One of our customer's is receiving a strange "Protocol Error" when connecting to a RemoteApp via RD WebAccess.  They are able to log into WebAccess just fine and the vast majority of the time are able to launch RemoteApps successfully.  On occasion however they receive the error below (RemoteApp Disconnected - "Because of a protocol error, this session will be disconnected. Please try connecting to the remote computer again.")

If the user immediately re-launches the RemoteApp it works just fine.

I didn't find anything relevant in the event logs.

• Their RDS environment is all Windows 2012 R2, with three session hosts, RD Gateway, RD Broker, and RD WebAccess.
• Affected users already have the latest Remote Desktop clients on Windows 7.
• Affected users are both local to the RDS servers and across private WAN links or site-to-site VPN's.

Here's a key piece of information - The problem started in April after RDS and the customer's RiverBed configurations were changed to match RiverBed's recommended best practices. Basically RDS traffic began being optimized by the RiverBeds so the compression& encryption settings on RDS was turned down/disabled to allow the RiverBeds to perform this function. 

I don't believe that the RiverBeds themselves are the cause of the problem due to the fact that some of the users that experience the intermittent problem are local to the RDS servers, thus their traffic is not going through the RiverBed appliances. I suspect that the so called "Protocol Error" may be related to encryption or compression in RDS but I haven't been able to narrow it down. This conclusion is more due to the fact that the problem started after making the compression & encryption change and not really because of any specific evidence pointing in that direction.

I had suggested to the customer that we reverse the RDS compression & encryption settings (one at a time) as a test to try to narrow the problem. They are reluctant to do this however because making these changes in RDS and the RiverBeds in April made such a dramatic difference in their overall performance - they don't want to go backwards!

I am considering using WireShark to sniff some packets, but because the problem is so intermittent (it can be days between errors) and the fact that I don't know what "protocol" is causing the problem, it is likely to be difficult to come up with a decent enough filter to grab useful data. It would be like drinking out of a firehose!

Anyone else ever see this error? Anyone?

-Ted

When I run the commands while logged in I get the results immediately. This is not in a "run as administrator" session. This is a newish 2012 R2 install.

Here is from opening PS right from the desktop:

====

PS U:\> hostname
RDCB001

PS U:\> Import-Module remotedesktop

PS U:\> Get-RDServer -ConnectionBroker rdcb002.ads.local
Server                                             Roles                                                                                              
------                                             -----                                                                                              
RDCB001.ADS.LOCAL                                  {RDS-CONNECTION-BROKER}    

====

Now, from a pssession:

=====

$username = "ads\admin.acct"
$password = ConvertTo-SecureString "Mypassword" -AsPlainText -Force

$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password
$currsess = New-PSSession -ComputerName rdcb001.ads.local -Credential $cred
Enter-PSSession -Session $currsess

[rdcb001.ads.local]: PS C:\Users\admin.curtis\Documents> whoami
ads\admin.acct
[rdcb001.ads.local]: PS C:\Users\admin.curtis\Documents> hostname
RDCB001

[rdcb001.ads.local]: PS C:\Users\admin.curtis\Documents> import-module remotedesktop

[rdcb001.ads.local]: PS C:\Users\admin.curtis\Documents> Get-RDServer -ConnectionBroker rdcb002.ads.local
Get-RDServer : The RD Connection Broker server is not available. Verify that you can connect to the RD Connection Broker server.
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-RDServer

======

I only have 2 broker servers, and it does the same regardless of the -connectionbroker value (the example here is after making sure that the active broker is this server)

I get the same error when running this from orchestrator as a "run a command" with powershell -file c:\script\blah.ps1

Hi,

We have configured Terminal Service on Windows Server 2012 R2 andactivated CAL's for Remote desktop which was working fine.

Now we are getting below error and unable to take RDP session.

We have cleared the Grace Period registry key and rebooted the server post that it is workingbut again it is giving 120-days of grace period.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod

Please let me know even though we have activated RD CALs why this grace period option is triggered for every 120-days.

Please suggest how do we get rid of this grace period? Is it a default behavior or is there any fix available forServer 2012 R2?

Hi!  This is a strange one. And it only happens on one of my several computers.  Let me give a bit of background:

    I manage a Windows server 2012 R2 Essentials on a small church network.  We only have 5 clients on the network, and we keep it very simple...none of the clients join a domain.  And I try to manage the network remotely from a computer running Windows 10.  So when I started this several years ago, the browser I use to connect to the server was expected to be Internet Explorer, with ActiveX controls enabled.  I prefer Firefox, so I used some addons like IE Tab to simulate the IE environment in Firefox, and I got this to work quite well.  I would log onto the server, and be presented a list of clients on the server network to which I could connect remotely.  I have the server configured so that when I choose it, I get the desktop instead of the server Dashboard.  And this all worked fine. 

   THEN, sometime recently, I noticed a change.  I guess it was prompted by the depreciation of Internet Explorer, because suddenly the ActiveX requirements disappeared.  And I guess the change was as a result of Microsoft updates to Server 2012 R2. I enter the remote access URL for the server:   ####.remotewebaccess.com, and provide my user ID and password when requested.  Then I choose the server to bring up a remote desktop, but now the process has changed:  I notice that I am downloading a file named   servername.rdp  and executing it, which presents me with the remote desktop I desire.  After my sessions are over, I look for the .rdp file, but it seems that it has been removed after serving its purpose. This is all very fine, and in fact better than using the ActiveX features. 

  HOWEVER, I have one computer where this does not work.  It happens to be one which I have used for a long time, and when a new OS has become available, I have done an in-place upgrade and not a clean install.  So there are probably lots of bits and pieces lying around from years ago.  But when I use Firefox to access the server login screen, that works fine, but when I get to the next screen and select the server for a  remote desktop, nothing happens. 

   I have made some progress in explaining this--I suspected my Firefox configuration, so I created a new Firefox profile and tried it.  This time I got the notice that the  servername.rdp file is to be downloaded, and when I click OK, it downloads it.  But it does not execute it.  It just sits there in the download directory. 

  And I have made a bit more progress by doing a clean install of Windows 10 on a different partition of this computer, and the remote desktop comes up just fine, as expected.  So it is not a hardware problem.  And I have checked the system files with sfc /scannow, and they all seem OK.

  I have other computers which I can use to manage the server.  Incidentally, all my computers are running Windows 10 pro version 1607.  However, the one in question is my main computer, and since I have had this problem, I am concerned that there may be other things broken also until I get this fixed.  So I really would like to know what has happened and how I can fix it!  Hope some of you can help, and thanks. 

    Art

actor39

Hello,

I have come across several posts with a member "TP" was able to help resolve very similar issues.

Hoping he is still around and able to help me. I was not able to find a way to message directly on here.

So we have a 2012 RDS environment, the DC is also server 2012.

When users double click the RDP icon it takes almost almost a minute to connect.

It gets stuck at "configuring remote session"

I think its related to either the FQDN, DNS or certificate but we have had 3 people internally look at this and we just cannot figure it out. It was working fine when we intially set the servers up and worked for about 6 months, then last month, just out of the blue it started doing this.

Hoping someone will be able to assist

TP if you are here and able to assist we would be so very grateful to you!

Thanks!

I had an existing 2012 R2 RDS deployment on a single server with all roles including RDCB. I added an additional 2x hosts to act as desktop session hosts and 1x host to act as the eventual web access, gateway and broker for the farm.

As the only supported method for this was to setup HA for the broker service I went about doing this as per instructions for this - I added the 2x DNS records, added groups and SQL access etc and all appears OK there.

Now when clients try access the session hosts or remoteapp hosts via web access they receive the message "The connection was denied because the user account is not authorized for remote login". Appears the connections are trying to connect to the broker server I have added because if I add the user to the remote desktop users group on the new broker server they can login - but they are logged into the connection broker!

There is a blog from MS advising items to add to RDP file properties but this is not applicable as the issues are happening via web access and the required information is added.

Here are the servers in the deployment and roles

RDS-REMOTEAPP1 (Existing Server)

• Connection Broker (HA)
• Web Access
• Session Host (RemoteApps)
• License Server
• Gateway

RDS03

• Gateway
• Web Access
• License Server
• Connection Broker was added and should be part of HA but is not listed in the Deployment Servers for some reason?

RDS01

• Session Host

RDS02

• Session Host

Here are the contents of the RDP File saved from the web access:

redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:0
redirectsmartcards:i:1
devicestoredirect:s:*
drivestoredirect:s:*
redirectdrives:i:1
session bpp:i:32
prompt for credentials on client:i:1
server port:i:3389
allow font smoothing:i:1
promptcredentialonce:i:1
videoplaybackmode:i:1
audiocapturemode:i:1
gatewayusagemethod:i:2
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
full address:s:RDSBROKER.DOMAIN.LOCAL
gatewayhostname:s:mail.externaldomain.com.au
workspace id:s:RDSBROKER.DOMAIN.LOCAL
use redirection server name:i:1
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.Desktop
use multimon:i:1

How do I fix this issue or what is setup incorrectly?

Or should I just blow this all away (how do I do that?) and create a new farm?

I have configured RemoteApps and setup a connection which can be accessed by clients using https://remoteapps/rdweb, but the problem is only two users are allow to connect at once.  

I installed the licensing service and activated, I currently am configured for user cals.  

It has if they are connecting using the remote admin clients.

This machine is Windows 2012RD and a member of a domain controller.

On Service RDS on windows Server 2008 Can configure and define policy for remote desktop client .

But on windows Server 2012 i install RDS already and configure RDS on web already but cannot found menu setting Configure Remote desktop client . Please Advise me

Hi All,

I have a single AD environment in which client computers with at least Windows 7 OS are connecting mostly to a 2012 RDS collection but sometimes they are connectig to legacy 2003 TS hosts.

The issue seems to be that the client would loose its issued 2012 CAL when it connects to the 2003 host and get a new one when again connecting to a 2012 host. As a result, clients will have muiltiple device CALs assigned in the licensing manager and that's a pain.

Please let me know if there is a workaround you may know how to handle this.

Thank you in advance.

Zsolt

Folks,

Just noticed this becoming an issue on a Windows 2012 R2 Terminal Server after the last round of Patch Tuesday updates stemming from August 9th, 2016.

Typically, I'm rebooting the server every 24 hours to over-correct the issue - rebooting not being the best option here.  

In previous discussions, it's advised to remove KB3002657 or KB3035132 from the server.  Is this still the best option to restore full functionality even with the last round of patches and updates? Just to confirm, we are not using webroot as an AV solution. 

Hi,

I'm a little bit confused since 2008r2 rds farms.

I have three rds hosts named server1.domain.com through server3.

I have a single remote desktop gateway with session broker and web access role installed. Named gw1-server.domain.com. I connect from the outside with name.domain.com. Everything is ssl'ized with an asterisk certificate *.domain.com.

What I want is connect to my session host without web access. Just the rd client.

I can succesfully connect when i set name.domain.com in my gateway properties field, and server1.domain.com in the hostname field. The client is than logged on to a server with most resources left, so that can be either one to three. Everything fine so far. BUT, now server1.domain.com is down for maintenance. My clients, that have their pre-configured rdp icon on their desktop pointing to server1.domain.com, cannot connect anymore.

I was in the understanding that the session broker would manage this. So I guess i have something mis-configured. On the other hand, clients are evenly distributed over the different rds hosts when they connect. So the session broker is doing something.

Best regards,

Ruud Boersma

MCITP Enterprise administrator

I know on Windows Server 2012 R2 there is an option to assign different static IPs to each user or application by using either a DHCP server or setting a range of IPs via the registry. I need more control than that and need to assign a specific internal IP per user for some of the SIP-based applications to work. I need to NAT specific internal IPs to specific external IPs using the firewall and the only way I can achieve this is to make sure each user gets a unique static IP that remains the same every time a user logs in. 

From what I read, this is not possible using Windows Server out of the box so I am asking if anyone knows a third party product or registry key setting that will allow me to set a specific internal IP per user when they login to Remote Desktop on the Windows Server. Does anyone know of a way to make this happen - even if it requires a third party program? 

Thanks in advance, 

Scott

Hello Everyone,

Can anyone please confirm me, Is it possible to upgrade WIn 2008 Std SP2 X64 Terminal server to Win 2012 R2.

As per the article it look to me that we after inplace upgrade Terminal services will not work.

Please give solution for it.

Thanks

Sanjiv

Hey All,

I have a question regarding USER RDS CAL's & DEVICE RDS CAL's and how they are granted. I am running XenApp 7.8 which is provisioning out several servers for my users. These servers are identical however they are separated by OU's. Each OU has a specific GPO that defines the RDS license server as well as the licensing mode. All servers are reporting the correct settings and there are NO licensing errors or issues to speak of. 

The issue is that if I take a look at my RDS License server, I see mainly User RDS CAL's being issued. I do have a few Device RDS CAL's issued out but that number is not even close to what it should be. I have ran an RSOP on a few random users and everything comes back correct (proper GPO, proper RDS license server and mode). 

I did find some references where USER RDS CAL's are not actually issued/monitored and instead temp licenses are issued, but I didn't find anything related to Device RDS CAL's. My question is this; are the RDS CAL's only required to allow users to log onto a server (meaning that they do not technically need to be issued) and only meant for auditing purposes; or, should I actually see users receiving the correct licenses at all times?

Again, I'm not seeing any errors and I do not have any users complaining about not being able to log in, this is strictly a licensing question. I just need to understand how the system works when a mixed RDS CAL environment is used. We have purchased enough licenses to satisfy both groups so we are in compliance. I just want to confirm if thats all I need to be concerned about. 

Thanks!

We have this issue on many 2012 RDS session hosts. The issue has been seen at different clients with different set ups, some have a simple 1 session host RDS server, some have 4 or 5 session hosts in a load balanced farm with RD gateway, connection brokers, RDWeb, ect. The problem in simplest explanation:

A user will call the help desk saying they cannot access the server. They will get an error when RDP is trying to connect. 

We check the session hosts, and will find many errors:

"Event ID 4005 - The Windows logon process has unexpectedly terminated"

At that point in time, users who are currently logged in may be able to still work, or their session may lock up (it is not consistent). 

Regardless of the current users logged; after the logon process crashes, it continues to crash upon every user attempt to log on. It will happen indefinitely until the server is rebooted. We can not log in, not even via console until the server is rebooted.

Then, everything works fine for some amount of time (not consistent) it may be a couple of days, or it may be weeks, or a month even. 

We have had the case open with Microsoft for about two months and they cannot determine what is wrong. 

I believe I may have found a possible cause; Webroot Secure Anywhere antivirus. Since we have tried everything from moving from roaming profiles to local profiles, removing all printers, blocking inheritance of GP, fresh server builds with minimal software, ect - it has to be something that is consistent across the board on all servers. 

The only thing I can find consistent across the board is the Antivirus; Webroot. 

I am curious if anyone else is having this issue? I would like to pin point this to something but it is so intermittent and we cannot force replicate the problem. 

Hello,

My situation:

- Domain workstation are: Windows 7.

- External TS server to the domain but workstations are allowed to connect to, The TS use an SSL certificate.

- Can not access to the TS to change the setting.

The problem I have, when the users try to connect to the TS the receive the following Error (see image)



I searched through the internet, I did not found a solution or a right path to my solution.

I know its related to that the client workstations does not have the matching certificate, which I dont have and I need to find a workaround.

Is there a way to use GPO to change the setting on all the workstations ? Does affect the Others RDP shortcut already deployed on the domain?

Thank you

Gateway: Windows 2012 R2 
Connection Broker: Windows 2012 R2 Windows Internal DB

Can you please advise the limit RDWeb is able to enumerate. After 997 we get the following thrown by RDWeb services and no user can enumerate apps from web feed. See below error from RDweb log:

I'm assuming it comes down to array bounds issue but I can't seem to find any documentation where Microsoft indicates such a limit?

Hey guys,

I have been testing RDS 2012 for a couple weeks as my firm is looking to move away from rds 2008. I am having a few issue publishing apps as some of the file locations cannot be changed in rds 2012. For example, in RDS 2008 from RemoteApp Manager I am able to change the location and icon of an application by simply going into properties (capture 1):

I am unable to do this in RDS 2012 since the location cannot be edited (Capture 2):

Does anybody have a work around for this? It is important that we are able to run the batch file when the app is launched to change file path etc. I have tried adding the file path to Command-Line Parameters with no luck.

Thanks,