Channel: Remote Desktop Services (Terminal Services) Forum

Secure RDP access on Windows Server 2012 R2 with certificates

Hello. I've noticed that RDP certificates on all of our production boxes have self-signed certificates located in their respective "Remote Desktop" certificate store. 

I would like all of our servers to use signed, trusted certificates from our internal PKI instead of self-signed certs Windows servers automatically generate. 

I found these two articles that pretty much outline the same process but I get an error when I try to connect:

http://www.petenetlive.com/KB/Article/0000944.htm

http://www.derekseaman.com/2013/01/creating-custom-remote-desktop-services.html

"This computer can't connect to the remote computer. Try connecting again. If the problem continues, contact the owner of the remote computer or your network administrator"

I'm using my Windows 8.1 workstation to RDP into a Windows 2012 R2 box. I created the RDP cert template and GPO in accordance to articles and placed the R2 box in a test OU that has that GPO applied. I'm testing it on a particular R2 box before releasing it production-wide. Also, I can confirm via PortQry and NMAP that the R2 box is listening on port 3389.

Any thoughts????? Thanks!




Dropping Remote connection due to second monitor?

I have discovered that while working on my desktop, while having a connection open to my server 2012, I keep dropping the connection. What I've discovered is that as long as I work on the primary monitor on my desktop, and then open the remote connection to work on the server, the connection stays alive. When I work on the secondary monitor, for as little as a few minutes, and go back to the primary monitor and expand the server window, the connection has timed out and it reconnects on 1 of 20 tries.

I am wired into the modem/router, and this does not drop the connection with my other office's connection to the server 2012, but they do not use multiple monitors on their desktop. 

Any suggestions?

RDS and SID error with two-way trust

Hey there.. weird one here.. I am testing RemoteApps with Server 2012. All is fine except for when I try and grant access to user in another forest where we have a two-way\forest transitive trust. The error is below.. What is interesting is the trust works fine otherwise. For example, if I try and add a user to the local admin group on the server it works great.. I can even authenticate via RDweb portal from a user in the trusted domain.. any ideas? 

Windows 8 can not connect RemoteApp on W2K12 RDS, but Windows 7 can connect. Why?

Hi!

Windows 8 can not connect RemoteApp (W2K12 RDS), but Windows 7 can connect. Why?

External and internal DNS name is different, the public Cert is mapped to RD Web Access and a RD GateWay Role.
The internal cert (issued by enterprise ca) is mapped to RD Connection Broker roles (SSO and Publishing).
These certificates are also installed on client computers (Personal and Trusted Root Certification Authorities).
The internal CA revocation list is published to a website and this web site is accessible from internet. Ports (3389,3391,443) forwarded to RDS server.

On windows 7 everything works fine, but Windows 8 can not connect to Remote Apps. Windows 8 can connect to RDS server via Remote Desktop Connection.

The error:

Win8AppVError

Thank you for your answers.

Embedded RDP to my html page

Hello All,

I am trying to create a 'quick link' html page for my support team, in which I planned to include internal links as well as an embedded RDP client on the HTML page itself. I used the Microsoft provided code for the facility. However, if I enter the server address and click the connect button, nothing happens.

Would be thankful if someone could provide a fully functional code for this facility. Thanks!

2012 R2 RDP Bug... will it ever be fixed?

Hi.

When I try to connect from any of our windows7/8/8.1 clients to our 2012 R2 Terminalserver, I get the same problem as described here http://social.technet.microsoft.com/Forums/windows/en-US/fab6f026-86c2-47e0-b485-2ac40623051f/remote-desktop-denies-login?forum=w8itprosecurity   Error: "The system administrator has limited the computers you can log on with"

---

Problem environment:

Server 2012 R2 "with update", also updated.

The account used for RDP logon may NOT log on locally to the workstation he is trying to connect from. So the problem only arises when a user uses a different user account for RDP logon to a 2012 / 2012 R2 server.

---

This is definitely a bug. Will it ever be fixed? It has been there since server 2012 came out! This is serious as it has various implications. For example we have customers using our terminal server via VPN. We don't even know their computer names, so we cannot possibly grant them logon privileges to those machines' names. Only workaround is to allow those users which they use for connecting to logon to all machines in the domain which is a no-go security wise (although it is the default!).

Is the problem clear to you? I know it is hard to understand.





RD session broker will not work with desktop sessions

One RD Broker 2012 R2 and 2 Session Host Servers.

When I connect using rd web using IE I can be logged into the web interface (on broker where role installed) and then able to use the desktop icon to gain access to the desktop session. I check the collection and I can see the login has been moved to one of the two host servers and logged in correctly so the redirection between broker and hosts are working correctly.

But when I try and use the remote desktop connection app, please farm name and connect, I am asked for the username\password, agree to the certificate but I receive the message that 'might not have permissions to log in remotely' it looks to me it's trying to log into the RD Broker and not being redirected.

I look at the logs on the broker and they are

Remote Desktop Connection Broker Client failed to redirect the user. Error Null

Why can the broker redirect the RD web connection but not the RDP connection? No firewalls on and everything configured correctly that I know.

Terminal server in a workgroup , client computer in a domain

Hi Everyone ! 

I have a 2008 R2 Server on a workgroup, and needed it to be a terminal server and can't add it to a domain for application reasons. The client computers that have to connect to the terminal are in my domain, so as I have installed RDS CALs per device and as I have read it should work when I connect with local server credentials, but it doesn't (I also have some per user CALs for any case). Any ideas?



Windows Server 2012 DC - RDS - "Your computer can't connect to the remote computer because an error occurred"

Hello,

I have recently set up RemoteApp and a RD Gateway on a 2012 R2 DC server.  I have the 4 roles split out between 6 different servers. So 1 broker, 1 RD Gateway, 1 RD Web Access, and 3 Session Hosts.

As of Monday this week, everything worked fine with the Gateway Server.  The Web Access server's site is accessible internally and externally, launch RDP sessions successfully, as well as connect RemoteApps that I have deployed via the web feed.  The only piece missing is when I attempt to click on a RemoteApp Program from the site I get the error "RemoteApp Disconnected - Your computer can't connect to the remote computer because an error occurred on the remote computer that you want to connect to. Contact your Network Administrator for assistance."

No error logs are created on either the server side or client side.  As far as I can tell my setup is correct according to technet articles that I have followed in order to get everything up and running.

One note, the RemoteApp Programs work fine internally if I check the box "Bypass RD Gateway server for local addresses."  With this unchecked the RemoteApps fail to launch internally with the same error.

The only changes that were made since Monday were a fourth Session Host server was added which was a cloned in Vmware from another Session Host in the environment and new RAP and CAP were created on the RD Gateway server. 

All of the VM's were restored using a backup that was taken Monday night before the shenanigans started.  Our client machines are running Windows 7 Enterprise and the RDP client has been updated to 8.0.

I have read through the forums as well as explored the net and have yet to find a solution.  

Thanks,

Erik


Remote Desktop Gateway, can't connect from RDP 8.0 (Server 2012)

I'm racking my brain, I've done this before but I'm doing this in another lab environment . Non-Domain computers (Outside) trying to RDP in via the Gateway (Domain-Internal is working).  Certs aren't an issue as they're installed, I've tried it multiple ways, but for now I'm using the self signed generated via the RD Gateway manager.  I can go to https://rdgatewayurl/rpc and authenticate and get a blank page (external and internal).

New Domain, 2k8R2 Functional Level, no real GP customization at all, except not requiring NLA and enabling RDP on the internal "servers" in a specific OU.  My Account has Admin privileges on all the servers in question.

Another stupid question: This should also work with just the RD Gateway role installed, right?  I've tried it both ways with no luck.

RD Gateway is logging Event 4625 in the Security Log.  I feel like this should be obvious but my brain is fried.

An account failed to log on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Type:			3

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		myadminaccount@somedomain.com
	Account Domain:		

Failure Information:
	Failure Reason:		An Error occured during Logon.
	Status:			0xC000035B
	Sub Status:		0x0

Process Information:
	Caller Process ID:	0x0
	Caller Process Name:	-

Network Information:
	Workstation Name:	EXTCOMP
	Source Network Address:	-
	Source Port:		-

Detailed Authentication Information:
	Logon Process:		
	Authentication Package:	NTLM
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.




How to uninstall RDS user cals from RD licensing manager?

I have installed too many RDS user CALs on our RD license manager by accident.

How do I reduce/remove the number of licenses in the RD licensing manager, Win server 2008 R2?

Regards SL

Terminal Server profiles path between Server 2008

My existing Citrix farm has published desktops on Server 2008 x86 SP1, and the new farm I'm building is based on Server 2008 R2 x64. I can't get the x64 servers to use the same path as the x86 servers, despite having the same GPO's.

Both have the same GPO linked: under Computer Configuration/Policies/Administrative Templates/Windows Components/Remote Desktop Session Host/Profiles, the path is set to \\server\share\%username%.

When a user who doesn't have a profile logs in to a Server 2008 x86 server, after they log out their profile is uploaded to the share as \\server\share\username.V2. When a user logs into Server 2008 R2, it doesn't pull their username.V2 profile and instead creates a new one as \\server\share\username\username.domain.V2.

Please help me get the x64 R2 servers to use the existing TS profiles. 

Everyday around 3 to 4 PM all RDP sessions (around 50) getting disconnected

Hi,

We have a Windows 2008 R2 Terminal Server (workgroup) with SQL Server and C# application installed on the same terminal server.

Around 50 users access this terminal server. Since 15 days, everyday between 3 PM to 4 PM, all the 50 user sessions get disconnected at the same time and without anything done on the server, users can RDP again and work without any problems.

Verified event logs, terminal server logs, network, firewall, router etc. everything is working fine.

Only thing observed is, when RDP sessions get disconnected, we see PING time out.

Any help to address this issue is appreciated.

Raghuveer.

RD Session Host slows down program

Hi All,

I have a problem with a new installed RD Server.
The configuration is as following:

The RD is running on Hyper-V. (VM host is Server 2012 R2 std)
Server 2012 R2 Std
CPU: 4 cores
Mem: 8GB

On the server is a program installed that is using SolidDB v4.50.
The program itself is fast, however when I install RD Session Host the program slows down.
Logging into it takes about 20 seconds, without the RD Session Host it takes a second or 2-4.

The other programs as Word, Outlook (Basically the only programs that are being in use) are fast.

I have also tried to install a new VM, same setup as above and made a fresh installation.
Without the RD Session Host it's fast, Session host installed and the program is slow.

Does anyone have a suggestion how to improve the speeds?

Thanks in advance,

Patrick

Uninstall keyboard layout from user profile

Hello All,

On a Windows Server 2008 R2 system running as a Remote Desktop Session Host (with Dell/Quest vWorkspace) I have an issue where somehow people have had the Chinese PRC language automatically selected.  These people are not people that would even have that language installed on their local systems - so the IgnoreRemoteKeyboardLayout registry setting would not be of much use (I have applied it either way).

The system at one time had a need for some people to have the ability to select that language within the language bar; however, now that is no longer the case.  I do not have the keyboard set to launch automatically for individual users.  How can I get rid of that language as one of the keyboards available to them?

Thanks


How to undo the automatically start program to when a user logs on

I have followed the following directions (http://technet.microsoft.com/en-us/library/cc736643%28v=ws.10%29.aspx#BKMK_TSC):

"Using Terminal Services Configuration

    • Open Terminal Services Configuration.
    • In the console tree, click Connections.
    • In the details pane, right-click the connection for which you want to specify an initial program, and then click Properties.
    • On the Environment tab, under Initial program, select Start the following program when the user logs on. This option allows you to configure an initial program for the connection.

      • If you select Do not allow an initial program to be launched. Always show desktop, then Terminal Services cannot start a specified initial program automatically when a client connects to a terminal server. Instead, the user must start programs by using the default desktop that is displayed during the Terminal Services session.
      • If you select Run initial program specified by user profile and Remote Desktop Connection or Terminal Services client, then the program that is specified in the default user profile and in Remote Desktop Connection or the Terminal Services client will run when the client connects to the terminal server.
  1. If you selected Start the following program when the user logs on, in Program path and file name, type the path and file name of the program that you want to start when the user logs on to the terminal server.
  2. In Start in, type the working directory path for the program, and then click OK."

The problem is that now all of the server users get the specific program automatically started when logged on and I can't undo it because I can't get to the desktop or to the "tscc.msc".

Is there a way to fix it?

Server 2012 RDS - User Profile Disks - Errors during Logoff

I have set up a test Server 2012 RDS collection (Single Server for now) and implemented User Profile disks.

I have two problems.

First: My generic test user can connect and does successfully use the user profile disk as expected. However, at logoff, the system event log contains these errors:

The error (NTFS 137) is: The default transaction resource manager on volume C:\Users\ts3.test encountered a non-retryable error and could not start.  The data contains the error code.

The warning (NTFS 50) that concerns me is:

It appears that the user profile disk is being "disabled" or "disconnected" before the profile data is completely written at logoff. What can I do to troubleshoot this?

Second:

Update: A post from Mike Connor on the following page: -LINK- solved the problem described below.

My administrative user always logs on now with a temporary profile. At the beginning, the UPD was working and mounting. That stopped working. In attempting to troubleshoot, I logged the admin user off and deleted the UPD disk file from the share. I remember it working again after generating a new UPD disk file in the share. Soon, it quit working again. I deleted the UPD disk file again from the share and ever since, it has never regenerated a new UPD and always logs on with a temporary profile.









SSO issues with Windows Server 2012 R2

• Two Windows Server 2012 R2 DCs
• Windows Server 2012 R2 server with all RDS roles installed
• Trusted certificate has been deployed on the server
• Windows 8 Embedded
• RDP protocol being used: 8.0
• SSO GPO has been created and linked to the top level of the domain and is enforced
• GPO setting: Computer Configuration -> Policies -> Administrative Templates -> System/Credentials delegation -> Enabled -> TERMSRV/fqdn.domain.com
• RDS web feed GPO has been created and linked to the OU containing the users that need this subscription.
• GPO settings: User Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> RemoteApp and Desktop Connections -> Enabled -> https://fqdn.domain.com/rdweb/feed/webfeed.aspx
• GPO settings: User Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Connection Client -> Specify SHA1 thumbprints of certificates representing trusted RDP publishers has been configured.
• I followed guidance located here to create this GPO setting. <http://morgansimonsen.wordpress.com/2011/03/21/sha1-thumbprints-for-trusted-rdp-publishers/>

What works correctly:

• Users get the remote apps on the Metro Start screen.
• No certificate warnings occur.
• Gpresult /r shows that the GPOs referenced above are getting applied.

Issues:

While users do get the web feed apps, they get prompted for two things when they launch an RDS app:

• "This RemoteApp could harm your computer....".  The users have the option to say "Don't warn me again" and connect, but I'd like this to not occur at all if possible.
• They get prompted for a user name and password. This means SSO is not working.

DuRand Bryant

Reconnecting Application and opening a new applications

My issue is that using server 2012 R2, I have setup any connections that have been disconnected and try to reconnect. All the programs seem to work fine except our internal ERP software which reconnects then opens another instance of the software. Has anyone run into the issue and have a fix?

User Profile Disks require SMB 3.0?

Hi all,

I have some NetApp space available for User profile disks. The NetApp does not support SMB 3.0 and when I try and apply the setting I get an RPC error:

0x800706BA

Similar to this thread here which suggested SMB3 was required.

http://social.technet.microsoft.com/Forums/windowsserver/en-US/5a4e6fb8-ad10-4ac1-b3ac-55d414b3fb17/got-rpc-server-is-unavailable-error-when-configuring-user-profile-disk-to-use-a-samba-share?forum=winserverTS

So would like clarification, is SMB 3.0 a requirement?

I have managed to set up a file share on a Windows 2012 R2 box on storage which does not support SMB 3.0 and it works... I don't know if Windows is doing something funky in the back end to make it work though.

Thanks
