Quantcast
Channel: Remote Desktop Services (Terminal Services) forum
Viewing all 25525 articles
Browse latest View live

SSO on 2012R2 RDS

February 25, 2015, 1:28 pm
$
0
0

Hi there,

I have set up a test environment with the following:

1 RD Gateway

1 RD Web

1 RD Broker

2 RD Session Hosts

All servers are running Windows Server 2012 R2.

The domain is: exampledomain.local

The ssl cert is a wildcard for *.exampledomain.net

For local domain PC's I've created a GPO and set the SHA1 thubprint and also credential delegation settings.

1) For domain joined PCs, if I open up a web page and browse to the RDWEB website, I still have to enter the login details once. The solution for this seems to be to edit the RDweb page to use Windows authentication (http://anandthearchitect.com/2014/01/20/rds-2012-r2single-sign-on-using-windows-authentication-for-rdweb-page/). One possible consequence of doing this seems to be that you have to specify that you're accessing the site from a private connection. This would pose a security risk when accessing from a public computer. Is there any way around this or any other way of doing this?

2) For external PCs connecting through the gateway, I get a certificate prompt stating that the cert was issued to *.exampledomain.net but the server it is connecting to is broker.exampledomain.local. One possible solution I've found on the web(https://msfreaks.wordpress.com/2013/12/23/windows-2012-r2-remote-desktop-services-part-2/) is to create a high availability RDS broker farm, give that the name broker.exampledomain.net, and create a DNS entry for it (same as the Broker). However, I've just come across this script: https://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80 that seems to indicate it would do the same. If this is the case, what would happen in the case of multiple brokers (high availability)? Would I need to set the farm name and then run the script on each broker or is just setting the farm name enough?

3) Firewall ports: on the external firewall, do I need to open port 3389 UDP to the RD Gateway server or is just 443 enough?

Thanks,

HA

 

Search

How to change domain of Remote Desktop Licensing and Host Server

February 24, 2015, 7:52 am
$
0
0

So I have a Windows 2008 R2 server running as a RDS Licensing Server and a RDS Host Server.

It is currently joined to DomainABC.com domain.

There is a 5CAL license installed, and the scope is Domain scope .... and everything works fine.

I need to change domains of the RDS Licensing and Host server.

I need to join it to resource domain named DomainXYZ.com.

How do I join it to the new domain and make it so that users from the old domain and new domain can still login?

Ive searched online, but havent seen a clear and concise answer on how to do this yet.

RDP Gateway : Custom Authentication plugin & Default CAP

March 2, 2015, 9:30 am
$
0
0

We have developed a custom authentication plugin for the RDP gateway according to Microsoft provided sample. 

https://code.msdn.microsoft.com/windowsdesktop/Remote-Desktop-Gateway-517d6273

When installing our plugin on a fresh installation of RDP gateway we get an error during the connection (see below).

If we remove the default CAP configuration setup by the RDP installation Wizard and manually configuration a new one then connection succeeds.

How to fix that issue ?

thanks

------------

Details of the error are below:

The user "domain\user", on client computer "x.x.x.x", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: "Cookie" and connection protocol used: "HTTP".The following error occurred: "23003". (event ID 201)

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

- <System>

  <Provider Name="Microsoft-Windows-TerminalServices-Gateway" Guid="{4D5AE6A1-C7C8-4E6D-B840-4D8080B42E1B}" />

  <EventID>201</EventID>

  <Version>0</Version>

  <Level>2</Level>

  <Task>2</Task>

  <Opcode>30</Opcode>

  <Keywords>0x4010000001000000</Keywords>

  <TimeCreated SystemTime="2015-03-02T14:40:45.403913800Z" />

  <EventRecordID>27</EventRecordID>

  <Correlation ActivityID="{BEA53EF1-7BBF-4973-BA10-445A99070000}" />

  <Execution ProcessID="3912" ThreadID="3028" />

  <Channel>Microsoft-Windows-TerminalServices-Gateway/Operational</Channel>

  <Computer>SAMU.corp.hamilton.com</Computer>

  <Security UserID="S-1-5-20" />

  </System>

- <UserData>

- <EventInfo xmlns="aag">

  <Username>hamilton\fko1</Username>

  <IpAddress>x.x.x.x</IpAddress>

  <AuthType>Cookie</AuthType>

  <Resource />

  <ConnectionProtocol>HTTP</ConnectionProtocol>

  <ErrorCode>23003</ErrorCode>

  </EventInfo>

  </UserData>

  </Event>

Feg HID

Create RDP file with saved usr/psw

November 5, 2014, 8:25 am
$
0
0

Hi, I hope someone can help me.

I am creating .rdp files from my Win Server 2008. I copy those shorcuts into Motorola wireless scanners, so that they connect to my server and use the apps, etc, etc.

The problem is that everytime I open the file, it does not save my password but only the domain and user. I would like to know if it is possible to create the rdp file with the credentials saved.

RDS - Remove Unknown Publisher warning?

March 2, 2015, 10:45 am
$
0
0

I found an article that shows how to remove the Unknown Publisher warning.  See Here.

The suggested GPO setting is below.  But so far, I cannot get an instance to not show the publisher warning.  Any suggestions? 

Computer Configuration/Administrative Templates/Windows Components/Terminal Server/Remote Desktop Connection Client

Enabled "Specify SHA1 thumbprints of certificates representing trusted .rdp publishers" policy and entered SHA1 thumbprint from the certificate >for example, that is " bb e6 3e a6 7f 9c 46 9f 5a d4 e8 1d d4 44 e1 84 02 86 51 e0"

    (opened Certificate mmc > double clicked on the customer's certificate "xxx.xxx.com" > clicked on the "detail" tab > searched for thumbprint as " bb e6 3e a6 7f 9c 46 9f 5a d4 e8 1d d4 44 e1 84 02 86 51 e0" > copied it and saved on a notepad.)


2012 R2 RDS Temporary Profile issue

December 30, 2013, 12:40 pm
$
0
0

I have set up a standard 3 node 2012 R2 RDS for testing. All virtualized on VMware ESXi 5.0. I have a connection Broker, session host, and web access server. I have published several applications and I can access them without a problem. Here is my issue:

When I try to log on to my session host server either locally or thru RDP, I am always logged in with a Temporary profile. It does not mater what user account I use. Even logging on locally as the administrator I get a temporary profile.

All windows updates are installed and current.

I have removed the server from the domain, deleted the account, and rejoined it to the domain.

I have deleted all .bak registry entries from here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

There is a hotfix here for a similar issue on 2012 but it does not apply to 2012 R2

The only event viewer errors are:

1515 (Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time this user logs on.)

1511 (Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.)

Any suggestions to resolve would be greatly appreciated.

Russ

GPO setting "Server Authentication Certificate Template" causes duplicate certificate requests!

September 9, 2011, 5:10 am
$
0
0

Hi,

I have recently investigated a problem with a GPO setting related to Remote Desktop (Session Hosts). This problem appears to occur on every environment I have tested on.

Feature:
When you go to your Remote Desktop Session Host settings you can configure a certificate for RDP connections. This way your RDP connection is secured by a certificate (Server Authentication). This is very handy. You can also configure this on a wider scale by using a GPO. This GPO setting is called "Server Authentication Certificate Template". What is does, it will look for an already existing certificate by this template, if not present it will request a certificate based on the certificate template.

Problem:
Great feature. But... when you enable this feature you wind up with multiple/duplicate certificate in your certificate store! This GPO setting supposed to use an already existing certificates. But apparently it keep on requesting the same certificate over and over. This causes multiple/duplicate certificates in your certificate store and on the issuing CA, which creates a mess.

Microsoft, can you please have a look into this problem?

This feature is quit handy. But it gives us an unwanted behavior. The following information is related to the GPO setting...

The full path of this node in the Group Policy Management Console is:
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security.

GPO policy seting:
Server Authentication Certificate Template

GPO policy explenation:
This policy setting allows you to specify the name of the certificate template that determines which certificate is automatically selected to authenticate an RD Session Host server.

A certificate is needed to authenticate an RD Session Host server when SSL (TLS 1.0) is used to secure communication between a client and an RD Session Host server during RDP connections.

If you enable this policy setting, you need to specify a certificate template name. Only certificates created by using the specified certificate template will be considered when a certificate to authenticate the RD Session Host server is automatically selected. Automatic certificate selection only occurs when a specific certificate has not been selected.

If no certificate can be found that was created with the specified certificate template, the RD Session Host server will issue a certificate enrollment request and will use the current certificate until the request is completed. If more than one certificate is found that was created with the specified certificate template, the certificate that will expire latest and that matches the current name of the RD Session Host server will be selected.

If you disable or do not configure this policy setting, a self-signed certificate will be used by default to authenticate the RD Session Host server. You can select a specific certificate to be used to authenticate the RD Session Host server on theGeneral tab of the Remote Desktop Session Host Configuration tool.

Boudewijn Plomp, BPMi Infrastructure & Security

Brother printer with multiple trays installed directly on the terminal server 2008 r2

March 2, 2015, 1:43 pm
$
0
0
Hello, in my scenario, I have the same mfc installed TCP-IP (same ip but different port, IP address and address IP_2) directly on the TS to differentiate printing on the drawers. Then top with mfc mfc set Tray 1 and Tray 2 set lower with the first problem arises when they access the users as are found in both set to "automatic selection" and not the settings defined with account administrator. The second problem is to logoff / logon, because even if the user specifies the drawers as described above, loses the settings. In TS you can specify the default setting the same for everyone? And 'normal to have a reframing every time the settings for profile profile? Thanks
Search

Server 2012 R2 Corrupt User Profile Disks after RDSH reboot

March 2, 2015, 2:58 pm
$
0
0

Hi,

We have a serious problem when using User Profile Disks, we have a pretty simple setup with a single RDGW & RDCB and the 2x RDSH with a folder share for redirected folders and another for User Profile Disks. Now if any server suffers a re-boot when users are connected to it then their profiles gets corrupted and are issued with a temporary profile (we have a GPO to deny use of temp profiles) and so cannot log on.

I have searched the forums and found the following hotfix http://support.microsoft.com/kb/2896328 but this ONLY applies to Windows Server 2012.

Is there any published hotfix for Server 2012 R2, else we will need to look at another way of managing profiles ?

Thanks,

Donal

Remote WebApp single sign-on not working on Win2012

January 21, 2014, 6:38 am
$
0
0

I've found a lot of articles on this problem with Windows 2008 remote desktop servers, but nothing I can find pertains to Windows 2012 RDS.  According to the documentation it's supposed to work more easily with 2012, but it is not working in my environment.  The environment is simple: I have a single Windows 2012 server with all of the roles installed on it - RD Gateway, RD Licensing, RD Web Access, RD Session Host and RD Connection Broker.  The internal and external server names are the same, and I have a GoDaddy UCC certificate that is set up as Trusted for the RD Connection broker for single sign-on and publishing, as well as for RD Web Access and Gateway services.  I'm stumped as to where to go from here to get this to work.  I've tried a few of the suggestions from the Windows 2008 server articles, including editing the renderscripts.js file, but the symptom remains the same.

What happens is that the initial sign-on to the web site is fine, but when a user tries to open an app, they get the logon dialog box shown at the end of this post. This happens whether connecting internally or externally. Typing in the password allows the user to run the apps, and after that they aren't prompted to log in again for other apps. There are no event log errors that I can find either on the server or client.  Depending on the operating system, some of the error dialogs look slightly different, showing that the logon that fails is to "server.domain.com."  I can't figure out how to fix this, so any help would be appreciated.

Deb



RDS can only connect to 1 collection

February 27, 2015, 2:00 am
$
0
0

Hi,

I have setup a RDS farm:

RDP01 -> Web Access, Gateway, Connection Broker, (For testing : Session host)
RDS01 -> Session host, Licence Manager
Test01 -> Session host

When i want to connect to RDS01 trough the Web access portal, the session is stuck at:
Initiating remote connection.

It just keeps in this state. No error and no connection...
The same story for Test01

But when i try to connect to RDP01 (testing), i am able to login just fine.

The only error i find in the event viewer is:

Remote Desktop Services has taken too long to load the user configuration from server\\FQDN for user xxxx

Did i oversee any configuration?

Cannot publish app via GUI but can via Powershell

March 3, 2015, 8:24 am
$
0
0

Hi

I'm currently looking at an environment whereby applications can be published as a RemoteAPP via the New-RDRemoteApp command but when using the gui i'm confronted with the following:

And within the RdmsUI-trace.log


No firewalls between the servers, WMI running.

Any suggestions or pointers would be great.

Thanks

RemoteFX USB Redirection - RDC App

March 3, 2015, 8:55 am
$
0
0

I'm looking to get USB redirection working in our environment.  We have a personal desktop deployment (Server 2012 R2 w/ Hyper-V Clustered) with a mix of Win 7 and Win 8 all running RDP version 8.  I'm connecting through our connection broker.

I've enabled the local policy for RemoteFX USB Redirection, but I'm unable to see the "Device" icon at the top of the RDP session.  I'm using the Microsoft Remote Desktop client from the App store on my tablet to connect.  Please advise.

RemoteApp - Your Computer Cant connect to the remote computer.....

March 3, 2015, 2:36 am
$
0
0

Hi Guys

I have setup an RDS2012 environment with:

Server1: Connection Broker (Using this as central management)

Server2: Gateway and Web in DMZ

Servers3-8: Session Hosts

Certificates: 1xWildcard with *localdomain.co.uk installed for all internal servers (Connection Broker SSO and Connection Broker Publishing). 1xSAN Cert with Web Access URL remote.externaldomain.co.uk and Alternate name for external gateway address gw.externaldomain.co.uk.

With this configuration last week internally I was able to log into Web Access and fire up a RemoteApp no problem. Over the past few day I have been tinkering with Firewall Ports and NPS/Gateway to allow access remotely and since making some changes I now cant access RemoteApps externally or internally. I get the error:

"Your Computer cant connect to the remote computer because the Remote Desktop Gateway server is temporarily unavailable."

The RemoteApp trusted publisher box has:

Publisher:  *localdomain.co.uk (Wildcard cert)

Remote computer: Connection Broker FQDN

Gateway Server:  gw.externaldomain.co.uk (covered by SAN cert)

Its not firewall related as I have temporarily allowed all traffic through WAN-DMZ and DMZ-LAN. I used this guide here to configure the Gateway with a central NPS server I have in my network. I have tried turning the RD CAP Store on the gateway back to local server running NPS but this doesn't fix it. The user is a member of an AD group defined in the RAP that has access to the network Resource Group which contains all RDS servers.

If I try and access via the internal FQDN of Web Access (I assume it doesn't need to go via gateway then) I get the same problem.

Would anyone have any suggestions on how I can trouble shoot this?

Thanks

RDS Cal issue

March 3, 2015, 9:38 am
$
0
0
Looking for some advise on how to resolve a cal issue with Server 2012 R2 RDS licensing 

i have activated the 5 Device RDS cals and when i look at the licensing server it says 5 licenses are installed but there are 0 available and 0 issued

anyone have any idea why the cals aren't available?

i have spoken to the activation team at microsoft and they say that the cals have been successfully activated.

i have checked and the RDS gateway is set for per device

any help greatly appreciated  

Chris 


Search

RemoteApp Signing with Public CA Cert, but I still need to install the certificate on each client??

March 3, 2015, 9:42 am
$
0
0

Title says it all. I setup RemoteApp signing, I log into WebAccess, I launch a program and I am prompted for credentials again.

I install the cert on the local client and then SSO works.

is it possible to get SSO without installing the cert on each client?

UPHClean for windows server 2012 r2

March 3, 2015, 8:03 am
$
0
0

Hi There,

I am facing issues during profile unloading. Some handles are not released and in use of some process or services. Mainly i see svchost.exe is in use while logging off.

And result of this is that user profile is not deleting cleanly at log off. from the next logon onwards user is not getting proper profiles,however getting the profile as username.domainname, username.domainname001.

I understand this issue can be fixed by uphclean atleast till windows server 2008, can someone suggest if it works fine for windows 2012 R2.

I understand last uphclean version was 2.0 (beta), does it work fine with windows 2012 r2? if not any other utility which helps fixing this issue?

Regards,

Abhishek

Small business server 8

March 3, 2015, 10:47 am
$
0
0
I am not a professional, but interface with our support people.  they tell me we need to buy more RDP licenses to support more users for one of our server based applications.  how does that process work.  i couldn't easily find anything about in on the MS site.

Using RDS on the client side

March 3, 2015, 8:47 am
$
0
0

I'm looking into implementing a thin client solution in our small office but I'm still trying to wrap my head around it a little.

If I have a server with Windows 2012-R2 or 2008-R2, with the Remote Desktop Services role installed, and I have a computer, what do I install on the computer in order to turn it into essentially a dumb terminal and just run everything (including the desktop) on the server?

Would I use Windows embedded for this?

RDS Pooled Desktops Certificate Prompt

March 3, 2015, 11:12 am
$
0
0

I have set up Win2012R2 RDS and I have a pooled read only desktop collection.   When I launch a desktop I get the following prompt:

The name on the certificate is the FQDN of the desktop and the issuer is the same:   desktopname.mydomain.com

I am using a wildcard cert for the deployment and it is set up as shown below.  

If I launch a RemoteApp from my session host collection I do not see the certificate prompt.  

Any ideas how to eliminate the RDP certificate prompt on the virtual desktops?

Viewing all 25525 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>