Solved

External users cannot connect to RDS Farm (Azure).

Posted on 2014-01-25
Last Modified: 2014-11-12
Hi Experts,

I hope someone is able to help me with this. I have searched high and low, but have not found a solution.

Here we go:

I have set up an RDS Farm in Microsoft Azure, consisting of the following servers:

KRPDC01 (Domain Controller / Active Directory / DNS Server)
KRPSH01 (Remote Session Host #1)
KRPSH02 (Remote Session Host #2)
KRPCB01 (Connection Broker)

All servers are Windows 2012 R2 Datacenter

I have installed the respective Remote session roles on the above servers and added my group of users to the "Remote Desktop Users" group on each Session Host server.

At first glance it seems to work. I seem to be able to connect to the farm with the first user. But most of the time, when a second user tries to connect to the same farm, the login hangs for a time, and the connection is refused with this message:

"Remote Desktop cannot connect to the remote computer for one of the following reasons:

1) Remote Access to the server is not enabled
2) The Remote Computer is turned off
3) The Remote Computer is not available on the network

Make sure that the remote computer is turned on and connected to the network, and that remote access is enabled."



Sometimes not even the first user can connect to the farm at all with the same error message.


I have looked into the logs on the connection broker, and something interesting shows up.

It seems that whenever the connection broker wants to redirect a user's connection request to a different server than the one that received the connection request, the connection fails. If, however, the connection broker grants the connection to the same server the request is coming from, then the user is logged in.

Here are the log entries when the connection fails:


"RD Connection Broker received connection request for user xxx\testuser.
Hints in the RDP file (TSV URL) = tsv://MS Terminal Services Plugin.1.KRPCLOUD
Initial Application = NULL
Call came from Redirector Server = KRPSH01.xxx.net
Redirector is configured as Farm member"


Followed by:

"RD Connection Broker successfully processed the connection request for user xxx\testuser. Redirection info:
Target Name = KRPSH02
Target IP Address = 10.4.3.7
Target Netbios = KRPSH02
Target FQDN = KRPSH02.xxx.net
Disconnected Session Found = 0x0"


Then a few minutes later this entry is found in the log:

"Remote Desktop Connection Broker Client failed to redirect the user xxx\testuser
Error: NULL"


These are the log entries when the connection is successful:

"RD Connection Broker received connection request for user xxx\testuser
Hints in the RDP file (TSV URL) = tsv://MS Terminal Services Plugin.1.KRPCLOUD
Initial Application = NULL
Call came from Redirector Server = KRPSH02.xxx.net
Redirector is configured as Farm member"


Followed by:

"RD Connection Broker successfully processed the connection request for user xxx\testuser. Redirection info:
Target Name = KRPSH02
Target IP Address = 10.4.3.7
Target Netbios = KRPSH02
Target FQDN = KRPSH02.xxx.net
Disconnected Session Found = 0x0"


And then:

"Session for user xxx\testuser successfully added to RD Connection Broker's database.
Target Name = KRPSH02.xxx.net
Session ID = 2
Farm Name = KRPCLOUD"

And:

"This connection request has resulted in a successful session logon (User successfully logged on to the end point). Remote Desktop Connection Broker will stop monitoring this connection request."


If I connect to one of the other servers on the network - the KRPDC01 - and from there connect to the RDS Farm (internally), then there is no problem receiving the connections. Also, connections where the broker has to redirect the connection to a different Session Host are completed without problems.

I have noticed that when successfully connecting internally, where the connection is redirected by the connection broker, I actually receive 2 certificate warnings: first one from the Session Host that received the connection request, and then shortly after one from the second Session Host (when the connection broker is redirecting the connection), and then the connection is established.

When connecting from the outside, I never get the second certificate warning.


In Azure I have set up an endpoint for Remote Desktop - TCP/3389 on both Session Host servers and on the Connection broker.


As mentioned I am at a total loss, and I hope someone out there is able to help me solve this issue.

Thanks in advance :-)

Regards,

Daniél
Question by:llobello
Expert Comment

by:Patricksr1972
Hi

Do you have additional Remote Desktop Service licenses in place?

Author Comment

by:llobello
Hi,

Sorry, the license server role is installed on the same server as the connection broker. I have merely added the role through server manager.

Daniél

Author Comment

by:llobello
I have not yet added any license packs to the server, but am still running in evaluation mode...

Daniél

Accepted Solution

by:
Cliff Galiher earned 300 total points
You need to set up RDGateway. Azure VMs still run behind NAT so, even though you have created two endpoints, the broker is redirecting to a non-routable IP and then the connection fails. With a gateway in place, this can be avoided, and the RDS wizard in 2012 R2 server manager automates getting this configuration to work.
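
The pattern named in this answer can be confirmed from the broker log itself. The following is an added example, not part of the original thread or of any Microsoft tooling: it pairs each request's redirector with the redirection target and flags requests where the client is sent to a different host at a private address. The function names are assumptions made for this sketch, and the sample text is abridged from the log entries in the question.

```python
import ipaddress
import re

# Broker log text abridged from the question (failed attempt, then successful one).
SAMPLE_LOG = """\
RD Connection Broker received connection request for user xxx\\testuser.
Call came from Redirector Server = KRPSH01.xxx.net
RD Connection Broker successfully processed the connection request for user xxx\\testuser. Redirection info:
Target Name = KRPSH02
Target IP Address = 10.4.3.7
RD Connection Broker received connection request for user xxx\\testuser
Call came from Redirector Server = KRPSH02.xxx.net
RD Connection Broker successfully processed the connection request for user xxx\\testuser. Redirection info:
Target Name = KRPSH02
Target IP Address = 10.4.3.7
"""
FIELD = re.compile(r"^(Call came from Redirector Server|Target Name|Target IP Address)\s*=\s*(.+)$")

def short_name(host):
    """Compare hosts by their first DNS label, case-insensitively."""
    return host.split(".")[0].upper()

def find_unroutable_redirects(log_text):
    """Return one dict per request; 'at_risk' is True when the broker sends the
    client to a different host whose address is private (RFC 1918 etc.)."""
    requests, current = [], None
    for line in log_text.splitlines():
        line = line.strip().strip('"')
        if "received connection request" in line:
            current = {}          # a new request starts here
            requests.append(current)
            continue
        m = FIELD.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    report = []
    for r in requests:
        redirector = r.get("Call came from Redirector Server", "")
        target = r.get("Target Name", "")
        ip = r.get("Target IP Address")
        if redirector and target and ip:  # skip incomplete entries
            redirected = short_name(redirector) != short_name(target)
            private = ipaddress.ip_address(ip).is_private
            report.append({"redirector": redirector, "target": target, "ip": ip,
                           "at_risk": redirected and private})
    return report

if __name__ == "__main__":
    print(find_unroutable_redirects(SAMPLE_LOG))
```

An `at_risk` entry matters only for clients outside the virtual network; clients inside it can reach the private address, which matches the internal behaviour described in the question.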

Author Comment

by:llobello
Hi Cliff,

That sounds as if it would fix my problems. I will install the gateway later and let you know.

Thanks,

Daniél