Channel: Remote Desktop Services (Terminal Services) Forum

Windows Server 2012 VDI: access virtual desktops using smart cards only

I need to create a pool of virtual desktops for users who don't know their passwords. Those users can use smart cards only.

I've deployed my test lab, which includes a Windows Server 2012 host and an RD Web Access & Connection Broker virtual machine. A hardware thin client (Windows 7 Embedded) with an attached smart card reader is used as the workplace. I can log in to a pooled desktop by opening the RD Web Access web page, clicking on the pool name and entering the smart card PIN. However, in order to access the RD Web Access page I must enter user credentials (i.e. login and password). But users DO NOT know their passwords.

Questions:

1) Is it possible to force the RD Web Access site to use the credentials of the logged-in user?

2) Is there any way to skip the second prompt for credentials when the user clicks on a desktop pool on the RDWeb page?

3) Is it possible to access pooled desktops by using a standalone Terminal Services client only? Let's say a user logs in to a workstation using his smart card, then the RDP client starts automatically using a predefined RDP file, gets the user credentials from the OS and logs in to a virtual desktop without asking anything else.

ESXi and Gateway Manager

I have a Server 2012 instance on an ESXi server, and I'm intending this server to utilize RDS for incoming connections as a test bed for our software applications. I have all the CALs and the licensing manager authenticating them; however, I cannot seem to get the Gateway Manager to recognize the incoming connections to the server, and I'm hoping this is because I've missed a step somewhere and not because the machine itself is a VM.

New to the 2008 and 2012 architecture for RDS and looking for a shove in the right direction!

Thanks in advance. 

Multiple Pooled VDI desktops using Windows Server 2012 VDI Redirection

Hi,

I am currently in the process of rolling out thin clients and wondering if there is a way to have multiple redirection connection brokers.

I currently have a high availability Connection Broker configuration using a VDI pool and configured the registry to redirect to the pool Virtualpool1.

HKLM\SYSTEM\CurrentControlSet\Control\TerminalServer\ClusterSettings

DefaultTsvUrl  tsv://VMResource.1.Virtualpool1

Is there any way to configure multiple connection broker farms or redirectors so I can have an address for each VDI pool?

I am aware that you can modify RDP files to launch a VDI pool.

In addition to this, is there a way to load an RDP session/VDI pool from the login screen of a Windows Thin PC so that users can have an SSO experience?

Best Regards,

RDWeb Access using Smartcard

Our organization requires smart card authentication or certificates for logging into any systems within our environment. Since smart cards are required, users have no password that they can use for logon to the Remote Desktop website. The smart card required option is critical to our security model and cannot be changed. When users travel they take a standalone laptop that is not part of our domain. We need users to VPN in and access the website to get a pool machine assignment. All of this works fine until users get to the RDWEB site. They get prompted for a user name and password even though they don't have a password. We need them to authenticate with their smart card. What can we do to make this work?

Passwords seem like a huge vulnerability to be required for a component that might be placed in a DMZ. If a smart card cannot be used, can we put a certificate on the box instead for authentication? A user typed password will not work for us.

We do not want the laptop users take with them to require the domain for authentication. We are not looking for single sign-on. The laptop is not being granted any access through the VPN to any system other than the Remote Access Gateway and website.

Server is Windows Server 2012 running Remote Desktop Services. Pool is using Windows 7 systems. Clients are Windows 7 as well.

RDS Gateway Certificate

We are having a problem with configuring the Session Host certificate in our 2012 RDS environment in that the external FQDN (rds.test.com) site name does not match the internal domain name (host1.inside.com).

Using a two server config to start, Gateway/Web roles on the externally facing server and Broker/Session host roles on the internal server separated by another firewall.

If we don't put a Subject Alternative Name on the cert from our internal CA for the Broker/Session Host, we get the mismatch errors, but we intend to purchase a cert from a 3rd party like Thawte.

Anyone else get around this?

limiting access to 2012 Remote Apps Web Access by user AND Computer

I am setting up a Windows 2012 RemoteApp (session-based) farm and I want to limit access to the site by AD user group (easy part) AND also by computer. This is going to be intranet only, so I was thinking this wouldn't be too hard, but I haven't been able to find a working solution. My first thought was trying the Windows Firewall on the 2012 IIS/Web Access servers. The inbound rule for WWW HTTPS traffic has a tab for 'Authorized computers', but when I turn that on, it also requires you to turn on the 'Secure Settings'. Once turned on, all access is blocked except from the local RDWeb server.

So my question would be how to get this Windows Firewall "Authorized Computers" list to work, or if there is a better way of limiting access to IIS RDWeb site by computer.

thanks!

Capacity planning for RDS (specifically RemoteApp)

We have been tasked with a deployment of RDS after a successful pilot of a single machine deployment. The requirements are as follows:

  • 24/7 Availability (this goes without saying)
  • 100 concurrent users
  • Initially, web based applications and possibly server utilities (ADUC, GPMC, etc) published as RemoteApps.
  • We will be doing this on Server 2012 R2 most likely, but at least 2012.

From what I have read so far I think we need to plan for at least 2 Connection Brokers (for the Active/Active Broker config) and the associated SQL Server, but I am unclear on how many session hosts we might need.

Can anyone point me in the right direction from here? Should I use something like MAP or is there another tool that would be better? The MAP scenarios seem to focus on VDI deployments and not RDS.

Connecting to VDI when you're in a domain.

Found an odd thing.

Logged into Corp Domain on a Corp PC.

Connecting to VDI POC Domain.

It would sit there waiting to initiate the connection after securing and finding the VM. Found the problem to be UDP. Once I disabled UDP on the GTW, it connects fine.

Anyone else seen this problem, or know how to fix it?

RDS on Server 2012 R2 v XenDesktop 7.1

After being a long-time Citrix user, I am thinking about moving over to plain RDS on Server 2012 R2, but have a couple of questions:

Q/ To enable a better graphics experience, I would like to utilise the RemoteFX feature set, but do I need to use Hyper-V or will this work under vSphere? How important is the actual physical card I have on my host server, which is nothing special, just the default one that came with my Dell R720 server?

Q/ I understand to allow for cloning of Desktops/ Hosted servers for my Collections, I will need to use System Center, is that correct?

Q/ What, if any, are the extra features (e.g. remote task manager, scheduled shutdown options etc.) that I would get if I used System Center, in terms of better managing my RDS estate?

Q/ Has anyone else moved away from Citrix to native RDS and if so what were the reasons?

Q/ As a side question, has anyone installed a 3rd-party replacement for the Start Menu (e.g. Classic Shell) in an RDS/Citrix environment?

Windows 2012 R2 RDS Shadowing

Hello

Looking for a bit of help on this one. I have installed a physical Server 2012 R2, installed Hyper-V and Remote Desktop Services for VDI, all fully patched.

I created pooled desktops of Windows 8.1 and Windows 7 (again both fully patched, and installed the Windows RDS Client 8.1 on the Windows 7 SP1 desktops).

My issue is when I want to shadow a session. On the Windows 8.1 pool this works perfectly; I can view and control.

However, on Windows 7 SP1 with RDS 8.1 I cannot; as soon as I click shadow I get an access denied. On the Win 7 pool I have enabled File and Printer Sharing, as I found on another post, but no matter what I do I get access denied. Group policy is set to allow full control of Windows shadowing on Remote Desktop, and the policy is attached to the Virtual Desktop OU, which is where the Win7 and Win 8 desktops are located.

Has anyone seen this before or have any pointers?

Thanks in anticipation

Kevin.

RD Web 2008R2 Users Accessing Unassigned Apps

We are restricting RD Web applications with User Assignments in the RemoteApp properties.

The RemoteApp terminal server is a Windows 2008 R2 machine. There aren't any errors that stand out in the logs.

In the Remote App manager we are assigning permissions to that APP. They are domain users.

Our issue is all users can see the app that is assigned to one user.

How to upgrade Windows 2003 R2 Standard Edition to Enterprise Edition and maintain Windows Terminal Services Licensing?

Hi all,

I would like to know whether I can in-place upgrade Windows 2003 R2 Standard Edition to Enterprise Edition and maintain all the data and configuration, especially the application and Windows Terminal Services licensing setup?

Slow login with RDWeb applications and RemoteApps

Hello,

I'm having a problem with a newly created 2008 R2 RDS farm. Full desktop logins are fast for remote users (under 10 seconds), but RemoteApps and RDWeb apps take about 30 seconds to load (once loaded, subsequent apps load in 2-3 seconds). The Details button is greyed out for about 25 seconds while waiting for the app to load, and then when it finally becomes enabled, the app loads in about 3 seconds.

The RDS setup consists of:

1 Gateway server
1 Connection Broker/License server
2 Session Host/RDWeb servers

I have tried the following:

-Unchecking "Bypass RD Gateway server for local addresses" under the session host settings in RemoteApps manager on both session host servers
-Disabling UAC on all servers (oddly enough this seemed to increase the login time)
-Disabling client device redirection

Nothing has improved the speed. Any other suggestions? Thanks.

Slow response from RD Gateway

Hi

I have an RD farm with 4 servers on Windows 2012 R2:

rdweb01 - Web and gw role

rdcbroker - Connection Broker

rdsh01 - Session Host

rdsh02 - Session Host

The problem is when I click Connect in the Remote Desktop Connection it takes up to 30 seconds just to be asked for the credentials. "Bypass RD Gateway server for local addresses" is unchecked. I also created a registry key to disable task offload.

I have captured the traffic using Netmon and I see that there is a gap of 20 seconds before the RD Gateway server sends the next packet. See the 2nd and 3rd line of the trace.

I have tested on other similar environments using Windows 2012 R2 and there is no delay between these two packets. The sequence is equal but with no delay.

192 11:06:06 28.11.2013 6.7883759 mstsc.exe ME RD_Gateway TLS TLS:TLS Rec Layer-1 SSL Application Data; TLS Rec Layer-2 SSL Application Data {TLS:71, SSLVersionSelector:70, TCP:69, IPv4:68}

193 11:06:06 28.11.2013 6.8348456 mstsc.exe RD_Gateway ME TCP TCP:Flags=...A...., SrcPort=HTTPS(443), DstPort=61445, PayloadLen=0, Seq=2706257771, Ack=2387337128, Win=78 (scale factor 0x7) = 9984 {TCP:69, IPv4:68}

533 11:06:27 28.11.2013 27.8464594 mstsc.exe RD_Gateway ME TLS TLS:TLS Rec Layer-1 SSL Application Data; TLS Rec Layer-2 SSL Application Data {TLS:71, SSLVersionSelector:70, TCP:69, IPv4:68}

534 11:06:27 28.11.2013 27.8501002 mstsc.exe ME RD_Gateway TCP TCP: [Bad CheckSum]Flags=......S., SrcPort=61449, DstPort=HTTPS(443), PayloadLen=0, Seq=1792247767, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:194, IPv4:68}

541 11:06:27 28.11.2013 27.8767744 mstsc.exe RD_Gateway ME TCP TCP:Flags=...A..S., SrcPort=HTTPS(443), DstPort=61449, PayloadLen=0, Seq=2732183767, Ack=1792247768, Win=5840 ( Negotiated scale factor 0x7 ) = 747520 {TCP:194, IPv4:68}

542 11:06:27 28.11.2013 27.8771351 mstsc.exe ME RD_Gateway TCP TCP: [Bad CheckSum]Flags=...A...., SrcPort=61449, DstPort=HTTPS(443), PayloadLen=0, Seq=1792247768, Ack=2732183768, Win=256 (scale factor 0x8) = 65536 {TCP:194, IPv4:68}

Could some SSL guru tell me what's going on at those steps?

The performance is good after the authentication, as well as when not using the RD Gateway.
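An added example (not part of the post): a small parser for Netmon frame-summary lines like the ones quoted above, which computes the time between consecutive frames and reports any pause over a threshold together with the peer whose frame finally ended it. The sample input is the six frames from the post, copied verbatim; the threshold of 5 seconds is an assumption.

```python
from dataclasses import dataclass

# Sample input: the six frame-summary lines quoted in the post above, verbatim.
TRACE = """\
192 11:06:06 28.11.2013 6.7883759 mstsc.exe ME RD_Gateway TLS TLS:TLS Rec Layer-1 SSL Application Data; TLS Rec Layer-2 SSL Application Data {TLS:71, SSLVersionSelector:70, TCP:69, IPv4:68}
193 11:06:06 28.11.2013 6.8348456 mstsc.exe RD_Gateway ME TCP TCP:Flags=...A...., SrcPort=HTTPS(443), DstPort=61445, PayloadLen=0, Seq=2706257771, Ack=2387337128, Win=78 (scale factor 0x7) = 9984 {TCP:69, IPv4:68}
533 11:06:27 28.11.2013 27.8464594 mstsc.exe RD_Gateway ME TLS TLS:TLS Rec Layer-1 SSL Application Data; TLS Rec Layer-2 SSL Application Data {TLS:71, SSLVersionSelector:70, TCP:69, IPv4:68}
534 11:06:27 28.11.2013 27.8501002 mstsc.exe ME RD_Gateway TCP TCP: [Bad CheckSum]Flags=......S., SrcPort=61449, DstPort=HTTPS(443), PayloadLen=0, Seq=1792247767, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192 {TCP:194, IPv4:68}
541 11:06:27 28.11.2013 27.8767744 mstsc.exe RD_Gateway ME TCP TCP:Flags=...A..S., SrcPort=HTTPS(443), DstPort=61449, PayloadLen=0, Seq=2732183767, Ack=1792247768, Win=5840 ( Negotiated scale factor 0x7 ) = 747520 {TCP:194, IPv4:68}
542 11:06:27 28.11.2013 27.8771351 mstsc.exe ME RD_Gateway TCP TCP: [Bad CheckSum]Flags=...A...., SrcPort=61449, DstPort=HTTPS(443), PayloadLen=0, Seq=1792247768, Ack=2732183768, Win=256 (scale factor 0x8) = 65536 {TCP:194, IPv4:68}
"""


@dataclass
class Frame:
    number: int
    offset: float   # seconds since the start of the capture (Netmon "Time Offset")
    process: str
    src: str
    dst: str
    proto: str
    summary: str


def parse_netmon(text):
    """Parse frame-summary lines: no. / time / date / offset / process / src / dst / proto / description."""
    frames = []
    for line in text.splitlines():
        parts = line.strip().split(maxsplit=8)
        if len(parts) < 9 or not parts[0].isdigit():
            continue    # skip blanks and anything that is not a frame summary
        num, _tod, _date, offset, proc, src, dst, proto, summary = parts
        frames.append(Frame(int(num), float(offset), proc, src, dst, proto, summary))
    return frames


def find_gaps(frames, threshold=5.0):
    """Report every pause of at least `threshold` seconds between consecutive frames.
    `waited_on` is the peer whose frame ended the pause, i.e. the side that was slow."""
    gaps = []
    for prev, cur in zip(frames, frames[1:]):
        delta = cur.offset - prev.offset
        if delta >= threshold:
            gaps.append({"after_frame": prev.number, "frame": cur.number,
                         "gap_seconds": round(delta, 6), "waited_on": cur.src,
                         "resumed_with": cur.proto})
    return gaps


if __name__ == "__main__":
    for g in find_gaps(parse_netmon(TRACE)):
        print(f"{g['gap_seconds']:.1f}s pause before frame {g['frame']}: "
              f"waiting on {g['waited_on']} ({g['resumed_with']})")
```

On the post's trace this reports a single gap of about 21 seconds between frames 193 and 533, ended by a TLS record from RD_Gateway, which matches the delay the poster describes.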

Exporting remoteapp with .tspub extensions on RDS Windows 2012

Hi

I am planning to export some RemoteApps so I can publish them through UAG. The option I get from UAG is to select RemoteApps that have .tspub extensions. I can export the files if my server is 2008, but cannot find the same option on Windows 2012.

Any help is much appreciated.

Regards

Saman

Technology Infrastructure Lead EMA (Northern) New Zealand

RDP screen goes black after successful remote login

I have a Windows 2008 Server that I have been connecting to once a month remotely to apply OS updates. Often, I reboot that server and it uses auto-logon to log in and run an application.

Today, I rebooted the server and when I try to connect with RDP, I get the login prompt and enter my credentials, I see a few expected messages fly by on the host OS (the last one I see is the word Welcome), but then the screen goes black.

The apps on the server are running successfully because our applications can connect to them, we just can't logon to the desktop of the Windows Server 2008.

I made no configuration changes (I NEVER do) other than to apply the latest Windows Server updates.

I would prefer not to drive to the computer's location, or try to coordinate a time to have the server hosting company assist me with troubleshooting; but is there anything else I can do? Any ideas about what might cause this?

User profile disk store on a DFS ?

Hi All,

I'm going to do some tests for the future infrastructure for SaaS.

Actually I'm going to test the usage of User Profile Disks. I'm facing a strange behaviour with the storage of UPD on DFS. The idea behind that is to offer high availability of the profiles.

When I try to set up the path for the UPD in a collection, I get an error "The network location is unavailable". But when I test the DFS, all is right...

I would like to know if it's possible to use DFS as storage for UPD, and if yes, how to set that up.

Thank you.

Remote Desktop Gateway, can't connect from RDP 8.0 (Server 2012)

I'm racking my brain; I've done this before but I'm doing this in another lab environment. Non-domain computers (outside) trying to RDP in via the Gateway (domain-internal is working). Certs aren't an issue as they're installed; I've tried it multiple ways, but for now I'm using the self-signed one generated via the RD Gateway manager. I can go to https://rdgatewayurl/rpc and authenticate and get a blank page (external and internal).

New domain, 2k8R2 functional level, no real GP customization at all, except not requiring NLA and enabling RDP on the internal "servers" in a specific OU. My account has admin privileges on all the servers in question.

Another stupid question: this should also work with just the RD Gateway role installed, right? I've tried it both ways with no luck.

RD Gateway is logging Event 4625 in the Security log. I feel like this should be obvious but my brain is fried.

An account failed to log on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Type:			3

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		myadminaccount@somedomain.com
	Account Domain:		

Failure Information:
	Failure Reason:		An Error occured during Logon.
	Status:			0xC000035B
	Sub Status:		0x0

Process Information:
	Caller Process ID:	0x0
	Caller Process Name:	-

Network Information:
	Workstation Name:	EXTCOMP
	Source Network Address:	-
	Source Port:		-

Detailed Authentication Information:
	Logon Process:		
	Authentication Package:	NTLM
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
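An added example (not from the post): a parser for the Event 4625 text layout quoted above, which flattens the "Section / Key: Value" fields into a dictionary and summarizes the fields a defender looks at first (account, logon type, workstation, authentication package, Status and Sub Status). The sample input is an abridged copy of the poster's event; the table of NTSTATUS meanings is a short subset of well-known values and deliberately does not include the poster's 0xC000035B, which the code reports as not in the table.

```python
import re

# Sample input: abridged copy of the 4625 event quoted in the post (tabs written as \t).
EVENT_4625 = "\n".join([
    "An account failed to log on.",
    "Subject:",
    "\tAccount Name:\t\t-",
    "\tAccount Domain:\t\t-",
    "Logon Type:\t\t\t3",
    "Account For Which Logon Failed:",
    "\tAccount Name:\t\tmyadminaccount@somedomain.com",
    "\tAccount Domain:\t\t",
    "Failure Information:",
    "\tFailure Reason:\t\tAn Error occured during Logon.",
    "\tStatus:\t\t\t0xC000035B",
    "\tSub Status:\t\t0x0",
    "Network Information:",
    "\tWorkstation Name:\tEXTCOMP",
    "Detailed Authentication Information:",
    "\tAuthentication Package:\tNTLM",
    "\tKey Length:\t\t0",
])

# "Key:<tabs>Value" lines; a non-indented line with an empty value opens a section.
KEY_RE = re.compile(r"^(\t?)([A-Za-z][A-Za-z ()]*):[ \t]*(.*)$")

# Subset of well-known NTSTATUS values that appear in the 4625 Status field.
STATUS_MEANINGS = {
    "0XC000006D": "logon failure: bad user name or authentication information",
    "0XC000006A": "wrong password",
    "0XC0000064": "user name does not exist",
    "0XC0000072": "account disabled",
    "0XC0000234": "account locked out",
    "0XC000015B": "logon type not granted to this account",
}


def parse_event(text):
    """Flatten the event into {'Section.Key': value}; top-level keys keep their bare name."""
    fields, section = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line.rstrip())
        if not m:
            continue   # free-text description lines carry no field
        indented, key, value = m.groups()
        if not indented and value == "":
            section = key
            continue
        fields[f"{section}.{key}" if indented and section else key] = value.strip()
    return fields


def summarize(text):
    """Pick out the fields that explain a failed logon and decode Status where known."""
    f = parse_event(text)
    status = f.get("Failure Information.Status", "")
    return {
        "account": f.get("Account For Which Logon Failed.Account Name", ""),
        "logon_type": int(f.get("Logon Type", "0") or 0),
        "workstation": f.get("Network Information.Workstation Name", ""),
        "auth_package": f.get("Detailed Authentication Information.Authentication Package", ""),
        "status": status,
        "sub_status": f.get("Failure Information.Sub Status", ""),
        "status_meaning": STATUS_MEANINGS.get(status.upper(), "not in table: look up the NTSTATUS code"),
    }
```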

Managing RDS/TS printing

Good day,

I have seen a number of similar questions to mine in the Forums and even with many answered I do not see any covering precisely what I need. I suspect that the official answer is simply 'NO' with all the dancing around I see present in the past answers, but I want to be certain I did not miss something so here goes.

What I am looking to do is the following: allow users to connect to our Windows 2008 and 2008 R2 Remote Desktop Servers and redirect their printers, constraining them to use only drivers that have been preinstalled into the OS by admins (including universal drivers), or immediately fall back to TS Easy Print without grabbing inbox drivers or permitting any user installation of signed or 'validated' drivers.

With as many stability problems as RDS/TS has had related to spooler issues I am surprised to see that this is not the default behaviour, and even more surprised that this does not seem to be easily implemented. Since many of the packaged INBOX drivers in Windows do not seem to be TS/RDS friendly, it seems reasonable to assume that after nearly a decade of spooler issues in TS/RDS this should have been addressed in a simple fashion. The answers on the forums and blogs give me the impression that it has not. I see a lot of excellent work has gone into process isolation for the spooler, but even that great idea seems like addressing the fault rather than preventing it.

So for the question: is there a way to allow users to have printer redirection and also prevent them from installing ANY drivers that are not preloaded on a TS/RDS server by admins?

Those of you from Microsoft can think of this as a product suggestion: a policy that actually restricts driver installation (but not driver usage if already installed) seems the best solution. The code that handles printer mapping would simply need to look for the policy and skip scanning INBOX drivers for non-admin user tokens. I suppose if one wanted to 'hack' at the Windows installation one could use the existing policies combined with the physical removal of the inbox drivers, but kludges like that really should not be necessary (and could cause problems or be obviated by updates or service packs).

Any opinions or suggestions on this are appreciated.

Thanks in advance!

Dave

RDS Connection Manager

Hello everyone,

I have installed the RD Connection Broker and RD Session Host roles; users can establish sessions, and it's OK until now, but I cannot connect to users' RD sessions. How can I connect to their sessions, and from where? Thanks in advance.
