Good time. We have a Remote Desktop Services farm.
All servers in the RDS farm are located in DomainA.Com
DomainA.Com
#############################################################################
DC1 192.168.0.11/24
DC2 192.168.0.12/24
DC3 192.168.0.13/24
#############################################################################
DomainB.Com
#############################################################################
DC1 192.168.2.11/24
DC2 192.168.2.12/24
ClientB 192.168.2.20/24
#############################################################################
Also there is access to ports TCP 443,80,3389
192.168.2.0/24 -> 192.168.1.21
192.168.2.0/24 -> 192.168.1.22
We have two records in DNS:
rds.DomainC.com 192.168.1.21
rds.DomainC.com 192.168.1.22
Web Access is available at rds.DomainC.com
#############################################################################
ClientB 192.168.2.20/24
OS: Windows XP SP3
CredSSP enabled
#############################################################################
Server roles:
#############################################################################
s-rds-sh-01
OS: Windows Server 2012 St
Windows Server Roles:
Remote Desktop Services (Remote Desktop Session Host)
The functions in the RDS:
Session Host
-------------------------------------------------- ---
s-rds-gw-01
OS: Windows Server 2012 St
Windows Server Roles:
Network Policy and Access Services (Network Policy Server)
Remote Desktop Services (Remote Desktop Gateway, Remote Desktop Web Access)
Web Server IIS
The functions in the RDS:
Gateway + Web Access
-------------------------------------------------- ---
s-rds-gw-02
OS: Windows Server 2012 St
Windows Server Roles:
Network Policy and Access Services (Network Policy Server)
Remote Desktop Services (Remote Desktop Gateway, Remote Desktop Web Access)
Web Server IIS
The functions in the RDS:
Gateway + Web Access
-------------------------------------------------- ---
s-rds-cb-01
OS: Windows Server 2012 St
Windows Server Roles:
Remote Desktop Services (Remote Desktop Connection Broker, Remote Desktop Licensing)
The functions in the RDS:
Connection Broker + Licensing
-------------------------------------------------- ---
s-rds-cb-02
OS: Windows Server 2012 St
Windows Server Roles:
Remote Desktop Services (Remote Desktop Connection Broker, Remote Desktop Licensing)
The functions in the RDS:
Connection Broker + Licensing
#############################################################################
IP Settings
#############################################################################
s-rds-cb-01
-----------------------------------------------------
Windows IP Configuration
Host Name . . . . . . . . . . . . : s-rds-cb-01
Primary Dns Suffix . . . . . . . : DomainA.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : DomainA.com
Ethernet adapter Ethernet 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
Physical Address. . . . . . . . . : 00-50-56-8F-7B-DD
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.0.43(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.11
192.168.0.12
192.168.0.13
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{82628FA0-2067-409C-94DA-38B6A26E9E07}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
-----------------------------------------------------
s-rds-cb-02
-----------------------------------------------------
Windows IP Configuration
Host Name . . . . . . . . . . . . : s-rds-cb-02
Primary Dns Suffix . . . . . . . : DomainA.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : DomainA.com
Ethernet adapter Ethernet 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
Physical Address. . . . . . . . . : 00-50-56-8F-7B-DB
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.0.44(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.11
192.168.0.12
192.168.0.13
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{82628FA0-2067-409C-94DA-38B6A26E9E07}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
s-rds-gw-01
-----------------------------------------------------
Windows IP Configuration
Host Name . . . . . . . . . . . . : s-rds-gw-01
Primary Dns Suffix . . . . . . . : DomainA.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : DomainA.com
Ethernet adapter Internet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #2
Physical Address. . . . . . . . . : 00-50-56-8F-3C-D0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.1.21(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Local:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
Physical Address. . . . . . . . . : 00-50-56-8F-7B-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.0.41(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.0.11
192.168.0.12
192.168.0.13
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{82628FA0-2067-409C-94DA-38B6A26E9E07}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{AB680AB5-AFB9-4605-8553-B02B5F359B1E}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter 6TO4 Adapter:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2002:c18e:38aa::c18e:38aa(Preferred)
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Disabled
s-rds-gw-02
-----------------------------------------------------
Windows IP Configuration
Host Name . . . . . . . . . . . . : s-rds-gw-02
Primary Dns Suffix . . . . . . . : DomainA.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : DomainA.com
Ethernet adapter Internet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #2
Physical Address. . . . . . . . . : 00-50-56-8F-3C-CF
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.1.22(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Local:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
Physical Address. . . . . . . . . : 00-50-56-8F-7B-E1
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.0.42(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.0.11
192.168.0.12
192.168.0.13
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{5EF971FC-F635-4421-B5A4-2FCD5F00392A}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{82628FA0-2067-409C-94DA-38B6A26E9E07}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter 6TO4 Adapter:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2002:c18e:38b0::c18e:38b0(Preferred)
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Disabled
s-rds-sh-01
-----------------------------------------------------
Windows IP Configuration
Host Name . . . . . . . . . . . . : s-rds-sh-01
Primary Dns Suffix . . . . . . . : DomainA.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : DomainA.com
Ethernet adapter Ethernet 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
Physical Address. . . . . . . . . : 00-50-56-8F-7B-D8
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.0.46(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.11
192.168.0.12
192.168.0.13
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{82628FA0-2067-409C-94DA-38B6A26E9E07}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
#############################################################################
When a client from DomainB.com tries to connect to a RemoteApp on Web Access through the Gateway server, the following problem occurs: the "connect to the application" window "hangs" for 38 seconds.
Analysis of the situation shows that there are two timeouts. The Gateway server is trying to "talk" to the domain controllers of DomainB.com, which contains ClientB.
In the Wireshark dump we see a CLDAP query from the gateway server to the domain controllers of DomainB.com:
Filter: (&(&(&(DnsDomain=DomainB.com)(Host=S-RDS-GW-01))(NtVer=0x20000016))(DnsHostName=s-rds-gw-01.DomainA.Com))
The client from DomainB.com tries to make the same kind of request, but to the domain controllers of DomainA.com:
Filter: (&(&(&(DnsDomain=DomainA.com)(Host=clientB))(NtVer=0x20000006))(DnsHostName=clientB.DomainB.Com))
If we open access from the Gateway server to the domain controllers in DomainB.com, it attempts to obtain a Kerberos TGS:
MSG Type: TGS-REQ (12)
padata: PA-TGS-REQ
It then receives a response from the domain controller:
MSG Type: KRB-ERROR (30)
error_code: KRB5KDC_ERR_POLICY (12)
Also, if we open access from the gateway to the domain controllers of DomainB.com, the "dialogue" between the gateway and the domain controllers happens within a few seconds, and after that the application opens.
There are a number of questions:
1) Why does the Gateway server of DomainA.com try to access the domain controller of DomainB.com?
2) Why does ClientB.DomainB.com refer to a domain controller of DomainA.com?
3) How can we change this behavior?
ClientB.DomainB.com needs to communicate with the servers in the farm only through the RDS gateway on port 443.
P.S. - If the client is in a workgroup, there is no problem.
P.P.S. - We have this problem with any application.
In the end, the cause of all causes turned out to lie in the beginning of all beginnings...
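An added example, not part of the original post: a small Python parser for the two DC-locator filters quoted above, as Wireshark displays them. It decodes the NtVer bits (NETLOGON_NT_VERSION flags from MS-ADTS) and flags lookups where the requesting host's own domain differs from the domain it is trying to locate. The function names and the third, same-domain sample filter are constructed for illustration.

```python
import re

# NETLOGON_NT_VERSION flag bits used in DC-locator (CLDAP "ping") requests.
NTVER_FLAGS = {
    0x00000001: "V1",
    0x00000002: "V5",
    0x00000004: "V5EX",
    0x00000008: "V5EX_WITH_IP",
    0x00000010: "WITH_CLOSEST_SITE",
    0x01000000: "AVOID_NT4EMUL",
    0x10000000: "PDC",
    0x20000000: "IP",
    0x40000000: "LOCAL",
    0x80000000: "GC",
}

# Matches a single "(Attribute=value)" term; the "(&" grouping is skipped.
_TERM = re.compile(r"\(([A-Za-z]+)=([^()]*)\)")


def parse_locator_filter(text):
    """Return the attribute/value terms of a locator filter as a dict."""
    return {name.lower(): value for name, value in _TERM.findall(text)}


def decode_ntver(value):
    """Turn an NtVer value such as '0x20000016' into a list of flag names."""
    number = int(value, 16)
    names = [name for bit, name in sorted(NTVER_FLAGS.items()) if number & bit]
    unknown = number & ~sum(NTVER_FLAGS)
    if unknown:
        names.append("UNKNOWN_0x%08x" % unknown)
    return names


def classify(text):
    """Summarise who is asking for a DC of which domain."""
    terms = parse_locator_filter(text)
    fqdn = terms.get("dnshostname", "").lower().rstrip(".")
    own_domain = fqdn.partition(".")[2]
    target = terms.get("dnsdomain", "").lower().rstrip(".")
    return {
        "requester": fqdn,
        "requester_domain": own_domain,
        "target_domain": target,
        # True when a host looks for a DC outside its own domain.
        "cross_domain": bool(own_domain and target) and own_domain != target,
        "ntver": decode_ntver(terms["ntver"]) if "ntver" in terms else [],
    }


def cross_domain_lookups(filters):
    """Return the classified entries that cross a domain boundary."""
    return [c for c in map(classify, filters) if c["cross_domain"]]


# The first two filters are quoted from the post; the third is constructed.
SAMPLE_FILTERS = [
    "(&(&(&(DnsDomain=DomainB.com)(Host=S-RDS-GW-01))(NtVer=0x20000016))"
    "(DnsHostName=s-rds-gw-01.DomainA.Com))",
    "(&(&(&(DnsDomain=DomainA.com)(Host=clientB))(NtVer=0x20000006))"
    "(DnsHostName=clientB.DomainB.Com))",
    "(&(&(&(DnsDomain=DomainA.com)(Host=S-RDS-SH-01))(NtVer=0x20000016))"
    "(DnsHostName=s-rds-sh-01.DomainA.Com))",
]

if __name__ == "__main__":
    for entry in cross_domain_lookups(SAMPLE_FILTERS):
        print("%(requester)s -> DC of %(target_domain)s %(ntver)s" % entry)
```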