Hi everyone,

There seems to be a blizzard of questions and misunderstandings about certificates for Svr 2012 TS.

Here is another one. I've just set up a TS system and its working using its self signed certificates. There are three servers; 2 are session hosts and everything else is on the 3rd. All three are domain member servers and there is a domain CA.

I've search and googled this issue and read many of the articles on the subject. Maybe I'm just not getting some of the finer points of detail.

For example this post looks promising

https://technet.microsoft.com/en-us/library/cc732329?f=255&MSPPError=-214721739

as it has the statement

"You can generate and submit a certificate request to obtain a certificate from a stand-alone or an enterprise certification authority (CA)."

Great we are making progress here, but wait, it then keeps the answer a secret. :-(

Is there a way to get a Certificate Signing Request out of a TS system and install a signed certificate? I read one article that described getting a CSR from IIS on the RDGW server, which I did and I then got a signed certificate from the domain CA and tried to install it on the RDGW server. The certificate from the Domain CA is in .cer and .p7b format. But the "Configure the Deployment" wizard wants the certificate to be in .pfx format. That, I believe, includes the private key. Why would I want to replace the private key?

I've probably missing something obvious here, or missing the point completely, as this process appears at best obfuscated and at worst is downright user aggressive!

I've been generating CSR's and installing signed certificates on MS and Open Source web and e-mail systems for years. I have a fair idea what I'm doing - I'm not a guru but not daft either. But there must be a subtlety I'm missing on this one.

So can this be done? I'm beginning to doubt it. I looked for how-to's on some well known public CA's Knowledge Bases. They don't seem to know either.

If there is a in depth "how to" that describes this in excruciating detail, I'd really like to read it.

Thanks for reading so far

Pointers and wisdom most welcome.

:-)

Ken

Hello,

I have a sound issue with a 2008 server (32 bit). I'm monitoring the server via an RDP-Session that's up and running 24/7. Sometimes, the audio-output on the Client PC (Win 7 pro, 32 bits too) fells silent. Sound on the ClientPC itself (outside the RDP-Session) is fine, within the Session everything seems to be okay (volume control, Microsoft RDP Audio Device), just there is no sound. If I close the Session and reconnect, sound is back - sometimes for a day, sometimes for a week... Audio in the Console-Session or in other RDP-Sessions at the same time is flawless.

The WAN-Link between the two sites is a bit shabby, but as long as the session itself doesn't break I don't see a reason why a few beeps shouldn't come through.

After searching for a solution for a while now I have found hundreds of threads and solutions for no sound in RDP-Sessions at all, even a MS-Hotfix for shabby sound - but obviously I'm the only guy with such a problem.

Ideas anyone?

Thanks.

Hello,

We are facing a strange problem, the below is a description:

- We have a several terminal server 2008r2/2012r2

- Sometimes some users can not open their sessions on the server, due to the corrupted profile.

- For now my solution is to delete the user profile and at the next login they can login.

- The problem we have is we can not delete there associated folders without restarting the TS server?

I want to know if they are a solution to to delete the user profile and the associated folder without restarting the TS server because sometimes it happens 2,3 times a day?

Thank for your help

Hello,

i need to block access to the internet via IE, my users cant surffe  the internet when  they log in to the Terminal server.

what is the simply method to block it?

Thanks,

Itai

Hello,

We need 15 Remote Desktop Connection for our remote users. We have HPE ML310E Server and are going to purchase HPE Windows Server 2012 R2 Standard with 15 HPE RDS CALs. Question is, do we need to purchase standard user CALs as well with RDS CALs? 

OnSite Geeks

Desired result (should be fairly simple-NOT):  I need to access my server via Windows Remote Desktop via VPN from remote locations.  I can VPN to the machine just fine.  

1. The Server is set with a Static IP.  Connected to my AT&T router.  This router is configured with DHCP, IPv6 enabled, and allows me to assign the Static IP's to either of my two computer. 
2. An address pool is setup with a pool of 3 static IP's. I have 5 total [1 for server, 1 for personal PC, 3 for pool on server]  
3. Group Policies, Remote Desktop all set and enabled.  
4. Remote Access Management Console
5. I can see in Remote Access Mgmt Console the user is connected, and one of the static IP's are assigned. Authentication = MSChapv2
6. Also in Remote Access Mgmt Console under the domain name it shows:  VPN [Services - Big red X with Operations status & state showing Critical& Services State respectively.

Remote Access Error:  The following error occurred in the Point to Point Protocol module on port:  VPN3-127, UserName XXX.  The connection was prevented because of a policy configured on your RAS/VPNserver.  Specifically the authentication method used by the server to verify your user name and password may not match the authentication method in your connection profile.  Please contact the Administrator of the RAS server and notify them of this error.   

• I've triple checked NPS to make sure the policy was enabled and to grant access for VPN-Dial Up, DHCP and RGateway
• All are set with PEAP and/or EAP-MSCHAPv2

The other related error: 

The address of remote RADIUS Server xxxx in server group VPN-access resolves to Local address xxx, and will be ignored.  THis is listed twice.  Once each for IPv4 and IPv6 address.

Again my goal:  Very simple - Provide remote access to my server.  I can VPN in, but am blocked with Windows Remote Desktop.  Actually tried Chrome RD also. Same results.  This is a new server setup and the only thing on the Server besides the operating system. Is SQL Server.

I will be eternally for any an all help!

Christopher 

Thank you, Chris

I have new setup which is working fine externally for Windows 8.x and Windows 10 clients, but not working with any Windows 7.

When launching a published WebApp users on Windows 7 are getting error message "Your computer can't connect to the remote computer because and error occurred on the remote computer you want to connect to. Contact your network administrator for assistance."

The setup is:

• RDWeb published applications
• Comodo wildcard certificate for Web, Gateway and Connection Broker
• Again, no issues with Windows 8.x and 10
• Three servers: CB, Web and Gateway on server A, single session host B, licensing on one of the DCs
• There are no errors or Audit Failures logged in event logs, or any of the RDS servers
• KB2903333 fix number 2 applied anyway even though no Audit Failures
• RDP 8.1 installed on Windows 7 clients and IE 11
• External connecting computers are a mix of Domain laptops and personal systems.  My test system is standalone Windows 7 with all MS updates, never been on domain, no local security policies and AV and firewall disabled for testing
• "Allow connection only from computers running Remote Desktop with Network Level Authentication" has been unchecked on session collection
• I have tested with Firewall services disabled on CB and Session Host with no difference.

I'm stumped. Any ideas?

Hello, 

I have an approved GPU that is enabled for RemoteFX on my Windows 2012 R2 Hyper-V server.  I DO NOT have a VM collection or VDI pool.  I have installed Windows 7 SP1 Enterprise as a VM on the Hyper-V server and enabled RemoteFX.  I have verified it installed by connecting through the Hyper-V console and verifying in device manager.

When I try to connect the Win 7 VM using RDP, I get the error message:

"The remote session was disconnected because there were network problems during the licensing protocol"

The Windows 7 VM has been fully updated.

After some research I found one guy on these forums who said this:

"Have you added the VM with the RemoteFX vGPU to a collection?  You must do this in order for RemoteFX to function correctly and for the client that is connecting to obtain a license. "

To use RemoteFx does I need a session collection and then a licensing server?  RemoteFx wont work just straight RDP'ing to a created VM on a Hyper-V server?

Thanks!

I have set up a test Server 2012 RDS collection (Single Server for now) and implemented User Profile disks.

I have two problems.

First: My generic test user can connect and does successfully use the user profile disk as expected. However, atlogoff, the system event log contains these errors:

The error (NTFS 137) is: The default transaction resource manager on volume C:\Users\ts3.test encountered a non-retryable error and could not start.  The data contains the error code.

The warning (NTFS 50) that concerns me is:

It appears that the user profile disk is being "disabled" or "disconnected" before the profile data is completely written at logoff. What can I do to troubleshoot this?

Second:

Update: A post from Mike Connor on the following page: -LINK- solved the problem described below. 

My administrative user always logs on now with a temporary profile. At the beginning, the UPD was working and mounting. That stopped working. In attempting to troubleshoot, I logged the admin user off and deleted the UPD disk file from the share. I remember it working again after generating a new UPD disk file in the share. Soon, it quit working again. I deleted the UPD disk file again from the share and ever since, it has never regenerated a new UPD andalways logs on with a temporary profile.

I can't ping my rds gateway remotely (internal is fine). I checked that https is listening on port 443. I set my router to port forward https requests to my server port 443. I have a self signed certificate on my server for testing purposes as well. What I'm I missing? I can ping the IP address of my router. Also set IIS default gateway to my FQFN.

Thank You

EVENT ID: 1152 - Failed to create KVP sessions string. Error Code 0x8007007A
Source: Microsoft-Windows-TerminalServices-RemoteConnectionManager
Log: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational

We are currently experiencing the above mentioned error intermittently on both of our RD Servers. Both servers and virtualised on separate 2012 Hyper-V servers running Core. Both run 2012 R2 and belong to the same pool. Users have been complaining about getting kicked off of the servers during the day and when we check the disconnects coincide with the above Event ID 1152. The servers are fully patched and licenced, there are no licencing errors.  We have exhausted all avenues attempting to find the fix for this so are open to any suggestions or assistance you can give.

Regards,

Anthony

Hello,

I'm having a problem with a newly created 2008 R2 RDS Farm. Full desktop logins are fast for remote users (under 10 seconds), but RemoteApps and RDWeb apps take about 30 seconds to load (once loaded, subsequent apps load in 2-3 seconds). The details button is greyed out for about 25 seconds while waiting for the app to load and then when it is finally becomes enabled, the app loads in about 3 seconds.

The RDS setup consists of:

1 Gateway server
1 Connection Broker/License server
2 Session Host/RDWeb servers

I have tried the following:

-Unchecking "Bypass RD Gateway server for local addresses" under the session host settings in RemoteApps manager on both session host servers
-Disabling UAC on all servers (oddly enough this seemed to increase the login time)
-Disabling client device redirection

Nothing has improved the speed. Any other suggestions? Thanks

I have set up a standard 3 node 2012 R2 RDS for testing. All virtualized on VMware ESXi 5.0. I have a connection Broker, session host, and web access server. I have published several applications and I can access them without a problem. Here is my issue:

When I try to log on to my session host server either locally or thru RDP, I am always logged in with a Temporary profile. It does not mater what user account I use. Even logging on locally as the administrator I get a temporary profile.

All windows updates are installed and current.

I have removed the server from the domain, deleted the account, and rejoined it to the domain.

I have deleted all .bak registry entries from here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

There is a hotfix here for a similar issue on 2012 but it does not apply to 2012 R2

The only event viewer errors are:

1515 (Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time this user logs on.)

1511 (Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.)

Any suggestions to resolve would be greatly appreciated.

Russ

I don't know exactly where to start, so I picked here.

We have users trying to reach https://www.tax.ny.gov with IE 11 in their RDS sessions (Win2k12 R2, all current patches).

They get this error:

Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://www.tax.ny.gov again. If this error persists, contact your site administrator.

All TLS 1.x is on by default in IE 11!! (I know the site uses TLS 1.2)

That site is in the IE Trusted Sites Zone by group policy!!

I can't think what could be the problem...suggestions anyone??

There is a group policy for explicitly forcing IE to use TLS 1.x but I have not tried it yet, I don't want to break other sites by accident, I will test it this evening.

This is not a Compatibility View problem.

Thank you, Tom

We are running a new forest with only Windows 2012R2 domain controllers. We have setup a new Remote Desktop Services deployment in this forest. We also have an old forest and we have a two-way trust in place. However, we cannot add an RD Session host to our new deployment from the old forest. It will fail during the check compatibility test stating that it is unable to connect using Windows PowerShell remoting. The host to be added is a Windows 2012 R2 server and has remote powershell enabled. We believe the problem is based on a double hop Kerberos failure but we cannot find any definitive documentation of whether or not this configuration is supported, and, if it is, how to make it work. ANy help or guidance would be greatly appreciated.

Dennis Ervin

Dennis Ervin

I've been experiencing issues connecting to a remote system with RDP.  The server has been operational for several years and is one of 4 servers identical servers located at the same site.  Recently, one of the other servers crashed that I had been remoting into for a long time so I had to start using this server to RDP into.  Once our on-site IT personnel redirected port forwarding to this NAT'd server I was able to log in remotely to make some changes, including adding a role as a Remote Access VPN server using the Routing and Remote Access Server Setup Wizard and removing the Network Threat Protection component of Symantec Endpoint Protection so that I can use and configure the Windows Firewall.

While working through the Routing and Remote Access Server Setup Wizard, my RDP session locked up and disconnected.  I was able to reconnect after on-site personnel completed the wizard and restarted the computer, but once I reconnected, after a minute or 2, I was again disconnected and could not reconnect until the server was restarted.  I presumed adding the VPN role affected my RDP access, and decided to remove the VPN server role. 

Now, I cannot RDP into the server unless it is freshly rebooted, and even then it only allows me to stay connected for a couple of minutes before the connection is lost and I'm unable to reconnect again until the server is restarted.  One vicious cycle; able to login after reboot only to have the connection dropped and require a restart to reconnect again.  

This server also hosts a database that client systems are only able to access for a short period of time after reboot before their connection drops. 

I've quadruple checked the Windows Firewall inbound rules, uninstalled the anti-virus application completely, even going so far as having to obtain their removal application to ensure every piece of it was removed, and I'm still having the same issue. 

The entire issue started when I tried to add the VPN role.  I'm sure uninstalling and reinstalling the anti-virus several times hasn't helped either, but as it stands right now, I have a server that shortly after restarting is unable to communicate; not with the internet, not on the local area network, not remotely.   On-site personnel are trying their best to follow my troubleshooting telephonically but it's getting to the point where I'll have to find out what's wrong and provide an easy fix remotely, or, make a trip half-way around the world to try to figure it out myself (which would be EXTREMELY difficult/close to impossible right now). 

Quesitons: 

1) Why would I be able to connect remotely after reboot and then get disconnected shortly thereafter? (Service/application causing the issue hasn't started until shortly after a reboot??)

2) Why does it not only kill remote access, but LAN and internet access on the server?

3) What else can be checked to help diagnose and troubleshoot the issue?

I have done a lot of searching on the web but haven't found issues identical to my own. I've seen information on uninstalling a patch and a seen a hotfix for RDP issues, but that still wouldn't help LAN and internet access on the server.  This server ran local RDP access, local client access to the database, and could access the internet for years prior to the recent changes and issues. 

Edit:  The system I'm remoting into the server with is a Win 7 Pro system, and the database clients are also Win 7 Pro.

Edit 2:  I've found information on the VPN "binding" to the port that may have been improperly configured which could be causing the issue.

Hi

i got below error message while i try to obtain the Terminal CAL license Key pack through my Windows server 2003 Terminal License server "Remote Desktop Licensing Service is unable to process your request. Make sure you provide the correct information. If the problem persist try other method of activation. Error code is 4095."

My Terminal Server is Open License 2012 that i need to downgrade to windows server 2003 that is actually out of the support. But in this case i really need this TS CAL to run on my Window Server 2003. I would be appreciate if you could help.

Best Regards with Thanks,  Sovann from Cambodia