RDS cluster should be issued 1 per device RDS CAL license for serv1 but are issued 12 CALS. On  serv1 work only 5 users.

Information from OutTSlicense script issued CALS:

hostname hardwareid

serv1     00024c4c454458100043c0b15680324b354f

serv1     00024c4c454458100043c0b15680324b354f

.........

I have 12 issued RDS DEV CALS for one server with this same hardwareid.

While this consume me multiple CALS?

Regards

Hi

I have administration servers RDS Win2016 Server name serv1 with per user licensing and next RDS Win2016 Server name serv2 with per dev licensing. 

From this RDS servers we connect myself to RDS cluster with per dev licensing. This RDS cluster have 3 Windows 2016 Servers. On license server I see multiple issued RDS CALS for this two RDS servers serv1 and serv2.

I used power shell script OutTSlicense for looking information about issued license for devices from RDS cluster. We have a lot off issued license for administration server serv1 and serv2. For different devices thin client and windows desktop I don't have duplicate license use.

When I connect from serv1 RDS Windows 2016 Server to my RDS cluster should be issued 1 per device RDS CAL license for serv1 but are issued 12 CALS. On  serv1 work only 5 users.

Information from OutTSlicense script issued CALS:

hostname hardwareid

serv1     00024c4c454458100043c0b15680324b354f

serv1     00024c4c454458100043c0b15680324b354f

.........

I have 12 issued RDS DEV CALS for one server with this same hardwareid.

While this consume me multiple CALS?

Regards

Hi!

I need help with a RDS-deployment where our users primarily experience delays in open PDF files.
If a user opens a PDF-file in Acrobat Reader DC from the Desktop it takes approx 20-30 seconds to open it. But only the first time. If the user close the file and open a different PDF-file, it starts within a few seconds.

We first believed that it had something to do with the application itself. But we have tried "all" setting configurations in Adobe, without any progress.

We also experience delays when opening for an example Windows Powershell as administrator, DNS Manager, Active Directory Users and Computers on the domain controller. Approx 20-30 seconds as well.

We don't see anything strange, warnings or errors, in the event log.

For the RDS-deployment we use user profile disks on another server, 20 GB maximum.

We have temporarily disabled the firewall, antivirus, verified power plan "high performance" etc.

After a lot of troubleshooting, I tried to create a new admin user with exactly the same access and created in the same OU as another admin user that experience the delays. The new user is working totally normal. All problems described above can't be reproduced. Can someone explain why?

The environment contains of one domain controller, one file server (user profile disks) and the RDS server. Windows Server 2016 Standard. The RDS server has 8 GB RAM, 4 CPU. Approx 10 users uses the remote desktop simultaneously. CPU and RAM utilization is ok. All RDS roles is installed on the RDS server.

It's VMware in the background, we don't find anything strange regarding disk latency either. We use paravirtual disks.

Thanks in advance!

Hello,

We have a new Server 2016 Remote Desktop environment set up (1 broker + 2 TS's).
We installed 50 RDS CALs (per user).

At first none of the CALs were being issued, but the remote desktop connections work fine nonetheless (published apps).
License configuration + License Diagnostics say everything is OK.

So we removed the licenses, reinitialized the database, reinstalled the licenses, reactivated license server.
After that we noticed that about 10% of the connections made had a corresponding CAL issued.
I have no idea why some are issued and most are not. The users for whom the CAL was issued are spread across both TS's.
Eventviewer shows nothing out of the ordinary regarding RDS licensing. License config + diagnostics still say everything is OK.

It also turns out that the grace period is still active when we check through WMI : 110 days left (10 days past since reactivating the licenses).

Any ideas on where to look next ? Thank you.

Hi everyone,

i configured RDSH/ RDP licensing server

I change mode RDP to per user, after i change again to per devices.

But i can't install again my CAL key.

Always total available client number : 0

What can i do for this issues?

Hi,

we're facing the following issue while trying to add new Remote Desktop Session Hosts into
a session host collection  : "Unable to retrieve the session collection properties".

The server can be added into the deployment but can't be added into the session host collection and the message above
is returned. This error never happened before and is ennoying as we need to deploy more Servers/Collections.

A collegue noticed that adding a couple of servers at once (from the GUI) succeeded ...
I can't find anything related on EventViewer (Brokers / DataBase server)

Is this a known bug ? I can't find anything related on Microsoft support.microsoft.com
Any help would be much appreciated, Thanks.

MCTS Windows Server Virtualization, Configuration

Well I just wrote a multi-page post here referencing my entire architecture, troubleshooting attempts made, guides read and then got an internal server error when I tried to post it so I'm not going to go through that again, I'll just simplify my question-

Has anyone gotten Azure AD Proxy in pre-authentication mode to work with RDS 2019 in an environment where you alter the published name to prevent certificate warnings due to split domains?

I have everything setup exactly as is described here- https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-integrate-with-remote-desktop-services

Internal address points to an internal DNS record that points to my connection broker/rd gateway server.

This all works fine for the RD Web Access Portal, I can login to the external address, get prompted by azure for login, get to the internal portal without errors, login there and can see my session host collection. When I click that collection though I get"logon attempt failed"

This is using Internet Explorer, with the MsRdpClientShell Class addin enabled.

The gateway works perfectly inside of my network, using the DNS address or the server FQDN (though this way will give cert warnings).

I've tried disabling HTTP redirection on the IIS server on the connection broker. I've set the RAP to allow connections to all resources and when that did not work I specifically added the DNS name to the resource list.

Mostly I just need to know if this is even possible or if Azure AD proxy will not work with the RD Gateway using a changed published address like this.

Thanks!

---

Edit- Also I cannot find any failed connections in the logs, so it doesn't appear as if the connection attempt is actually hitting the broker or gateway