Solved

Unable to access RDP session of a host in a Windows 2012 RDS farm.

Posted on 2016-07-27
Last Modified: 2016-07-28
We have a Windows 2012 RDS farm that contains 3 RDS hosts.  When I try to access a published app as a domain user, I am getting an error "The user was denied access".  

When I try to RDP to a farm host as a domain user, I am getting "The requested session access is denied".  

I have already made sure the local Remote Desktop User Group includes mydomain\domain users.

Please advise where I should look.

Thanks,
Question by:nav2567
8 Comments
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 41731826
How did you configure the farm? If you used Server Manager and created a collection, you add users/groups there (by default) and don't need to edit the local remote desktop users group manually at all. But if you try to forcibly configure everything by hand, you'll definitely have issues as the RDCB will not have the appropriate policies to properly redirect and therefore will close the connection, even if you edit groups manually. 2012 relies on the RDCB role far more heavily than previous versions of Windows.
0
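An audit of the access model described in the comment above, as an added example that is not part of the original thread: it lists the groups each collection grants through the RD Connection Broker and flags entries in each session host's local Remote Desktop Users group that are not among them. The broker name `rdcb01.example.test` is a placeholder, and PowerShell remoting to the session hosts is assumed to be enabled.

```powershell
# Added example: compare collection-level grants with local group membership.
# Run as an RDS deployment administrator on Windows Server 2012 or later.
Import-Module RemoteDesktop

# Assumption: placeholder FQDN, replace with your RD Connection Broker.
$Broker = 'rdcb01.example.test'

$report = foreach ($collection in Get-RDSessionCollection -ConnectionBroker $Broker) {
    $name = $collection.CollectionName

    # Groups granted access on the collection (the setting Server Manager edits).
    $granted = @((Get-RDSessionCollectionConfiguration -CollectionName $name `
                    -UserGroup -ConnectionBroker $Broker).UserGroup)

    foreach ($rdsh in Get-RDSessionHost -CollectionName $name -ConnectionBroker $Broker) {
        # Read the local "Remote Desktop Users" group through the WinNT provider,
        # which is available on 2012 (Get-LocalGroupMember is not).
        $local = @(Invoke-Command -ComputerName $rdsh.SessionHost -ScriptBlock {
            $group = [ADSI]'WinNT://./Remote Desktop Users,group'
            foreach ($member in @($group.Invoke('Members'))) {
                $path = $member.GetType().InvokeMember(
                    'ADsPath', 'GetProperty', $null, $member, $null)
                # WinNT://DOMAIN/name -> DOMAIN\name
                ($path -replace '^WinNT://', '') -replace '/', '\'
            }
        })

        [pscustomobject]@{
            Collection       = $name
            SessionHost      = $rdsh.SessionHost
            CollectionGroups = $granted -join '; '
            # -notcontains compares case-insensitively by default.
            LocalOnlyEntries = ($local | Where-Object { $granted -notcontains $_ }) -join '; '
        }
    }
}

# Hosts with a non-empty LocalOnlyEntries column carry hand-made grants to review.
$report | Format-Table -AutoSize -Wrap
```

A broad entry such as `mydomain\domain users` appearing only in `LocalOnlyEntries` indicates access that was granted by hand on the host rather than through the collection.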
 

Author Comment

by:nav2567
ID: 41731840
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 41731862
While the link you provided is indeed a Microsoft property, they are in turn linking to a non-Microsoft property. Which isn't to say the advice is necessarily bad, but sometimes independent authors change things and clarity gets lost or other changes occur.

I'd recommend this guide instead. It is more concise, far fewer links, but still covers all of the same steps. And perhaps I missed it, but editing the local remote desktop group didn't seem to be mentioned in the guide you linked to either. So, again, going off the rails can have unintended consequences.

https://blogs.technet.microsoft.com/askperf/2012/10/30/windows-8-windows-server-2012-remote-desktop-management-server/

The blog post I am linking to includes adding users to the deployment and granting permissions to the published app/desktop.
0
 

Author Comment

by:nav2567
ID: 41731943
I have read it carefully and do not see anything I have missed in my setup or any difference between your link and the one I use.

Question, when you remote connect to a host in your farm, do you see the below message?

The remote computer ..... that you are trying to connect is redirecting you to another remote computer named .... Remote Desktop Connection cannot verify that the computers belong to the same RD session host server farm.  You must use the farm name not the computer name when you connect to an RD session host server farm.
0

 
LVL 56

Accepted Solution

by:
Cliff Galiher earned 500 total points
ID: 41731949
I have only seen that when someone is using an external load balancer or has configured round robin DNS.  In 2012, all connections should go to the RDCB first, and the RDCB will redirect as needed, and does indeed use individual server names. "Farms" are virtually dead in 2012. Instead you have "collections" and the RDCB balances across servers in a collection and since RDCB knows those members, it won't throw that error. But a machine with a name mismatching its certificate (which happens when one of the above conditions...load balancer or round robin DNS) mismatches.

I see it often when people follow 2008 habits/guidance.

At this point, since this sounds like a new deployment, I'd tear it down and start fresh. Doing a basic one RDCB, one RDSH server deployment is very straightforward. You can then add additional servers as needed/desired once you've got a functional deployment. But at this point, you've got multiple misconfigurations that are going to muddy the troubleshooting. Faster and easier just to rebuild.
0
 

Author Comment

by:nav2567
ID: 41733285
I have realized using mstsc.exe, logging in as a regular user to access a host does not work in Windows 2012.  I have to actually use either a RDWEB/RDP file to launch my app.   I can use mstsc /admin and login as the administrator to admin the server.  I think this is by design.  Does it sound right to you?

I asked a question previously  which I have not heard back - In your RDS environment, can you use mstsc to access a host and login as a regular user without any issue?
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 41733320
As I've said multiple times, mstsc does not have a GUI to properly connect to a load balanced collection. No, I don't ever launch mstsc directly for end-user tasks. That is not the intended or designed workflow and hasn't been for some time.
0
 

Author Comment

by:nav2567
ID: 41733412
I am doing that for troubleshooting purposes only.

Thanks.
0
