Channel: Remote Desktop Services (Terminal Services) forum
Viewing all 21489 articles

Restricted USER security when RDP to member servers


I have a department of 3 to 5 users that require RDP access to a member server that is hosting a network Application. Their function is to update data on this application. To do this they require the following:

1. access to the application folder (D: only)
2. access to tools within the application (to import the data into the application)
3. restart/stop/start 2 of the application services

How can I give them RDP access but restrict them from performing any other functions on the server apart from those listed above?

Thanks in Advance.


RDS 2012 RDWB NLB - Browser timeout fails


Hi all

A single PoC RDWB server times out fine during web inactivity, with the IIS setting Sites > RDWeb > Pages > Application settings > PrivateModeSessionTimeoutInMinutes & PublicModeSessionTimeoutInMinutes values being adhered to. However, since implementing an NLB front end on two RDWB servers and changing RDS to HA, the session remains permanently active - the user is never logged out.

I'm using MS NLB in Unicast with Single Affinity.

I'm wondering if there's some type of NLB heartbeat interfering with RDS's time-out functionality?

Any thoughts appreciated.

Lea

RDS 2012 : Block non signed .rdp file client connection


Hi.

I know we can lock the user or computer to run only .rdp files with specific SHA1 thumbprint by using GPO.

What I need to know is: Is there any way to make the server accept connections only from signed .rdp files?

Picture:

Server SRV1 is ready to use, and clients download the .rdp file from RDWeb Access.

Client PC1 runs the signed .rdp file and is able to connect to server SRV1.

Client PC2 creates a .rdp file (local .rdp file, not signed) to try to connect to server SRV1 using the same or different parameters from the original signed .rdp file and is NOT able to connect to SRV1.

Is it possible?

Issues With User Profile Disks - Potential Alternatives?


I don't mean to be negative towards Microsoft technology, especially on a Microsoft forum where I'm asking for help. However, we have had a very poor experience with the user profile disks in our RemoteApp (2012R2) deployment over the last year or two. We've had quiet periods here and there but it seems like it is far from resilient as far as error handling goes. Maybe we're the only ones who have these struggles but nonetheless, we cannot allow our users to continue to have poor experiences. We would like to maintain the redundancy that the RemoteApp structure provides as that works very well but we want user settings to be the same no matter which they log into. The new user profile disk solution was great at first but as we scaled up over time, it became more and more problematic. We have always had poor experiences with roaming profile type technology with Windows and are procuring potential third party solutions. Has anyone found something third party that is stable that can replicate the functionality of the user profile disks in a RemoteApp deployment?

Thank you in advance for your time!


2012 R2 Gateway encryption level between clients and gateway TLS 1.0 encryption level


Hello,

Is there any way to change the default level of TLS 1.0 for the gateway server? I noticed that once I disable TLS 1.0 in the registry on the gateway server, Windows 7 machines with RDC 8.1 cannot connect to the gateway. However, Win10 machines can still connect. Once I turn TLS 1.0 back on, Win 7 machines can connect great.

So can I have the gateway use a different encryption level?

Let me know if I need to provide more details.

Reference:

https://technet.microsoft.com/en-us/library/dd320345%28v=ws.10%29.aspx

"By default TLS 1.0 is used to encrypt communications between Remote Desktop Services clients and RD Gateway servers over the Internet. TLS is a standard protocol that helps to secure Web communications on the Internet or intranets. For TLS to function correctly, you must install an SSL-compatible X.509 certificate on the RD Gateway server."


**Update: So it might not be the gateway that handles that handshake between client and gateway. As I mentioned, I tested connecting from a Windows 2012 R2 machine. In the logs, the handshakes were TLS 1.2 all the way. However, on a Win7 with RDC 8.1, it drops back to TLS 1.0 on the gateway connection. Not sure why.

Thoughts?

RDWEB 2012 webfeed problem


Hello,

The problem is that users can see the remote application icons. But when they click on it, nothing happens. So authentication works, the remote apps are loading in "RD Client".

We are trying to set up webfeed access on mobile devices (iOS/Android). We installed the "RD Client" app, and we use webfeed to set up remote apps on a device (https://ourdomain/rdweb/feed/webfeed.aspx).

I can see incoming and outgoing traffic on the reverse proxy and the gateway server. IIS logging is also showing that IIS is responding to the device. But somewhere it stops interacting. Anyone got an idea why?

Thanks in advance for your help,

Ingmar

IIS Logging:

2016-04-12 10:48:26 99.99.99.99 GET /favicon.ico - 443 - 11.11.11.11 Mozilla/5.0+(Windows+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/49.0.2623.112+Safari/537.36 https://ourdomain/RDWeb/FeedLogin/WebFeedlogin.aspx?ReturnUrl=%2frdweb%2ffeed%2fwebfeed.aspx 302 0 0 31
2016-04-12 10:48:26 99.99.99.99 GET /RDWeb/Pages/ - 443 - 11.11.11.11 Mozilla/5.0+(Windows+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/49.0.2623.112+Safari/537.36 https://ourdomain/RDWeb/FeedLogin/WebFeedlogin.aspx?ReturnUrl=%2frdweb%2ffeed%2fwebfeed.aspx 302 0 0 46
2016-04-12 10:48:26 99.99.99.99 GET /RDWeb/Pages/nl-NL/Default.aspx - 443 - 11.11.11.11 Mozilla/5.0+(Windows+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/49.0.2623.112+Safari/537.36 https://ourdomain/RDWeb/FeedLogin/WebFeedlogin.aspx?ReturnUrl=%2frdweb%2ffeed%2fwebfeed.aspx 302 0 0 31
2016-04-12 10:48:26 99.99.99.99 GET /RDWeb/Pages/nl-NL/login.aspx ReturnUrl=/RDWeb/Pages/nl-NL/Default.aspx 443 - 11.11.11.11 Mozilla/5.0+(Windows+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/49.0.2623.112+Safari/537.36 https://ourdomain/RDWeb/FeedLogin/WebFeedlogin.aspx?ReturnUrl=%2frdweb%2ffeed%2fwebfeed.aspx 200 0 0 265
2016-04-12 10:48:40 99.99.99.99 GET /rdweb/feed/webfeed.aspx - 443 S-1-5-21-1935655697-162531612-839522115-14581 11.11.11.11 Microsoft%20Remote%20Desktop/8.1.13+CFNetwork/758.2.8+Darwin/15.0.0 - 200 0 0 421
2016-04-12 10:48:40 99.99.99.99 GET /RDWeb/Feed/rdp/cpub-Bureaublad_Goois-Bureaublad_Goois-CmsRdsh.rdp - 443 S-1-5-21-1935655697-162531612-839522115-14581 11.11.11.11 Microsoft%20Remote%20Desktop/8.1.13+CFNetwork/758.2.8+Darwin/15.0.0 - 200 0 0 31
2016-04-12 10:48:40 99.99.99.99 GET /RDWeb/Feed/rdp/mstsc256_32x32.png - 443 S-1-5-21-1935655697-162531612-839522115-14581 11.11.11.11 Microsoft%20Remote%20Desktop/8.1.13+CFNetwork/758.2.8+Darwin/15.0.0 - 200 0 0 31
2016-04-12 10:49:11 99.99.99.99 GET /rdweb/feed/webfeed.aspx - 443 - 11.11.11.11 Microsoft%20Remote%20Desktop/8.1.13+CFNetwork/758.2.8+Darwin/15.0.0 - 302 0 0 31
2016-04-12 10:49:11 99.99.99.99 GET /RDWeb/FeedLogin/WebFeedlogin.aspx ReturnUrl=%2frdweb%2ffeed%2fwebfeed.aspx 443 - 11.11.11.11 Microsoft%20Remote%20Desktop/8.1.13+CFNetwork/758.2.8+Darwin/15.0.0 - 401 2 5 31
2016-04-12 10:49:11 99.99.99.99 GET /RDWeb/FeedLogin/WebFeedlogin.aspx ReturnUrl=%2frdweb%2ffeed%2fwebfeed.aspx 443 - 11.11.11.11 Microsoft%20Remote%20Desktop/8.1.13+CFNetwork/758.2.8+Darwin/15.0.0 - 401 2 5 31
2016-04-12 10:49:11 99.99.99.99 GET /RDWeb/FeedLogin/WebFeedlogin.aspx ReturnUrl=%2frdweb%2ffeed%2fwebfeed.aspx 443 BUS\insni_admin 11.11.11.11 Microsoft%20Remote%20Desktop/8.1.13+CFNetwork/758.2.8+Darwin/15.0.0 - 200 0 0 46
2016-04-12 10:49:11 99.99.99.99 GET /rdweb/feed/webfeed.aspx - 443 S-1-5-21-1935655697-162531612-839522115-14581 11.11.11.11 Microsoft%20Remote%20Desktop/8.1.13+CFNetwork/758.2.8+Darwin/15.0.0 - 200 0 0 62
2016-04-12 10:49:11 99.99.99.99 GET /RDWeb/Feed/rdp/cpub-Bureaublad_Goois-Bureaublad_Goois-CmsRdsh.rdp - 443 S-1-5-21-1935655697-162531612-839522115-14581 11.11.11.11 Microsoft%20Remote%20Desktop/8.1.13+CFNetwork/758.2.8+Darwin/15.0.0 - 200 0 0 31
2016-04-12 10:49:11 99.99.99.99 GET /RDWeb/Feed/rdp/mstsc256_32x32.png - 443 S-1-5-21-1935655697-162531612-839522115-14581 11.11.11.11 Microsoft%20Remote%20Desktop/8.1.13+CFNetwork/758.2.8+Darwin/15.0.0 - 200 0 0 31




External Connections to 2012 R2 RemoteApp from Windows 10 Fails...


Good afternoon, everybody!

I have had a successful RDS deployment on Server 2012 R2 for quite some time now. Unfortunately, now that we are beginning to roll out some Windows 10 PCs, we are running into issues. I have a 2012 R2 RDS deployment at home as well, and I have no issues connecting to it from Windows 7, 8.1, or 10, whether internally or externally. This is what is confusing me the most.

The RDS deployment I have at work is a four server deployment. Two session hosts, one broker, and one server shares the RDWeb and Gateway roles. This may not be standard, but it is the easiest method behind our NetScalers. I only need port 443 opened on the firewall and one external IP.

Connecting from internally works from Windows 7, 8.1, or 10. Connecting externally works with Windows 7 or 8.1, but I get an error from Windows 10 computers: "Your computer can't connect to the remote computer because an error occurred on the remote computer that you want to connect to"

I have been racking my brain, scouring event logs, and searching Google for weeks now. The only thing I could find as a Band-Aid for the issue was a registry setting:

HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client

Name: RDGClientTransport

Type: Dword

Data: 1

This fixes the issue from Windows 10, but I do not want to require users to make this registry change on their personal computers. Most would not know what to do or how to do it.

Has anybody else experienced this? Any ideas on what else to check out? Everything works fine from Windows 7 and 8.1, so the Remote Desktop Services deployment is working properly. Is there something on the server side I can do to eliminate the requirement for the registry modification on users' computers?

I would appreciate any help with this, and thank you in advance!

Eric

Remotedesktop Services Session Host Computer Certificate problem


Hello,

Normally we use published applications (RemoteApps) for our clients, but we have thin clients which are not capable of using RemoteApps, so we need to provide them remote desktop sessions.

Since we do not want to place more Remote Desktop Session Hosts, we want to run our RDSH as RemoteApp and remote desktop hosts.

So far no problem:
- RemoteApp clients use RDWeb or RDAC .rdp files to access everything. Works flawlessly, no problem. The selected certificate for the deployment is used for everything.
- Remote desktop clients just use our broker address to access the farm. Works so far... but the clients throw warnings about the certificate.
-> This can be solved by running the following command:
wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="<hash of our certificate>"

This sets the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
SSLCertificateSHA1Hash

But if I have this value, I run into error 0x607 on the Remote Desktop Gateway (with Windows Application Proxy)... so to solve this problem I have to remove this key (see https://social.technet.microsoft.com/Forums/windowsserver/en-US/e0f8f58f-58c9-49fc-9d48-f6bfde830f17/rdweb-authentication-error-0x607).

But now I again have the untrusted self-signed certificates when I connect to the desktop... so?

I deleted the self-signed certificate from the Remote Desktop cert store... changes nothing; after reboot it is there again. The certificate I want to use is in the "remotedesktop cert store", and the Network Service has access to the private key.

Does anyone know how to prevent the generation of the self-signed certificate and force the well-known certificate, not only for RemoteApps, without the SSLCertificateSHA1Hash key? The certificate I want to use is a SAN certificate which includes the session host name as FQDN and short name.


Thanks in advance.



Windows 10 IoT and VDI 2012 R2


Hi,

How does Windows 10 IoT Enterprise support Remote Desktop Services - VDI and session deployments? Is there any documentation available? Dell is delivering Wyse Zero Clients with Windows 10 IoT Ent:

http://www.dell.com/us/business/p/wyse-d-class/pd?layoutvariation=MasterPageFileVariation2

Thanks,
Al

pdf slowness


Hello

I've had some users report extreme slowness when viewing various PDFs on our remote desktop servers. These PDFs are below 1Mb and users have no issues with larger PDFs. I myself have opened a reported PDF on the remote desktop servers without any problems. It seems this affects some users.

We have Adobe Reader X 10.1.4.

I have already implemented Adobe's suggestion to implement reg values - https://helpx.adobe.com/acrobat/kb/slow-display-performance-terminal-server.html

This hasn't helped certain users.

Is there something inside a user's Windows profile which could impact performance?

Thanks

Elroy

How to disconnect all domain RDP sessions at specific time every day?


Hi!

Environment: around 20 Hyper-V VMs running on Windows Server 2012, all of them used remotely (RDP) by domain users; users have logon time restrictions configured. Right now, I have a policy that disconnects RDP sessions based on how long they have been connected, but it is not ideal because they can reconnect a moment before their logon time expires and stay connected after work hours.

So, it would be better if all the RDP sessions closed at a specific time (6:00pm in my case).

Is there a way to do this?

Thanks!




Paul Sánchez

Remote desktop not working after uninstalling remote desktop Session Host Server 2012 R2


I had installed RDS and removed it because it's not needed now, and now I can no longer remote in to this server. I saw this same question but it was on 2008 R2 and the answer does not apply. Can someone please point me in the right direction?

Thanks

Windows Server 2012 R2 allow non administrators to force signoff other remote desktop users


With Server 2008 R2, we used to be able to give permissions using Remote Desktop Session Host to allow selected remote desktop users the ability to sign off other remote desktop users. But now with Server 2012 R2, in the Server Manager it says you have to be logged on as a domain user to manage servers and collections. This server is not part of any domain and it's not going to be. This server is a workgroup. Our company server is used for Quickbooks with about 50 remote desktop users from all over the region.

I don't see any option to perform this task in group policy or local security policy. Remote Desktop Session Host is already installed. Is there another way to bring this up or maybe use the command line to give access?


In remoteapp manager, all remoteapps appear with strikethrough (although path is accessible)

The application's path is a network map - drive M.
In "My computer" the path is completely accessible.
But when I right click one app and choose "Properties > (Location) Browse" I see a small red X near drive M.
Clicking on it once removes the X and path is accessible.
Clicking Cancel to go back to the remoteapp manager, removes all the strikethrough from all apps.
Log off and log on again and the problem occurs again.
Looks like a bug...?
Can anyone suggest a solution for this? Maybe a hotfix?

Remote Desktop Services are currently busy (blank username sessions)


We have two 2008 R2 servers that have started randomly throwing up the "Remote Desktop Services are currently busy" error every 2-3 days and users are unable to connect. When you run a "query session" from the CMD prompt you see lots of disconnected sessions with blank usernames. The only way to fix the situation is to reboot the server.

I have already installed the following hotfixes but it has not helped.

KB2661332

KB3014783

The current client to host (RDP to RDP) setup is that our client is using a Server 2012 R2 terminal server in house and connects to our Server 2008 R2 terminal server. It may be of note that it didn't start happening till the client upgraded their RDP server to Server 2012 R2.

Any ideas as to how to stop this from happening?



User cant manage their own redirected printer in Terminal Session


Hello all!

I have a problem that has been driving me nuts for a week now. On a Windows Server 2012 installation I have Terminal Server and some users. All neatly managed in AD, GPOs, etc.

The problem is that the user can't manage their own redirected printer. When I get into printer properties, any setting on advanced is grayed out.

Even if I give the user admin privileges or click open as admin, everything there is grayed out.

I tried turning off GPOs, disabling Easy Printing, etc. Nothing worked.

I have never experienced this kind of problem before, and don't know where to start. Any help is appreciated - if you need more details, just ask!

Thanks!


Error with certificates after using Set-RDPublishedName.ps1


Hello Guys,

Need some help.

I was having a certificate mismatch when trying to access my RDWeb connection, because I have a public certificate that didn't match the broker name.

I used Set-RDPublishedName.ps1 to change the FQDN to match my certificate name, and now I get the following error.

Any ideas?


VDI Windows 7 x64 not enforcing timeout on disconnected sessions

I have a Windows 7 x64 VDI collection that doesn't end a disconnected session after X amount of time. On the same RDS deployment, I have 2 other collections (Windows 7 x86) and the timeout settings apply without any problems. Both CAP and RAP are ok at the RD Gateway level. It appears this issue is only x64 related. Anyone else encountered this? All RDS servers are running Windows 2012 R2 (Web Access, Gateway, Brokers, License, RDSH, RDVH).

The connection was denied because the user account is not authorized for remote login


Hi,

I have an RDS 2012 R2 farm that has all the roles on 1 server (gateway, web access, connection broker, licensing) and 3 x session host servers. I have a .local domain so I've used a public cert and followed the workaround found here http://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80 that changes the client access name on the connection broker to one that matches the public FQDN found on the cert.

If I connect through a web browser then I have no problems so I know the fundamental properties around permissions to RDP into the farm are correct.

However, if I try to connect using a standard RDP client I get the error "The connection was denied because the user account is not authorized for remote login". I think the problem is around the fact that it is trying to connect to the broker server itself rather than the farm. If I put my test user in the Remote Desktop Users group on the connection broker then it connects but to the connection broker itself rather than one of the session hosts. 

I've used Chrome to download the RDP file that works that I get through the web GUI to have a look at the settings and I've mimicked all the settings (including the "Connect from anywhere" settings relating to the RD Gateway) yet I still get the problem. If I use the actual RDP file (downloaded via Chrome) then it works no problem.

I know I can just publish the RDP file to my users and problem solved but I have a load of thin clients that are unmanaged (and not on domain) so I want avoid a visit to each one if possible.

Does anyone know why it is trying to connect to the server with all the roles directly rather than being passed on to a session host?

If anyone can help I'd be most grateful.

Cheers,

Tristan

Not able to connect the machine through RDP


One of my users is trying to connect to another machine through RDP; he is getting the error message shown in the screenshot I have attached. Also enabled "allow connections from computers running any version of Remote Desktop" on both sides. PREVIOUSLY IT WAS WORKING.


Abp
