2016 RDS redirection error

    Question

  • Hi,

    I have got RDS working nicely for apps now, SSO and no warnings or certificate errors. Great... until I try and use MSTSC to remote desktop on to the RDS servers, which some of our users will have to do.

    RDSBROKER.domain.lan = Broker, RD Web

    TS1 + TS2 = Session host servers

    There is no Gateway as zero external access, purely on LAN. All 2016 server.

    If I MSTSC to the broker, I get the following warning.

    The remote computer that you are trying to connect to is redirecting you to another remote computer.

    So this is what I need to fix.

    There is one single collection, let's call it COLLECTION, which has a couple of RemoteApps published that are working great now.

    But as I said, we will have a number of users who will be connecting to the full desktop, rather than a published remote app.

    What am I missing please?

    I guess it is something to do with the "Farm" or the "Farm Name"... but reading online people just say that is the Collection name.

    I tried adding a DNS round robin with the name collection.domain.lan but when I connect to that I get certificate warnings again... which is strange as I am using an internal CA Wildcard cert that is trusted by the clients. So I am not sure if that is right and even needed in our case. Our users would be fine connecting to the connection broker via MSTSC to get their desktop.

    Let me know any thoughts please?

    Many thanks - James

    Wednesday, 13 June 2018 15:11

All Replies

  • Been doing some more testing, well, experimenting.

    It seems that when I connect to collection.domain.lan it does the round robin to the TS servers, but I get the cert issue. Looking into that further, I am seeing the locally signed cert, not the cert from our internal CA which is what is being used by remote app.

    Maybe I just need to tell the TS servers to use a different cert? Is that possible / advisable? Or am I barking up the wrong tree?

    Thanks

    Wednesday, 13 June 2018 15:33
  • Hi James,

    Please note that a single collection is intended to publish full desktop or RemoteApps, not both.  You can try to have both in a single collection if you want to, but keep in mind, depending on your unique configuration, you may run into issues as a result.

    Now that I've given you the warning that you are doing things in a way that is unsupported and may/will cause problems, please confirm that you are launching the full desktop session using the icon in RD Web Access or a .rdp file with the correct settings as downloaded from RDWeb using a non-IE browser?  You could unpublish all the RemoteApps that are currently published on the collection, refresh the RDWeb page, then download the .rdp file using a non-IE browser and that way you will have a .rdp file with correct settings for full desktop.

    A faster method to get the full desktop icon to show up in RDWeb so you can download it would be to edit the registry of the broker to manually turn it on:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\CentralPublishedResources\PublishedFarms\<collectionAlias>\RemoteDesktops\<collectionAlias>

    ShowInPortal     REG_DWORD     0x00000001

    Otherwise you could manually edit one of the RemoteApp .rdp files and use rdpsign.exe on the broker to re-sign it when you are finished editing.

    Thanks.

    -TP


    Wednesday, 13 June 2018 15:46
    Moderator
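
The registry edit described in the reply above, as an added PowerShell example that is not part of the original post. The function name `Set-FullDesktopInPortal` is hypothetical and `COLLECTION` is the thread's stand-in alias; it assumes an elevated session on the Connection Broker.

```powershell
# Added example (not from the thread): toggle the full-desktop icon in RDWeb
# by setting ShowInPortal on the broker, using the key path quoted in the post.
function Set-FullDesktopInPortal {
    param(
        [Parameter(Mandatory)][string]$CollectionAlias,   # e.g. 'COLLECTION' (assumed alias)
        [bool]$Show = $true
    )

    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\' +
           "CentralPublishedResources\PublishedFarms\$CollectionAlias\RemoteDesktops\$CollectionAlias"

    # Do not create the key: if it is missing, the alias is wrong or this
    # machine is not the broker that publishes the collection.
    if (-not (Test-Path -LiteralPath $key)) {
        throw "Key not found, check the collection alias: $key"
    }

    # Record the previous value so the change can be reviewed or reverted.
    $before = (Get-ItemProperty -LiteralPath $key -Name ShowInPortal `
                   -ErrorAction SilentlyContinue).ShowInPortal

    Set-ItemProperty -LiteralPath $key -Name ShowInPortal -Type DWord -Value ([int]$Show)

    # Read the value back rather than trusting the write.
    $after = (Get-ItemProperty -LiteralPath $key -Name ShowInPortal).ShowInPortal

    [pscustomobject]@{
        Key    = $key
        Before = $before
        After  = $after
    }
}

# Usage: show the full desktop for the collection, then refresh the RDWeb page.
Set-FullDesktopInPortal -CollectionAlias 'COLLECTION'
```
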
  • Hi James,

    A faster method to get the full desktop icon to show up in RDWeb so you can download it would be to edit the registry of the broker to manually turn it on:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\CentralPublishedResources\PublishedFarms\<collectionAlias>\RemoteDesktops\<collectionAlias>

    ShowInPortal     REG_DWORD     0x00000001

    -TP

    Wednesday, 13 June 2018 16:06
    Moderator
  • Thanks TP, we were just running MSTSC locally and connecting to the broker.

    Will take a look at the above changes and report back, may not be till tomorrow. Thanks.

    Thursday, 14 June 2018 09:41
  • Had some time to look at this. The way the customer wants to access this is RemoteApp for published apps and the handful of people on slow connections he wants them to launch MSTSC from their PC and connect in to the server that way.

    It does work, but the certificates are acting strange.

    Again, certs work perfectly for published apps.

    We have a DNS entry, collection.domain.lan which points to the broker (have also tried round robin to the 2 RDS servers).

    Interestingly.

    A) if via MSTSC, I connect to "Collection" - The cert that it warns me about is the internal CA Wildcard I have configured in RDS (which you would expect)

    B) If via MSTSC I connect to FQDN of "Collection.domain.lan" I get a cert warning for the Self Signed cert of the RDS SH server itself.

    2 thoughts.

    1) Is there a way to control which cert gets used in case B)? It is obviously not anything to do with any of the RDS Connection Broker / Session configuration.

    2) Is this because I am using a wildcard SSL, would I be better swapping that SSL out for an internal CA SAN certificate, that has the names

    Collection,

    Collection.domain.lan

    RDSBroker.Domain.Lan

    Sessionhost.Domain.Lan (1 and 2).

    What do you think?

    There must be a way to control which SSL is being used in case B), I'm just not sure where that setting is?

    Thursday, 14 June 2018 12:21
  • Hi,

    Try downloading the .rdp file for full desktop from RDWeb (after you have everything configured), and distribute this to the handful of people.  They can save the .rdp file on their desktop and double-click it when they want to connect.

    In this way, they will be using the correct settings to connect and will connect to the broker first and be redirected to a RDSH just like the RemoteApp users.

    -TP

    Thursday, 14 June 2018 12:27
    Moderator
  • Yeah, will be doing that this afternoon thanks.

    But have found out we might also have some thin clients which adds to the issue.

    Thing is, it works, but we get certificate mismatch errors.

    MSTSC to the collection.domain.lan and it works, you login, get cert warning and say OK, it works just fine.

    There must be a way to switch which certificate answers this call. If there is, then this would be done.

    Thursday, 14 June 2018 13:46
  • Yeah, will be doing that this afternoon thanks.

    But have found out we might also have some thin clients which adds to the issue.

    Thing is, it works, but we get certificate mismatch errors.

    MSTSC to the collection.domain.lan and it works, you login, get cert warning and say OK, it works just fine.

    There must be a way to switch which certificate answers this call. If there is, then this would be done.

    Hi,

    Thin clients that are designed for Server 2012 (preferably designed for Server 2016) and higher should be used.  In this way the thin client will connect to the broker, verify the broker's certificate, and be redirected to the RDSH, similar to what happens from a Windows PC.  Updated thin clients will also support other features of the latest versions of RDP for the best user experience.

    -TP

    Tuesday, 19 June 2018 18:18
    Moderator