Trying to connect to our new Remote Desktop Gateway but cannot connect. I am able to see the Welcome message to the RDGateway, but cannot connect to the remote computer after clicking ok.

The error thrown from remote desktop is as follows;

Remote Desktop can't connect to the remote computer...for one of these reasons:

1) Your user account is not authorized to access the RD Gateway

2) Your computer is not authorized to access the RG Gateway

3) You are using an incompatible authentication method

In the event log of the RDGateway under Network Policy & Access Services I see the following

EVENT 6274

Network Policy Server discarded the request for a user.

Contact the Network Policy Server administrator for more information.

User:

               Security ID:                                        NULL SID

               Account Name:                                %DOMAIN%\%USERNAME%

               Account Domain:                                            %DOMAIN%

               Fully Qualified Account Name:   %DOMAIN%\%USERNAME%

Client Machine:

               Security ID:                                        NULL SID

               Account Name:                                %COMPUTERNAME%.%DOMAIN%

               Fully Qualified Account Name:   %DOMAIN%\%COMPUTERNAME%$

               OS-Version:                                       -

               Called Station Identifier:                              UserAuthType:PW

               Calling Station Identifier:                             -

NAS:

               NAS IPv4 Address:                          -

               NAS IPv6 Address:                          -

               NAS Identifier:                                 -

               NAS Port-Type:                                Virtual

               NAS Port:                                           -

RADIUS Client:

               Client Friendly Name:                   -

               Client IP Address:                                           -

Authentication Details:

               Connection Request Policy Name:          TS GATEWAY AUTHORIZATION POLICY

               Network Policy Name:                  -

               Authentication Provider:                             Windows

               Authentication Server:                 %RDGATEWAY-COMPUTERNAME%.%DOMAIN%

               Authentication Type:                    Unauthenticated

               EAP Type:                                           -

               Account Session Identifier:                         -

               Reason Code:                                   5

               Reason:                                                               The Network Policy Server was unable to connect to a domain controller in the domain where the account is located. Because of this, authentication and authorization for the RADIUS request could not be performed.

EVENT 4402

There is no domain controller available for domain AD.

Under Remote Desktop Services I see the following;

Event 201

The user "%DOMAIN%\%USERNAME%l", on client computer "%CLIENT-IP%", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP". The following error occurred: "23003".

I have been searching the internet for an informative network\firewall drawing for the Terminal Services Licensing traffic when it comes to firewall ports requirements etc 

Does someone have a detailed description or a (visio) drawing showing the ports required for WTS Licensing?

We have the following Citrix based Terminal Server environment:

- Windows 2008 R2 running XenApp6
- Clients come from internal (LAN) and external connections (Citrix Access Gateway)
- There is a firewall between the Citrix XenApp WTS farm and the MS Terminal Services Licensing server (Win 2008 R2)

Can someone explain how the TSCAL\RDCAL "traffic" flows and the ports required from A-Z ?

Hi,

I have an RDS Deployment (2012R2), which I would like to remove. However, I can't find any info on how to do this, any ideas?

Cheers

Chris Gibson

Hi all,

We have plans to provide VDI to multiple organisations in the same Active Directory, separated by Organisational Units. As nothing stops users to install LDAP tools we would like to hide all containers which are not supposed to see. To do so I enabled "List Object" mode with dSHeuristics value 007.

So far everything fine but... when I untick "List contents" on a root of domain.local for Authenticated Users, Remote Desktop does not work for non-admin users anymore. Nothing in logs and all I get is "Access is Denied" when I RDP to Remote Desktop Server.

As it is my test environment I tried the following:

• Set Read for Authenticated Users on System container, as well with inheritance
• Set Full control except List contents on domain.local applied to this object only

No luck and it works only when List contents is ticked.

Please help.

Matt

Celox Group - Cloud Provider

Dear all,

i have on my lab two servers that needs https access for external access.

Server one is Exchange 2013, Server 2 os RD Web Access.

i need both servers to be accessible from outside on the https.

on my Firewall i've Nat port 443 to the exchange and is working fine no issues.

on my RD Web Access server i've configured the http redirection to https redirection, when somebody hit my domain external on port 80 support to be redirected to the local https of the RD Web access server. and i've nated port 80 to the RD web access server, somehow its not working

can someone please put me on the right direction ?

regards

Julien

Hi there,

We have one domain with 40 sites. On each site is a RODC, wich also has RDS. (RDS the old way, no broker installed)

The RODC's are 2008R2 and 2012R2 servers.

Everything works fine, however everyone can access all servers as a straight forward RDS user (no VDI).

Everyone is in the build in group for remote user.

I'd like to have people that work on ServerA  only are able to contact serverA  for RDS.

B on B, C on C and so on ...  This for all 40 sites.

I made a policy for each site allowing RDS_A to access server A and so on. Is this the right way to do it, or can I do it having less GPO's ?  I need 40 right now!!!  Linking the policy to the right OU, containing the specific server.

Something is still wrong, because other people still can access serverA.

I get into it, but maybe I'm doing it wrong, so please give me some advice :)

Thanks,

Ben.

Ben van der Meer

I'm trying to publish a Windows 2012r2 RDweb and RD gateway server in such a way that in order to use the rd gateway you need to provide your normal AD credentials followed by a prompt for a one-time-password that gets sent to the user by SMS

according to this article:

https://code.msdn.microsoft.com/Remote-Desktop-Gateway-517d6273/view/Reviews

this should be possible using a Pluggable Authentication Module on the gateway server - does anyone know of a product that uses these APIs? or some other method to achieve it?

Note that I can put it behind a (sadly deprecated) TMG server (or a citrix netscaler) and do the sms auth there by radius on the https://server/rdweb interface, but as it is handed off to the mstsc.exe client which tries to tunnel through https://server/rdweb interface, it needs to re-auth, so fails (the above article suggests the cookie can be transferred into the *.rdp file, but it doesn't appear to happen)

the MS Azure MFA service (and a few other 'cloud' auth products I've seen) is a radius server that expects a response to the SMS, via SMS - this is not the solution we're aiming for

Similarly, installing a 3rd party GINA on every host accessible via the gateway is also not an acceptable solution.

logically, the functionality should live at the gateway or the reverse proxy, but I cant find a way of doing it in the reverse proxy, and I cant find a product that uses the API MS provide for it - can someone steer me in the right direction?

There is another thread open under the "General" section. I was asked to post it here. I have left the other thread open because I believe this is not just applicable to the Remote Desktop Services Role. (http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/94b0d7f7-6a26-4795-8c1f-ffee1ac309aa/)

Hey everyone,

I have now seen this issue happen on multiple Windows Server 2008 Terminal server setups. The services that time out are not exactly the same across all the servers, but a number of them are the same on all of them.

Here are the lists of services that timed out on one of these servers, along with the time it happened.

• 80237AM - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the AudioEndpointBuilder service.
• 80307AM - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the BITS service.
• 80237AM - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the CertPropSvc service.
• 80407AM - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the CryptSvc service.
• 80437AM - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
• 80507AM - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the NlaSvc service.
• 80537AM - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the RasMan service.
• 80607AM - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Schedule service.
• 80637AM - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the seclogon service.
• 80707AM - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
• 80737AM - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the UmRdpService service.
• 80807AM - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the UxSms service.
• 80837AM - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WinVNC4 service.
• 80851AM - The Terminal Server security layer detected an error in the protocol stream and has disconnected the client.
• 80907AM - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WPDBusEnum service.
• 80938AM - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the wuauserv service.
• 81008AM - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.

In the end, the server has to be restarted for us to access it and for users to connect to it.

Doing some research, I cam across this KB article (http://support.microsoft.com/kb/972596/), but not sure if it applies to this situation. I have seen other people post about this issue, but haven't come across anything that states the cause and resolution.

Has anyone else faced this or is facing it at the moment?

Any tips or suggestions would be great!

Thanks a lot!

Warm regards,
Sri

I have VDI 2012 environment  I installed tow servers and setup cluster between them and create one server for RD Broker and I created on it personal collection pool and I added on personal collection windows 7 professional SP1 and I assigned this virtual machine to specific user .

and I created self certificate on RD WEB server and once connect from physical machine to RD web then I can see the collection and once connect to this virtual machine then the remote connection stuck on the "loading virtual machine" more than 5 minutes after that appear message "the remote desktop disconnect by administrator etc.."

 when open the Event viewer under remote desktop I saw the below error :

Source:        Microsoft-Windows-TerminalServices-SessionBroker

Date:          9/23/2013 11:39:33 AM

Event ID:      802

Task Category: RD Connection Broker processes connection request

Level:         Error

Keywords:     

User:          ###############

Computer:      ###########

Description:

RD Connection Broker failed to process the connection request for user #########.

Error: VM plugin failed to wakeup a VM.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

  <System>

    <Provider Name="Microsoft-Windows-TerminalServices-SessionBroker" Guid="{D1737620-6A25-4BEF-B07B-AAC3DF44EFC9}" />

Hi,

I am running a VM with an RDS 2012 deployment and all required roles on this VM: Web Access, Gateway, Licensing, Connection Broker and Session Host.

Only change from standard settings is that the RD Gateway's https port has been changed from 443 to 444 to allow it to work behind a NAT firewall where port 443 is required for another website. Router has got port forwarding from external port 444 to VM's port 444 (RD Gateway's port needs to be changed for RDWeb to work properly, otherwise the port number is dropped from its URLs).

In the internal network everything is working fine as one would expect with Deployment Properties RD Gateway set to Automatic (or Custom with "Bypass RD Gateway server for local addresses" set to True), for all of RemoteApps, RDWeb and rdp-client.

Externally, i.e., coming through the router from the outside, I can get the Windows 8 rdp-client (Note: this does not seem to work with a Windows 7 SP1 rdp-client even after patching and changing group policies to support rdp-protocol 8) to work by manually setting the RD Gateway to [myFQDN]:444 under Options/Advanced. It goes through the RD Gateway, the authentication is logged on the server, desktop comes across. Accordingly, in a saved rdp-file this shows as gatewayhostname:s:[myFQDN]:444.

What is not working externally are RemoteApps and RDWeb. Obviously, I have set the Deployment Properties RD Gateway to Custom Settings with the appropriate external FQDN (and, yes, the certs are good) but there is no option to set a the changed port number as the field does not allow this (same goes for the equivalent Powershell command). The downloaded rdp-files for the RemoteApps clearly show that the port for the RD Gateway is not picked up (gatewayhostname:s:[myFQDN] rather than the expected gatewayhostname:s:[myFQDN]:444). I guess that RDWeb uses the same rdp-files that the RemoteApps download (as can be found in the registry) so I assume that whatever solves the one will also solve the other.

Any ideas for a resolution? Or is this a bug/intentional restriction? It kind of beats the purpose of allowing a different port number if it is only fully working in a local network.

Thanks for your help.

Hi there,

I'm now testing RemoteFX on Server 2012. Right now, I've encountered the following problem. I would like to see if anyone can help me to fix it.

My Server 2012 is running on a HP Z620 workstation with Intel Xeon E5-2620 CPU and Nvidia Quadro 2000 GPU. I used Windows 8 drivers on that machine so that the device manager does show any unknown hardware.

Then, I install HyperV and RDS on the server. HyperV can use Quadro 2000 as GPU for RemoteFX. Then I created two Windows 7 Enterprise SP1 32-bit VMs and fully patched them. The two VMs have RDP enabled and I've configured their firewall to allow both RDP and RDP with RemoteFX connection. The two VMs can be access via other Windows 7 RDP clients. Also, I've applied KB2749168 to the VMs so that Server 2012 HyperV manager can connect to them.

Now, I add the "RemoteFX 3D Video Adapter" to one VM and rebooted. HyperV VM manager can connect to that VM. But other Windows 7 RDP client cannot connect to it. It seems that the login is successful and shortly after some handshaking, the RDP client quits.

I then used HyperV manager to connect to the VM with RemoteFX. In the Eventlog, I notice the following:

---

Application and Services Log\Microsoft\Windows\RemoteDesktopService-RdpCoreTS\Admin

Warning EventID : 5

The client computer does not support RemoteFX. The connection will be made with the RDP Graphics. The relevant status code was 0x101

---

---

Application and Services Log\Microsoft\Windows\RemoteDesktopService-RdpCoreTS\Operational

Error EventID : 161

The RemoteFX encoding engine encountered an error (0x80004005)

---

Grateful if there is any hints for me.

Best Regards

Steve

OK Scenario:

Host : a Windows 7 Enterprise with SP1, configured as a VM on a 2012R2 Virtualization host with RemoteFX d3d adapter component AND RDP8.0 installed and configured per this article:

http://support.microsoft.com/kb/2592687

Client : a Windows 7 Professional SP1 with an updated client (Shell Version 6.3.9600, Control Version 6.3.9600, Remote Desktop Protocol 8.1 Suppoerted)

problems:

1.the windows 7 host used to add log entries into the RemoteDesktop-TSCore log Admin section upon clients connecting, per this article:

http://technet.microsoft.com/en-us/library/ff817575

but it is not doing it anymore after upgrading the RDP to 8. no signs of Event ID 2 in the Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin

2.the client is unable to RDP into the host if the "speed" of the client (the "experience" tab) is set to anything but the "LAN 10MB". it used to work with "Automatically Detect" settings before, until I manually changed it per the above technet article to activate RemoteFX (read the square at the middle-bottom of the article).now, even if I switch it back to automatic speed detection or some other speed, it goes just up to the "Estimating speed and quality" connection phase and then suddenly quits. the only way to get to the remote desktop is to set it back to "LAN 10" manually.

the Remote host just has some "warnings" regarding the previous (non-LAN) attempts, saying that the client is not capable of RemoteFX so RDP Graphic module will be used; no "errors". but as I told you, the client simply quits after the speed estimation.

Setup is as follows

Server 1 - Server 2012 R2  Session Host, Connection Broker, Web Access, Licensing

Server 2 - Server 2012 R2  Session Host

I want to be able to provide load balancing for this environment however whenever i try to add server 1 into the session collection it allows me to but then if i log off i cant log back in using RDP unless i use the switch mstsc.exe /admin and i get the following error message -

"The remote computer server 1 that you are trying to connect to is redirecting you to another remote computer named server 2. Remote Desktop Connection cannot verify that the computers belong to the same RD session host server farm. You must use the farm name not the computer name when you connect."

If i remove the server from the session collection it will then allow me to RDP back into the server and manage it as normal

When using the RD Client app on iOS devices to launch programs from a Remote Resource Feed we always get a language bar appearing on the screen. The language bar doesn't appear when using RemoteApp from a PC or if I login into the server directly, only when using the iOS app.

The language bar also shows the default language as English US which is not the default. In Language screen in Control Panel we only have English UK listed. The Welcome screen and New user setting is also all set to English UK, the only place I can see English US is in the Override Windows display language drop down menu in the Advanced Settings.

I am assuming the language bar is showing because it some how thinks English US is the default but not sure how to remove this. The language on the iOS devices are also English UK.

I have tried re-creating profiles and also actually adding the English US keyboard then removing it but neither worked.

The RemoteApp server is Windows 2012 R2.

Any help/ideas appreciated, thanks.

Hello

Someone know the site or information about the OS available for Remote Desktop pool
For Example If I can Create one collection Linux and that support version.

VDI/RDS

Thank you 

Hugo Monge

the mac clients are running RDC for mac version 2.1 and they cannot connect to Windows 2008 R2 TS server. They get the error "You were disconnected from the Windows-based computer because of problems during the licensing protocol".

really appreciated if someone have a fix for this.

thanks,

/dan

Hi Friends.

I'm trying to print locally trought terminal services on Windows 2008 Server Foundation R2, The Server is a DC too.

I saw this article: http://support.microsoft.com/kb/968605

I did the procedure but nothing happens, the error appears again. Some solution to workaround this problem?. This is a little network, i don't have other server, but we need terminal services to run a remote application.

Thanks.

Whenever I remote desktop to my work PC, the mouse buttons on the work PC are reversed. I have to go into the Control Panel, Mouse utility and hit the checkbox to 'Switch the Primary and Secondary Buttons' restoring to the default functionality. 

Work PC has Windows XP. My home PC is running Windows 7. 

Adding to the frustration, whenever I use a different laptop to remote into work, I have to set it back to normal (unchecking the 'Switch the primary and secondary button' checkbox). the secondary laptop is also running Windows 7. 

I use a VPN then I use Remote Desktop to gain access to my work pc. 

I don't understand why this is happening. Maybe a driver issue? Not sure. 

We are currently in a Upgrade Scenario from our old Windows XP/ Citrix XenDesktop Farm to a new VDI Installation. The new Installation is a Windows Server 2012 R2 Remote Desktop Services Collection using Remote Desktop Virtualizaion Hosts on 2012 R2 too.
The VD- Clients are Windows 8.1 ENT and the User Endpoints are HP ThinClients with Windows Embedded 8.1 Industry Enterprise.

The user connects to his Virtual Desktop via 8.1 Embedded (RDP8.1)

We want all new USB- Drives to map natively in the RDP- Session (RemoteFX USB redirect) so USB- Sticks or CD/DVD Drives are controlled by the VD-Client OS.
We understand, that there are so called "high level devices" which RDP is using per Default. We also know, that there is a GPO that redirects all "other supportet USB devices". That works well for e.g. Webcams, but we want to override the"high Level devices" policy an simply map a e.g. USB Stick natively to the RDP Destination.

Currently the drive is mapped as a "high Level usb device" and the usb key has no drive letter, cant be formattet or used in other RemoteApp Sessions initiated on the VD- Client OS.

The Systems we are using:

Windows 8.1 Enterprise - VD Client on HyperV 2012 R2 FO Cluster
Windows 8.1 Embedded Industry Enterprise as ThinClient OS
Windows Server 2012 R2 as Middleware (RDS VDI Collection, Web Access)

Thank you in Advance

Chris

Environment

Windows 2012 R2 RDS license server issuing device CALs

5 Citrix farms (PS4, PS4.5, XA5, XA6, and XA6.5) 

Symptoms

- RDS device CALs issued through the PS4/Windows 2003 R2 and PS4.5/Windows 2003 R2 servers show the Citrix server name in the Window 2012 R2 RD license manager console instead of the workstation name (See below).

- The PS4/Windows 2003 R2 and PS4.5/Windows 2003 R2 servers are issuing a large number of device CALs to workstations.  For example, we have two PS4/Windows 2003 R2 servers that publish a single application.  There are 20 users of the applications with dedicated workstations that should all have a device CAL, but everyday I see device CALs being issued from these servers (See below).  

Any help would be greatly appreciated.  Thank you.

 Scott