2012 RDS: Non-Administrators can not access VDI pool

  • Question

  • I am currently setting up Server 2012 VDI using 2 servers: a connection broker, web access, licensing server and a VM host server. I have followed the wizards, created my master image, created the collection, and set up group policy to add the group I want to give RDS access to "Allow log on through terminal services" and the Remote Desktop Users group.

    When I connect using my admin account everything works, it connects to the connection broker and then forwards to one of the running VMs.

    When I connect using a non-admin account I am prompted with: The connection was denied because the user account is not authorized for remote login. I also get the following in the event log:

    TerminalServices-SessionBroker

    RD Connection Broker failed to process the connection request for user ***\****.
    Failed to find Resource Plugin OR an end point for the user.
    Error: Access is denied. 

    TerminalService-SessionBroker-Client

    Remote Desktop Connection Broker Client failed while getting redirection packet from Connection Broker.
    User : ***\**** 
    Error: Element not found. 


    --

    Remote Desktop Connection Broker Client failed to redirect the user ***\**** 
    Error: NULL

    I searched the internet high and low and I can not figure this out. I have even put the non-admin users in the Remote Desktop Users group on the server just to see what would happen; same results if trying to connect to the pool. But I am able to connect directly to the server. I am also able to directly connect to a VM in the pool using a non-admin account.

    Any help would be appreciated. 


    • Edited by skeiffer_ Wednesday, October 24, 2012 7:18 PM
    Wednesday, October 24, 2012 7:17 PM

Answers

  • Just updating this thread as we have found the problem. Unknown to me, due to how we have to handle user information by law, the computer account of the connection broker did not have access to some of the information on the user objects. Admin accounts working was just a red herring. That has now been fixed for the broker and everything works great.

    Thanks for the help.

    • Marked as answer by skeiffer_ Thursday, October 25, 2012 9:41 PM
    Thursday, October 25, 2012 9:41 PM

All replies

  • What OS are you using for the VDI desktops (VMs)?  Only Windows 7 SP1 and Windows 8 are supported. If you are using Windows 7 SP1, make sure you update the integration components in the VM to the Windows Server 2012 version.

    In Windows Server 2012, you no longer need to provision VMs and modifying the Remote Desktop Users group is not necessary.  The RDMS UI will do this for you.


    Don Geddes - SR Support Escalation Engineer - Remote Desktop Services - Printing and Imaging

    Wednesday, October 24, 2012 7:24 PM
  • The VMs are Windows 8 enterprise and they were all provisioned from the UI using the wizard.
    Wednesday, October 24, 2012 7:36 PM
  • Hi,

    In Server Manager -- Remote Desktop Services -- Collections -- <your VDI collection> -- Tasks -- Edit Properties -- User Groups tab, please make sure that a group is listed that the user is a member of.  For example, you may use Domain Users if the user is a member of that (they are by default).

    Thanks.

    -TP

    Wednesday, October 24, 2012 7:46 PM
  • Hi,

    In Server Manager -- Remote Desktop Services -- Collections -- <your VDI collection> -- Tasks -- Edit Properties -- User Groups tab, please make sure that a group is listed that the user is a member of.  For example, you may use Domain Users if the user is a member of that (they are by default).

    Thanks.

    -TP

    The user is in the group that is listed, just triple checked. 
    Wednesday, October 24, 2012 7:49 PM
  • Hi,

    Please run a quick test to see that collection security filtering is functioning.  Please log on to RD Web as the test user account and verify that the icon for connecting to the collection is present.  Leave the web browser open.

    In Server Manager, add a group to the user groups tab that the test user is not a member of, then remove all groups listed that the user is a member of.  After completing this, please refresh the RDWeb page, and verify that the icon for the collection is no longer present.  Once you have verified that this works, please return to Server Manager and add the group that the user is a member of back in, refresh RDWeb, and test again.

    Please reply with your results.

    Thanks.

    -TP

    Wednesday, October 24, 2012 8:01 PM
  • Hi,

    Please run a quick test to see that collection security filtering is functioning.  Please log on to RD Web as the test user account and verify that the icon for connecting to the collection is present.  Leave the web browser open.

    In Server Manager, add a group to the user groups tab that the test user is not a member of, then remove all groups listed that the user is a member of.  After completing this, please refresh the RDWeb page, and verify that the icon for the collection is no longer present.  Once you have verified that this works, please return to Server Manager and add the group that the user is a member of back in, refresh RDWeb, and test again.

    Please reply with your results.

    Thanks.

    -TP

    I have added a group my test account is NOT a member of, removed the original group, and refreshed the page. The icon for the collection is STILL present (even though it should not be).

    EDIT: I tried logging in with a second test account that was never in the original group and the collection is not displayed. Is there a delay from when you set the group and when the change takes effect?

    • Edited by skeiffer_ Wednesday, October 24, 2012 8:31 PM
    Wednesday, October 24, 2012 8:18 PM
  • The error messages indicate that Connection Broker is not able to find an endpoint (VM) for the incoming connection request to be routed to, and so the user ends up trying to connect directly to the Connection Broker instead (which you can't do as a user since it is a redirector and in drain mode).

    You don't mention how you are connecting though...what OS is your client and are you logging on to RDweb or using the feed, or trying to enter something directly into mstsc.exe?


    Don Geddes - SR Support Escalation Engineer - Remote Desktop Services - Printing and Imaging

    Wednesday, October 24, 2012 8:26 PM
  • The error messages indicate that Connection Broker is not able to find an endpoint (VM) for the incoming connection request to be routed to, and so the user ends up trying to connect directly to the Connection Broker instead (which you can't do as a user since it is a redirector and in drain mode).

    You don't mention how you are connecting though...what OS is your client and are you logging on to RDweb or using the feed, or trying to enter something directly into mstsc.exe?


    Don Geddes - SR Support Escalation Engineer - Remote Desktop Services - Printing and Imaging

    I am connecting from rdweb on a windows 8 enterprise client. I have tried from rdweb on a windows 7 sp1 client, and I have also tried using the .rdp file. All tests have had the same results, if the user is a non-admin the messages listed in the original post occur. 
    Wednesday, October 24, 2012 8:34 PM
  • What kind of collection is this?  Pooled/personal, managed/unmanaged?

    Also, what OS are your domain controllers and what functional level are they configured at?


    Don Geddes - SR Support Escalation Engineer - Remote Desktop Services - Printing and Imaging

    Wednesday, October 24, 2012 9:22 PM
  • What kind of collection is this?  Pooled/personal, managed/unmanaged?

    Also, what OS are your domain controllers and what functional level are they configured at?


    Don Geddes - SR Support Escalation Engineer - Remote Desktop Services - Printing and Imaging

    The collection is a pooled managed collection.

    The OS of the DCs is 2008 r2 sp1. The functional level is 2008 r2.


    • Edited by skeiffer_ Wednesday, October 24, 2012 9:30 PM
    Wednesday, October 24, 2012 9:29 PM
  • Sounds like it is time to start poring through event logs and doing advanced troubleshooting. It doesn't seem to me that you have anything configured wrong as far as Remote Desktop Services is concerned... this seems like something else going on with network communication or domain infrastructure.

    Have you considered opening a case with Microsoft Support?


    Don Geddes - SR Support Escalation Engineer - Remote Desktop Services - Printing and Imaging

    Wednesday, October 24, 2012 9:36 PM
  • Sounds like it is time to start poring through event logs and doing advanced troubleshooting. It doesn't seem to me that you have anything configured wrong as far as Remote Desktop Services is concerned... this seems like something else going on with network communication or domain infrastructure.

    Have you considered opening a case with Microsoft Support?


    Don Geddes - SR Support Escalation Engineer - Remote Desktop Services - Printing and Imaging

    I have dug around in the event log quite a bit and I am not finding much other than what I listed above. Since this is a test environment I am just going to blow it away and start over again. If I get the same results I may consider contacting support.
    Wednesday, October 24, 2012 9:43 PM
  • You mentioned you were trying with an .rdp file....where did you get the .rdp file that you were using? (RemoteApp manager no longer exists).

    Can you share the .rdp file?


    Don Geddes - SR Support Escalation Engineer - Remote Desktop Services - Printing and Imaging

    Wednesday, October 24, 2012 9:49 PM
  • Hi,

    Yes, there can be delay due to security token caching on the RDWeb server.

    For example, let's say you have a user named testuser1. You log on to RDWeb as testuser1. One minute later you add testuser1 to a group that is listed on the User Groups tab of a collection. Next you refresh RDWeb and notice that the collection does not show up. The reason it does not show up (yet) is that the existing security token does not have the newly-added group.

    Have you tried adding the test user account to the User Groups tab of the collection?  After adding the user please test to see if you get the same error.  The only time I have seen the specific error you are receiving is when the user does not have permission to the collection.

    -TP

    Wednesday, October 24, 2012 10:47 PM
  • Just updating this thread as we have found the problem. Unknown to me, due to how we have to handle user information by law, the computer account of the connection broker did not have access to some of the information on the user objects. Admin accounts working was just a red herring. That has now been fixed for the broker and everything works great.

    Thanks for the help.

    • Marked as answer by skeiffer_ Thursday, October 25, 2012 9:41 PM
    Thursday, October 25, 2012 9:41 PM
  • Just updating this thread as we have found the problem. Unknown to me, due to how we have to handle user information by law, the computer account of the connection broker did not have access to some of the information on the user objects. Admin accounts working was just a red herring. That has now been fixed for the broker and everything works great.

    Thanks for the help.

    This is why I was asking about your DC and functional level.  I have seen this problem in the past with older DCs and functional levels.

    Can you share the specific settings that you changed?


    Don Geddes - SR Support Escalation Engineer - Remote Desktop Services - Printing and Imaging

    Thursday, October 25, 2012 11:30 PM
  • Dear skeiffer_,

    I am having the same issue here with the same functional level. I even added the users to the Domain Admins group but failed to connect to the pool. Can you please tell me what the exact issue is and how to solve it?

    Your help is highly appreciated.

    BR,

    Nader G.

    Tuesday, November 20, 2012 5:31 PM
  • That is / was my problem as well. To quickly confirm (I've been trying to solve this problem for over 6 hours) I gave my Connection Broker Enterprise Admin access (test environment) and it worked.

    Can you elaborate on what exact permission it needs? I will need to apply proper permissions.. 

    Thank you so much!

    Wednesday, December 5, 2012 12:43 AM
  • I have the same problem and the workaround did work. I've had a ticket with MSS open for a while now and thought I solved it via group policy updates last week (we had bad policies). It didn't work and I've been watching this thread hoping someone would post the answer. MSS hasn't provided me with the answer yet. As soon as they do, I will post it here.
    Thursday, December 6, 2012 3:03 PM
  • MSS pretty much said that since it's working and Server 2012 is so new that they don't have documentation and are closing the case.  They had me send them a link to this page.

    So for now... you have to have the computer account in an administrator level group.

    Thursday, December 20, 2012 1:55 PM
  • Any news about this case? I have the same problem.

    erick Maquine

    Friday, February 22, 2013 12:18 PM
  • RESOLUTION
    ==========
    If Connection Broker and RD Web Access are used, add the computer accounts for each server to the Windows Authorization Access group of the domain. You must also verify that this group has read access to the user properties of each user object that you are deploying personal virtual desktops to:

    1. Look at the Properties of the user account and then select the Security tab. Check to see if the Windows Authorization Access group has effective permissions to read the msTSProperty01 attribute of the user.
    2. If this group does not have read access to this property, do the following:
       a. On the Security tab of the new user account that was created, click Advanced, then highlight Windows Authorization Access Group and click Edit.
       b. Change to the Properties tab, check Read all properties and then select OK.

    Friday, February 22, 2013 4:33 PM
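    The resolution above as a script, added here as an example and not part of any post in the thread: it uses the ActiveDirectory PowerShell module to put the broker and web access computer accounts into the Windows Authorization Access group, then checks each VDI user object for an Allow ACE that lets the group read msTSProperty01 (or all properties) and grants "Read all properties" where none exists. The server names RDCB01 and RDWEB01 and the OU path are placeholders; the ACE check is simplified (Deny ACEs and property sets are not evaluated), so treat its output as a first pass rather than a full effective-permissions calculation.

```powershell
# Added example (not from the thread). Placeholder server names and OU; run as a domain admin.
Import-Module ActiveDirectory

$waag    = Get-ADGroup 'Windows Authorization Access Group'
$waagSid = $waag.SID

# 1. Both the RD Connection Broker and the RD Web Access computer accounts belong in the group.
foreach ($name in 'RDCB01', 'RDWEB01') {                       # placeholder server names
    $computer = Get-ADComputer $name
    $members  = Get-ADGroupMember -Identity $waag | Select-Object -ExpandProperty SID
    if ($members -notcontains $computer.SID) {
        Add-ADGroupMember -Identity $waag -Members $computer
    }
}

# 2. schemaIDGUID of msTSProperty01, so attribute-specific ACEs can be recognised.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrObj  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msTSProperty01)' -Properties schemaIDGUID
$msTsGuid = [guid]$attrObj.schemaIDGUID

# Is there an Allow ACE for the group that covers ReadProperty on msTSProperty01 or on all properties?
# Simplified check: Deny ACEs and property sets are ignored.
function Test-WaagCanReadTsProperty {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $hit = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $waagSid -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $msTsGuid)
    }
    return [bool]$hit
}

# Step 2b of the resolution: grant the group "Read all properties" on one user object.
function Grant-WaagReadAllProperties {
    param([string]$DistinguishedName)
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $waagSid, [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# 3. Report and fix every user in the placeholder VDI OU.
Get-ADUser -SearchBase 'OU=VDI Users,DC=example,DC=com' -Filter * | ForEach-Object {
    if (-not (Test-WaagCanReadTsProperty $_.DistinguishedName)) {
        Write-Warning "$($_.SamAccountName): group cannot read msTSProperty01, granting Read all properties"
        Grant-WaagReadAllProperties $_.DistinguishedName
    }
}
```

    Remove the Grant call and keep only the warning to run it as an audit first; a domain whose user objects are covered by a confidentiality policy, as in the accepted answer, should have the grant reviewed by whoever owns that policy.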
  • Thank you!!! This worked perfectly.
    Tuesday, February 11, 2014 2:57 PM
  • Why is this not in the documentation? This was the answer I have been looking for. Thanks
    Tuesday, February 11, 2014 9:51 PM
  • I am having the exact same problem; the only difference is my domain is at a 2012 functional level. I tried all of the above, doing the steps listed by Ritesh, and even tried giving the WAA group full control but no luck. I also tried what RobOttawa said and gave my CB Enterprise Admin access and that didn't help either.

    Any other suggestions?!  This has plagued me forever.  The only thing I find that will fix it is if I reboot the CB completely then it will work for a day, maybe a couple days and then this same problem shows up again.  Same symptoms, same events in the log, everything.  I was so crossing my fingers this thread would help but it hasn't.  Every user account in the domain admins group has no problem - every regular user account has this issue.

    Anyone?


    • Edited by Racey Cave Friday, March 7, 2014 10:42 PM
    Friday, March 7, 2014 10:38 PM
  • Hi Racey,

    I have the same problem... have you solved it?

    Thanks,
    David

    Friday, June 20, 2014 3:30 PM