Hey guys, just wondering if any of you have seen this behavior or managed to be able to correct it because I can't seem to find a fix. The client computer is running the latest version of Windows and the RDS Servers are at latest patch of Server 2016. The client opens up a remote app and then minimizes it and the remote app disappears from their taskbar.
Any ideas?
Cheers!
Brian Baldock | MCSE | MCSA | MS | MCP Please note: This post is provided as is with no guarantee. Test, then test again
We're currently having issues setting up our Terminal Server for our remote users.
Everything is on place: RD Web Access, RD Gateway, RD Connection Broker (Some confusion) and RD Session Host.
We are able to connect to the interface locally and remotely to servername/rdweb/webclient/index.html, we can use the Remote Apps locally but when we try to use the Remote Apps from a remote computer it gives us this error:
Oops, we couldn't connect to "Remote Desktop Connection"
The connection to the remote PC was lost. This might be because of a network problem. If this keeps happening, ask your admin or tech support for help.
Does anyone have any idea what were doing wrong? It would be really helpful.
I am having trouble with 2016 Server configuring IP Virtualisation, running as vm on a Hyper-V host
If I use a DHCP Server I get the following error
"Remote Desktop IP Virtualization could not acquire an IP address for session ID 2. Error code: 0x800714CA"
(If I time it correct on a Cisco 500 switch I can see the IP address being allocated before it aborted)
If I try and use static iP configured in registry I get the following errors in the log,
Remote Desktop IP Virtualization could not load C:\WINDOWS\system32\TSVIPool.dll. Error code: 0x80070002
An error occurred when the computer tried to start Remote Desktop IP Virtualization: 0x80070002.
I followed the following guides (links removed)
Deploying Remote Desktop IP Virtualization Step-by-Step Guide
Using Static IP Addresses for Remote Desktop IP Virtualization
I have found this which may describe my issue for the static IP.
https://support.microsoft.com/en-gb/help/2402260/possible-delays-while-assigning-virtual-ip-addresses-in-remote-desktop
However what does it mean when it advises “Workaround:ConfigureRDS Session Initial Program (Startup program) to run with a startup script (logon script) and introduce a 1-3 second delay into the execution of any process“
What do I have to do to implement the workaround? or is there any other suggestions
Hello,
We have a Windows Server 2016 box that is being used for users to remote in to their computers by way of RDWeb. Every time someone goes to the website to login we we get the following Warning logged in events:
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 10/26/2018 10:49:47 AM
Event time (UTC): 10/26/2018 2:49:47 PM
Event ID: 00f90daa62f94580925cf71413f5874d
Event sequence: 5
Event occurrence: 1
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/1/ROOT/RDWeb/Pages-6-131850389869549350
Trust level: Full
Application Virtual Path: /RDWeb/Pages
Application Path: C:\WINDOWS\Web\RDWeb\Pages\
Machine name: XXXXXX
Process information:
Process ID: 5096
Process name: w3wp.exe
Account name: IIS APPPOOL\RDWebAccess
Exception information:
Exception type: NullReferenceException
Exception message: Object reference not set to an instance of an object.
at Microsoft.TerminalServices.Publishing.Portal.FormAuthentication.TSFormAuthTicketInfo..ctor(HttpContext objHttpContext)
at ASP.en_us_default_aspx.<GetAppsAsync>d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Web.UI.PageAsyncTaskManager.<ExecuteTasksAsync>d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Web.UI.Page.<ProcessRequestAsync>d__554.MoveNext()
Request information:
Request URL: https://XXXXXXXXX:443/RDWeb/Pages/en-US/Default.aspx
Request path: /RDWeb/Pages/en-US/Default.aspx
User host address: XXXXXXXX
User:
Is authenticated: False
Authentication Type:
Thread account name: IIS APPPOOL\RDWebAccess
Thread information:
Thread ID: 115
Thread account name: IIS APPPOOL\RDWebAccess
Is impersonating: False
Stack trace: at Microsoft.TerminalServices.Publishing.Portal.FormAuthentication.TSFormAuthTicketInfo..ctor(HttpContext objHttpContext)
at ASP.en_us_default_aspx.<GetAppsAsync>d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Web.UI.PageAsyncTaskManager.<ExecuteTasksAsync>d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Web.UI.Page.<ProcessRequestAsync>d__554.MoveNext()
Custom event details: Hi,
I have special circumstances where I need to connect (RDP using MSTSC) to a Windows server that enforces RDP over TLS, but without NLA (enablecredsspsupport:i:0 in the RDP file, the server allow this).
On some clients (I saw this only with Windows Server 2012 R2 clients) I'm getting the following error: "The connection cannot proceed because authentication is not enabled . . .".
The only thing I found online was to change the authentication level, which didn't help.
I analyzed the traffic using Wireshark and I believe the problem is with the RDP negotiation, where the client sends a list of it's supported security protocols. If I connect from the same client with NLA (enablecredsspsupport:i:1) I get this:
requestedProtocols:
.... .... .... .... .... .... .... ...1 = TLS security supported: True
.... .... .... .... .... .... .... ..1. = CredSSP supported: True
.... .... .... .... .... .... .... 1... = Early User Authorization Result PDU supported: True
But if I connect with enablecredsspsupport:i:0 I get this:
requestedProtocols:
.... .... .... .... .... .... .... ...0 = TLS security supported: False
.... .... .... .... .... .... .... ..0. = CredSSP supported: False
.... .... .... .... .... .... .... 0... = Early User Authorization Result PDU supported: False
Where I would expect this (I do get this with some clients):
requestedProtocols:
.... .... .... .... .... .... .... ...1 = TLS security supported: True
.... .... .... .... .... .... .... ..0. = CredSSP supported: False
.... .... .... .... .... .... .... 0... = Early User Authorization Result PDU supported: False
It seems like for some reason disabling CredSSP on the client also disables TLS.
I would appreciate if someone could help me figure out what's happening.
Thanks,
Gabriel
Hi,
I have a Windows Server 2012 R2 there i have installed:
RD Web Access
RD Connection Broker
RD Session Host
But RD Connection Broker service will not starta I get this 3 errors:
Event ID: 833 Source: TerminalServices-SessionBroker
The VMResource plugin failed to load. Error: VMResource is not a valid Win32 application.
Event ID: 833 Source: TerminalServices-SessionBroker
The MS Default Provisioning Plugin plugin failed to load. Error: The group or resource is not in the correct state to perform the requested operation.
Event ID: 898 Source: TerminalServices-SessionBroker
RD Connection Broker service failed to start. HRESULT = 0x8007139F.
I have checked VMResource in register in it´s look fine.
Regards Pierre
We have a single forest, single domain AD environment. A password policy has been set through 'Default Domain Policy'.
We would like to implement second password policy with different complexity requirements. As per the official Microsoft document thus can be achieved through Fine Grain Password policy.
Please confirm that there is no such system limitations and another password policy can be configured for application administrator's.
Kindly respond at your earliest.
Can't figure out why login through RDS Gateway is so slow...
I've setup a 2019 RDS environment.
It's all VM's
Server: Connection Broker and License Server
Server: Session Host (Server 2019)
Server: Gateway (in DMZ)
Using FSLogix.
MFA plugin through Azure.
When logging in from inside network it's fast. (Not asking for MFA)
When logging in from outside through gateway, it takes 1:40 minutes before desktop is ready. (Asking for MFA)
Using a RDP file.
MFA challenge comes ~11 seconds after password is entered.
After that: "Configuring remote session" in a long time.
Occasionally the login is way faster.
(after I wrote this, the MFA challenge took 4 seconds and was 100% logged in in about 10 seconds through gateway)
I can't see where to begin troubleshooting...
Sometimes the connection is lost, asking the MFA challenge again.
Tried using "Negotiate" and "RDP Security Layer"
Tried looking Event Viewer on several servers with no luck
Sorry for the jumping in text.
Side note. this all works fine using the legacy reweb and rds client.
When trying to connect using the web client, we get the usual "Oops, we couldnt connect".
When i look in the dev view, I see websocket connection to the gateway failed, 404:
WebSocket connection to 'wss://gateway.testcloud.co.uk/remoteDesktopGateway?CorId=%7B334da63a-1571-428b-903f-b23d4a860000%7D&ConId=%7B32369577-63bd-4dee-a4bc-dd8f08495d4e%7D&ClGen=HTML%3D1&ClBld=Type%3DRdClient%3B%20Build%3Dprivate&AuthS=SSPI_NTLM' failed: Error during WebSocket handshake: Unexpected response code: 404
Any ideas?
Dear all,
Enviorment:
2 DCs: Windows Server 2012R2
1 Terminalserver Session Broker: Windows Server 2016 (Session Broker and License Server)
3 Terminalserver Host: Windows Server 2016 (RDS Host)
If I deploy a new GPO on the DCs to the OU of the terminalservers the deployment works fine for all users. If I deactivate the GPO on the DCs and force the gpupdate on the terminalservers the GPO will stay activated to the users. After a bit of research it seems like the ntuser.dat from the user stored in the user profile disk won't be updated. If I delete the ntuser.dat manually and login again to the terminalservers I will get the right activated GPOs.
Folder permissons for the folder where the UPD are stored: Everyone (Read and Execute, Read Folder), System (Full Access), Every Terminalserver (Full Access), Domain-Admins (Full Access), Local Users (Read and Execute, Read Folder) Local Admins (Full Access)
File permissions for UPD vhd-files: Everyone (Read and Execute), System (Full Access), AD User himself (Full Access), Every Terminalserver (Full Access), Admin (Full Access), Domain-Admins (Full Access), Local Users (Read and Execute, Read Folder) Local Admins (Full Access)
For me it seems like the ntuser.dat do not work fine. Has anyone an idea?
Thanks!
Hi all,
We have made a RDS Farm to deploy a Virtual App. After configuring the roles, we have this structure:
server 1 and 2 are in DMZ VLAN, and server 3, 4 and 5 in midd VLAN. To publish our public DNS, we use a pool into VIP F5 that balance the connections with Round Robin mode and assign a static public IP to this DNS.
All roles are in HA: RD bróker have a DNS RR register with the server 1 and 2 IP, RDGateway is duplicated on both servers, RD Web Access and IIS is installed on both servers and the RDSH role is blanacing via RDBokrer service.
The question is: Is possible to check the health status of every role (RD Gateway, RD Bróker and RD Web Access) to remove of the F5 pool the machine when some role is out of service in a server1 or 2 ?
Thanks!
Gerardo,
Hi
We have a problem with logon times on our RDP 2012R2 servers. It must be related to the roaming profile.
The problem:
The users logon on via RDP. The profile gets loaded, applying group policy settings and so on, and then the "black screen" starts. I can take up to 15 minutes before the users desktop is visible and ready to work.
While there are black screen I can press CTRL+ALT+DEL and go to the task manager. The only process that is working is explorer.exe.
If we create a new profile the users are logged in less than a minute, but the logon process and the time for the black screen increases over time. It happens for all our users on our 30 RDS servers.
Any suggestions?
I remote desktop to my Window 10 Surface laptop via LAN (to use Outlook from the laptop) allowing me to create send/emails on the Surface laptop via remote desktop from my desktop PC. This has been working fine for 2+ years. Recently the Surface 10 has started ending the remote desktop session randomly perhaps 2 or 3 times per day. The worst parts is that it also terminates all running applications so when I can finally remote desktop back in my Outlook sessions have been lost. This is frustrating as I have lost a lot of drafted emails.
(I’ve setup Outlook to save every 1 minute but even so sometimes I lose the active email I'm working on in Outlook or recently received emails - I've lost lots of work because of this - it is driving me crazy.)
If I try to immediately log back in via RDP I sometimes get:
The number of connections to this computer is limited and all connections are in use right now. Try connecting later or contact your system administrator
I wait and try again and I can log back in but all my applications have been terminated. Perhaps the user session is being logged out and back in – I can’t tell.
Why on earth would all apps be terminated - it's as if the Surface computer user session is logged out and terminates all running apps for absolutely no reason.
There are no failed attempts in System Event Log Security, only forced log off. I noticed over 100 Audit Success security events at same time:
Credential Manager credentials were read.
Subject:
Security ID: DOMAIN\My Name
Account Name: My Name
Account Domain: DOMAIN
Logon ID: 0x1A293A3D8
Read Operation: Enumerate Credentials
This event occurs when a user performs a read operation on stored credentials in Credential Manager.This is then followed with:
An account was logged off.
Logon Type: 3
This event is generated when a logon session is destroyed.
It may be positively correlated with a logon event using the Logon ID value.
Logon IDs are only unique between reboots on the same computer.
Windows System Events at arounds this time shows a number of Errors:
The server {AAC1009F-AB33-48F9-9A21-7F5B88426A2E} did not register with DCOM within the required timeout.
The system is exiting connected standby
Reason: Input Keyboard.
A timeout was reached (30000 milliseconds) while waiting for the Sync Host_1a14de225 service to connect.
A timeout was reached (30000 milliseconds) while waiting for the Windows Push
Notifications User Service_1a14de225 service to connect.
The Clipboard User Service_1a14de225 service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.
A timeout was reached (30000 milliseconds) while waiting for the Clipboard User Service_1a14de225 service to connect.
The Connected Devices Platform User Service_1a14de225 service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.
A timeout was reached (30000 milliseconds) while waiting for the Connected Devices Platform User Service_1a14de225 service to connect.
The Clipboard User Service_1a14de225 service terminated unexpectedly.
It has done this 1 time(s).
The following corrective action will be taken in 3000 milliseconds:
Restart the service.
The Sync Host_1a14de225 service terminated unexpectedly.
It has done this 1 time(s).
The following corrective action will be taken in 10000 milliseconds:
Restart the service.
The Windows Push Notifications User Service_1a14de225 service terminated unexpectedly.
It has done this 1 time(s).
The following corrective action will be taken in 10000 milliseconds:
Restart the service.Note, I posted this at https://superuser.com/questions/1484818/windows-10-remote-desktop-session-randomly-unexpectedly-terminates
But no-one could help there. This is really driving me crazy as I am losing emails on a daily basis
Hi
I have set up RDS on Win 2019 server, but when trying to connect to the I keep getting that the Gateway in unavailable.
I can connect to there server with RDP fine, but not RDWeb. Could someone point me in the right direction.
I am using Azure
Hi,
I'm sure this has been asked many times before, and I'm probably just missing something simple but we've built a new RDS 2016 system consisting of 2 Connection Brokers and a few RDS Hosts which will be used for plain Remote Desktops.
Clients are getting certificate warnings when connecting as the DNS name for the farm (RDSFARM.domain.com) is different to the host name on the self-signed certificate which is presented. We have a wildcard cert which we could use, in place of a SAN certificate, but I'm unsure where we configure this.
In the RDS Server Manager, you can configure the RD Conncection Broker for SSO, Publishing, Web Access and RD Gateway but these aren't related to what I'am talking about are they?
I've also tried putting this wildcard cert into the RDS system certificate store and removing the self signed cert, but no luck doing that. So what is the right way to configure this?
Thanks in advance,
Dave
Hi,
We've been rolling out FSlogix and so far have been loving it. We came from roaming profiles.
When we migrated I left the 'Profile Path' field set on the AD object as there are app servers and various others that users may logon to without FSlogix - so keeping roaming for these seemed ideal.
For two users, whenever they login to the RDS Farm with FSLogix, the roaming folder in their VHDX gets overwritten (*profile*\appdata\roaming) Weirdly the local folder is unaffected. If I restore the VHDX and remove the Profile Path field this stops happening.
Only happens for these users and I cannot find any documentation related to this.
Anyone have any ideas?
Thanks,
Andrew
Hi everyone
We have recently renewed our SSL wildcard (GoDaddy) certificate and have successfully installed it. However we now have a problem where some users are unable to connect and I suspect its an issue with SSL and possibly something I've not done correctly.
Below is a brief overview of the RDS deployment
7 Servers - 1xGateway/web access, 1xConnection broker/licensing, 4xdesktop hosts and 1xapplication host.
SSL Wildcard purchased from GoDaddy and assigned to each server. CN *.abcd.co.uk
Server FQDN (as seen from connection broker) is server.ad.domain.com (I think this has changed since adding the new SSL from server.abcd.co.uk but can't be certain).
Forward looking DNS A record abcd.co.uk set to private IP for gateway and connection broker servers.
We have a mixture of W7 & W10 Pro clients, a large number of HP thin clients and a few Apple Mac's.
Connecting internal seems to work for Windows user and some thin clients but the Apple users and some of the HP clients cannot get on. If we change the Gateway settings from defined to automatically detect on on the connection broker, the Apple clients
work but not some of the thin clients.
I am convinced the root cause is the way we have configured our Wildcard SSL which has effected the gateway and other settings.
Unfortunately, I cannot find any literature which gives in depth instructions on how to configure and assign SSL certificates from start to finish for an RDS deployment.
Prior to us renewing the certificates, everything was working fine.
If there is anyone who can advise, then I would be grateful.
Regards
Thackers
Hello,
I am currently evaluating RemoteApp to deliver applications to our roaming users. It is working well.
However, whenever user reconnects, it creates a new session rather than hooking up to a disconnected session. My requirement is that till the time a disconnected session does not end, user must reconnect to their corresponding disconnected sessions only.
I have tried configuring following Group Policy Settings on the Session Host Server, but could not achieve the objective:
Request if someone can guide me about some missing configuration to achieve the objective.
Thanks,
Amit Jogi
Using Group Policy Editor, I have added Administrators into Computer Configuration\Windows Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network. This is to make sure that file sharing users cannot bypass the NTFS rights. However, I want members of the Administrators group to be able to login interactively using Remote Desktop. It works from Windows PCs, but not from Microsoft RD Client for Android, where I get the following error message:
I can connect from Android only if I remove that policy.
Any ideas?
I have the following:
RDS Gateway = Windows 2016
TS server = Windows 2008 R2
TS Server2 = Windows 2016
I get into the RD webpage without issue, there lies 2 RDP published apps pointing to 2 different servers.
When the icons are launched and authentication box appears, domain credentials are put in, and the error stated below comes up.
End users can access the gateway without issue, when they select the TS Server RDP icons they get the following error:
RemoteApp Disconnected - Your computer can't connect to the Remote Desktop Gateway server. Contact your network administrator for assistance.
The TS connection is set to maximum, everything else is set correctly to. I have read all the articles I can find and it has not resolved the issue, is there something I am missing?