RDS Gateway Slow Initial Connection

  • Question

  • Hi, I'm having a few issues with Remote App being slow during the initial connection (after the fact, no problems). The average initial connection is anywhere from 10 seconds to 2 minutes when connecting externally. Internally the connection varies but not nearly as bad and is usually around 10 seconds. I'm working my way through the event logs under: TerminalServices-ClientActiveXCore on the client machine. A lot of the errors in this event log are not very "google/bing" friendly.

    My Setup

    Server 1 (virtual): Gateway,Broker,License Server

    Server 2 (virtual):Session Host

    Server 3 (virtual):Session Host

    Server 4 (Physical):Session Host

    Here are the 3 most common errors:

    Component name:CAAClientAdapter, :: 'm_spHelper->ReadCreds failed' in CAAClientAdapter::CreateTunnel at 380 err=[0xffffffff], Error code:0xFFFFFFFF

    Component name:CAAHttpClientTunnel, :: 'Workspace ID was obtained, but it does not smell like a GUID (SERVERNAME.XXXX.org)' in CAAHttpClientTunnel::ObtainWorkspaceId at 3819 err=[0x0], Error code:0x0

    Component name:CheckInternetConnectionTask, :: 'Internet-connection is alive. Server checked: http://www.microsoft.com' in CheckInternetConnectionTask::ExecuteTask at 3625 err=[0x0], Error code:0x0

    Can anyone shed some insight on these errors? I assume the first one is some kind of credentials check but I'm not certain where to start on that and am uncertain on the other 2. Any help is greatly appreciated.

    Monday, October 1, 2018 7:04 PM

All replies

  • Hi,

    In general, if an RD client is outside of a corporate network, the client connects through an RDG. It then connects to the intended RDSH/RDVH once the RDCB provides the connection information.

    I am not sure whether it is a multi-homed RD Gateway, or whether there is a large number of remote sessions in your environment. If possible, you can consider building a dedicated RD Gateway and confirm whether it improves the performance of external remote sessions.

    >I'm working my way through the event logs under: TerminalServices-ClientActiveXCore on the client machine.
    Please provide the detailed Event ID of the events you mentioned.

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, October 2, 2018 3:09 AM
    Moderator
  • The Event ID is 1033 for the errors. I forgot to mention all OSes are Server 2016, and as far as load there are only about 35 users connecting, split across 3 separate Session Host servers. I just want to make sure I don't have something misconfigured. The errors listed above always occur when first connecting. There is another error later on during the connection but I believe it is related to one of the UDP channels not connecting on Server 2016. My Gateway server is locked down by the external firewall and only allows HTTPS 443 and UDP 3391.

    Tuesday, October 2, 2018 12:54 PM
  • Hi,

    >My Gateway server is locked down by the external firewall and only allows HTTPS 443 and UDP 3391.
    In general, port TCP 443 should be opened to allow HTTPS traffic from the client sitting on the Internet to the RD Gateway server.

    Based only on Event ID 1033 with source TerminalServices-ClientActiveXCore, it is difficult to identify the details.

    Also, as mentioned, internal clients, which do not use RD Gateway, did not have this problem. If possible, please simplify/disable policies on the Gateway and run a test to check the result.

    Besides, please check the events on the RD Gateway and confirm whether any related event has been logged:
    Event Viewer – Applications and Services Logs – Microsoft – Windows – TerminalServices and RemoteDesktopServices

    Best Regards,
    Eve Wang

    Wednesday, October 3, 2018 8:31 AM
    Moderator
  • I would like to point out that I am receiving these errors internally as well (different Windows 10 machine but still 1803), but the internal connection on average is faster. I suspect this is because of the shortest path to the server vs. external infrastructure, and because I believe authentication is using Kerberos when internal, if I'm not mistaken. My security settings are as follows on the Gateway server.

    Server 2016 OS Version 1607 (OS Build 14393.2485)

    SSL (TLS 1.0)

    Encryption Level: High

    Enabled: Allow connections only from computers running Remote Desktop with Network Level Authentication

    The Logon Method is Password Authentication

    Bypass RD Gateway server for local addresses is NOT checked.

    Also, I noticed on Server 2016 that one of the UDP channels is not connecting.

    Component name:CAAUDPClientChannel, :: 'Received connect response with MTU - U[1132], D[1232]' in CAAUDPClientChannel::InternalConnect at 1543 err=[0x0], Error code:0x0

    This seems to be a known issue https://blog.workinghardinit.work/2016/12/08/changes-in-rdp-over-udp-behavior-in-windows-10-and-windows-2016/ but I have found nothing from Microsoft regarding this issue. I would like to point out that my server does not have HTTP enabled at all. Does the Remote App first attempt communication on HTTP 80 then set up a tunnel on HTTPS 443?

    Wednesday, October 3, 2018 1:07 PM
  • I did check the event logs on the server and almost all of the terminal server gateway logs look good, no errors. I do notice an error in the System log occasionally:

    EVENT ID:7036

    The program lsass.exe, with the assigned process ID 732, could not authenticate locally by using the target name TERMSRV/PUBLICFQDN.ORG. The target name used is not valid. A target name should refer to one of the local computer names, for example, the DNS host name.

    The error seems to be referencing the public name we use to connect to the gateway (which is different than the name of the server).

    Wednesday, October 3, 2018 2:50 PM
  • Hi,

    >Does the Remote App first attempt communication on HTTP 80 then setup a tunnel on HTTPS 443?
    Clients -> RD Web:
    TCP port 443(HTTPS).

    Clients -> RD Gateway:
    TCP 443 - HTTP (includes RPC over HTTP) over SSL.
    UDP 3391 - RDP/UDP.

    RDS 2012: Which ports are used during deployment:
    https://social.technet.microsoft.com/wiki/contents/articles/16164.rds-2012-which-ports-are-used-during-deployment.aspx

    As there is no specific error during connection, and in order to find more information about the connection delay, we may need to capture packets on both the client and the RDS system, using a tool such as Network Monitoring, etc.

    The communication packets would provide more detailed information and help to find the root cause of the problem.

    Best Regards,
    Eve Wang

    Friday, October 5, 2018 6:54 AM
    Moderator
  • One thing that is of concern before checking any network-related issues. I notice in the event log there is clearly a timeout occurring in the sequence of errors when first connecting, as noted by the third error below. Is there any way to adjust the connection timeout from 90?

    Component name:CAAClientAdapter, :: 'm_spHelper->ReadCreds failed' in CAAClientAdapter::CreateTunnel at 380 err=[0xffffffff], Error code:0xFFFFFFFF

    Component name:CClientProxyTransport, :: 'm_ClientAdapter->CreateTunnel failed' in CProxyRawTrans::CreateProxyConnection at 2119 err=[0x800759d9], Error code:0x800759D9

    Component name:CClientProxyTransport, :: 'Gateway connection time out is 90' in CClientHTTPProxyTransport::Connect at 1196 err=[0x800759d9], Error code:0x800759D9

    Component name:CClientProxyTransport, :: 'CreateConnection failed' in CClientHTTPProxyTransport::Connect at 1205 err=[0x800759d9], Error code:0x800759D9

    Component name:CClientProxyTransport, :: 'Gateway Error' in CClientProxyTransport::SetErrorStatus at 2853 err=[0x800759d9], Error code:0x800759D9

    This same sequence of errors always occurs internally and externally. I also notice the local host name of the server is being presented in the credentials prompt. Is this an issue? The connection does connect eventually but I would think that the external server name would appear here (the external name does appear when you first double-click the RDP file).

    Friday, October 5, 2018 2:10 PM
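
Added example, not part of any post in the thread: one way to see where the initial-connection delay falls is to parse the Event ID 1033 messages quoted above and measure the time between consecutive entries. The input format (one `timestamp<TAB>message` line per event), the timestamps and the function names are assumptions made for this sketch; only the message texts come from the thread, so the gap it reports says nothing about the poster's environment.

```python
import re
from datetime import datetime

EVENT_RE = re.compile(  # message shape of the Event ID 1033 entries quoted in the thread
    r"Component name:(?P<component>\w+), :: '(?P<text>.*)' in "
    r"(?P<function>[\w:]+) at (?P<line>\d+) err=\[(?P<err>0x[0-9a-fA-F]+)\]")

# Constructed export, one "timestamp<TAB>message" per line. Message texts are
# from the thread; the timestamps are invented (the thread gives none).
SAMPLE = """\
2018-10-05T14:00:01\tComponent name:CAAClientAdapter, :: 'm_spHelper->ReadCreds failed' in CAAClientAdapter::CreateTunnel at 380 err=[0xffffffff], Error code:0xFFFFFFFF
2018-10-05T14:00:01\tComponent name:CClientProxyTransport, :: 'm_ClientAdapter->CreateTunnel failed' in CProxyRawTrans::CreateProxyConnection at 2119 err=[0x800759d9], Error code:0x800759D9
2018-10-05T14:00:02\tComponent name:CClientProxyTransport, :: 'Gateway connection time out is 90' in CClientHTTPProxyTransport::Connect at 1196 err=[0x800759d9], Error code:0x800759D9
2018-10-05T14:00:02\tComponent name:CClientProxyTransport, :: 'CreateConnection failed' in CClientHTTPProxyTransport::Connect at 1205 err=[0x800759d9], Error code:0x800759D9
2018-10-05T14:00:02\tComponent name:CClientProxyTransport, :: 'Gateway Error' in CClientProxyTransport::SetErrorStatus at 2853 err=[0x800759d9], Error code:0x800759D9
2018-10-05T14:00:44\tComponent name:CAAUDPClientChannel, :: 'Received connect response with MTU - U[1132], D[1232]' in CAAUDPClientChannel::InternalConnect at 1543 err=[0x0], Error code:0x0
"""

def parse_events(export):
    """Parse the export into time-ordered dicts; non-matching lines are skipped."""
    events = []
    for raw in export.splitlines():
        stamp, _, message = raw.partition("\t")
        m = EVENT_RE.search(message)
        if m:
            events.append({"time": datetime.fromisoformat(stamp.strip()),
                           "component": m["component"], "text": m["text"],
                           "function": m["function"], "err": int(m["err"], 16)})
    return sorted(events, key=lambda e: e["time"])

def largest_gap(events):
    """Return (seconds, event_before, event_after); needs at least two events."""
    before, after = max(zip(events, events[1:]),
                        key=lambda p: p[1]["time"] - p[0]["time"])
    return (after["time"] - before["time"]).total_seconds(), before, after

def failures_by_code(events):
    """Group message texts by non-zero err value; 0x0 entries are informational."""
    grouped = {}
    for e in events:
        if e["err"]:
            grouped.setdefault(f"0x{e['err']:08X}", []).append(e["text"])
    return grouped

if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    secs, before, after = largest_gap(evs)
    print(f"{secs:.0f}s of silence after '{before['text']}' in {before['function']}")
    print(failures_by_code(evs))
```

Comparing the entry on either side of the longest gap with the gateway-side logs for the same interval shows which side was waiting.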