I'm currently using an internal Active Directory certificate with all of the SANs included (9 total).  Everything seems to work fine thus far.  I want to switch to a 3rd party certificate in order to make the Firefox experience more streamlined.   Is the following limitation still a factor when using a SAN certificate vs. a wildcard certificate?

https://technet.microsoft.com/en-us/library/dn781533.aspx?f=255&MSPPError=-2147217396

This certificate approach works as long as you have five or fewer servers in your deployment. If you have more servers, you can’t use the Subject Alternate Name field (it is limited to just five servers). Instead, you need to get a wildcard certificate to cover all the servers in the deployment.

Thanks!

Hello,

I have new 2012 RDS enviornments with 2012 r2 gateways and 2012 session host. From Windows 7 machines, Ive been telling customers to use the latest client RDC 8.1 which works great. It wont work with RDC 7.1 which is fine.

Besides new features in the new clients and in windows 2012 R2, is there a scenario where rdc 7.1 might work connecting through a 2012 R2 gateway?

I was just curious as to exactly why 7.1 will not work. Is it just the new features, or does it have to with crypto as well?

I was thinking it might have to do with 7.1 using RPc over HTTP and 2012 R2 doesnt do that anymore.

Thanks

I started to receive the following error on the client side when trying to go through a 2012 R2 gateway on 443 from win7. It is not every client. I get the following errors on a win7 box using RDC 8.1. I'm successful when connecting from a win2k12 machine.

I receive the following message on the win 7 box:

"Your computer cant connect to the remote computer because an error occurred on the remote computer."

In the TerminalServices-ClientActiveXcore log, I receive the following errors:

RDP ClientActiveX has been disconnected (Reason= 50331674)

RDPClient_Gateway: An error was encountered when transitioning from AAStateCreatingOutChannel to AAStateError in response to 21 (error code 0x80072EFE).

RDPClient_Gateway: An error was encountered when transitioning from AAStateInitializingTunnel to AAStateError in response to 6 (error code 0x80072EFE).

Thoughts?

I have installed an RD Connection Broker, web access, and licensing server (12rdgate1).  I have linked this server to a public ip address and natted the standalone firewall to access ports 443, and 3389.

When I browse to the website, I am presented with a login.  After authenticating, I get presented with a published RemoteApp.  After clicking on the RemoteApp, I am presented with another login screen.  After logging in, it appears that it is doing something.  After a few moments, I get an error message:  "Your computer can't connect to the remote computer because an error occurred on the remote computer that you want to connect to.  Contact your network administrator for assistance."

I have checked the event viewer on 12rdgate1 for errors in the system, security, and application logs and can't find any entries relating to the time of the event.  I've even cleared the logs (after saving them), and re-tested with no entries relating to the problem being shown.

I only have one terminal server in the collection for the remote app.  I have also cleared those logs (system, security, and application), and re-tested, with no entries relating to the problem being shown.

If I attempt to do this internally, I don't get errors, and things work the way that they should (Using a laptop that is connected via wireless internally, and through a hotspot to get access externally).  I have even tested this from home with the same results.

I have seen in articles relating to Windows 2008 R2 about changing the security negotiation to a different level, but, can't find that to test here.

Certificates are from a separate certificate server that was created internally, and the certificate root has been imported into all machines, along with the intermediate certificate as well.

I've run out of things to check.  Can someone point me in a direction to find this problem and fix it?

Thanks for your time.

Jimmy

Hi all,

Some time ago I opened this thread:
https://social.technet.microsoft.com/Forums/en-US/08f91854-27c2-4bc8-8845-d2435db51c1f/hanging-upd-profiles-in-2012-r2-rds-environment?forum=winserverTS

Since then I've made some changes in the GPO's, but this seemed to have the affect that a lot of users now get TEMP profiles in de RDS environment regularly.

The Event Viewer System logs show these messages:
Event ID 16: The access history in hive \??\C:\Users\USERNAME\ntuser.dat was cleared updating 2157 keys and creating 297 modified pages.
Event ID 16: The access history in hive \??\C:\Users\USERNAME\AppData\Local\Microsoft\Windows\UsrClass.dat was cleared updating 367 keys and creating 47 modified pages.

Also there are a lot of these events logged:
Event ID 20499: Remote Desktop Services has taken too long to load the user configuration from serverboth DC's for user USERNAME

This leaves the User Profile Disk corrupt and the only way to resolve this is to restore the UPD from an earlier moment.

Any thoughts?
I see a lot of RDS logs and searching online give a lot of results (non-related) back.

Kind regards,

Matthijs

Hello,

I have problem with RDS farm - smart card authentication. I will be very grateful for any kind of help ;)

My setup:

Dell Wyse t10 terminal - windows server 2012r2 rds farm (2 hosts servers).

Case 1 if user session doesn't exist, then they can login with smart card without any problems. Pin and certificate are provided from terminal.

Case 2 if user session exist and if their session is on the second server (for example terminal connected to terminal01 host, but their session is on terminal02 host), then windows try to login to the second one (this is of course how it should be), but user must to provide pin again...

thx in advance

Good day!

So, i have a small problem understanding certificates for RDS environments.

HEres what I have:

a broker with the name RDSBroker.site1.contoso.com

several RDSHs with names like RDSHXX.site1.contoso.com, where the XX stand for the number of the server, for example RDSH01.site1.contoso.com. Currently i have 01-04, in the future there will be a lot more and i cant say right now how much.

my collection, which is named WTScollection is accessed through round robin DNS. meaning, my colletion name has a entry in the DNS for every RDSH's IP.

When I connect to WTScollection i get the first certificate warning from on of the RDSHs, for example RDSH03.site1.contoso.com. And if the Breoker decides to redirect me i get a second certificate warning from another RDHS.

What kind of certificate do i need exactly (i assumed wildcard vertificate or SAN certificate?) and on which Servers does this need to be imported and in which location?

Has succesfully installed Office on both the session hosts as specified in artichle https://technet.microsoft.com/en-us/library/dn782858.aspx. 

As long as i only use one host it all work prefect, but if I get logged onto host 2 I get this error.

It still works if i press OK. but the message keeps popping up if I happends to switch host again.

Any help or suggestions is appreciated.

Hello,

i have a curious problem which i am not able to properly solve...we have some clients which are connected through vpn client connection or even vpn site to site connection

We have the following infrastructure

LoadBalancer (one VIP listening for port TCP/443, TCP/3389, UDP/3391)
VIP DNS Names = rdpbroker.local + +rdweb.local + rdpgw.de
-> rdpbroker address accessed by the Clients (rdpbroker.local) AND rdp Gateway address (rdpgw.local)

RDP Brokers (rdweb, Gateway and Broker installed)
rdpbroker01.local
rdpbroker02.local

RD Session Hosts
DNS Name = rdsh01.local
DNS Name = rdsh02.local
DNS Name = rdsh03.local
DNS Name = rdsh04.local

IP(!) is permitted for the Clients to all Systems, all Server Systems are in the same subnet (VIP included). This are the Settings for the collection

And this is a sample application rdp file

redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:0
redirectsmartcards:i:0
devicestoredirect:s:*
drivestoredirect:s:C:
session bpp:i:32
prompt for credentials on client:i:1
span monitors:i:1
use multimon:i:1
remoteapplicationmode:i:1
server port:i:3389
allow font smoothing:i:1
promptcredentialonce:i:1
videoplaybackmode:i:1
audiocapturemode:i:1
gatewayusagemethod:i:2
gatewayprofileusagemethod:i:1
gatewaycredentialssource:i:0
full address:s:rdpbroker.local
alternate shell:s:||calc
remoteapplicationprogram:s:||calc
gatewayhostname:s:RDPGW.de
remoteapplicationname:s:Rechner
remoteapplicationcmdline:s:
workspace id:s:rdpbroker.local
use redirection server name:i:1
loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.FARM_Name
alternate full address:s:rdpbroker.local
signscope:s:Full Address,Alternate Full Address,Use Redirection Server Name,Server Port,GatewayHostname,GatewayUsageMethod,GatewayProfileUsageMethod,GatewayCredentialsSource,PromptCredentialOnce,Alternate Shell,RemoteApplicationProgram,RemoteApplicationMode,RemoteApplicationName,RemoteApplicationCmdLine,RedirectPrinters,RedirectCOMPorts,RedirectSmartCards,RedirectClipboard,DevicesToRedirect,DrivesToRedirect,LoadBalanceInfo
signature:s:

I tried Telnet on the ports, ping, mstsc on the address rdpbroker.local...everything works like expected but when i use the applications through radc they try to connect to the Gateway...but i dont know why?

Can someone explain why the Client doesnt recognise he is in the lan?

Any help is very welcomed

Thanks in advance

Kind regards

Hello,

We have been notified that our license is about to expire so after going to Administrative tools - Remote Desktop Services - RD licensing manager - Right clicking our server I have entered our license number and activated it.

Result: http://i.imgur.com/MJWgVUE.jpg

Thought we are good. Today again I saw a warning notification in event viewere that it's about to expire.

ID: 1068

ID: 1129

Still everything is green in RD licensing manager ( Image from before)

Upon checking on RD licensing manager ( Via server manager ) two warnings are shown:

http://i.imgur.com/hANj91i.png

Now since we are working in WORKGROUP I'm unable to find any way to set RD licensing mode.

Found a guide which tells me to edit two gpedit.msc settings :

Set the remote desktop licensing mode : per device
Sse the specified remote desktop license server: IP address of the server

I'm not too found with editing local group policy settings so I'm asking would this be our solution?

Hello,

normally we use published applications (remote apps) for our Clients, but we have thinclients which are not capable to use remoteapps, so we need to provide them remote desktop sessions

While we do not want to place more remote desktop session Hosts, we want to run our rdsh as remoteapps and remote Desktop Hosts

So far no Problem
- Remoteapp Clients use RDWeb or RDAC rdp files to access everything. Works flawless, no Problem. Selected certificate for deployment is used for everything.
- Remotedesktop Clients just use our Broker Adress to Access the farm. Works so far...but the Clients throws warnings about the certificate.
-> This can be solved running the following command
wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="<hash of our certificate>"

This sets the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
SSLCertificateSHA1Hash

But if i have this value, i run on remotedesktop Gateway (with Windows Application Proxy) on Error 0x607...so solve this Problem i have to remove this key (see https://social.technet.microsoft.com/Forums/windowsserver/en-US/e0f8f58f-58c9-49fc-9d48-f6bfde830f17/rdweb-authentication-error-0x607 )

But now i have again the untrusted self signed certificates when i connect to the Desktop...so?

I deleted the self signed certificate from the remotedesktop cert store...changes nothing, after reboot it is there again. The certificate i want to use is in the "remotedesktop cert store", the Network Service has access to the private key.

Does anyone know how to prevent the generating the self signed certificate and force the well known certificate not only for remoteapps without the SSLCertificateSHA1Hash key? The certificate i want to use is a SAN certificate which includes the session host Name as fqdn and short name

Thanks in advance.

Hello

is it possible to use out-gridview on application in remoteAPP ?

Get-Service | Out-GridView work fine in TSE connection

but don't work on remoteApp session

Hi guys

I have this issue in RDS 2008 where users keep getting disconnected and prompted for credentials.

I have checked:

• Configuration Properties > Sessions "Active session limit" to Never (force it by overriding user settings).
  This has been set through group Policy
• The licensing appears to be correct with no errors
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
  fDenyTSConnections and all RDSH servers have set to 0.
• No HTTP redirection on default web site.

I checked a few other things, but nothing has prevailed.

I found the Event 4634 where accounts were being logged off on the AD server.

Im not too sure what the cause is, anything to look for?

Thanks
NN

My laptop with windows 10 with MRD is ok, but my my MacPro with latest operating system give the error when opening remote : "The requested session access is denied". 

The password is verified by the owner of the server. 

Jonny

We have deployed Work Folder for our user with Folder redirection for some folder like desktop or documents.

This work well however when those user need to connect to the Remote Desktop Server, they have no way to access their document since the folder redirection will point to the right location, but will not sync with the server copy since there is no Work Folder client for R2012 R2.

So since Work Folder is deployed per gpo, using a user gpo, there is no way to detect using the GPO if the user is logging to his laptop or the RDS session, therefore beside using loginscript, I have no way to fix that, or create a different folder redirection base on the computer.

Does anyone have a solution for this?

Hello,

Is there anyway to change the default level of tls 1.0 for gateway server. I noticed that once I disable tls 1.0 in the registry on the gateway server, windows 7 machines with  RDC 8.1 cannot connect to the gateway. however, win10 machines still can connect. Once I turn tls 1.0 back on win 7 machines can connect great.

So can i have the gateway use a different encryption level?

Let me know if i need to provide more details.

Reference:

https://technet.microsoft.com/en-us/library/dd320345%28v=ws.10%29.aspx

"By default TLS 1.0 is used to encrypt communications between Remote Desktop Services clients and RD Gateway servers over the Internet. TLS is a standard protocol that helps to secure Web communications on the Internet or intranets. For TLS to function correctly, you must install an SSL-compatible X.509 certificate on the RD Gateway server."

**update: So it might not be the gateway that handles that handshake between client and gateway. As I mentioned, I tested connecting from windows 2012 R2 machine. In the logs, the handshakes were tls 1.2 all the way. however, on a win7 with rdc 8.1, it drops back to tls 1.0 on the gateway connection. Not sure why.

Thoughts?

I have to rebuild the RDS on Windows Server 2012, so all Collections were gone. I want to "import" existing virtual desktops into the Collections, but cannot figure out how to achieve it, any suggestion?

Background

The RDS deployment used to have two servers, Server A is having everything and Server B is just RDVH.  Server A have hardware problem and I have to rebuild from scratch.  Before taking done server A, I moved all virtual desktops to Server B.  Now server A is up again with RDS, I want to "import" the virtual desktops into collections.

Thanks for offering any suggestions.

Hello.

We have a customer that uses a terminal server (windows server 2012 R2).
Office users connect thru remote desktop for normal use.
Most printers are installed on the serverside and no issue's there.

The reception however has a local printer (HP 2055d) over USB.
So she uses this one for some documents that are for her eyes only.
Computer OS is windows 7 pro 64bit.

Problem that happens is when she wants to printed sorted. So a contract that has to be printed 2 times. She wants page 1,2,3 and then page 1,2,3. if she does it local with a pdf or notepad it works. If she does it from the remote desktop session it's not sorting. It's printing, but not sorting, so page 1,1,2,2,3,3. I thought it was the printer but at my office with a different (hp) server that is connected over the network (IP) it also isn't working when connected to the terminal server.

When connected to a different server (the file server / dc) it IS working as expected.

I have installed latest HP Universal Printer Driver on the local client, and @ the terminal server.

What could be the reason sorted printing is not working?

Excuse,

I want to adjust my workstation (Windows Server 2008 Standard) display font like Windows XP can change it to "Extra large fonts ", but I can't find it on my server 2008.

Does any one can tell me the setting at where on Server 2008?

I don't want to change icon, just font size...

Thanks.