none
RemoteApp Source not working from RDWeb RRS feed

  • Question

  • I have 2 servers at the moment managed by a connection broker. If I choose a RemoteApp source instead of RD conncection broker then 1 of my servers populates all the apps fine. If I choose the other host then it errors and says 'RD Web Access was not able to access xxxx. Verify that the RD Session Host server name was entered correctly, that the server is running and connected to the network, and try again.' All the servers are R2 and I can RDP to each of the session hosts fine.
    Amit MCSA 2003, VCP, CCA, MCTS:2008 AD
    Tuesday, September 29, 2009 6:51 AM

Answers

  • We use WMI to communicate with the RDSH server. Various issues can cause WMI to deny access or return error codes. Here's a few things you can try:

    1.  Check if the "TS Web Access Computers" security group on the RDSH server has incorrect permissions in DCOM and/or WMI:

       For checking DCOM security settings:
       1. Start the Component Services MMC snapin
       2. Navigate to Component Services -> Computers -> My Computer
       3. Right-click on My Computer and select properties
       4. Go to the COM Security tab
       5. Under Access Permissions, click the Edit Limits button
       6. Ensure that TS Web Access Computers is in the list, with all of the permissions set to “allow”.
       7. Under Launch and Activation Permissions, click the Edit Limits button
       8. Ensure that TS Web Access Computers is in the list, with all of the permissions set to “allow”.

       For checking WMI security settings:
       1. Start the WMI Control MMC snapin
       2. Right-click the WMI Control node and select properties
       3. Go to the Security tab
       4. Navigate to Root->CIMV2->TerminalServices
       5. With TerminalServices selected, click the Security button
       6. Ensure that TS Web Access Computers is in the list with Execute Methods, Enable Account, and Remote Enable set to "allow"

    2.  Verify the RD Session Host server's firewall allows WMI calls.

    3. Verify that the RD Connection Broker hasn't lost its trust relationship with the domain.

    4. See if non-RDS related WMI calls can be successfully made to the RDSH server. This can help differentiate between a general WMI issue and an issue calling the RDS WMI provider.

    Hope that helps,
    Travis

    Wednesday, September 30, 2009 6:37 PM
    Moderator
  • Travis - I think you hit the nail on the head...thanks for that. It was the WMI security settings. Not sure why but the TS Web Access Computers was missing and once adding this and setting the security right I can now talk the server from the RD Connection Broker.
    Amit MCSA 2003, VCP, CCA, MCTS:2008 AD
    • Marked as answer by Amit Ace Friday, October 2, 2009 7:58 AM
    Thursday, October 1, 2009 7:44 AM

All replies

  • Hi Amit,

    Have you verified that the other host is actually up and running? It seems like a silly question, but the connection broker caches the list of RemoteApps it retreives from the RDSH servers, so it is possible that you might be seeing cached results when RDWA is pointing to the connection broker. Also try looking at the event log for the RemoteApp and Desktop Connection Management service on the RD Connection Broker machine (Applications and Services Logs\Microsoft\Windows\RemoteApp and Desktop Connection Management) and see if there are any errors communicating with the other host there.

    If that all checks out, and only the RDWA server cannot communicate with the RDSH server, then here are a few more things to check:
    - Can you successfully make other connections from the RDWA server to the RDSH server? I.e., is this a networking issue between the two machines?
    - Is the RDWA server in the "TS Web Access Computers" security group on the RDSH server?

    Hope that helps,
    Travis
    Tuesday, September 29, 2009 6:15 PM
    Moderator
  • I think you've found it but not sure what my next step is.

    On my RD Connection broker / web access box I am getting events 'Access to the WMI interface on the Remote Desktop Session Host server xxxxx was denied. Add the Remote App and Desktop Management computer to the TS Web Access Computers security group on xxxxx.'

    I have checked the security group on the session host and the TS Web Access computer is in there. Not sure what my next move is ? All servers can ping each other fine and there are no network issues between them.
    Amit MCSA 2003, VCP, CCA, MCTS:2008 AD
    Wednesday, September 30, 2009 7:10 AM
  • We use WMI to communicate with the RDSH server. Various issues can cause WMI to deny access or return error codes. Here's a few things you can try:

    1.  Check if the "TS Web Access Computers" security group on the RDSH server has incorrect permissions in DCOM and/or WMI:

       For checking DCOM security settings:
       1. Start the Component Services MMC snapin
       2. Navigate to Component Services -> Computers -> My Computer
       3. Right-click on My Computer and select properties
       4. Go to the COM Security tab
       5. Under Access Permissions, click the Edit Limits button
       6. Ensure that TS Web Access Computers is in the list, with all of the permissions set to “allow”.
       7. Under Launch and Activation Permissions, click the Edit Limits button
       8. Ensure that TS Web Access Computers is in the list, with all of the permissions set to “allow”.

       For checking WMI security settings:
       1. Start the WMI Control MMC snapin
       2. Right-click the WMI Control node and select properties
       3. Go to the Security tab
       4. Navigate to Root->CIMV2->TerminalServices
       5. With TerminalServices selected, click the Security button
       6. Ensure that TS Web Access Computers is in the list with Execute Methods, Enable Account, and Remote Enable set to "allow"

    2.  Verify the RD Session Host server's firewall allows WMI calls.

    3. Verify that the RD Connection Broker hasn't lost its trust relationship with the domain.

    4. See if non-RDS related WMI calls can be successfully made to the RDSH server. This can help differentiate between a general WMI issue and an issue calling the RDS WMI provider.

    Hope that helps,
    Travis

    Wednesday, September 30, 2009 6:37 PM
    Moderator
  • Travis - I think you hit the nail on the head...thanks for that. It was the WMI security settings. Not sure why but the TS Web Access Computers was missing and once adding this and setting the security right I can now talk the server from the RD Connection Broker.
    Amit MCSA 2003, VCP, CCA, MCTS:2008 AD
    • Marked as answer by Amit Ace Friday, October 2, 2009 7:58 AM
    Thursday, October 1, 2009 7:44 AM
  • Are you running these servers in a virtual environment?  Did you use a tool to clone an initial server? 

    I am seeing the same issues related to creating a VM and running sysprep then cloning it with TS roles already installed.

    I am seeing orphaned SIDS instead of the group missing.  I was unable to assign a bacend TS server to Web Access.  I added the group back in and the apps appeared.



    Thanks,

    Mike
    Tuesday, December 15, 2009 5:02 PM
  • I can verify the same thing happened to me.  It was in the WMI Contol MMC under "Root->CIMV2->TerminalServices" Security.  There was an orphaned SID that had the appropriate rights.  I had to add the "TS Web Access Computers" group back in and grant the appropriate rights.
    Wednesday, May 26, 2010 1:38 AM
  • I had the exact same problem.  TS Web Access computers was missing from the WMI security settings.  It showed a SID with the settings.  This server was built as a clone from another server.  I ran sysprep on the server, and then used Acronis to image it to a second server.  Is that the root cause of the missing security?
    Thursday, February 17, 2011 5:42 PM
  • This post saved my day!  I ran into this issue due to using sys prep with the RDS service installed.
    Wednesday, July 27, 2011 8:51 PM
  • Also had this problem. But afer checking the group, dcom security, wmi security still no success.

    After a lot of debugging figured out the the RDWeb server still was not able to do the WMI call to the RD hosts.
    but after making the change below it works

    1. Start IIS
    2. go to Application Pools
    3. Select RDWebAccess
    4. Go to Advanced settings
    5. under Process Model change the identity to the domain administrator and password
    6. do a iisreset

    After those changes it works for us.
    Checked with a comparable situation here the identity was internal network tried to change it this and do a iisreset but did not work.
    know the domain administrator has to much rights. Have to look into this later.

    Think the problem is related to the fact the RD WebAccess is also domain controller.
    please let me know if this solution helps you, and let me know if the RD Webaccess is also domain controller in your situation

    • Proposed as answer by Brian Rapier Tuesday, August 30, 2011 4:26 PM
    Friday, August 12, 2011 9:05 PM
  • ThaAlso had this problem. But afer checking the group, dcom security, wmi security still no success.

    After a lot of debugging figured out the the RDWeb server still was not able to do the WMI call to the RD hosts.
    but after making the change below it works

    1. Start IIS
    2. go to Application Pools
    3. Select RDWebAccess
    4. Go to Advanced settings
    5. under Process Model change the identity to the domain administrator and password
    6. do a iisreset

    After those changes it works for us.
    Checked with a comparable situation here the identity was internal network tried to change it this and do a iisreset but did not work.
    know the domain administrator has to much rights. Have to look into this later.

    Think the problem is related to the fact the RD WebAccess is also domain controller.
    please let me know if this solution helps you, and let me know if the RD Webaccess is also domain controller in your situation

    Thanks for this, I had run into this issue before after an MS Update that took days to get working again, after uninstalling the patch that caused the issue.  I cannot remember the full patch ID, but the last part was 9917.  Now after another update the issue shows up again.....

    Changing this setting worked like a charm.  Though I used "Network Service" over a Domain Admin account.

     

    Brian

    Tuesday, August 30, 2011 4:26 PM
  • Thank you that one, fixed my issue.

    RD Web Access was not able to access the RD Session Host server ts02.--.com.au. Verify that the computer account of the RD Web Access server is added to the TS Web Access Computers security group on the RD Session Host server.
    event 8 RADWebaccess

    Tuesday, July 24, 2012 6:36 AM
  • Also had this problem. But afer checking the group, dcom security, wmi security still no success.

    After a lot of debugging figured out the the RDWeb server still was not able to do the WMI call to the RD hosts.
    but after making the change below it works

    1. Start IIS
    2. go to Application Pools
    3. Select RDWebAccess
    4. Go to Advanced settings
    5. under Process Model change the identity to the domain administrator and password
    6. do a iisreset

    After those changes it works for us.
    Checked with a comparable situation here the identity was internal network tried to change it this and do a iisreset but did not work.
    know the domain administrator has to much rights. Have to look into this later.

    Think the problem is related to the fact the RD WebAccess is also domain controller.
    please let me know if this solution helps you, and let me know if the RD Webaccess is also domain controller in your situation

    I attempted this solution as well as using a Domain Admin OR the Network Service account but changing this option breaks RD Web access entirely (yes I did do an iisreset).

    The RD Web access will only funciton under ApplicationPoolIdentity.


    • Edited by IQ_IT Wednesday, August 8, 2012 5:27 PM
    Wednesday, August 8, 2012 5:26 PM
  • I had the same exact problem, and this solution fixed my issue as well.  I also cloned a VM, then did a sysprep to change the SID which led me to this issue.  Thanks to all involved, this was a HUGE help.  I also wanted to add that in addition to modifying the WMI security settings to add the TS Web Access Computer group, I also had to re-import the security certificate(s) and re-add them to RemoteApp Manager under Digital Signature Settings - I hope this helps someone as this thread has helped me.

    Thank you!!!

    Thursday, November 29, 2012 8:41 PM
  • Just wanted to acknowledge. This solution worked for me. I was just initially installing RDWA, RDSH, and RDCB and encountered this issue :

    "RD Web Access was not able to access the RD
    Connection Broker server specified. Ensure that the computer account of the RD
    Web Access server is a member of the TS Web Access Computers security group on the RD Connection Broker server."

    I checked all the DCOM and WMI settings and they're all good so I looked at the IIS and followed Christian's solution.

    Allan

     

    • Edited by SystechVan Friday, December 21, 2012 5:56 PM
    Friday, December 21, 2012 5:54 PM
  • Thank you very much for the fix to this issue.

    We had a VMWare server crash and I manually moved the VM's to another host. During the move VMWare asked if the VM was copied or moved, I selected move.

    When the server came up it did a WMI auto recovery (event ID 65) and reregistered some components (event ID 63).

    The permissions for the  "TS Web Access Computers" group was missing in Root->CIMV2->TerminalServices.

    Sunday, January 6, 2013 4:05 PM
  • I have had this issue several times over the past few months. I was well familiar with this post, it was in my favorites, I have had to reset the rights on WMI each time. I was reading up on this again this week, and looking at making the IIS change above, as I had been treating the symptom but not the disease. On Friday this happened again, and correcting the WMI rights did not fix the issue. We wound up re-applying SP1 with a Microsoft engineer, and then he did the following, which appreas to have fixed the issue. Perhaps the IIS identity stuff above is the same sort of fix, but I thought I'd post it as an alternative solution. The MS engineer's name was Ritesh. Here's what he did: Full control rights for the iiswebpool\rdwebaccess account were applied to the c:\windows\web\rdweb\app_data\rdwebaccess.config file and the c:\windows\web\rdweb\pages\rdp folder on the RD Web Access portal server. This resolved the issue of one TS server's failure to report remoteaccess icons resulting in ALL system icons not being displayed. This scenario was successfully tested with Ritesh still on the line to confirm. The IIS identity item above may accomplish the same thing, and I may still try applying it later, but for now adding these 2 rights fixed it for me. I still have no fix for why the WMI rights disappeared in the first place.
    Monday, January 21, 2013 6:08 PM
  • I to have had this issue.  Whats differnt for me  is the WMI permissions are constantly getting reset.  Either on restart or overnight.  Has anyone seen this?  I've come accross this:

    This one talks to writing a script to get them to repopulate but I am hesistant to do this as it looks like it was in beta when they were discussing this fix

    http://technet.microsoft.com/en-us/library/ee891251(v=ws.10).aspx

    I also went through all of this as well

    http://technet.microsoft.com/en-us/library/ee891251(v=ws.10).aspx

    Tuesday, January 22, 2013 1:50 PM
  • I to have had this issue.  Whats differnt for me  is the WMI permissions are constantly getting reset.  Either on restart or overnight.  Has anyone seen this?  I've come accross this:

    This one talks to writing a script to get them to repopulate but I am hesistant to do this as it looks like it was in beta when they were discussing this fix

    http://technet.microsoft.com/en-us/library/ee891251(v=ws.10).aspx

    I also went through all of this as well

    http://technet.microsoft.com/en-us/library/ee891251(v=ws.10).aspx

    I'm in the same boat as Howard, Martin and others. Our RDSH servers reset WMI settings on reboot, happens on 4 out of 5 servers. Pretty serious problem, since it breaks our RDWeb platform. >_<

    Howard, you mention 2 links, but you pasted the same link twice. Could you find the link to the script you mention? I would like to have a look at it.

    Oh, and our servers were NOT cloned. Clean installs from Windows Deployment Server.

    Cheers
    Simon


    Edit/Update: Happens on random servers. 1st reboot, WMI settings were gone on servers 1,2,3 and 5. Next reboot it was only server 3.
    Thursday, January 24, 2013 9:36 AM
  • We logged a support incident with MS support (113012410163979 in case somebody's interested), and I think the problem is solved now.

    I have restarted both RDSH's and RDweb servers at least 10 times today, and haven't seen the issue reappear, but I still had some event ID 1000 and 1010 in the RemoteApp and Desktop Connection Management/Admin. Please give this a try if you have the same issue, and let us know what your results are. Mileage may vary, and use at your own risk and blah blah. :)

    Here is the response I got from MS support. The part I think helped out was section 3 (last one) - Rebuilding the WMI repository on each RDSH and RDweb server.

    Please confirm if you have perform the following steps:
    ==============
    •Add the RD Connection Broker computer account to the TS Web Access Computers group on the RD Session Host server.
    •Modify the DCOM permissions on the RD Session Host server.
    •Modify the Windows Management Instrumentation (WMI) security settings on the RD Session Host server.
    
    I noticed that you have added the WMI permission, please also confirm if the DCOM permission is corrected.
    
    After that please try to reboot the RDS servers to test if this issue still occurs, if this issue still occurs on some servers, please collect the following steps:
    =================
    1.    Please let me know the details for the RDweb failure, can you logon the RDweb of if the RemoteApp icons are unable to be listed. Please capture a screenshot to us.
    2.    Please perform the following steps on the affected server to test if the WMI basic query works.
    -------------------
    Run wbemtest, connect the namespace root\cimv2
     Click Query… and enter query as:
     
    Select * from Win32_ComputerSystem.
    
              Note: If the WMI query works, above command will list the computer name.
    
    3.    Please try to rebuild the WMI Repository on the affected RDS server and the RDweb server.
    =========================
    a. Disable and stop the WMI service.
    sc config winmgmt start= disabled
    net stop winmgmt
    b. At a command prompt (cmd), change to the WBEM folder.
    cd %windir%\system32\wbem
    c. Rename the repository folder
    rename repository repository.old
    d. Re-enable the WMI service.
    sc config winmgmt start= auto
    e. Run the following command to manually recompile all of the default WMI .mof files and .mfl files
    cd %windir%\system32\wbem
    for /f %s in ('dir /b *.mof *.mfl') do mofcomp %s
    

    Cheers

    Simon

    Monday, January 28, 2013 1:55 PM
  • Hey Simon,

    Definately been through that process before including step 3.  I will try it again and see if it works.   If not I will open a case as well.  I am sorry but I couldn't find the other link.  I will post as soon as I do.

    If you still get the 1010 errors then some of your servers have already dropped their wmi permissions.  Double check all your servers to make sure they all have the permissions set.


    Tuesday, January 29, 2013 9:01 PM
  • Another thing we did to our problem server was to use a scheduled task to do a salvage repository on WMI

    C:\Windows\System32\wbem\WinMgmt.exe /salvagerepository

    It does this every morning after the server reboots.  So far so good, although we did wind up applying 2 fixes at once, so I don't have proof of which one is truly helping.

    YMMV.

    Thursday, January 31, 2013 5:19 PM
  • Same problem, same fix! Took me real long time, pulled a lot of hair, glad to saw this post! For me it was the WMI sec settings, they disappeared after a Windows patch round. My App sources are even physical boxes, so no movement or whatsoever involved.

    All kudos!

    Friday, May 24, 2013 1:11 PM
  • Same here.  Added some sysprepped VM's to the farm and experienced issues in the WMI security settings.  At least I know what to look for now!  :-)

    Terrence O'Leary Senior Tech Support Rep Verdiem Power Management for PC Networks T: 206.708.8256 F: 206.838.2801 http://www.verdiem.com

    Thursday, June 13, 2013 8:43 PM
  • GOLD, thanks Travis

    WMI Security had changed on our host's, must have been an update.

    Very happy I came by this post.

    Monday, July 7, 2014 5:30 AM
  • Hi IQ_IT,

    I feel I am in the same boat as you were some time ago. DCOM and WMI are setup correctly and when I swap the IIS AppPool ID to anything other than standard "Application Pool Identity" then the website breaks. (that includes network service or domain admin)

    Did you manage to over come by any means? I have a feeling there is a security issue locally to the web server given that it is breaking when running as domain admin.

    Thanks,
    Tom

    Wednesday, June 24, 2015 10:31 AM
  • Esto ha sido la solución, muchas Gracias.
    Wednesday, September 30, 2015 4:11 PM
  • I had the SAME problem because my server was as a Domain Administrator , which generated conflict with the RD Web Access . Taken as a Domain Administrator and able to access without problems. Thank you.
    Wednesday, February 10, 2016 4:44 PM