Windows 2016 RDS event 1306 Connection Broker Client failed to redirect the user... Error: NULL

  • Question

  • I'm attempting to set up a Windows 2016 RDS Standard Deployment for Session Hosting.  The layout is as follows:
    RDS01 - RDS Connection Broker and Web Access
    TS02 - RDS Session Host
    TS03 - RDS Session Host

    The domain these servers are part of has (1) Windows 2008 Server and (2) Windows 2016 Servers acting as DCs.  The domain is running at Windows 2003 Functional Level.

    All servers are on a single routed network with no firewall between them.  All DNS A and PTR records for all servers exist and resolve on all hosts.  All servers can be pinged by each other. In other words, there are no network connectivity issues.

    I've set up the RDS deployment several times w/ the same results.

    The Issue
    I can log in via the RDWeb interface on RDS01 from a Win10 desktop and connect to the published RDP desktop without issue (i.e. no error messages to the user) and no errors in the logs.  When I try to directly RDP to RDS01, I successfully authenticate as a user (per the event log) but get an error stating that the user doesn't have access to the system.  In the event log I get event id 1306 with the message of "Remote Desktop Connection Broker Client failed to redirect the user <domain>\<test user>.  Error: NULL".

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-TerminalServices-SessionBroker-Client" Guid="{2184B5C9-1C83-4304-9C58-A9E76F718993}" />
        <EventID>1306</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>104</Task>
        <Opcode>13</Opcode>
        <Keywords>0x2000000000000000</Keywords>
        <TimeCreated SystemTime="2016-12-29T16:47:27.634726700Z" />
        <EventRecordID>47</EventRecordID>
        <Correlation ActivityID="{F4209120-29ED-44E4-845A-25A2570F0000}" />
        <Execution ProcessID="828" ThreadID="3668" />
        <Channel>Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational</Channel>
        <Computer>rds01.[redacted.domain]</Computer>
        <Security UserID="S-1-5-20" />
      </System>
      <UserData>
        <EventXML xmlns="Event_NS">
          <param1>[redacted.domain]</param1>
          <param2>[redacted.user]</param2>
          <param3>NULL</param3>
        </EventXML>
      </UserData>
    </Event>


    If I RDP to RDS01 as an administrator, I get the same error message but the RDP session opens and presents the desktop on RDS01.

    I can RDP directly to TS02 or TS03 and login as a user and open the RDP session.  Redirection to some degree appears to be working in that I can disconnect a user session from TS02 and RDP to TS03 and the session is redirected back to TS02.  The event logs on RDS01 record this happening as well.

    What I've tried already
    1. In searching this event 1306 issue, I found several posts with this exact same behavior in WS 2012/R2.  Most "solutions" suggested point to the fact that the RDS Session Broker doesn't have sufficient authority to look up the user's AD group membership via the tokenGroupsGlobalAndUniversal attribute or the AuthzInitializeContextFromSid API function, which leverages the tokenGroupsGlobalAndUniversal attribute.  (Example: https://social.technet.microsoft.com/Forums/windowsserver/en-US/29733a87-dbda-47bc-8b37-6eeac5ab5a0a/2012-rds-nonadministrators-can-not-access-vdi-pool?forum=winserverTS#97d883f1-7a64-4d02-9492-309638f92e79 )

    The service is running as "Network Service" which does have network access via the Computer Object's authority in AD.  So following Microsoft's instructions (https://support.microsoft.com/en-us/kb/331951), I've added RDS01 to both the Windows Authorization Access Group and Pre-Windows 2000 Compatibility Access groups and rebooted RDS01 with the same results.  

    2. I've verified the Windows Authorization Access Group has rights to read the tokenGroupsGlobalAndUniversal property/attribute on my test users and the computer objects of the servers.

    3. I've set up an AD Service account following Microsoft's instructions (https://support.microsoft.com/en-us/kb/842423) with a similarly described access issue.  The service account user was added to the Windows Authorization Access Group.  This was unsuccessful as well w/ the same event 1306 error.

    4. I ran the following PowerShell commands to verify access of the Connection Broker to the OU (https://technet.microsoft.com/en-us/library/jj215512.aspx#)

    Test-RDOUAccess -Domain [redacted.domain] -OU "Computers" -ConnectionBroker rds01.[redacted.domain] -verbose


    This failed so I ran the following to grant access

    Grant-RDOUAccess -Domain watsons.local -OU "Computers" -ConnectionBroker rds01.watsons.local -verbose 


    The Test-RDOUAccess then succeeded.

    I repeated this for the OUs that contained the users and the server computer objects.

    I've disabled all GPOs to ensure there are no conflicts but have seen no change in the behavior or error messages.

    With all that, I've exhausted every option that I can find to resolve this error to gain the expected functionality.  As a workaround for the moment, I've set up a round-robin DNS A record that points to TS02 and TS03 w/ a very short TTL.  This gives the test users the ability to log in and at least test the desktop functionality.

    Sorry for being so long winded with this but I thought it better to put all the cards on the table.

    I'm open to any and all suggestions.

    Thx!

    • Edited by f-n-b Saturday, December 31, 2016 7:13 PM formatting
    Saturday, December 31, 2016 7:06 PM

Answers

  • Hi,

    For the problem, I have tested for this on Windows Server 2016.

    If the RD Connection Broker does not redirect the session to RDSH in a new RDS environment, you need to configure the default collection on the RDCB in the registry.

    You should create the registry value DefaultTsvUrl under the path below with tsv://MS Terminal Services Plugin.1.<collection alias> on RDCB.

    HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\ClusterSettings

    For the value, you could find it in Event Viewer on RDCB like below.

    Note: you should make a backup before modifying the registry.

    Here is a similar thread below for your reference.

    https://social.technet.microsoft.com/Forums/en-US/09c884f3-5bad-4a30-b707-99ea02c50c63/rd-session-broker-will-not-work-with-desktop-sessions?forum=winserverTS

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Jay Gu Tuesday, January 3, 2017 11:28 AM
    • Marked as answer by f-n-b Wednesday, January 4, 2017 1:54 AM
    Tuesday, January 3, 2017 11:28 AM
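
The registry change described in the answer above, scripted with a backup of the key and a read-back check. This is an added example, not part of the original thread; the `CollectionAlias` parameter and the backup file location are assumptions to be replaced with your own values.

```powershell
# Added example (not from the thread). Run elevated on the RD Connection Broker.
# $CollectionAlias and $BackupPath are assumed inputs; take the alias from your
# own deployment.
param(
    [Parameter(Mandatory)] [string] $CollectionAlias,
    [string] $BackupPath = "$env:TEMP\ClusterSettings-backup.reg"
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\ClusterSettings'
$regExeKey = 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\ClusterSettings'
$valueName = 'DefaultTsvUrl'
$newValue  = "tsv://MS Terminal Services Plugin.1.$CollectionAlias"

# Refuse to create the key on a machine that does not already have it.
if (-not (Test-Path -LiteralPath $keyPath)) {
    throw "Key not found: $keyPath. Confirm this server is the Connection Broker."
}

# Back up the whole key first so the change can be reverted with 'reg import'.
& reg.exe export $regExeKey $BackupPath /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Registry export failed (exit $LASTEXITCODE); nothing was changed."
}

# Show any value that is about to be overwritten.
$existing = (Get-ItemProperty -LiteralPath $keyPath -Name $valueName `
             -ErrorAction SilentlyContinue).$valueName
if ($null -ne $existing) {
    Write-Warning "Overwriting existing $valueName = '$existing'"
}

# Create (or replace) the value as a string (REG_SZ).
New-ItemProperty -LiteralPath $keyPath -Name $valueName `
    -PropertyType String -Value $newValue -Force | Out-Null

# Read back and confirm both the type and the content.
$key  = Get-Item -LiteralPath $keyPath
$kind = $key.GetValueKind($valueName)
$read = $key.GetValue($valueName)
if ($kind -ne 'String' -or $read -ne $newValue) {
    throw "Verification failed: $valueName is '$read' ($kind). Backup: $BackupPath"
}
Write-Output "$valueName = '$read' (backup saved to $BackupPath)"
```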

All replies

  • Jay,

    Thank you for the information as that fixed my issue.  

    Cheers!

    Wednesday, January 4, 2017 1:56 AM
  • Hello,

    I created the string value and added the value, but it is not working.

    RDP to the broker servers does not work anymore.

    Any update??


    peggyguylaine1@yahoo.fr

    Wednesday, April 11, 2018 5:40 PM
  • I get the same error,

    When I add the broker to HA, I am no longer able to connect to the session host servers. (1305 and 1296 errors ==> FAIL TO REDIRECT THE CLIENT. I used RDWeb before, so the collection setting is present in the .rdp file)

    Any update?


    peggyguylaine1@yahoo.fr

    Wednesday, May 8, 2019 11:15 AM
  • I just checked the event viewer and I couldn't find the necessary value; I don't have Error 800, only 832.

    Any other ways to find it?

    

     
    Tuesday, July 9, 2019 7:29 AM