RDS Gateway/collection issues, web access works

  • Question

  • Hello all,

    I am trying to create a proof of concept RDS deployment in Azure with the following architecture:

    I've got the servers and services I need in the cloud set up and configured and have been trying to test the functionality of the solution. I can log in to the session host collection with RD Web Access without an issue; however, this doesn't work when trying to set up an MSTSC connection through the gateway. I've tried to reverse-engineer my MSTSC settings from the RDP file that Web Access provides (and successfully connects with). So, the RDP connection specifies the correct information for the gateway server, while the remote system it points at is simply the DNS name for the load balancer for the brokers. When I try this with a user account to start a session, they'll be met with "The connection was denied because the user account is not authorized for remote login". If I try this with a domain admin account, it places my session on whichever system I am pointing at (in this case the RD broker). It seems to me that there's something with the Web Access method that is specifying the collection to be used upon connecting, whereas simply trying to connect through MSTSC does not. For the life of me, I cannot figure out why.

    In previous iterations of this, one could specify through the registry the default collection to be used for connections to the broker, but I don't believe this was a Microsoft recommended solution and was unsupported.  Is this what needs to be done?  Alternatively, I could set up a load balancer in front of the session hosts and try to connect directly to that through the RD gateway - but doesn't that cut out the connection broker?  How then is the RDS load balancing enforced?  What about the collection properties, like UPD settings?

    Setup:

    • Two 2016 RDS Gateway servers set up in a farm + web access role
    • A load balancer pointing to these servers
    • A certificate on each of these RD gateway servers matching the DNS name of the load balancer
    • A CAP and RAP that should allow connecting users access to the resources they need (can review this if necessary)
    • Two 2016 RD Connection Brokers set up in high-availability
    • A load balancer pointing to these servers
    • A certificate on these servers matching the DNS name of the CB load balancer
    • Certificates installed on the root store of the host attempting to connect
    • A single collection defined within the RD management console
    • Session host with the appropriate setup
    • No problems getting in to a session on a session host through web access

    This is a proof of concept environment, so I can make any changes necessary to it and even provide access if necessary.  The crux of the issue is that if Web access is working, I presume everything in the solution is working and the only difference between that and connecting with the RD gateway and pointing at the connection broker is that there's something in the web access that is specifying the collection to use, whereas a straight-up terminal server connection is not.

    It seems to me I should be able to set up MSTSC to use the RD gateway, point at the connection broker and be put on a session host with my users' session, but that hasn't been working and I am not sure what I need to do to get this functioning. I've scoured many articles and resources about this without much luck. Any help would be greatly appreciated!

    Friday, May 26, 2017 4:27 PM
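The difference the poster is chasing is a single setting in the .rdp file that RD Web Access hands out: `loadbalanceinfo`, which carries the collection name the broker routes on. A bare MSTSC connection has no such setting, so the broker has nothing to redirect to and the session lands on whatever host `full address` names (which only an account with logon rights on the broker itself can reach). The following PowerShell is an added example, not code from this thread or from Microsoft, that writes an .rdp file with the same gateway and collection settings Web Access generates; the gateway and broker DNS names, the collection name and the output path are placeholders you substitute.

```powershell
# Added example (not from the thread): builds the kind of .rdp file that RD Web Access
# hands out, so MSTSC goes through the RD Gateway and carries the collection name the
# broker needs. Hostnames, collection name and output path are placeholders.
function New-RdsCollectionRdpFile {
    param(
        [Parameter(Mandatory)] [string] $GatewayFqdn,     # DNS name of the gateway load balancer
        [Parameter(Mandatory)] [string] $BrokerFqdn,      # DNS name of the broker load balancer
        [Parameter(Mandatory)] [string] $CollectionName,  # collection name as shown in Server Manager
        [Parameter(Mandatory)] [string] $Path             # where to write the .rdp file
    )

    # 'loadbalanceinfo' is the setting Web Access adds. Without it the broker has no
    # collection to route to, which is the behaviour described in the question.
    $settings = [ordered]@{
        'full address:s'                = $BrokerFqdn
        'loadbalanceinfo:s'             = "tsv://MS Terminal Services Plugin.1.$CollectionName"
        'use redirection server name:i' = 1
        'gatewayhostname:s'             = $GatewayFqdn
        'gatewayusagemethod:i'          = 1   # always route through the gateway
        'gatewaycredentialssource:i'    = 0   # prompt for password (NTLM)
        'gatewayprofileusagemethod:i'   = 1   # use the explicit gateway settings above
        'authentication level:i'        = 1   # do not connect if server authentication fails
        'prompt for credentials:i'      = 1
        'promptcredentialonce:i'        = 1   # reuse the gateway credentials for the session host
    }

    # Each .rdp line has the form "<name>:<type>:<value>"
    $lines = $settings.GetEnumerator() | ForEach-Object { "$($_.Key):$($_.Value)" }
    Set-Content -Path $Path -Value $lines -Encoding Unicode
    return $lines
}

# Usage (placeholder names):
New-RdsCollectionRdpFile -GatewayFqdn 'rdgw.example.com' -BrokerFqdn 'rdcb.example.com' `
    -CollectionName 'Desktops' -Path "$env:TEMP\Desktops.rdp"
mstsc.exe "$env:TEMP\Desktops.rdp"
```

Two points worth checking when you compare this with the file Web Access serves. `authentication level:i:1` refuses the connection if the gateway or broker certificate does not validate, which is the setting you want once the certificates match the load balancer DNS names as described in the setup; the Web Access file may carry `2` (warn only). Web Access also signs its .rdp files, so MSTSC will show an unknown-publisher prompt for this unsigned one; `rdpsign.exe` with the same certificate removes that prompt and lets clients detect a tampered file.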

Answers

  • Hi,

    Since Windows Server 2012, it has been recommended to connect to an RDS collection via the RD Web Access site, an .rdp file downloaded from the site, or RemoteApp and Desktop Connections configured within Control Panel, as the proper connection settings are generated by the RD Web plugin.

    If you'd like to connect via the collection name directly, you may configure a default collection via the registry as you mentioned above, which is under

    HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\ClusterSettings

    Here is a related thread below for you:

    Connection Broker (Server 2012) what server to connect to

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/4c997fe7-94ad-4793-8780-704e48e976e6/connection-broker-server-2012-what-server-to-connect-to-?forum=winserverTS

    Best Regards,

    Amy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Amy Wang_ Tuesday, June 6, 2017 9:53 AM
    • Marked as answer by mmbcint Monday, June 12, 2017 6:26 PM
    Monday, May 29, 2017 9:43 AM
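The key Amy names is on the brokers, and in a high-availability deployment it has to be set identically on every broker, or routing will differ depending on which one the load balancer picks. The PowerShell below is an added example, not Amy's or Microsoft's code; it uses the value name `DefaultTsvUrl` under that key, which is the value documented for this workaround but is not named in the thread, and it assumes placeholder broker names and collection name. It confirms the collection exists before writing anything and returns the previous value from each broker so the change can be audited or rolled back.

```powershell
# Added example (not from the thread): sets the default collection on every HA broker.
# Key path is the one from Amy's reply; value name DefaultTsvUrl is from the documented
# workaround, not from the thread. Broker names and collection name are placeholders.
function Set-RdsDefaultCollection {
    param(
        [Parameter(Mandatory)] [string[]] $Brokers,        # all RD Connection Brokers in the HA set
        [Parameter(Mandatory)] [string]   $CollectionName  # collection name as shown in Server Manager
    )

    # Refuse to write a name the deployment does not know; a typo here sends every
    # bare MSTSC connection nowhere useful.
    Import-Module RemoteDesktop
    Get-RDSessionCollection -CollectionName $CollectionName -ConnectionBroker $Brokers[0] -ErrorAction Stop | Out-Null

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\ClusterSettings'
    $url = "tsv://MS Terminal Services Plugin.1.$CollectionName"

    Invoke-Command -ComputerName $Brokers -ArgumentList $key, $url -ScriptBlock {
        param($key, $url)
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Capture the existing value before overwriting it (audit trail / rollback)
        $before = (Get-ItemProperty -Path $key -Name DefaultTsvUrl -ErrorAction SilentlyContinue).DefaultTsvUrl
        Set-ItemProperty -Path $key -Name DefaultTsvUrl -Value $url -Type String
        [pscustomobject]@{ Broker = $env:COMPUTERNAME; Before = $before; After = $url }
    }
}

# Usage (placeholder names):
Set-RdsDefaultCollection -Brokers 'rdcb01.example.com', 'rdcb02.example.com' -CollectionName 'Desktops'
```

This only affects connections that arrive without `loadbalanceinfo`; .rdp files from Web Access keep routing to the collection they name. Keep in mind that a default collection is an open door for anyone who can reach the gateway with a bare MSTSC connection, so the collection's user groups (which populate the Remote Desktop Users group on its session hosts) and the gateway RAP remain the controls that decide who actually gets a session.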
  • Hi,

    I believe the session would be redirected to RD SH within the default collection.

    That's why normally users need to use RD Web Access, or .rdp file downloaded from it to connect to desired RD resources.

    Best Regards,

    Amy


    • Edited by Amy Wang_ Thursday, June 8, 2017 10:34 AM
    • Proposed as answer by Amy Wang_ Monday, June 12, 2017 6:47 AM
    • Marked as answer by TP [MVP] Monday, June 12, 2017 8:16 PM
    Thursday, June 8, 2017 10:31 AM

All replies

  • Thanks Amy,

    This did work for a direct RDP session to the gateway and connecting users were placed on a session host in the default collection.

    A quick follow-up question: let's say I have another group of power users that requires a different session host environment with additional tools (and associated licenses, etc.) to work. Suppose I have created another collection for them and have specified the user groups allowed to connect to each collection.

    Since the collection information that was specified in the session-helper information in the Web access RDP file is now being used in the default collection for the connection broker, what will happen to a client from that group of power users when it tries to connect through the RD gateway without using web access?  By default, the broker would try to use the collection I identified - but the user groups they belong to are assigned to a different collection.

    What will happen in this scenario?

    Tuesday, June 6, 2017 5:46 PM
  • Thanks Amy, I think my questions have been sufficiently answered.
    Monday, June 12, 2017 6:26 PM