RemoteApp Source not working from RDWeb
-
Tuesday, September 29, 2009 6:51 AMI have 2 servers at the moment managed by a connection broker. If I choose a RemoteApp source instead of RD conncection broker then 1 of my servers populates all the apps fine. If I choose the other host then it errors and says 'RD Web Access was not able to access xxxx. Verify that the RD Session Host server name was entered correctly, that the server is running and connected to the network, and try again.' All the servers are R2 and I can RDP to each of the session hosts fine.
Amit MCSA 2003, VCP, CCA, MCTS:2008 AD
All Replies
-
Tuesday, September 29, 2009 6:15 PMModeratorHi Amit,
Have you verified that the other host is actually up and running? It seems like a silly question, but the connection broker caches the list of RemoteApps it retreives from the RDSH servers, so it is possible that you might be seeing cached results when RDWA is pointing to the connection broker. Also try looking at the event log for the RemoteApp and Desktop Connection Management service on the RD Connection Broker machine (Applications and Services Logs\Microsoft\Windows\RemoteApp and Desktop Connection Management) and see if there are any errors communicating with the other host there.
If that all checks out, and only the RDWA server cannot communicate with the RDSH server, then here are a few more things to check:
- Can you successfully make other connections from the RDWA server to the RDSH server? I.e., is this a networking issue between the two machines?
- Is the RDWA server in the "TS Web Access Computers" security group on the RDSH server?
Hope that helps,
Travis -
Wednesday, September 30, 2009 7:10 AMI think you've found it but not sure what my next step is.
On my RD Connection broker / web access box I am getting events 'Access to the WMI interface on the Remote Desktop Session Host server xxxxx was denied. Add the Remote App and Desktop Management computer to the TS Web Access Computers security group on xxxxx.'
I have checked the security group on the session host and the TS Web Access computer is in there. Not sure what my next move is ? All servers can ping each other fine and there are no network issues between them.
Amit MCSA 2003, VCP, CCA, MCTS:2008 AD -
Wednesday, September 30, 2009 6:37 PMModerator We use WMI to communicate with the RDSH server. Various issues can cause WMI to deny access or return error codes. Here's a few things you can try:
1. Check if the "TS Web Access Computers" security group on the RDSH server has incorrect permissions in DCOM and/or WMI:
For checking DCOM security settings:
1. Start the Component Services MMC snapin
2. Navigate to Component Services -> Computers -> My Computer
3. Right-click on My Computer and select properties
4. Go to the COM Security tab
5. Under Access Permissions, click the Edit Limits button
6. Ensure that TS Web Access Computers is in the list, with all of the permissions set to “allow”.
7. Under Launch and Activation Permissions, click the Edit Limits button
8. Ensure that TS Web Access Computers is in the list, with all of the permissions set to “allow”.For checking WMI security settings:
1. Start the WMI Control MMC snapin
2. Right-click the WMI Control node and select properties
3. Go to the Security tab
4. Navigate to Root->CIMV2->TerminalServices
5. With TerminalServices selected, click the Security button
6. Ensure that TS Web Access Computers is in the list with Execute Methods, Enable Account, and Remote Enable set to "allow"2. Verify the RD Session Host server's firewall allows WMI calls.
3. Verify that the RD Connection Broker hasn't lost its trust relationship with the domain.
4. See if non-RDS related WMI calls can be successfully made to the RDSH server. This can help differentiate between a general WMI issue and an issue calling the RDS WMI provider.
Hope that helps,
Travis- Marked As Answer by Travis HoweMicrosoft Employee, Moderator Thursday, October 01, 2009 5:18 PM
-
Thursday, October 01, 2009 7:44 AM Travis - I think you hit the nail on the head...thanks for that. It was the WMI security settings. Not sure why but the TS Web Access Computers was missing and once adding this and setting the security right I can now talk the server from the RD Connection Broker.
Amit MCSA 2003, VCP, CCA, MCTS:2008 AD- Marked As Answer by Amit Ace Friday, October 02, 2009 7:58 AM
-
Tuesday, December 15, 2009 5:02 PMAre you running these servers in a virtual environment? Did you use a tool to clone an initial server?
I am seeing the same issues related to creating a VM and running sysprep then cloning it with TS roles already installed.
I am seeing orphaned SIDS instead of the group missing. I was unable to assign a bacend TS server to Web Access. I added the group back in and the apps appeared.
Thanks,
Mike -
Wednesday, May 26, 2010 1:38 AMI can verify the same thing happened to me. It was in the WMI Contol MMC under "Root->CIMV2->TerminalServices" Security. There was an orphaned SID that had the appropriate rights. I had to add the "TS Web Access Computers" group back in and grant the appropriate rights.
-
Thursday, February 17, 2011 5:42 PMI had the exact same problem. TS Web Access computers was missing from the WMI security settings. It showed a SID with the settings. This server was built as a clone from another server. I ran sysprep on the server, and then used Acronis to image it to a second server. Is that the root cause of the missing security?
-
Wednesday, July 27, 2011 8:51 PMThis post saved my day! I ran into this issue due to using sys prep with the RDS service installed.
-
Friday, August 12, 2011 9:05 PM
Also had this problem. But afer checking the group, dcom security, wmi security still no success.
After a lot of debugging figured out the the RDWeb server still was not able to do the WMI call to the RD hosts.
but after making the change below it works1. Start IIS
2. go to Application Pools
3. Select RDWebAccess
4. Go to Advanced settings
5. under Process Model change the identity to the domain administrator and password
6. do a iisresetAfter those changes it works for us.
Checked with a comparable situation here the identity was internal network tried to change it this and do a iisreset but did not work.
know the domain administrator has to much rights. Have to look into this later.Think the problem is related to the fact the RD WebAccess is also domain controller.
please let me know if this solution helps you, and let me know if the RD Webaccess is also domain controller in your situation
- Proposed As Answer by Brian Rapier Tuesday, August 30, 2011 4:26 PM
-
Tuesday, August 30, 2011 4:26 PM
ThaAlso had this problem. But afer checking the group, dcom security, wmi security still no success.
After a lot of debugging figured out the the RDWeb server still was not able to do the WMI call to the RD hosts.
but after making the change below it works1. Start IIS
2. go to Application Pools
3. Select RDWebAccess
4. Go to Advanced settings
5. under Process Model change the identity to the domain administrator and password
6. do a iisresetAfter those changes it works for us.
Checked with a comparable situation here the identity was internal network tried to change it this and do a iisreset but did not work.
know the domain administrator has to much rights. Have to look into this later.Think the problem is related to the fact the RD WebAccess is also domain controller.
please let me know if this solution helps you, and let me know if the RD Webaccess is also domain controller in your situation
Thanks for this, I had run into this issue before after an MS Update that took days to get working again, after uninstalling the patch that caused the issue. I cannot remember the full patch ID, but the last part was 9917. Now after another update the issue shows up again.....
Changing this setting worked like a charm. Though I used "Network Service" over a Domain Admin account.
Brian
-
Tuesday, July 24, 2012 6:36 AM
Thank you that one, fixed my issue.
RD Web Access was not able to access the RD Session Host server ts02.--.com.au. Verify that the computer account of the RD Web Access server is added to the TS Web Access Computers security group on the RD Session Host server.
event 8 RADWebaccess -
Wednesday, August 08, 2012 5:26 PM
Also had this problem. But afer checking the group, dcom security, wmi security still no success.
After a lot of debugging figured out the the RDWeb server still was not able to do the WMI call to the RD hosts.
but after making the change below it works1. Start IIS
2. go to Application Pools
3. Select RDWebAccess
4. Go to Advanced settings
5. under Process Model change the identity to the domain administrator and password
6. do a iisresetAfter those changes it works for us.
Checked with a comparable situation here the identity was internal network tried to change it this and do a iisreset but did not work.
know the domain administrator has to much rights. Have to look into this later.Think the problem is related to the fact the RD WebAccess is also domain controller.
please let me know if this solution helps you, and let me know if the RD Webaccess is also domain controller in your situation
I attempted this solution as well as using a Domain Admin OR the Network Service account but changing this option breaks RD Web access entirely (yes I did do an iisreset).
The RD Web access will only funciton under ApplicationPoolIdentity.
- Edited by IQ_IT Wednesday, August 08, 2012 5:27 PM
-
Thursday, November 29, 2012 8:41 PM
I had the same exact problem, and this solution fixed my issue as well. I also cloned a VM, then did a sysprep to change the SID which led me to this issue. Thanks to all involved, this was a HUGE help. I also wanted to add that in addition to modifying the WMI security settings to add the TS Web Access Computer group, I also had to re-import the security certificate(s) and re-add them to RemoteApp Manager under Digital Signature Settings - I hope this helps someone as this thread has helped me.
Thank you!!!
-
Friday, December 21, 2012 5:54 PM
Just wanted to acknowledge. This solution worked for me. I was just initially installing RDWA, RDSH, and RDCB and encountered this issue :
"RD Web Access was not able to access the RD
Connection Broker server specified. Ensure that the computer account of the RD
Web Access server is a member of the TS Web Access Computers security group on the RD Connection Broker server."I checked all the DCOM and WMI settings and they're all good so I looked at the IIS and followed Christian's solution.
Allan
- Edited by SystechVan Friday, December 21, 2012 5:56 PM
-
Sunday, January 06, 2013 4:05 PM
Thank you very much for the fix to this issue.
We had a VMWare server crash and I manually moved the VM's to another host. During the move VMWare asked if the VM was copied or moved, I selected move.
When the server came up it did a WMI auto recovery (event ID 65) and reregistered some components (event ID 63).
The permissions for the "TS Web Access Computers" group was missing in Root->CIMV2->TerminalServices.
-
Monday, January 21, 2013 6:08 PMI have had this issue several times over the past few months. I was well familiar with this post, it was in my favorites, I have had to reset the rights on WMI each time. I was reading up on this again this week, and looking at making the IIS change above, as I had been treating the symptom but not the disease. On Friday this happened again, and correcting the WMI rights did not fix the issue. We wound up re-applying SP1 with a Microsoft engineer, and then he did the following, which appreas to have fixed the issue. Perhaps the IIS identity stuff above is the same sort of fix, but I thought I'd post it as an alternative solution. The MS engineer's name was Ritesh. Here's what he did: Full control rights for the iiswebpool\rdwebaccess account were applied to the c:\windows\web\rdweb\app_data\rdwebaccess.config file and the c:\windows\web\rdweb\pages\rdp folder on the RD Web Access portal server. This resolved the issue of one TS server's failure to report remoteaccess icons resulting in ALL system icons not being displayed. This scenario was successfully tested with Ritesh still on the line to confirm. The IIS identity item above may accomplish the same thing, and I may still try applying it later, but for now adding these 2 rights fixed it for me. I still have no fix for why the WMI rights disappeared in the first place.
-
Tuesday, January 22, 2013 1:50 PM
I to have had this issue. Whats differnt for me is the WMI permissions are constantly getting reset. Either on restart or overnight. Has anyone seen this? I've come accross this:
This one talks to writing a script to get them to repopulate but I am hesistant to do this as it looks like it was in beta when they were discussing this fix
http://technet.microsoft.com/en-us/library/ee891251(v=ws.10).aspx
I also went through all of this as well
http://technet.microsoft.com/en-us/library/ee891251(v=ws.10).aspx
-
Thursday, January 24, 2013 9:36 AM
I to have had this issue. Whats differnt for me is the WMI permissions are constantly getting reset. Either on restart or overnight. Has anyone seen this? I've come accross this:
This one talks to writing a script to get them to repopulate but I am hesistant to do this as it looks like it was in beta when they were discussing this fix
http://technet.microsoft.com/en-us/library/ee891251(v=ws.10).aspx
I also went through all of this as well
http://technet.microsoft.com/en-us/library/ee891251(v=ws.10).aspx
I'm in the same boat as Howard, Martin and others. Our RDSH servers reset WMI settings on reboot, happens on 4 out of 5 servers. Pretty serious problem, since it breaks our RDWeb platform. >_<
Howard, you mention 2 links, but you pasted the same link twice. Could you find the link to the script you mention? I would like to have a look at it.
Oh, and our servers were NOT cloned. Clean installs from Windows Deployment Server.
Cheers
Simon
Edit/Update: Happens on random servers. 1st reboot, WMI settings were gone on servers 1,2,3 and 5. Next reboot it was only server 3.- Edited by Simon Juul Larsen Thursday, January 24, 2013 9:59 AM Small update
-
Monday, January 28, 2013 1:55 PM
We logged a support incident with MS support (113012410163979 in case somebody's interested), and I think the problem is solved now.
I have restarted both RDSH's and RDweb servers at least 10 times today, and haven't seen the issue reappear, but I still had some event ID 1000 and 1010 in the RemoteApp and Desktop Connection Management/Admin. Please give this a try if you have the same issue, and let us know what your results are. Mileage may vary, and use at your own risk and blah blah. :)
Here is the response I got from MS support. The part I think helped out was section 3 (last one) - Rebuilding the WMI repository on each RDSH and RDweb server.
Please confirm if you have perform the following steps: ============== •Add the RD Connection Broker computer account to the TS Web Access Computers group on the RD Session Host server. •Modify the DCOM permissions on the RD Session Host server. •Modify the Windows Management Instrumentation (WMI) security settings on the RD Session Host server. I noticed that you have added the WMI permission, please also confirm if the DCOM permission is corrected. After that please try to reboot the RDS servers to test if this issue still occurs, if this issue still occurs on some servers, please collect the following steps: ================= 1. Please let me know the details for the RDweb failure, can you logon the RDweb of if the RemoteApp icons are unable to be listed. Please capture a screenshot to us. 2. Please perform the following steps on the affected server to test if the WMI basic query works. ------------------- Run wbemtest, connect the namespace root\cimv2 Click Query… and enter query as: Select * from Win32_ComputerSystem. Note: If the WMI query works, above command will list the computer name. 3. Please try to rebuild the WMI Repository on the affected RDS server and the RDweb server. ========================= a. Disable and stop the WMI service. sc config winmgmt start= disabled net stop winmgmt b. At a command prompt (cmd), change to the WBEM folder. cd %windir%\system32\wbem c. Rename the repository folder rename repository repository.old d. Re-enable the WMI service. sc config winmgmt start= auto e. Run the following command to manually recompile all of the default WMI .mof files and .mfl files cd %windir%\system32\wbem for /f %s in ('dir /b *.mof *.mfl') do mofcomp %s
Cheers
Simon
-
Tuesday, January 29, 2013 9:01 PM
Hey Simon,
Definately been through that process before including step 3. I will try it again and see if it works. If not I will open a case as well. I am sorry but I couldn't find the other link. I will post as soon as I do.
If you still get the 1010 errors then some of your servers have already dropped their wmi permissions. Double check all your servers to make sure they all have the permissions set.
- Edited by Howard.Feldman Tuesday, January 29, 2013 9:04 PM
-
Thursday, January 31, 2013 5:19 PM
Another thing we did to our problem server was to use a scheduled task to do a salvage repository on WMI
C:\Windows\System32\wbem\WinMgmt.exe /salvagerepository
It does this every morning after the server reboots. So far so good, although we did wind up applying 2 fixes at once, so I don't have proof of which one is truly helping.
YMMV.
-
9 hours 10 minutes ago
Same problem, same fix! Took me real long time, pulled a lot of hair, glad to saw this post! For me it was the WMI sec settings, they disappeared after a Windows patch round. My App sources are even physical boxes, so no movement or whatsoever involved.
All kudos!
.png)
