Solved

Unable to access RDP session of a host in a Windows 2012 RDS farm.

Posted on 2016-07-27
Last Modified: 2016-07-28
We have a Windows 2012 RDS farm that contains 3 RDS hosts.  When I try to access a published app as a domain user, I am getting an error "The user was denied access".  

When I try to RDP to a farm host as a domain user, I am getting "The requested session access is denied".  

I have already made sure the local Remote Desktop User Group includes mydomain\domain users.

Please advise where I should look.

Thanks,
Question by:nav2567
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 41731826
How did you configure the farm? If you used Server Manager and created a collection, you add users/groups there (by default) and don't need to edit the local Remote Desktop Users group manually at all. But if you try to forcibly configure everything by hand, you'll definitely have issues as the RDCB will not have the appropriate policies to properly redirect and therefore will close the connection, even if you edit groups manually. 2012 relies on the RDCB role far more heavily than previous versions of Windows.
0
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 41731862
While the link you provided is indeed a Microsoft property, they are in turn linking to a non-Microsoft property. Which isn't to say the advice is necessarily bad, but sometimes independent authors change things and clarity gets lost or other changes occur.

I'd recommend this guide instead. It is more concise, far fewer links, but still covers all of the same steps. And perhaps I missed it, but editing the local remote desktop group didn't seem to be mentioned in the guide you linked to either. So, again, going off the rails can have unintended consequences.

https://blogs.technet.microsoft.com/askperf/2012/10/30/windows-8-windows-server-2012-remote-desktop-management-server/

The blog post I am linking to includes adding users to the deployment and granting permissions to the published app/desktop.
0
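As an added example (not part of the thread and not any poster's code), a PowerShell check of where access is actually granted in a Server 2012 deployment: the collection's user groups and each RemoteApp's own user groups, shown next to the local Remote Desktop Users group on every session host. The broker name is a placeholder, and the script assumes the RemoteDesktop module and PowerShell remoting are available.

```powershell
# Added example: audit RDS access grants per collection (read-only).
# Assumption: $Broker is a placeholder for your RD Connection Broker FQDN.
Import-Module RemoteDesktop

$Broker = 'rdcb01.example.local'

# Servers and roles registered in the deployment. A session host that is
# missing here was not added through the deployment.
Get-RDServer -ConnectionBroker $Broker |
    Select-Object Server, Roles |
    Format-Table -AutoSize

foreach ($collection in Get-RDSessionCollection -ConnectionBroker $Broker) {
    $name = $collection.CollectionName

    # Groups allowed to connect to this collection (set in Server Manager
    # or with Set-RDSessionCollectionConfiguration -UserGroup).
    $cfg = Get-RDSessionCollectionConfiguration -CollectionName $name `
        -UserGroup -ConnectionBroker $Broker
    Write-Output "Collection '$name' user groups: $($cfg.UserGroup -join ', ')"

    # Per-application restrictions; an empty UserGroups value means the app
    # inherits the collection's groups.
    Get-RDRemoteApp -CollectionName $name -ConnectionBroker $Broker |
        Select-Object DisplayName, Alias, UserGroups |
        Format-Table -AutoSize

    # Local group on each session host, for comparison with the collection
    # setting above. Manual additions that do not appear in the collection's
    # user groups are the drift to look for.
    foreach ($sh in Get-RDSessionHost -CollectionName $name -ConnectionBroker $Broker) {
        Write-Output "Local 'Remote Desktop Users' on $($sh.SessionHost):"
        Invoke-Command -ComputerName $sh.SessionHost -ScriptBlock {
            net localgroup "Remote Desktop Users"
        }
    }
}
```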
 

Author Comment

by:nav2567
ID: 41731943
I have read it carefully and do not see anything I have missed in my setup or any difference between your link and the one I use.

Question, when you remote connect to a host in your farm, do you see the below message?

The remote computer ..... that you are trying to connect is redirecting you to another remote computer named .... Remote Desktop Connection cannot verify that the computers belong to the same RD session host server farm.  You must use the farm name not the computer name when you connect to an RD session host server farm.
0
 
LVL 60

Accepted Solution

by:
Cliff Galiher earned 2000 total points
ID: 41731949
I have only seen that when someone is using an external load balancer or has configured round robin DNS. In 2012, all connections should go to the RDCB first, and the RDCB will redirect as needed, and does indeed use individual server names. "Farms" are virtually dead in 2012. Instead you have "collections" and the RDCB balances across servers in a collection, and since RDCB knows those members, it won't throw that error. But a machine with a name mismatching its certificate (which happens when one of the above conditions...load balancer or round robin DNS) mismatches.

I see it often when people follow 2008 habits/guidance.

At this point, since this sounds like a new deployment, I'd tear it down and start fresh. Doing a basic one RDCB, one RDSH server deployment is very straightforward. You can then add additional servers as needed/desired once you've got a functional deployment. But at this point, you've got multiple misconfigurations that are going to muddy the troubleshooting. Faster and easier just to rebuild.
0
 

Author Comment

by:nav2567
ID: 41733285
I have realized that using mstsc.exe, logging in as a regular user to access a host does not work in Windows 2012.  I have to actually use either an RDWEB/RDP file to launch my app.   I can use mstsc /admin and log in as the administrator to admin the server.  I think this is by design.  Does it sound right to you?

I asked a question previously which I have not heard back on - In your RDS environment, can you use mstsc to access a host and log in as a regular user without any issue?
0
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 41733320
As I've said multiple times, mstsc does not have a GUI to properly connect to a load balanced collection. No, I don't ever launch mstsc directly for end-user tasks. That is not the intended or designed workflow and hasn't been for some time.
0
 

Author Comment

by:nav2567
ID: 41733412
I am doing that for troubleshooting purposes only.

Thanks.
0
