Just put in a brand new Windows Server 2019 Standard Terminal Server at a client. Some of the partners in the firm are of an advanced age and their eyesight is no good. However other's are in their 20's and can see very well.

I tried searching for and and it seems microsoft had a solution for 2008 R2 and then nothing after.

Any way to get that on Windows Server 2019?

Hello everybody,

A customer runs Windows Server 2019 terminal server farms. From the local network, everything is fine. Users get perfectly connected and load-balanced to the RD servers. However, if the log on to the domain through a VPN (TMG 2010) which does not block any traffic, they can only only sometimes connect to the farm. When they fail, their Windows 10 RDP client just yields an "internal error" without being more specific.

We checked already:

* TMG does not block anything coming from the VPN to the inner servers or vice-versa. We also tried temporary firewall rules allowing any traffic in both directions.

* DNS resolution and contact to the domain controllers is fine from the LAN and through the VPN. There are DNS A records for each RD server, and for each RD server there is a DNS A record with the farm name, pointing to each of the RD servers, for DNS round-robin.

* The RD broker (a separate server) load-balances the users just fine.

* The clients get a DHCP address for their VPN connection from VPN, also just fine.

* The clients CAN connect every time to the old 2008 R2 server farm which did not load balance. When they try to connect to a 2019 farm (with each farm consisting of 4 RD servers and its own broker and licensing server), the only connect sometimes, the other time failing with the "internal error".

* The clients connect (locally and through VPN) using the same .rdp file pointing to the farm name. The do not use RDWeb currently, nor a RD gateway.

We have the suspicion (although not proved 100% yet) that the users can connect when a RD redirection is not needed/requested by the RD server that they initially contact via DNS round-robin.

Is such a symptom known? Does anyone have a clue what is happening here?

Best Regards, Stefan Falk

This is the scenario:

I have a 3rd party application that brings up a listening TCP port for communications purposes. 

This applications has a preconfigured listening port, lets say 49000, but the fact is the port is not available. 

Testing this issue with iperf has brougth some info to light: Windows somehow redirects the listening port to a random TCP port, starting at 20000 and assigning it "randomly". Here are some pictures:

iperf acting as server (netstat shows the port 42500 is not listening):

Client failing to connect:

processexplorer to check the listening port:

Succesful connection with the redirected port:

Nestat with redirected port:

This behaviour seems reasonable, otherwise only the first user to turn on the applicacion would be able to actually use it but I haven't been able to find some information that explains how this process work and why does it do.

I can't find any information about it and I would like to know if I am right or there is another cause for this beaviour as well as know if there is a workaround for this app to run. 

Jordi.

Hi all,

We are deploying two apps in terminal server Windows Server 2019 (app1 and app2). Both apps are in the same farm and collection.

The users from the collection use a user group, the same user group that the app1. Nevertheless, the app2 use another user group to limit who can use it.

the problem is that the app2 need to use Excel, only in this app. We want to use excel but we just want to pay only the app2 user group license (5 or 6 users), not the user group used in collection (more than 100 users). Is possible to pay only for the app2 group or need to pay to all connection group?

thanks and regards,

Gerardo,

Hi,

I have a 2012 R2 RDS and Acrobat 2017 is installed on it. When a user clicks a link in IE to a pdf it always opens in IE. I want every pdf on this server to open in Acrobat. I have already disabled the Acrobat reader add on in IE. I have checked this setting this on several user profiles. The add on shows as disabled but pdfs still open in IE when in a webpage. 

Thanks for any help on this.

My company is using a software package which is installed on RDS. All users access this program via Remote Desktop. The program is a business application which directly executes CRUD operations on a Pervasive database (no middle tier!). Our RDS server and database server reside in the same room (actually on the same vm host). Some of our users are remote over a VPN tunnel. These were the main reasons I wanted to install on RDS, because software updates and stability would be a nightmare if the application was installed on individual PCs, most notably with some running remotely. This setup would promote more stable execution because the servers are local to each other.

On occasion, the software produces database errors.

Certain errors are reoccurring, and the software company blames the issue on dropped packets. They claim desktops using a wireless connection can cause issues. They claim that this corrupts cache files and causes the database corruption.

I'm under the impression that RDP should generally negate any network issues because the application is executing on the server, not the PC. If a connection is interrupted, the application should continue to gracefully execute in the background until the session is reestablished.

On a setup like this, is it at all possible (or even heard of) to introduce database errors via RDP? Any thoughts?

Thank You.

Hello,

Pulling my hair out a little bit at this one.

For a few of our user accounts they are unable to connect to any of the published apps.

It has worked previously for these users but then it just suddenly stops.

The user can successfully log in to the RD Web site but the apps won't accept the users password; however it is being entered correctly as it works for RD Web and standard RDP.

The deployment is two RD GWs, two RD CBs and 5 Session hosts with 3 different collections.
All the servers are Server 2016.

It doesn't appear to matter which GW, CB or Host the session uses/attempts to use none of them are accepted.

Audit logs for the GW are turned on and for the session that fails their are logs present on the GW to say that the client has met the authorization policy, authorized to connect to the DNS name we are using for the Connection Broker and then displays the event for when a session disconnects. In effect it seems the user seems to have a 0 second connection:

The user "USERNAME", on client computer "IPADDRESS", disconnected from the following network resource: "CB DNS NAME". Before the user disconnected, the client transferred 229 bytes and received 156 bytes. The client session duration was 0 seconds. Connection protocol used: "HTTP".

The connection seems to hit the Connection Broker too but disconnect immediately. For example working connections create two event logs in the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operationalevent log one that reads Listener RDP-Tcp received a connection and then there is supposed be another to say that User Authentication was successful. The users that don't get authenticated don't create this entry of course.

Why would the password not get accepted?

Where else can I look to try and troubleshoot this issue?

Hi,

Somebody's can help us what is causing of this error in Remote Desktop Connection. ? We Still have Window 7 pooled collection and everything is fine and working. And now we are provisioning the Windows 10 Virtual Desktop in the VDI infrastructure. After installation of windows 10  pooled collection in RDCB and have it created/Add  a 30 virtual Desktop we got this error during the connecting of our Wyse Thin client Device. 

Is there any steps need to check on this. ? 

Current Infra:

2 RDCB

2 RD Virtualization Host

1 RD gateway server (w/ DMZ switch )

1 RD web Page server (w/ DMZ switch )

1 RD Licensing Server Role

1 File Server

2 SQL Database Server Node

Checked and Verified the following : 

1. Windows 10 Master Image have been sysprep properly in the Session Host.

2. Created a Windows 10 Virtual Desktop properly.

3. Path to the correct cluster storage volume, parent disk and user profile disk. 

4. Ensure that Windows 7 profile disk, CSV and parent disk folder is separate to windows 10 pooled collection. 

5. Windows Server 2016 Version.

6. 2 times to recreate all VM's and collection in the RDCB.

Thanks

Homer Sibayan

We're running an old but still important business app that is built on Silverlight. Yes, it was really stupid to build it on Silverlight, but hindsight is 20-20; there are steps in play to replace it. But for now we must run it.

We also use RDS for the majority of our workers, and on RDS 2016 it has become quite unstable, especially from Windows 10 clients but possibly also older thin clients that still run an Embedded OS.

The only browser remaining that runs the Silverlight plugin is "good" old Internet Explorer, and it has generally worked, but lately especially after some of the newer patches (I presume) users have begun experiencing screen flicker, UI elements just appearing to move around and after a while just a straight-up logoff off the system. This is massively disrupting of course.

Running the same things on a Windows 10 local client (without RDP) works the way it has until now.

Grateful for any ideas on what may be causing this and how I could mitigate it.

hello

i try to enable user disk profile on my collection (rds 2016)

i create a share folder with the permission they need on file server windows 2012 r2

i put the location that is acseesible from the session host and the i get the error message:

could not create the template VHD,error message: unable to connect to WMI on server xxxxxx (file server 2012) ,error no such interface supported

what could be the problem?

thanks!

Hi,

my machine is win 7 professional which support 8.0 rdp protocol.

my jump server is win 2012 r2

on the server end , I have enabled smart card redirection for a  remoteapp on iIis 8 thru Remote Desktop services - remote apps - session collection - client settings - configure client settings - ticked smart cars option.

on my machine I have allowed USB access for the specific device guid on sep(Symantec end point)

however, when I remotapp into the jump server I am unable to see the smart card but when I allowed the plug and play or printer, I can see them though.

the jump server has an web based app that will need to read the smart card info on my client and I will have to enter the password to login.

i have also tried with a win 10 pc but still the same results.

appreciate any advise

maxz77

Hi,

Software restriction policy in place : Everything disallowed except the obvious (c:\Windows, c:\program files, etc..).

Now adding a Certificat rule exception for Microsoft Teams installer. (Microsoft certificat). This is allowing a "per-user" installation of Microsoft Teams (and probably other Microsoft products. Gasp.)

A regular user w/o admin rights can install and run MS Teams. So far so good.

Now trying to uninstall it.

No way...

Any hint ?

I have setup a RDS 2019 environment with the following roles.

- RDS Gateway and Web Access on one server

- Connection Broker

- 2 Remote Desktop session host servers

- RD licensing server on DC

Within the deployment properties i have configured a wildcard certificate on all roles and they are trusted and OK.

Within DNS in the remote zone i have created records for the RDSH , RCB , Gateway and Round Robin for the RDSH farm.

In the firewall i have opened port 443 tcp and 3389 udp to the gateway server.

In the rdp configuration on the client i connect to farmname.domain.nl and the gateway remote.domain.nl

When i connect through rdp to the farm name i get the message "Certificate can't be verified" because the name in the certificate from the remote pc is *.domain.local.

When i connect to the Connection Broker i don't get this messages because the wildcard certificate is configured in the deployment properties for the connection broker.

What should i do to stop receiving the certificate notification ? How do i ensure that the RDSH servers use the wildcard certificate ?

This issue has been a thorn in my side for the past several months. While investigating I've read every post/article I could find on the topic and wanted to share my findings, as well as include instructions how to recreate the issue which I haven't seen elsewhere. 

Symptom:

In Server 2012r2 and Server 2016 RDS environments, while in published RemoteApp applications, the Caps lock/Numlock keys become inverted from the local computer. For example, the keyboard indicator shows Caps Lock is off, but capitalizes all characters in the RemoteApp application.

Cause:

The Caps Lock/Num Lock keys are inverted when the application opens a new window, a text field is selected, and the “Caps Lock” or "Num Lock" keys are the first input. It appears that when new Windows are generated from the published application they don't get keyboard sync information until text is input. For instance, if you launch a published instance of File Explorer, click the search bar, and hit the "Caps Lock" key, the issue doesn't happen. However, if you right click a folder, select"open in new window", click the search bar in the new window, then hit the caps lock key, it will. Again, only if the Caps Lock/Numlock keys are the first input.

You can recreate the problem easily by doing the following:

1. Publish "Notepad" in your RemoteApp environment
2. Launch "Notepad
3. Go to File -> Open
4. Select the "File name:" field
5. Press the "Caps Lock" or "Num Lock" key before pressing anything else
6. The caps lock/num lock key will now be out of sync

I have tested this in several applications including: Adobe, WordPad, Word, Excel, PowerPoint. This also works in clean installations on both Server 2012r2 and 2016.

Solution:

Currently none. We placed a paid ticket with Microsoft Support where we explained the issue and provided instructions on how to recreate. The ticket was escalated, and we were eventually informed that this is a known issue that hasn't been documented. We were then provided a refund and informed that they would let us know when a fix is in place.

Workaround: 

Clicking anywhere outside of the RemoteApp applications will correct the inversion. We typically recommend clicking the task bar. Another option is minimizing and maximizing the application manually or by pressing Win+D twice. Many of our users use the caps lock key in place of the shift key. I'm not sure how effective it has been but we are instructing users to use the shift key, especially when entering credentials. 

Even though there isn't currently a solution I hope that this is at least informative and someone finds it helpful.

Hello colleagues

When we are doing such config (enable multiple sessions per user):

Computer Configuration\ Administrative Templates\ Windows Components\ Remote Desktop Services\ Remote Desktop Session Host\ Connections

Restrict Remote Desktop Services users to a single Remote Desktop Services session     Disabled

We are not able to reconnect to any disconnected session that was running previously.

It seems that it was mentioned here for Inside build, but we have same...

https://techcommunity.microsoft.com/t5/Windows-Server-Insiders/Bug-no-reconnect-to-disconnected-session-with/m-p/282056/highlight/false#M829

Any solutions for this problem?

Regards,

Sergii V

This is to raise issue with Microsoft for “DPAPI”.

DPAPI stands for “Data Protection Application Programming Interface”, a built in component in windows 200x servers and used by developers for encryption/decryption of text/string like passwords.

We need to know if there is any specification for “DPAPI” when it is used by any application in Windows Terminal Server (Farm Environment) which has both Roaming profile functionality and Folder Redirection configured.

We are asking this because our customer is facing issues in using client app for above mentioned configuration of windows server and has escalated this. Currently we see it to be a configuration issue of their windows server.

 Issue Details:

Our client app use DPAPI to encrypt and then decrypt specific user settings which are to be saved in file in the roaming folder location, something like this  à  C:\Users\<user-name>\AppData\Roaming\XYZ.

DPAPI works in Roaming profile and we use protection scope in DPAPI based on current user (and not local machine) in our client app

Read more details here.. https://support.microsoft.com/en-us/help/309408/how-to-troubleshoot-the-data-protection-api-dpapi#bookmark-1

In a windows terminal server farm, we will have multiple terminal server for load balancing. In this environment, it is not fixed the user will always get logged in to the same terminal server

When user gets logged in to a terminal server other than previous one then issue occurs in client app. When it is launched it shows error. To fix this user needs help of admin.

The reason for this issue is that the encrypted “settings” file of client for that user (in the roaming folder) is not getting decrypted (DPAPI) at this different terminal server where is user is logged in now and thus client show auth failure.

 The DPAPI used in the client for decryption throw following exception

 [0 2019-04-18 09:35:42.497]<E/Application> 1st chance exception (type=CryptographicException): sender(Name:XYZ.exeThere are no context policies.), exception=Key not valid for use in specified state.

It appear the DPAPI at this terminal server is not at the correct state to decrypt the user file. However as per Microsoft, if we are using “Roaming profile” then DPAPI should be in the correct state and work seamlessly irrespective user is in which computer but connected to the same AD domain. 

 Now, why customer is getting this issue if Roaming profile functionality is enabled.

1. Is it a configuration issue at customer end.
2. Is it something not supported on windows terminal server environment or due to “Folder Redirection”

I hope this information is enough. Let me know if you need more information related to this.

Hello,

We are planning to deploy OneIdentity SPS for session monitoring. We want to deploy it as a Remote Desktop Gateway in front of a windows server (Session Host).

I want to know how will the license be managed in this case. Note: We have RDS Device CAL license model.

Knowing that all traffic will go through the SPS, is this considered as one device?

For more on SPS as RD gateway:  https://support.oneidentity.com/technical-documents/doc1300463

Hi,

We have 3 Rdgateway servers ( server 2012 R2 en 2008 R2) in our domain and each has its own URL for accessing the internal servers from internet.

Yesterday I wan checking the netlogon logs and find out that each time we connect to RDgateway to access an internal server these events get logged. nts72 is Rdgateway server and nts80 is the internal server that we access. We dont see any issue with login, but I would like to know why netlogon says " The specified account not exist"

Shahin