Hi all,
This one is driving me NUTS! The problem itself is when I go to connect to a session host using a web access server I get the error in the title. This is only happening to some of my session hosts and not all. I have compared them and can't find a single difference. I also cant find anything useful in the event logs about this. Below is my setup.
A full RDS environment using all Windows Server 2012 Data Center. Nothing 2008 R2. All Clean installs.
I have 6 servers a VM's split evenly between 2 ESXi 5.1 Hosts.
1. MP-RDP-CB1.inucoda.net (Connection Broker 1)
2. MP-RDP-CB2.inucoda.net (Connection Broker 2)
3. MP-RDP-GW1.inucoda.net (Gateway Server 1)
4. MP-RDP-GW2.inucoda.net (Gateway Server 2)
5. MP-RDP-WA1.inucoda.net (Web Access Server 1)
6. MP-RDP-WA2.inucoda.net (Web Access Server 2)
inucoda.net is an network that is the Domain that all servers are joined to via 2 Domain Controllers splits between each ESXi Host.
My outside domain that you can get to from the web is ucoda.net
The connection brokers have all servers used including session hosts added to the server pool and are configured in HA mode. They use a SQL Server 2012 Fail-over cluster that is on a separate set of VMs for their database and the DNS is configured as round robin. MP-RDP-CB.inucoda.net. There are two entries of this each with one of the two IPs of the CB1 and CB2 servers.
On each CB server there is a RDS License server role installed with CALs installed and activated/registered. Both LIC servers have been added to the RDS deployment properties.
The GW servers each have the NLB role installed with an extra network adepter for NLB use. There is a DNS name of MP-RDP-GW.inucoda.net that points to the NLB IP of the GW Cluster. Also both GW servers were added to the GW Server Farm part of the the
GW properties.
The WA servers are also in a NLB Cluster with an extra adapter and a DNS of MP-RDP-WA.inucoda.net pointing to the NLB IP.
Up steam from our inside Windows Domain at our ISP level there is a DNS entry of MP-RDP-WA.ucdoa.net and it points to the NLB IP of the WA NLB Cluster. (This is not a public IP, we require you be on our VPN to be able to access the IP).
For certificates we have a Comodo issued wildcard of *.ucoda.net with the corresponding Comodo Root Trust and Intermediate Certs. We also have a wildcard *.inucoda.net created by our inside CA.
The *.inucoda.net cert is used for the CB SSO, CB Publishing, and GW while the *.ucoda.net cert is used for the WA.
All session hosts have been configured to use the *.inucoda.net for their RDP sessions.
I can confirm that the *ucoda.net cert is used for the WA part and all other parts are reporting the *inucoda.net, all with no errors or warnings.
For each session collection only one session host is used with no apps, (just RDP). Security is set to only use NLA, SSL 1.0, High.
On each session host I have verified that the *inucoda and *ucoda certs are installed and the internal CA and Comodo CA/Intermediate CA is installed in the correct stores. I have also verified that COM Security has the domain\TS Web Access group set with full perms for the Access and Launch/Activation. Also for WMI Root\CMIV2\TermicalServcies Security has the domain\Ts Web Access group set with full perms. Lastly each group/user that has access to RDS is listed in the Remote Desktop users.
I've checked that both WA servers are listed in the TS Web Access group.
The GW servers RAS/RAP policies are set to be pretty open for testing with using any port, any network resource, and Domain Users and Domain Admins listed.
I have been trying to connect with Windows 8 and Windows 7 clients as the domain\administrator account. Some of my session hosts connect fine and other don't . It's always the same ones that connect and don't connect. I can't find any difference between the. I've also blown away my entire RDS and started over with just a 3 server single node model with no NLB or RR DNS and the same exact error happens on certain servers. I have sense gone back to the 6 server setup described here and again the same error on the same session hosts.
I have also tried Negotiate and RDS Compatible and disabling NLA only for security. No change. Now here is the interesting part. If I remove GW servers from RDS by just saying not to use them (not actually uninstalling them or anything), all session hosts connect just fine every time. When I first did my RDS setup I got he same error with code 0x607 for every connection attempt and found i had to set the RAS/RAP to use any network resource instead of Domain Computers. However, it is currently set like that and some still don't connect. So it works with out the GW servers just fine. It also works without them in the 6 node setup as well as the 3 node setup.
I don't want to use it without the GW servers because since I am using all inside subnets with a VPN I have to add the CB IP/Name to my host file or it will not resolve and give an error about reaching the Connection Broker. Because I want to use a HA setup this is no good as there are two servers for it. That's why I use the NLB IP of the WA and publish it with outside DNS with our ISP.
Any ideas at all??
Thanks,
Chris