RDS WebAccess connects to connection broker instead to session collection

    Question

  • Hello,

    I'm running a configuration with an RDS Gateway and RDS Web Access role combined on one server, a separate connection broker and multiple session collections.

    I want to start using Web Access but experience a confusing problem. When I log in with credentials of collection A, I get, as expected, the remote apps configured on collection A on the RDWEB page. But when I try to connect, it tries to connect to the connection broker instead of the session collection server(s).

    Did I miss something?

    Regards,

    Erik

    Friday, December 06, 2013 10:09 AM

All replies

  • Hi Erik,

    Please make sure the client you are using has RDP 8.0 or RDP 8.1 client installed.

    When launching a RemoteApp under Server 2012/2012 R2 RDS it is normal and expected for it to connect to the RD Connection Broker which will then redirect the connection to the appropriate RDSH or Win7/8/8.1 VM depending on the collection.

    Thanks.

    -TP

    Friday, December 06, 2013 11:33 AM
    Moderator
  • Hi TP,

    I'm connecting from an 8.1 Windows machine. The error states: Remote Desktop can't connect to the remote computer: 'connection broker computer' for one of these reasons.....

    So it's trying to log in on the connection broker which is not allowed of course.

    Erik 

    Friday, December 06, 2013 1:37 PM
  • Hi Erik,

    What is the precise error message?

    Why is it unable to connect?  Are you connecting from an external PC, or internal?  If external, do you have RD Gateway installed and configured?

    If it was trying to log on directly to the broker instead of just being redirected to the collection a regular user would get access denied.  Based on your description they are getting a different message so it is likely there is another reason their connection is not working.

    -TP

    Friday, December 06, 2013 1:56 PM
    Moderator
  • To clarify:

    The configuration is perfectly working except via the RDWeb.

    I have configured no Remote Apps so as default I see the rdp-connection to the RDSH server with the correct name.

    When I double-click I get the first-time dialog:

    Type: Remote desktop connection
    External Computer: Connection-broker
    Gatewayserver: Gateway-server

    When I click connect I get the error as you would expect when a user is not allowed to login:
    Remote Desktop can't connect to the remote computer "Connection-broker" for one of these reasons:
    1) Your user account is not listed in the RD Gateway's permission list.
    2) You might have specified the remote computer in NetBIOS format (for example, computer1), but the RD Gateway is expecting an FQDN or IP address format.

    Internal and external give the same results.

    Erik


    Friday, December 06, 2013 2:30 PM
  • Hi Erik,

    In RD Gateway Manager, properties of the RD CAP, please check that you have listed a group that the user is a member of on the Requirements tab -- User group membership box, and that you have not listed any groups in the Client computer group membership box.

    Also in RDG Manager, properties of RD RAP, please check that you have listed a group that the user is a member of on the User Groups tab, and on the Network Resource tab you have Allow users to connect to any network resource selected.  You can change this to a more secure setting later if you wish.

    When logged on to the RD Gateway server, please test that you can connect to the RD Connection Broker server using the FQDN shown when you connect via RDWeb, using mstsc /admin.  This is to verify that the FQDN of the broker can be resolved from the RDG server.

    For more information you may look at the gateway log on the RD Gateway server.  It is in Event Viewer under Applications and Services Logs\Microsoft\Windows\TerminalServices-Gateway

    Thanks.

    -TP


    Friday, December 06, 2013 3:02 PM
    Moderator
  • Hi Erik,

    I would like to check if you need further assistance.

    Thanks.


    Jeremy Wu

    TechNet Community Support

    Sunday, December 08, 2013 1:02 PM
    Moderator
  • Hello,

    Over the weekend I checked the settings over and over again but couldn't find anything.

    TP: All the settings are correct, everything is working fine with the use of MSTSC, only not via RDWEB.

    Even tried to create a new collection on a new RDSH without the gateway server involved and published some apps.

    The apps are still trying to connect the Connection Broker server instead of the RDSH server which is publishing the apps. I'm lost.

    There is nowhere I can check or change the remote apps settings from Server Manager, is there?

    Regards,

    Erik

    Monday, December 09, 2013 9:31 AM
  • Hi Erik,

    I said it above but I will say it again:  it is normal and expected for the users to connect to the Connection Broker when launching RemoteApps or full desktop connections in Server 2012/2012 R2.  From there the broker automatically redirects them to the appropriate RDSH server or Win7/Win8/Win8.1 VM.  As far as the end user is concerned they only see the published name of the broker as well as the gateway in the prompt.

    In your case users are having a problem either connecting to the broker or the target RDSH or both.

    1. Please post the relevant entries from the RD Gateway log.

    2. From your screenshot it appears you removed RDG from the Deployment Properties for testing purposes.  When you tested this on the internal network, does the RemoteApp launch okay?  It should work fine internally.  If it does not work internally, please test by connecting directly to DIAGOCS-GW02.CLOUD.LOCAL using mstsc /admin and reply back with the results of your test.

    When RD Gateway is configured the expected sequence is:  user connects to RDG on TCP 443 and UDP 3391, RDG connects to broker on TCP/UDP 3389, broker redirects, RDG connects to RDSH on TCP/UDP 3389.  You can see from this that it is critical for the RDG to be able to connect to the broker for things to be able to succeed.

    Without RD Gateway configured the expected sequence is:  user connects to broker on TCP/UDP 3389, broker redirects, user connects to RDSH on TCP/UDP 3389.  In this case you can see it is critical for the user to be able to connect to the broker for things to be able to succeed.

    Thanks.

    -TP

    Monday, December 09, 2013 10:55 AM
    Moderator
  • Thanks TP for your patience.

    I (finally) get the fact that the broker will redirect the RemoteApp session. I also found that some groups were not populated correctly. After correcting this, re-adding the gateway back into the picture and creating a separate server for the RDSWA, I'm still not able to connect externally as well as internally via RDWEB. The error (after a 20 sec wait) however changed to:

    The gateway log states:

    On the connection broker however I cannot find any entry at that time stamp.

    I have no trouble connecting to all the servers mutually with MSTSC /admin with an admin account. All firewalls are switched off. On the gateway I changed the RAP to connect to anything for everybody.

    regards

    Monday, December 09, 2013 3:27 PM
  • Hi Erik,

    What does the gateway log say? It does not show up in your post.

    I know you said this above, but to double verify, if you log on to the RD Gateway server, open mstsc /admin, and attempt to connect to DIAGOCS-GW02.CLOUD.LOCAL it works fine?

    When you say the firewalls are switched off are you saying that you have set all three profiles to Off in Windows Firewall with Advanced Security (wf.msc) on all servers?

    -TP

    Monday, December 09, 2013 3:33 PM
    Moderator
  • Hi,

    The gateway log states:

    The user "demo-user1@cloud", on client computer "10.100.5.95:62709", has initiated an outbound connection. This connection may not be authenticated yet.

    So something is happening on the gateway. No logs after that.

    I just checked again and I can log in with mstsc /admin from the gateway to the diagocs-gw02.

    According to the post: http://tech.jesseweeks.me/2013/07/configuring-custom-rdp-shortcuts-for.html I made such a custom rdp file with

    use redirection server name:i:1

    and loadbalanceinfo:s:tsv://MS Terminal Services Plugin.1.<RDS COLLECTION NAME>

    full address:s:diagocs-gw02.cloud.local

    This works fine internally! I'm redirected to the Demo RDS Collection.

    Regards

    Monday, December 09, 2013 3:49 PM
  • Hi Erik,

    Okay, seems like a problem with using the gateway.

    For reference, normal log sequence is similar to this:

    1. The user "DOMAIN\username", on client computer "74.125.131.98", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP".

    2. The user "DOMAIN\username", on client computer "74.125.131.98", met resource authorization policy requirements and was therefore authorized to connect to resource "broker.domain.com".

    3. The user "DOMAIN\username", on client computer "74.125.131.98", connected to resource "broker.domain.com". Connection protocol used: "HTTP".

    4. The user "DOMAIN\username", on client computer "74.125.131.98", connected to resource "broker.domain.com". Connection protocol used: "UDP".

    5. The user "DOMAIN\username", on client computer "74.125.131.98", successfully connected to the remote server "broker.domain.com" using UDP proxy. The authentication method used was: "Cookie".

    6. The user "DOMAIN\username", on client computer "74.125.131.98", connected to resource "broker.domain.com". Connection protocol used: "UDP".

    7. The user "DOMAIN\username", on client computer "74.125.131.98", successfully connected to the remote server "broker.domain.com" using UDP proxy. The authentication method used was: "Cookie".

    8. The user "DOMAIN\username", on client computer "74.125.131.98", disconnected from the following network resource: "broker.domain.com". Before the user disconnected, the client transferred 14847 bytes and received 1373778 bytes. The client session duration was 7 seconds. Connection protocol used: "HTTP".

    9. The user "DOMAIN\username", on client computer "74.125.131.98", disconnected from the following network resource: "broker.domain.com". Before the user disconnected, the client transferred 2004 bytes and received 5915 bytes. The client session duration was 0 seconds. Connection protocol used: "UDP".

    10. The user "DOMAIN\username", on client computer "74.125.131.98", disconnected from the following network resource: "broker.domain.com". Before the user disconnected, the client transferred 876 bytes and received 3497 bytes. The client session duration was 0 seconds. Connection protocol used: "UDP".

    11. The user "DOMAIN\username", on client computer "74.125.131.98", met resource authorization policy requirements and was therefore authorized to connect to resource "192.168.1.51".

    12. The user "DOMAIN\username", on client computer "74.125.131.98", connected to resource "192.168.1.51". Connection protocol used: "HTTP".

    13. The user "DOMAIN\username", on client computer "74.125.131.98", connected to resource "192.168.1.51". Connection protocol used: "UDP".

    14. The user "DOMAIN\username", on client computer "74.125.131.98", successfully connected to the remote server "192.168.1.51" using UDP proxy. The authentication method used was: "Cookie".

    ...

    In the above you see that entries 1-10 are for connecting to RD Gateway and then the broker, whereas entries 11+ are for connecting to the RDSH server (ip address: 192.168.1.51) that the user was redirected to.

    Do you have another client machine you can test with? For example, a Windows 7 PC with RDP 8.0 Client installed?

    Is the Server 2012 or 2012 R2?

    -TP

    • Marked as answer by Erik Snijder Wednesday, December 11, 2013 3:05 PM
    Monday, December 09, 2013 4:28 PM
    Moderator
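    A small checker, added here and not part of the thread, that walks TerminalServices-Gateway messages in the shape TP quoted and reports whether the chain got through the RD CAP, was authorised by the RD RAP to reach the broker, and was then redirected to a session host. The sample lines are constructed, and the regexes are assumptions over the quoted message text rather than an official event schema.

```python
"""Classify a user's TerminalServices-Gateway messages into the hop sequence
TP describes: RD CAP pass -> RD RAP to the broker -> broker redirect -> RD RAP
to the session host. Added example; regexes are constructed over the message
text quoted in the thread, not an official event schema."""
import re

USER_RE = re.compile(r'The user "(?P<user>[^"]+)", on client computer "(?P<client>[^"]+)"')
# Order matters: the first matching pattern decides the event kind.
PATTERNS = [
    ("cap_ok", re.compile(r"met connection authorization policy requirements")),
    ("rap_ok", re.compile(r'authorized to connect to resource "(?P<res>[^"]+)"')),
    ("connected", re.compile(r'connected to resource "(?P<res>[^"]+)"')),
    ("disconnected", re.compile(r'disconnected from the following network resource: "(?P<res>[^"]+)"')),
    ("initiated", re.compile(r"has initiated an outbound connection")),
]

def parse_line(line):
    """Return {user, client, kind, res} for one gateway message, or None."""
    who = USER_RE.search(line)
    if not who:
        return None
    event = {"user": who["user"], "client": who["client"], "kind": "other", "res": None}
    for kind, rx in PATTERNS:
        hit = rx.search(line)
        if hit:
            event["kind"] = kind
            event["res"] = hit.groupdict().get("res")
            break
    return event

def connection_flow(lines):
    """Resources the RD RAP authorised, in first-seen order (broker, then RDSH)."""
    hops = []
    for ev in filter(None, map(parse_line, lines)):
        if ev["kind"] == "rap_ok" and ev["res"] not in hops:
            hops.append(ev["res"])
    return hops

def diagnose(lines):
    """One-line verdict on where the gateway -> broker -> RDSH chain stopped."""
    kinds = [ev["kind"] for ev in filter(None, map(parse_line, lines))]
    hops = connection_flow(lines)
    if "cap_ok" not in kinds:
        if "initiated" in kinds:
            return "stalled: outbound connection initiated but the RD CAP never authorised it"
        return "no gateway authorisation seen"
    if not hops:
        return "CAP passed but the RD RAP authorised no resource"
    if len(hops) == 1:
        return f"reached {hops[0]} but no redirect to a session host"
    return f"ok: gateway -> {hops[0]} -> {hops[1]}"

# Constructed sample lines in the shape TP quoted (not real events).
_P = 'The user "DOMAIN\\username", on client computer "74.125.131.98", '
HEALTHY = [
    _P + 'met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP".',
    _P + 'met resource authorization policy requirements and was therefore authorized to connect to resource "broker.domain.com".',
    _P + 'connected to resource "broker.domain.com". Connection protocol used: "HTTP".',
    _P + 'disconnected from the following network resource: "broker.domain.com". Before the user disconnected, the client transferred 14847 bytes and received 1373778 bytes. The client session duration was 7 seconds. Connection protocol used: "HTTP".',
    _P + 'met resource authorization policy requirements and was therefore authorized to connect to resource "192.168.1.51".',
    _P + 'connected to resource "192.168.1.51". Connection protocol used: "HTTP".',
]
# The only line Erik saw in the failing case, with nothing logged after it.
STALLED = ['The user "demo-user1@cloud", on client computer "10.100.5.95:62709", has initiated an outbound connection. This connection may not be authenticated yet.']

if __name__ == "__main__":
    print(diagnose(HEALTHY))
    print(diagnose(STALLED))
```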
  • Hello TP,

    Thanks for pointing me in the right direction! Biggest hurdle is taken!

    Two things were happening:

    The first was that it worked from a 2008R2 server. According to http://support.microsoft.com/kb/2903333/nl I changed the 'EnforcedChannelBinding' to 0 and then I got it working from 8.1/2012 also.

    Secondly, from an identical 2008R2 RDS environment I was used to creating a RAP on the RDGW with local groups including the external FQDN of the RDSH because of my wildcard certificate. I now have to use the local FQDN of the RDSH and add the RDCB to get it working.

    'Only thing left' are some certificate issues. When starting the RemoteApp I first get a warning that the name on the certificate (.nl wildcard cert) does not correspond with the name of the RDCB (diagocs.gw02.local). Also the RDSH gives a certificate error. I found several different threads concerning this issue but no luck so far.
    I have used the wildcard certificate for the whole RDS configuration, installed it on all servers and created an internal secondary DNS zone with wildcard domain.

    It is maybe out of the scope of this thread but maybe you can point me again in the right direction.

    Thanks!!


    Tuesday, December 10, 2013 7:59 AM
  • Hi Erik,

    Okay, for the certificate issue you need to change the published FQDN for the broker so that it matches your wildcard certificate. You can use this cmdlet to do that:

    Change published FQDN for Server 2012 or 2012 R2 RDS Deployment

    http://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80

    For example, you could change the FQDN to remote.yourdomain.nl.  To make this work you need to have a DNS A record for remote.yourdomain.nl on the internal network that points to the broker.

    You also mentioned you get a second certificate error when connecting to the RDSH.  What is the exact error that you receive?  Please correct the certificate error for the broker above by changing the FQDN and then let us know the exact error you receive when connecting to the RDSH.

    Thanks.

    -TP

    Tuesday, December 10, 2013 11:10 AM
    Moderator
  • Hi,

    Thank you for the link. Is it necessary to also change the ClientAccessName or can I just change only the name of the Connectionbroker? Because I have multiple session collections.

    The certificate error on the RDSH is fixed.

    Regards

    Tuesday, December 10, 2013 12:34 PM
  • Hi,

    Changing ClientAccessName changes the name that appears in the published .rdp files for all collections.  In other words, it changes the name that clients use to connect to the broker.  Please go ahead and change it using the cmdlet.

    Thanks.

    -TP

    Tuesday, December 10, 2013 12:46 PM
    Moderator
  • Ok, nothing seems to happen. The RemoteApp is still trying to connect to broker.local.

    The command completes successfully on the connection broker:

    PS C:\install> .\Set-RDPublishedName.ps1
    cmdlet Set-RDPublishedName.ps1 at command pipeline position 1
    Supply values for the following parameters:
    (Type !? for Help.)
    ClientAccessName: broker.publicdomain.nl

    With MSTSC I verified I can connect to the public FQDN from the RDGW and RDWA. Is there somewhere I can check if the settings are correct?

    Thanks

    Tuesday, December 10, 2013 1:44 PM
  • Hi Erik,

    Did you refresh the RDWeb page after making the name change?  This is necessary to get the new version of the rdp file (the rdp files are embedded in the web page).

    If you are using RemoteApp and Desktop Connections on the client PC you will need to manually update the feed through the control panel.

    -TP

    Tuesday, December 10, 2013 1:48 PM
    Moderator
  • Hi TP,

    Performed IISRESET and even reboot, nothing changed.

    Tried to execute .\set-RDpublishedname on the RDWA and got:

    cmdlet Set-RDPublishedName.ps1 at command pipeline position 1
    Supply values for the following parameters:
    (Type !? for Help.)
    ClientAccessName: broker.publicdomain.nl
    iwmi : Invalid namespace
    At C:\sources\Set-RDPublishedName.ps1:9 char:11
    + $return = iwmi -class "Win32_RDMSDeploymentSettings" -namespace "root\CIMV2\rdms ...

    Also tried:

    PS C:\sources> set-clientaccessname -connectionbroker diagocs-gw02.cloud.local

    cmdlet Set-ClientAccessName at command pipeline position 1
    Supply values for the following parameters:
    ClientAccessName: broker.publicdomain.nl
    set-clientaccessname : The RD Connection Broker server is not configured for high availability.
    At line:1 char:1
    + set-clientaccessname -connectionbroker diagocs-gw02.cloud.local

    Thanks

    Tuesday, December 10, 2013 2:22 PM
  • Hi Erik,

    1. When you opened a powershell prompt did you choose Run as Administrator?

    2. Please run on the connection broker server.

    Thanks.

    -TP

    Tuesday, December 10, 2013 3:05 PM
    Moderator
  • Hi TP,

    See my post above the last. At first I performed the command on the connection broker with success but nothing happened. PS was running as administrator.

    I will reboot the RDCB tonight, maybe that will trigger something.

    Thanks

    Tuesday, December 10, 2013 3:45 PM
  • Hello TP,

    Success, after a reboot I performed the command again and that worked immediately.

    I want to thank you very much for your effort and patience!

    Regards,

    Erik

    Wednesday, December 11, 2013 3:04 PM
  • Hi Erik,

    The change takes effect immediately; no restart required.

    Please try to change the name again:

    1. Log on to the broker server as an administrator

    2. Right-click on the powershell icon in the taskbar and choose Run as Administrator

    3. Change the name:

    Set-RDPublishedName "broker.publicdomain.nl"

    4. Verify that the name was changed by logging on to RDWeb (or refreshing the page) and clicking a RemoteApp icon.  The name in the prompt should have changed.

    If the above does not fix it for you then perhaps we should do a quick Skype session with screen sharing software so we can get this fixed.  I have had good feedback on the cmdlet so far but there was one other person that said they were seeing a similar problem whereby it did not seem to change the name. I would like to find the root cause.

    Thanks.

    -TP

    Wednesday, December 11, 2013 3:16 PM
    Moderator
  • Thank you TP, as I mentioned in my last post, everything is working now as it should. The command was executed successfully and was effective immediately.

    Thanks!

    Wednesday, December 11, 2013 3:23 PM
  • Hi Erik,

    You are welcome.  Great to hear it is working now.

    -TP

    Wednesday, December 11, 2013 3:26 PM
    Moderator